https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-masquerading-incident/m-p/561404#M5325 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/308232">@aspatil</a>&nbsp;<BR /><BR />Hash of the File : ee998a9733c34f4aaf428db9db744fa7c1249f6e2874f1e2c4f621938b8269f6<BR />Microsoft Signed "msiexec.exe" process<BR /><BR />I'm not saying it is signed by cortex.<BR /><BR />My question is <BR />Why the Microsoft signed EXE's are getting renamed and getting saved in "C:\Sysmon\" folder ?</P> Thu, 12 Oct 2023 09:47:55 GMT CUppin 2023-10-12T09:47:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-masquerading-incident/m-p/554968#M5041 <P>From few days getting the alerts under the "Masquerading" alert name. when we analyzed we observed there is a .exe file creation in the sysmon folder with the long string "<SPAN class="simple-value ng-star-inserted" title="C:\Sysmon\2BE609177094318EA49602B566942D95E6C81494161F8EC8A3AA6AE26FFCDD14F8F552F6EE998A9733C34F4AAF428DB9DB744FA7C1249F6E2874F1E2C4F621938B8269F64342DC2DF708853CEE37820C03BB3E66.exe">C:\Sysmon\2BE609177094318EA49602B566942D95E6C81494161F8EC8A3AA6AE26FFCDD14F8F552F6EE998A9733C34F4AAF428DB9DB744FA7C1249F6E2874F1E2C4F621938B8269F64342DC2DF708853CEE37820C03BB3E66.exe</SPAN>" <BR /><BR />Initiator CMD:</P> <DIV class="ag-cell-value ag-cell ag-cell-not-inline-editing ag-cell-normal-height ag-cell-focus" style="left: 3950px; width: 3200px;" tabindex="-1" role="gridcell" aria-colindex="19"> <DIV class="secdo-cell-container"> <DIV class="items ng-star-inserted"><SPAN class="list-text-item items ng-star-inserted" title="C:\Windows\system32\msiexec.exe /V"><SPAN class="list-text-item items ng-star-inserted" title="C:\Windows\system32\msiexec.exe /V"> C:\Windows\system32\msiexec.exe /V <BR /><BR />Initiator Path<BR /></SPAN></SPAN> <DIV class="ag-cell-value ag-cell ag-cell-not-inline-editing ag-cell-normal-height ag-cell-focus" style="left: 2600px; width: 1350px;" tabindex="-1" role="gridcell" aria-colindex="18"> <DIV class="secdo-cell-container"> <DIV class="items ng-star-inserted"><SPAN class="list-text-item items ng-star-inserted" title="C:\Sysmon\2BE609177094318EA49602B566942D95E6C81494161F8EC8A3AA6AE26FFCDD14F8F552F6EE998A9733C34F4AAF428DB9DB744FA7C1249F6E2874F1E2C4F621938B8269F64342DC2DF708853CEE37820C03BB3E66.exe"> C:\Sysmon\2BE609177094318EA49602B566942D95E6C81494161F8EC8A3AA6AE26FFCDD14F8F552F6EE998A9733C34F4AAF428DB9DB744FA7C1249F6E2874F1E2C4F621938B8269F64342DC2DF708853CEE37820C03BB3E66.exe <BR /><BR />XDR is detecting under the behavioral threat .<BR /><BR />Why exe files are creating under the "sysmon folder' with very long string.<BR /><BR /><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;<BR /></SPAN></DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <P><BR /><BR /><BR /></P> Thu, 24 Aug 2023 02:28:39 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-masquerading-incident/m-p/554968#M5041 CUppin 2023-08-24T02:28:39Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-masquerading-incident/m-p/555719#M5056 <P>Hello,</P> <P>&nbsp;</P> <P>Can you please help us with the hash value of&nbsp;<SPAN>"C:\Sysmon\2BE609177094318EA49602B566942D95E6C81494161F8EC8A3AA6AE26FFCDD14F8F552F6EE998A9733C34F4AAF428DB9DB744FA7C1249F6E2874F1E2C4F621938B8269F64342DC2DF708853CEE37820C03BB3E66.exe"</SPAN></P> <P>&nbsp;</P> <P>What makes you think this is a XDR Application? Can you please check the App details and see if this app is signed by Palo Alto Networks?</P> Tue, 29 Aug 2023 14:01:45 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-masquerading-incident/m-p/555719#M5056 aspatil 2023-08-29T14:01:45Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-masquerading-incident/m-p/561404#M5325 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/308232">@aspatil</a>&nbsp;<BR /><BR />Hash of the File : ee998a9733c34f4aaf428db9db744fa7c1249f6e2874f1e2c4f621938b8269f6<BR />Microsoft Signed "msiexec.exe" process<BR /><BR />I'm not saying it is signed by cortex.<BR /><BR />My question is <BR />Why the Microsoft signed EXE's are getting renamed and getting saved in "C:\Sysmon\" folder ?</P> Thu, 12 Oct 2023 09:47:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-masquerading-incident/m-p/561404#M5325 CUppin 2023-10-12T09:47:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-masquerading-incident/m-p/562284#M5374 <P>Do you have file deletion protection enabled in your SysMon config xml?&nbsp;</P> Wed, 18 Oct 2023 15:55:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-masquerading-incident/m-p/562284#M5374 eumbach 2023-10-18T15:55:30Z