OriginalFileName from VERSIONINFO in Cortex XDR Pro

RFeyertag — Sun, 02 Apr 2023 00:02:39 GMT

Hey dear community,

Threat actors often rename apps. Like a.exe instead of anydesk.exe. But they do not change the versioninfo.

https://www.youtube.com/watch?v=oMAvSpq9fYY --> Minute 37

Is it possible to track this with cortex xdr pro?

Rob

Re: OriginalFileName from VERSIONINFO in Cortex XDR Pro

KanwarSingh01 — Sun, 02 Apr 2023 04:29:07 GMT

Hi,

I think you can use something like below to track/hunt for the use case in question:

config case_sensitive = false | dataset = xdr_data | filter event_type = ENUM.LOAD_IMAGE and event_sub_type = ENUM.LOAD_IMAGE_MODULE | alter File_Version = json_extract_scalar(action_module_file_info,"$.file_version") | alter Product_Version = json_extract_scalar(action_module_file_info,"$.product_version") | alter Company = json_extract_scalar(action_module_file_info,"$.company") | alter Description = json_extract_scalar(action_module_file_info,"$.description") | alter internal_name = json_extract_scalar(action_module_file_info,"$.internal_name") | alter original_name = json_extract_scalar(action_module_file_info,"$.original_name") | alter only_exe = arrayindex(regextract(action_module_path,"^.+\\(.*?)$"),0) | filter only_exe contains ".exe" | fields only_exe as Filename, internal_name, original_name, File_Version, Company, Product_Version, Description, actor_process_image_name as Process, action_module_path as Path | limit 500

I have seen XDR in live where renaming instance of cmd.exe to something else and executing commands alerts in XDR.

Re: OriginalFileName from VERSIONINFO in Cortex XDR Pro

RFeyertag — Fri, 07 Apr 2023 23:00:16 GMT

Thank you very much!

Rob

topic OriginalFileName from VERSIONINFO in Cortex XDR Pro in Cortex XDR Discussions

OriginalFileName from VERSIONINFO in Cortex XDR Pro

Re: OriginalFileName from VERSIONINFO in Cortex XDR Pro

Re: OriginalFileName from VERSIONINFO in Cortex XDR Pro