03-10-2022 04:34 PM
Is anyone monitoring XdrAgentCleaner execution? And if so i have a question, lets say when we run the XdrAgentCleaner, before the agent cleans all the Cortex traces, does it sends the EDR telemetry to cloud so in case if XdrAgentCleaner is used maliciously it can be tracked by creating detection rules of some sort?
03-10-2022 10:40 PM
Hi @KanwarSingh01 as it is an uninstaller, it will cause the monitoring to stop immediately by killing running processes, and then remove the files/directories. You receive XDR Cleaner on-demand as a break-glass procedure, so its usage and distribution should be monitored.
03-27-2022 02:37 PM
How would you monitor? Will you be using XDR and create a BIOC detection rule? If this will be the approach then you would need data to be shipped for the alert to be fired on the XDR console, isnt it?
03-28-2022 01:28 AM
When I referred to as 'its usage and distribution should be monitored', I mean that your organization should have tight controls on who should have access to XDRCleaner. The usage of XDRCleaner is for removing Cortex XDR from the endpoints when the agent cannot be removed using the console (for reasons). The XDRCleaner agent should not be used as part of your standard operating procedures where end-users are expected to be in charge of removing endpoint security products. If this is the norm, please review this with your leadership to identify potential misuse and abuse cases, and the ramifications it might have on your organizational assets and IP.
03-28-2022 02:24 PM
I think in some orgs the processes are not there to control who does what with a software. I think if PA can create a logic where before erasing traces of Cortex with XDR Cleaner it should be able to write to some place on system itself referencing XDR Cleaner was used OR send data to data lake for a XDR console from there a BIOC alert can be created to detect any malicious usage of XDR cleaner.
Threat actors do look for uninstall software for Security solution for defense evasion.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!