Usercentric.Exe on MS Teams

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Usercentric.Exe on MS Teams

L0 Member

Hi,

 

There are recent articles on MS Teams security incident. Attackers attach usercentric.exe files to Teams chats to install a Trojan on the end-user's computer. This Trojan is then used to install malware that self-administers the computer.

 

Does Cortex XDR detect this?

  • If yes, how? If not, what are the other mitigations we can do?

Are there particular hashes to be blocked?

 

Link: https://www.avanan.com/blog/hackers-attach-malicious-.exe-files-to-teams-conversations

Paul Paglinawan
1 REPLY 1

L5 Sessionator

Hi @PGP1234 The attack vector can be Teams, emails, or any other communication tool that is being used by a malicious actor to compromise an end-user. That is the first-stage dropper that is then used to gain persistence and/or perform malicious activities on the endpoint etc. 

 

How Cortex XDR detects this: behaviorial analysis. XDR will monitor all running processes and look at the actions being performed (registry entries, network activities, disk activities etc.) Take a look at this document, which explains the capabilities of Cortex XDR in detail: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-...

 

The payload can evolve over time, as can the second- or third-stage payloads. Blocking via hash is a tactical fix, and not to be confused with a strategic fix. The fix can be on multiple levels: firewalls, endpoints, permissions review, user awareness etc.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!