02-21-2022 05:31 PM
Hi,
There are recent articles on MS Teams security incident. Attackers attach usercentric.exe files to Teams chats to install a Trojan on the end-user's computer. This Trojan is then used to install malware that self-administers the computer.
Does Cortex XDR detect this?
Are there particular hashes to be blocked?
Link: https://www.avanan.com/blog/hackers-attach-malicious-.exe-files-to-teams-conversations
02-21-2022 10:13 PM
Hi @PGP1234 The attack vector can be Teams, emails, or any other communication tool that is being used by a malicious actor to compromise an end-user. That is the first-stage dropper that is then used to gain persistence and/or perform malicious activities on the endpoint etc.
How Cortex XDR detects this: behaviorial analysis. XDR will monitor all running processes and look at the actions being performed (registry entries, network activities, disk activities etc.) Take a look at this document, which explains the capabilities of Cortex XDR in detail: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-...
The payload can evolve over time, as can the second- or third-stage payloads. Blocking via hash is a tactical fix, and not to be confused with a strategic fix. The fix can be on multiple levels: firewalls, endpoints, permissions review, user awareness etc.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
