https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/synrpcserver-exe-in-system32-folder/m-p/995927#M7518 <P>It was from: XDR Analytics BIOC</P> Mon, 02 Dec 2024 08:55:29 GMT Panagiss 2024-12-02T08:55:29Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/synrpcserver-exe-in-system32-folder/m-p/847149#M7493 <P>Hi,<BR /><BR />I got an alert "Globally rare process execution from a signed process" and after investigating the process is <SPAN class="cell-value-text ng-star-inserted" title="C:\Windows\System32\SynRpcServer.exe">SynRpcServer.exe</SPAN></P> <DIV class="copy-to-clip-box ng-star-inserted" title="Copy to clipboard">which not uncommon and also the host uses a fingerprint sensor so it should all make sense. <BR /><BR />But the interesting parts are on the causality chain are:<BR /><BR /> <DIV class="description-wrapper"> <DIV class="text"> <DIV class="items-list ng-star-inserted"> <UL> <LI class="desc-item ng-star-inserted"><SPAN class="desc-text">SynRpcServer.exe executed "SynRpcServer.exe".</SPAN></LI> <LI class="desc-item ng-star-inserted"><SPAN class="desc-text">T</SPAN><SPAN class="desc-text">he acting process is signed by Synaptics Incorporated.</SPAN></LI> <LI class="desc-item ng-star-inserted"><SPAN class="desc-text">This signed vendor, image name and executed process combination is globally uncommon.</SPAN></LI> </UL> </DIV> </DIV> </DIV> Furthermore the location of the exe is in System32 folder:<BR /><EM>C:\Windows\System32\SynRpcServer.exe</EM><BR /><BR />Hash (of the parent&nbsp;<SPAN class="desc-text">SynRpcServer.exe)</SPAN> 10a416072f3e581e2943f07453c5484e503c47131e48674245564030de2dd531<BR /><BR /><BR />Any thoughts on this?</DIV> Wed, 27 Nov 2024 15:31:21 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/synrpcserver-exe-in-system32-folder/m-p/847149#M7493 Panagiss 2024-11-27T15:31:21Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/synrpcserver-exe-in-system32-folder/m-p/995655#M7506 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/286023">@Panagiss</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>What module is generating the alert? BTP? Analytics?</P> <P>Maybe the fingerprint driver/app has been updated and it is behaving different as before.</P> Thu, 28 Nov 2024 20:13:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/synrpcserver-exe-in-system32-folder/m-p/995655#M7506 jmazzeo 2024-11-28T20:13:43Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/synrpcserver-exe-in-system32-folder/m-p/995927#M7518 <P>It was from: XDR Analytics BIOC</P> Mon, 02 Dec 2024 08:55:29 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/synrpcserver-exe-in-system32-folder/m-p/995927#M7518 Panagiss 2024-12-02T08:55:29Z