Researcher for evading Cortex XDR & my PoC XP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Researcher for evading Cortex XDR & my PoC XP

L3 Networker

Dear Community, 

 

Here I have found a researcher which evaded Cortex XDR protection.

 https://0xsp.com/security%20research%20&%20development%20(SRD)/defeat-the-castle-bypass-av-advanced-...

Are there any connections to researcher like the one in the link above to penetrate cortex xdr? 

What can you say to the evasion technic frohe the researcher above? Will or is this allready fixed?   

 

From my PoC expirience we had 2 issues: 

1. Incident triggered for some files on the disk, which still existed on the disk. I deleted them manualy. After this I tried to quarantaine or delete them through Cortex APP leaded into a BSOD on Win10.

2. We had installed the Agent on a terminal Server. Used an Java based program for several users which was missconfigured without any RAM restriction on the jvm (now on 512m). So the system went sometimes in struggle of free virtual RAM. In this Situation the agent was disabled by missing Ressourcen. 

We struggled about 3 days, because Real RAM was enough, but jvm used the virtual RAM setting and this wasnt adjusted for non restricted jvm RAM setting. 

 

Best regards 

 

Rob

       

 

 

1 accepted solution

Accepted Solutions

It was around Version 7.4.2.3569. 

We are out of PoC. So we cannot open any support case. 

View solution in original post

7 REPLIES 7

L5 Sessionator

Hi @Cyber1985 From the article, it appears that the bypass attempts were blocked, or am I reading it incorrectly?

 

For your endpoint issues,
for #1, are you able to reproduce the issue or is it a one-time incident? Does the BSOD happen every time you try to quarantine or delete a file?
for #2, it is not clear from your explanation if the issue is related to Cortex XDR agent or the Java-based application. It might be an issue with the JVM's on the hosts and not Cortex XDR. If your issue persists, please create a support ticket at support.paloaltonetworls.com with agent logs for the corresponding teams to analyse the issues.

 

Hope this helps!

Hey @bbarmanroy 

Thanks for the fast reply! 

 

As I understood the final showdown can bee seen in the last Video and the Text above. 

#1 could be reproduced, but our PoC is over and there wasnt enough time to submit a Ticket. 

 

#2 You are right, the issue came from jvm. I Dont except a solution, i wanted to share my XP. 

 

Best Regards

 

Rob 

 

Hi @Cyber1985 What I see in the last gif is the Cobalt Strike beacon being detected and a Cortex XDR agent popup that says "Cortex XDR agent has blocked a malicious activity!", which contradicts the text. It's a bit unclear here.

 

Cortex XDR engineering teams continuously looks for evasion techniques and bakes appropriate detection and/or prevention techniques to mitigate such actions. My recommendation is to try to recreate the POC and if successful, reach out to your account teams who will guide you through the next steps.

hello! 

The correction of the above mentioned evation technique was allredy fixed I was told by the researcher himself. 

For issue#1: yes, everytime I tried to delete or quarantined a not existing file I got an BSOD. 

Issue#2: yes indeed, the root of the problem was caused by not well configured JVMs.

 

Best Regards 

 

Rob

 

   

Hi @Cyber1985 Thank you for reaching out and confirming the point on XDR capabilities.

 

For your case where the endpoint is experiencing a BSOD for triggering a File Search and Destroy for files that are deleted or quarantined, I recommend you to open a support ticket and upload the support file for the affected endpoint. Please ensure your endpoint is running a supported version of Cortex XDR and has not reached End-of-life.

L3 Networker

what agent version and what content version was this performed with?

It was around Version 7.4.2.3569. 

We are out of PoC. So we cannot open any support case. 

  • 1 accepted solution
  • 3978 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!