high priority 'Behavioral Threat' alert for smss.exe (system)?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

high priority 'Behavioral Threat' alert for smss.exe (system)?

L2 Linker

Every few weeks or so getting a high priority alert:

'Behavioral Threat' generated by XDR Agent detected on host <some_WS2019_server> involving user system
Priority: High
Behavioral Threat
Source: XDR Agent

Behavioral threat detected (rule: sync.vulnerable_driver_by_original_name_loaded_procexp)

User name            SYSTEM
Action               Prevented (Blocked)
Category             Malware
File Macro SHA256    N/A

MITRE ATT&CK

Tactics

TA0004 - Privilege Escalation
TA0005 - Defense Evasion
TA0002 - Execution

Techniques

T1068 - Exploitation for Privilege Escalation
T1014 - Rootkit
T1211 - Exploitation for Defense Evasion
T1203 - Exploitation for Client Execution

Host

Platform         Windows | 10.0.17763
Hostname         ***
Host IP          ***
Host MAC Address ***
Host FQDN        ***


Process Execution

Initiator Details

Name (initiated by)    System
Path (initiator path)  System
CMD (initiator CMD)    N/A
PID (initiator PID)    4
TID (initiator TID)    N/A
Signature              Signature Unavailable
MD5                    N/A


Target Process

Name                   N/A
CMD                    N/A

Causality Group Owner Details

Name                   N/A
Path                   N/A
CMD                    N/A
Signature              Signature Unavailable
MD5                    N/A

OS Parent

Name                   N/A
CMD                    N/A
Username               N/A
PID                    N/A
TID                    N/A
Signature              Signature Unavailable

Under "artifacts" it'd say:

smss.exe
(fac9...1c28)
Microsoft Corporation
WF Benign
VT Unknown

kindzma_0-1728399273223.png

 

(I am new to Cortex XDR and generally to managed XDR - inherited the environment from a network admin who is no longer with the company - and now it's mostly in my hands.)

 

What are my next steps?

  • Checked the file itself - it's clean and matches the hash, timestamp, size with other WS2019 servers running the same workloads.
  • Checked event logs - do see some events (below) that may be relevant - but nothing that mentions smss.exe.
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/15/2023  11:08 AM         147720 smss.exe

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          FAC9407ADDEE9DEB1D07CAE8F11E13CB5F4B99CFD87894A52747524C212E1C28       C:\Windows\System32\smss.exe

> (Get-Item -Path "C:\Windows\System32\smss.exe").VersionInfo.FileVersion
10.0.17763.1 (WinBuild.160101.0800)

 

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          10/8/2024 2:03:55 AM
Event ID:      10016
Task Category: None
Level:         Error
Keywords:      Classic
User:          NETWORK SERVICE
Computer:      ***
Description:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{F87B28F1-****-****-****-800EFCF26B83}
 and APPID 
{0868DC9B-****-****-****-133CEA201299}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Log Name:      Microsoft-Windows-User Device Registration/Admin
Source:        Microsoft-Windows-User Device Registration
Date:          10/8/2024 2:04:58 AM
Event ID:      307
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      ***
Description:
Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: Unknown HResult Error code: 0x801c001d. See http://go.microsoft.com/fwlink/?LinkId=623042
Log Name:      Microsoft-Windows-User Device Registration/Admin
Source:        Microsoft-Windows-User Device Registration
Date:          10/8/2024 2:04:58 AM
Event ID:      304
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      ***
Description:
Automatic registration failed at join phase. 
Exit code: Unknown HResult Error code: 0x801c001d 
Server error:  
Tenant type: undefined 
Registration type: undefined 
Debug Output: 
joinMode: Join
drsInstance: undefined
registrationType: undefined
tenantType: undefined
tenantId: undefined
configLocation: undefined
errorPhase: discover
adalCorrelationId: undefined
adalLog:
undefined
adalResponseCode: 0x0
2 REPLIES 2

L3 Networker

Hi @kindzma 

Thank you for reaching out to the Live Community!

I have reviewed the alert details submitted and the Alert encountered was a BTP Alert related to "sync.vulnerable_driver_by_original_name_loaded_procexp"

This BTP rule is meant for protecting our agent from a potential vulnerability, leveraged by "procexp.sys"' driver. When used maliciously, this driver's kernel functions might put our agent at risk. Therefore when the driver is being loaded (by any application) the agent will prevent it from loading but will allow executing the application itself (will not kill the source process). This driver is commonly associated with applications such as "Process Explorer" (procexp.exe). Procexp.sys is loaded when the above applications are running with administrative privileges.

I suggest referring to this article for more details and the solution - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZDSCA2

I hope this helps,  Please click Accept as Solution to acknowledge If this answer added value to your question.

Regards,

Thanks! Can't seem to access the article:

 


We can't log you in because of an issue with single sign-on. Contact your Salesforce admin for help.

  • Does the article explain if the alert indicates malicious, or at least highly unusual behavior? (As its high priority would suggest?)
  • Would you mind posting key takeaways from the article, i.e. what the next steps should be when getting such an alert?
    • (Including how to prevent these incidents going forward)

Thanks!

  • 674 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!