topic cortex-xdr-payload.exe access lsass.exe in Advanced Threat Prevention Discussions https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cortex-xdr-payload-exe-access-lsass-exe/m-p/1225765#M2421 <P>Hi guys,&nbsp;<BR /><BR /><SPAN>I received an alert regarding <CODE data-start="209" data-end="233">cortex-xdr-payload.exe</CODE> accessing <CODE data-start="244" data-end="255">lsass.exe</CODE>. The full path is: below:&nbsp;</SPAN><SPAN>C:\ProgramData\Cyvera\LocalSystem\Download\protected_payload_execution\cortex-xdr-payload.exe<BR /><BR />From my research, the legitimate <CODE data-start="414" data-end="438">cortex-xdr-payload.exe</CODE> is used for offline triage collection, but I haven’t found any references to other related functionalities.<BR /><BR /></SPAN></P> <P class="" data-start="381" data-end="407">I would like to confirm:</P> <P class="" data-start="381" data-end="407">1. Is the file path valid?</P> <P class="" data-start="381" data-end="407">2. Is this a legitimate process for checking <CODE data-start="453" data-end="464">lsass.exe</CODE>?</P> <P class="" data-start="381" data-end="407"><SPAN>3. Is it possible to schedule this process? I noticed that the alert appears at the same time consistently.<BR /><BR /></SPAN></P> <P class="" data-start="608" data-end="643">Looking forward to your insights.</P> <P><SPAN>&nbsp;</SPAN></P> Sat, 05 Apr 2025 15:06:06 GMT ${userLoginName} 2025-04-05T15:06:06Z cortex-xdr-payload.exe access lsass.exe https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cortex-xdr-payload-exe-access-lsass-exe/m-p/1225765#M2421 <P>Hi guys,&nbsp;<BR /><BR /><SPAN>I received an alert regarding <CODE data-start="209" data-end="233">cortex-xdr-payload.exe</CODE> accessing <CODE data-start="244" data-end="255">lsass.exe</CODE>. The full path is: below:&nbsp;</SPAN><SPAN>C:\ProgramData\Cyvera\LocalSystem\Download\protected_payload_execution\cortex-xdr-payload.exe<BR /><BR />From my research, the legitimate <CODE data-start="414" data-end="438">cortex-xdr-payload.exe</CODE> is used for offline triage collection, but I haven’t found any references to other related functionalities.<BR /><BR /></SPAN></P> <P class="" data-start="381" data-end="407">I would like to confirm:</P> <P class="" data-start="381" data-end="407">1. Is the file path valid?</P> <P class="" data-start="381" data-end="407">2. Is this a legitimate process for checking <CODE data-start="453" data-end="464">lsass.exe</CODE>?</P> <P class="" data-start="381" data-end="407"><SPAN>3. Is it possible to schedule this process? I noticed that the alert appears at the same time consistently.<BR /><BR /></SPAN></P> <P class="" data-start="608" data-end="643">Looking forward to your insights.</P> <P><SPAN>&nbsp;</SPAN></P> Sat, 05 Apr 2025 15:06:06 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cortex-xdr-payload-exe-access-lsass-exe/m-p/1225765#M2421 ${userLoginName} 2025-04-05T15:06:06Z