https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-defender-and-calc-abuse-for-dll-sideloading/m-p/510632#M2439 <P>Hello dear community,&nbsp;</P> <P>&nbsp;</P> <P>Has anyone build a xql query for this case:</P> <P>&nbsp;</P> <P><A href="https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/" target="_blank">https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/</A></P> <P>Should this help?</P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-hunting-renamed-lolbins-process-execution/m-p/488807#M2019" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-hunting-renamed-lolbins-process-execution/m-p/488807#M2019</A></P> <P>&nbsp;</P> <P>And how do we Set this two queries up?</P> <P>&nbsp;</P> <P>BR&nbsp;</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 02 Aug 2022 21:48:18 GMT Cyber1985 2022-08-02T21:48:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-defender-and-calc-abuse-for-dll-sideloading/m-p/510632#M2439 <P>Hello dear community,&nbsp;</P> <P>&nbsp;</P> <P>Has anyone build a xql query for this case:</P> <P>&nbsp;</P> <P><A href="https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/" target="_blank">https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/</A></P> <P>Should this help?</P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-hunting-renamed-lolbins-process-execution/m-p/488807#M2019" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-hunting-renamed-lolbins-process-execution/m-p/488807#M2019</A></P> <P>&nbsp;</P> <P>And how do we Set this two queries up?</P> <P>&nbsp;</P> <P>BR&nbsp;</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 02 Aug 2022 21:48:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-defender-and-calc-abuse-for-dll-sideloading/m-p/510632#M2439 Cyber1985 2022-08-02T21:48:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-defender-and-calc-abuse-for-dll-sideloading/m-p/510701#M2445 <P>Hi Cyber1985,</P> <P>&nbsp;</P> <P>If you have a Pro per Endpoint license then the Analytics Engine will identify this sort of thing for you, here are some relevant Analytics alerts that can fire:</P> <UL> <LI><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin" target="_self">Execution of a renamed LOLBIN</A>&nbsp;</LI> <LI><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/recurring-access-to-rare-ip" target="_self">Recurring access to a rare IP</A>&nbsp;</LI> <LI><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/powershell-runs-suspicious-base64-encoded-commands" target="_self">PowerShell runs suspicious base64 encoded command</A>&nbsp;</LI> </UL> <P>Each of these alerts will generate incidents if they fire within your tenant.&nbsp; If you want to create your own XQL search you can go to Incident Response -&gt; Query Builder -&gt; XQL Search, here you can paste the query from the second article you linked and then you have the option to Run, Run in Background, Save or Schedule.&nbsp; If you want this to generate alerts if data is returned, you can save it as a correlation rule and it will then be run periodically and can create incidents (depending on the severity you set, medium and high severity generate alerts).</P> <P>&nbsp;</P> <P>If you are a Prevent customer, then you do not have EDR data collection as a feature and will be unable to detect this sort of behavior.&nbsp;&nbsp;</P> Wed, 03 Aug 2022 14:10:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-defender-and-calc-abuse-for-dll-sideloading/m-p/510701#M2445 afurze 2022-08-03T14:10:30Z