https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/may-this-cmd-for-password-query-could-find-into-a-content-update/m-p/523216#M3215 <P><A href="https://twitter.com/VirtualAllocEx/status/1599048829084794880?s=20&amp;t=V1OyrvuCbhYez-wkSXNk1A" target="_blank">https://twitter.com/VirtualAllocEx/status/1599048829084794880?s=20&amp;t=V1OyrvuCbhYez-wkSXNk1A</A></P> <P>&nbsp;</P> <P>Or ist there a rule ready for this?</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Sat, 03 Dec 2022 22:25:35 GMT RFeyertag 2022-12-03T22:25:35Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/may-this-cmd-for-password-query-could-find-into-a-content-update/m-p/523216#M3215 <P><A href="https://twitter.com/VirtualAllocEx/status/1599048829084794880?s=20&amp;t=V1OyrvuCbhYez-wkSXNk1A" target="_blank">https://twitter.com/VirtualAllocEx/status/1599048829084794880?s=20&amp;t=V1OyrvuCbhYez-wkSXNk1A</A></P> <P>&nbsp;</P> <P>Or ist there a rule ready for this?</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Sat, 03 Dec 2022 22:25:35 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/may-this-cmd-for-password-query-could-find-into-a-content-update/m-p/523216#M3215 RFeyertag 2022-12-03T22:25:35Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/may-this-cmd-for-password-query-could-find-into-a-content-update/m-p/523222#M3218 <P><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Dear&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>&nbsp;</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Thank you for writing to XDR live community!</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>You can create your own </SPAN><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-biocs/create-a-bioc-rule" target="_blank" rel="noopener"><SPAN>custom BIOC rule</SPAN></A><SPAN> to detect this attempt to discover unsecured credentials in the registry.</SPAN><SPAN><BR /><BR /></SPAN></P> <P>&nbsp;</P> <OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Start by logging in to your XDR tenant and Choose Detection Rules → BIOC</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>In the BIOC rules page choose ‘add BIOC’ at the top right of your screen.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>&nbsp;Next, select to create a Process based BIOC and apply the following filters:</SPAN></LI> <OL> <LI style="font-weight: 400;" aria-level="2"><SPAN>name = reg.exe</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>cmd =~.*query.*password.*</SPAN></LI> </OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Click ‘Save’.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>You will now be prompted to name your new BIOC rule and, choose: type, severity level and associated MITRE techniques and tactics:</SPAN></LI> <OL> <LI style="font-weight: 400;" aria-level="2"><SPAN>Type:‘Credentials Access’.</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Technique:T1214 - Credentials in Registry</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Tactic: TA0006 - Credential Access</SPAN></LI> </OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Click save.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><BR />Attaching screenshots below for your convenience .<BR /><SPAN>You should now have a custom BIOC to help you discover potential attempts to unsecure credentials in the registry.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Hope this helps!</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN></LI> </OL> <P><SPAN><BR /><BR /></SPAN></P> Sun, 04 Dec 2022 19:24:57 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/may-this-cmd-for-password-query-could-find-into-a-content-update/m-p/523222#M3218 mavraham 2022-12-04T19:24:57Z