BTD - PROCEXP152.SYS - Vulnerable Driver Loaded

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

BTD - PROCEXP152.SYS - Vulnerable Driver Loaded

L1 Bithead

Cortex blocked driver PROCEXP152.SYS from being loaded (rule: sync.vulnerable_driver_by_original_name_loaded_procexp)
The thing it that this is a signed microsoft driver and it's kind of a known situation for many other vendors.

Links: Process Explorer - ProcExp152.sys Driver Flagged As Vulnerable - Microsoft Q&A , SentinelOne annoyance! : r/sysadmin (reddit.com)

 

Does anyone seen this in Cortex before? What it's the best thing to do?

Thanks

1 accepted solution

Accepted Solutions

L4 Transporter

Hi Panagiss,

 

Cortex XDR is indicating that this is a vulnerable driver, not that it is not a legitimate driver (we're not disputing that it's signed by MS).  A common tactic used by attackers is to take advantage of highly trusted binaries which are vulnerable to abuse to perform actions like killing EDR tools.  There are many examples of executables which are vulnerable to misuse, including older versions of the process explorer binary.  To prevent misuse, Cortex XDR blocks loading of vulnerable versions of this executable by default.

 

If you want to allow this driver to be loaded in your environment, you can create a Disable Prevention Rule and (optionally) an Alert Exclusion to allow the driver to be loaded and suppress associated alerts from the console.  Keep in mind that this will create a risk for your organization as attackers could exploit this driver to kill Cortex XDR on the endpoint they have gained access to.

View solution in original post

1 REPLY 1

L4 Transporter

Hi Panagiss,

 

Cortex XDR is indicating that this is a vulnerable driver, not that it is not a legitimate driver (we're not disputing that it's signed by MS).  A common tactic used by attackers is to take advantage of highly trusted binaries which are vulnerable to abuse to perform actions like killing EDR tools.  There are many examples of executables which are vulnerable to misuse, including older versions of the process explorer binary.  To prevent misuse, Cortex XDR blocks loading of vulnerable versions of this executable by default.

 

If you want to allow this driver to be loaded in your environment, you can create a Disable Prevention Rule and (optionally) an Alert Exclusion to allow the driver to be loaded and suppress associated alerts from the console.  Keep in mind that this will create a risk for your organization as attackers could exploit this driver to kill Cortex XDR on the endpoint they have gained access to.

  • 1 accepted solution
  • 5684 Views
  • 1 replies
  • 0 Likes
  • 78 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!