https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/where-to-get-more-information-on-quot-behavioral-threat-detected/m-p/482038#M1908 <P>Hello Cortex users, wondering if anyone has seen this before?&nbsp; We are getting a single host flagged with a large amount of "<SPAN>Behavioral threat detected (rule: create_renamed_script_engine_by_hash)" but when we investigate in Cortex XDR there is almost no information to go on.&nbsp; The process shows ::1 for the value, no path, command, PID, TID, MD5.&nbsp; Signature is unavailable. It's not giving us much to go on.</SPAN></P><P>&nbsp;</P><P><SPAN>We looked at the host and didn't see anything in particular in the System/Application/Security event logs, nothing repeating at the times the events fires.&nbsp; We were seeing it up to every about 5 minutes last night.</SPAN></P><P>&nbsp;</P><P><SPAN>Any guidance on what we can zero in on, I can't find any other references to this specific alert.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks!</SPAN></P> Fri, 22 Apr 2022 16:42:44 GMT SGarringer 2022-04-22T16:42:44Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/where-to-get-more-information-on-quot-behavioral-threat-detected/m-p/482038#M1908 <P>Hello Cortex users, wondering if anyone has seen this before?&nbsp; We are getting a single host flagged with a large amount of "<SPAN>Behavioral threat detected (rule: create_renamed_script_engine_by_hash)" but when we investigate in Cortex XDR there is almost no information to go on.&nbsp; The process shows ::1 for the value, no path, command, PID, TID, MD5.&nbsp; Signature is unavailable. It's not giving us much to go on.</SPAN></P><P>&nbsp;</P><P><SPAN>We looked at the host and didn't see anything in particular in the System/Application/Security event logs, nothing repeating at the times the events fires.&nbsp; We were seeing it up to every about 5 minutes last night.</SPAN></P><P>&nbsp;</P><P><SPAN>Any guidance on what we can zero in on, I can't find any other references to this specific alert.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks!</SPAN></P> Fri, 22 Apr 2022 16:42:44 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/where-to-get-more-information-on-quot-behavioral-threat-detected/m-p/482038#M1908 SGarringer 2022-04-22T16:42:44Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/where-to-get-more-information-on-quot-behavioral-threat-detected/m-p/482163#M1909 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/217244">@SGarringer</a>&nbsp;What cortex licenses version are you using? Seems Prevent.</P><P>&nbsp;</P><P>Can you take a look at the prevention folder in c:\ProgramData\Cyvera\Prevention Folders and look into the prevention alert which is generated around that time, this will give a little bit of more information for your investigation around the alert.</P><P>&nbsp;</P><P>According to me this alert triggers when you have a hash of a process which is similar to wscript.exe, cscript.exe, cmd.exe or powershell.exe (scripting engine process) but the "<STRONG>process name"</STRONG> is not a scripting engine process but has a <STRONG>same hash</STRONG> value. When triggered by a suspicious parent process as setup in PA Cortex defined rule set.</P><P>&nbsp;</P><P>hash of cmd.exe == hash of blahh.exe (Trigger Rule.) if the parent is x, y or z.exe (Something like this.)</P><P>List of scripting engine:</P><P><A href="https://attack.mitre.org/techniques/T1059" target="_blank">https://attack.mitre.org/techniques/T1059</A></P><P>&nbsp;</P><P>You will come to know more about the story when you take a look at the prevention alert data in the folder which i have mentioned.</P> Sun, 24 Apr 2022 01:08:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/where-to-get-more-information-on-quot-behavioral-threat-detected/m-p/482163#M1909 KanwarSingh01 2022-04-24T01:08:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/where-to-get-more-information-on-quot-behavioral-threat-detected/m-p/482401#M1914 <P>This was exactly the information we needed.&nbsp; In this case it was an SCCM folder that we needed to exclude as per best practices from Microsoft.&nbsp; We've done that now and hopefully that will resolve the issue.&nbsp; It's unfortunate that the file information doesn't flow back into Cortex XDR for easy viewing and instead we have to pull these files.&nbsp; I'm new to supporting Cortex XDR Protect so that's great to know about the additional info in those files.&nbsp;</P> Mon, 25 Apr 2022 19:40:27 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/where-to-get-more-information-on-quot-behavioral-threat-detected/m-p/482401#M1914 SGarringer 2022-04-25T19:40:27Z