Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Incident question - svchost without signature?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Incident question - svchost without signature?

L4 Transporter

Hello dear community, 

 

you know how to handle this svchost.exe without signature? In my opinion it is FP, but why?

Isn't it possible for the cortex agent to read the signature from svchost.exe in this case?

 

 

RFeyertag_0-1659806957154.png

 

RFeyertag_3-1659807299644.png

I tweaked the alert and gave it medium severity and some more applications. 

 

BR

 

Rob

 

3 REPLIES 3

L3 Networker

Hi @RFeyertag,

 

It's a little odd that svchost.exe doesn't have a digital signature and I would like to ask you if you can run an XQL query against this endpoint and identify if the svchost.exe on that endpoint is indeed unsigned or not (please see the query below)?

 

dataset = xdr_data
| filter agent_hostname = "<endpoint_hostname>" and causality_actor_process_image_name="svchost.exe"
| fields causality_actor_process_image_name, actor_process_signature_vendor, actor_process_signature_status

 

Thanks,

Silviu

Silviu-Mihail Dascalu

Hello Silviu, 

 

yes, I get a few results. See screenshot below. I get these incidents on another computer too and on another pc with explorer.exe. 

In summary there are 3 incidents and I need to know, if this is a FP or not. 

 

RFeyertag_0-1659969799695.png

BR

 

Rob

L3 Networker

Hi @RFeyertag 

 

Please open a TAC case in order for this to be investigated properly as it seems there are some miss matches between the XQL results and the alert info. 

Silviu-Mihail Dascalu
  • 2091 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!