08-23-2023 07:28 PM
For a few days we have been getting alerts under the "Masquerading" alert name. When we analyzed them, we observed an .exe file being created in the Sysmon folder with the long string "C:\Sysmon\2BE609177094318EA49602B566942D95E6C81494161F8EC8A3AA6AE26FFCDD14F8F552F6EE998A9733C34F4AAF428DB9DB744FA7C1249F6E2874F1E2C4F621938B8269F64342DC2DF708853CEE37820C03BB3E66.exe"
Initiator CMD:
08-29-2023 07:01 AM
Hello,
Can you please help us with the hash value of "C:\Sysmon\2BE609177094318EA49602B566942D95E6C81494161F8EC8A3AA6AE26FFCDD14F8F552F6EE998A9733C34F4AAF428DB9DB744FA7C1249F6E2874F1E2C4F621938B8269F64342DC2DF708853CEE37820C03BB3E66.exe"
What makes you think this is an XDR application? Can you please check the App details and see if this app is signed by Palo Alto Networks?
10-12-2023 02:47 AM
Hi @aspatil
Hash of the file: ee998a9733c34f4aaf428db9db744fa7c1249f6e2874f1e2c4f621938b8269f6
Microsoft-signed "msiexec.exe" process
I'm not saying it is signed by cortex.
My question is
Why are Microsoft-signed EXEs getting renamed and saved in the "C:\Sysmon\" folder?
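One way to triage the question above on the affected host, as an added example that is not part of this thread: list every .exe under the folder named in the alert, compare its on-disk name with the OriginalFilename stored in its PE version resource (a mismatch is the core of the "Masquerading" indicator), record the Authenticode signer, and flag names that embed the file's own SHA-256 (the hash quoted in the reply appears verbatim inside the long file name). The folder path is taken from the thread; the function name is my own.

```powershell
# Added triage example, not code from the thread. Assumes PowerShell 5.1+ on the host
# and the folder path reported in the alert.
$Folder = 'C:\Sysmon'

function Get-RenamedSignedExe {
    param([string]$Path = $Folder)

    Get-ChildItem -Path $Path -Filter '*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $ver  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($file.FullName)
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash

        # OriginalFilename lives in the PE version resource and survives a rename,
        # so "msiexec.exe" showing up here under a different on-disk name is the
        # renamed-system-utility pattern the Masquerading alert is built on.
        $original = $ver.OriginalFilename
        $renamed  = [bool]($original -and ($original -ne $file.Name))

        # Renaming does not break an Authenticode signature: a Valid status with a
        # Microsoft signer tells you what the binary is, not why it was renamed.
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # A file name that contains the file's own SHA-256 is an unusual naming scheme
        # and worth surfacing on its own.
        $embedsHash = $file.BaseName.ToUpperInvariant().Contains($hash.ToUpperInvariant())

        [pscustomobject]@{
            Path             = $file.FullName
            OriginalFilename = $original
            Renamed          = $renamed
            NameEmbedsHash   = $embedsHash
            SignatureStatus  = $sig.Status
            Signer           = $signer
            SHA256           = $hash
            CreatedUtc       = $file.CreationTimeUtc
        }
    }
}

# Only show files that look renamed or carry their own hash in the name.
Get-RenamedSignedExe | Where-Object { $_.Renamed -or $_.NameEmbedsHash } | Format-List
```

The CreatedUtc value is what you would pivot on in Sysmon event ID 11 (FileCreate) and the process creation events around it to find which parent wrote the file.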