https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/true-positive-no-incident-evasion-self-made-alerts-helped-to/m-p/556849#M5097 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/232716">@anlynch</a>!</P> <P>&nbsp;</P> <P>it would be nice if there could be a new rule for process which is not browser communicating to steamcommunity and/or t.me. And this rule should terminate this process.&nbsp;</P> <P>Because wildfire is not getting a 300 MB scr file to analyze. So it flew completely under the radar.&nbsp;</P> <P>This is one of the best evasion technique I've ever seen and I am a little bit proud that I detected it with much efort creating new rules to detect this peace of best stealer trojan.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 06 Sep 2023 20:53:40 GMT RFeyertag 2023-09-06T20:53:40Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/true-positive-no-incident-evasion-self-made-alerts-helped-to/m-p/556567#M5087 <P>Hello dear community,&nbsp;</P> <P>&nbsp;</P> <P>got an 2 hour infection on a fat client from this&nbsp;<A href="https://www.virustotal.com/gui/file/79e3e243726a8b29b4cf74576e364ce98dfadb5bd182d8d1ed55255e70defc2c/details" target="_blank">https://www.virustotal.com/gui/file/79e3e243726a8b29b4cf74576e364ce98dfadb5bd182d8d1ed55255e70defc2c/details</A></P> <P>This little guy was evading cortex xdr pro.&nbsp;</P> <P>Whatch out and fill your blocklist, because they getting better and better.&nbsp;</P> <P>&nbsp;</P> <P>Initial access was a google drive link and the pw protected rar/zip with about 120 MB size.&nbsp;</P> <P>&nbsp;</P> <P>If you are interested with wich self made bioc we detected it let me know.&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> Tue, 05 Sep 2023 16:15:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/true-positive-no-incident-evasion-self-made-alerts-helped-to/m-p/556567#M5087 RFeyertag 2023-09-05T16:15:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/true-positive-no-incident-evasion-self-made-alerts-helped-to/m-p/556765#M5093 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>,</P> <P>&nbsp;</P> <P>Thanks for sharing this with the community!</P> Wed, 06 Sep 2023 14:48:07 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/true-positive-no-incident-evasion-self-made-alerts-helped-to/m-p/556765#M5093 anlynch 2023-09-06T14:48:07Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/true-positive-no-incident-evasion-self-made-alerts-helped-to/m-p/556849#M5097 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/232716">@anlynch</a>!</P> <P>&nbsp;</P> <P>it would be nice if there could be a new rule for process which is not browser communicating to steamcommunity and/or t.me. And this rule should terminate this process.&nbsp;</P> <P>Because wildfire is not getting a 300 MB scr file to analyze. So it flew completely under the radar.&nbsp;</P> <P>This is one of the best evasion technique I've ever seen and I am a little bit proud that I detected it with much efort creating new rules to detect this peace of best stealer trojan.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 06 Sep 2023 20:53:40 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/true-positive-no-incident-evasion-self-made-alerts-helped-to/m-p/556849#M5097 RFeyertag 2023-09-06T20:53:40Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/true-positive-no-incident-evasion-self-made-alerts-helped-to/m-p/557084#M5108 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>&nbsp;<BR /><BR /><SPAN>For Cortex XDR coverage information, please submit a TAC case and share your observation and workaround you did on the same for team to review and update.</SPAN></P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Fri, 08 Sep 2023 02:13:45 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/true-positive-no-incident-evasion-self-made-alerts-helped-to/m-p/557084#M5108 PiyushKohli 2023-09-08T02:13:45Z