https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-portproxy-enabled-allow-a-man-in-the-middle-attack/m-p/585073#M6604 <P>Hi<BR /><BR />Does anyone know if <LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;detect and/or protect against this type of attack:</P> <P>&nbsp;</P> <P><A href="https://www.syxsense.com/syxsense-securityarticles/disa_stig_benchmarks/syx-1036-13731.html?agt=index" target="_blank">Windows 10 must not have portproxy enabled or in use (syxsense.com)</A></P> Fri, 26 Apr 2024 14:59:25 GMT tlmarques 2024-04-26T14:59:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-portproxy-enabled-allow-a-man-in-the-middle-attack/m-p/585073#M6604 <P>Hi<BR /><BR />Does anyone know if <LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;detect and/or protect against this type of attack:</P> <P>&nbsp;</P> <P><A href="https://www.syxsense.com/syxsense-securityarticles/disa_stig_benchmarks/syx-1036-13731.html?agt=index" target="_blank">Windows 10 must not have portproxy enabled or in use (syxsense.com)</A></P> Fri, 26 Apr 2024 14:59:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-portproxy-enabled-allow-a-man-in-the-middle-attack/m-p/585073#M6604 tlmarques 2024-04-26T14:59:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-portproxy-enabled-allow-a-man-in-the-middle-attack/m-p/585095#M6607 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307134">@tlmarques</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>I did a test in my lab by modifying the registry as mentioned in the link, and it was not detected by the XDR Agent as malicious.</P> <P>In this cases you can create custom BIOCs to detect this behaviors that might not be malicious by themselves.</P> <P>I have created this custom BIOC rule that you can apply in <STRONG>Detection Rules - BIOC - Add Bioc</STRONG> to detect modifications to this registry key.</P> <P>&nbsp;</P> <LI-CODE lang="markup">dataset = xdr_data | filter event_type = ENUM.REGISTRY and event_sub_type = ENUM.REGISTRY_CREATE_KEY | filter action_registry_key_name contains """HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\PortProxy\\"""</LI-CODE> <P>&nbsp;Tested and working as expected:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_0-1714161955058.png" style="width: 325px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59322i381E006FCD4A0E9F/image-dimensions/325x519/is-moderation-mode/true?v=v2" width="325" height="519" role="button" title="jmazzeo_0-1714161955058.png" alt="jmazzeo_0-1714161955058.png" /></span></P> <P>You can even add the BIOC to a Restriction Profile and block the process doing the registry modification.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Fri, 26 Apr 2024 20:07:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-portproxy-enabled-allow-a-man-in-the-middle-attack/m-p/585095#M6607 jmazzeo 2024-04-26T20:07:18Z