XdrAgentCleaner Execution Monitoring

KanwarSingh01 · ‎03-10-2022

Is anyone monitoring XdrAgentCleaner execution? And if so i have a question, lets say when we run the XdrAgentCleaner, before the agent cleans all the Cortex traces, does it sends the EDR telemetry to cloud so in case if XdrAgentCleaner is used maliciously it can be tracked by creating detection rules of some sort?

Kind Regards
KS

bbarmanroy · ‎03-10-2022

Hi @KanwarSingh01 as it is an uninstaller, it will cause the monitoring to stop immediately by killing running processes, and then remove the files/directories. You receive XDR Cleaner on-demand as a break-glass procedure, so its usage and distribution should be monitored.

KanwarSingh01 · ‎03-27-2022

How would you monitor? Will you be using XDR and create a BIOC detection rule? If this will be the approach then you would need data to be shipped for the alert to be fired on the XDR console, isnt it?

Kind Regards
KS

bbarmanroy · ‎03-28-2022

When I referred to as 'its usage and distribution should be monitored', I mean that your organization should have tight controls on who should have access to XDRCleaner. The usage of XDRCleaner is for removing Cortex XDR from the endpoints when the agent cannot be removed using the console (for reasons). The XDRCleaner agent should not be used as part of your standard operating procedures where end-users are expected to be in charge of removing endpoint security products. If this is the norm, please review this with your leadership to identify potential misuse and abuse cases, and the ramifications it might have on your organizational assets and IP.

KanwarSingh01 · ‎03-28-2022

I think in some orgs the processes are not there to control who does what with a software. I think if PA can create a logic where before erasing traces of Cortex with XDR Cleaner it should be able to write to some place on system itself referencing XDR Cleaner was used OR send data to data lake for a XDR console from there a BIOC alert can be created to detect any malicious usage of XDR cleaner.

Threat actors do look for uninstall software for Security solution for defense evasion.

Kind Regards
KS

eluis · ‎03-29-2022

Agree with @bbarmanroy, if you provide the agent cleaner to your users, it would be better to keep an eye on who has it and how are they using it.

As with any other security product, if users have access to uninstall them this should be monitored. Doesnt matter if it is a McAfee, Kaspersky, Windows Defender deactivation or even a FW might be shutdown or configuration changed if given access to do so.

When uninstalling xdr, you will notice that the endpoint will appear as disconnected during some days and later it will completely dissapear.

With any other antivirus you wont get any alert if a user dissapears otherwise you would have thousands of false possitives when a user shutdown computer or goes on holidays ...

Something you might do depending on the license you have and if you have Broker VM deployed in your set up is to

1- Activate the Network Mapper so you can scan your network to identify unmanaged hosts in your environment that will appear in the asset table. You need CXDR pro per EP or CXDR pro per TB license for this.

2- Activate pathfinder (same licenses as before): This will deploy a non-persistent data collector on unmanaged hosts (that is, where you dont have CXDR agents installed) so that whenever an Analytics medium or high severity alert is raised, this paathfinder collector will be triggered to collect EDR data from your unmanaged hosts

Broker VM, Network Mapper and Pathfinder are optional AND highly recommended to be deployed within your CXDR environment.

Have a good CXDR time and if this was helpful, please rate and thumbs up, like it

KR,

Luis

${userLoginName} · ‎03-29-2022

1. With any other antivirus you wont get any alert if a user dissapears otherwise you would have thousands of false possitives when a user shutdown computer or goes on holidays ...

Maybe I'm misunderstanding but that's really not the case we get alerts when any part of windows is disabled shutdown or not, we just filter out those services when next to a shutdown event. Nor is any of this finger pointing productive.

@KanwarSingh01 : You can setup a simple IOC to alert you when the XDR Clearer is utilized. The SHA and/or the filename can be used as each version is different depending on the agent. As soon as the cleaner is Dropped on the device's HD and executed this can be alerted on in the functional situation you are referencing. If the Agent is truly offline then you will not be able to monitor it's use without external tools like Sysmon / Windows Event logging.

eluis · ‎03-29-2022

@KanwarSingh01Some malware modules are able to detect which AV solution you have running and are able to disable it, no need to run the Antivirus Uninstall.

Checking just the execution of a hash (for the cleaner) is not either a solution. A botch job will give you a fake feeling of safety, since changing a hash is child's play about as easy as renaming a file. That is the reason why even we at xdr use hashes we do not totally rely on them, we do behavioral analytics and ML to spot the malicious.

Skilled attackers are not going to use known hashes or file names. That is why when having an AV just based on hash/signature wont protect you from real threats, but just from script kiddies and naive testers.

The use of Network Mapper and Path Finder will help you in cases where an insider or external attacker might be able to disable Cortex, with the cleaner (remember we do also have anti-tampering to protect our xdr)
A complementary tool might be implementing a NAC solution to monitor your endpoints so that when an endpoint do not comply with your policies , for example the AV or CXDR or any other security software is uninstalled/missing, the endpoint is isolated and reported.

Hope this helps,
Luis

KanwarSingh01 · ‎03-29-2022

@eluis

Your comment:
"A complementary tool might be implementing a NAC solution to monitor your endpoints so that when an endpoint do not comply with your policies , for example the AV or CXDR or any other security software is uninstalled/missing, the endpoint is isolated and reported. "

Is probably the requirement however we do not have one. In my mind i am guessing it will be a combination of some detection rules and analytical hunting of suspicious usage of XDR cleaner.

My scenario for asking this question is as below:

Valid Credential Compromise of an Admin > Access to IT tool kit > Execute XDR Cleaner > Boom!! (No AV and telemetry, domain compromise, no need to use a malware or anything just use same tool sets what Sysadmins use.)

Kind Regards
KS

${userLoginName} · ‎03-29-2022

"..That is the reason why even we at xdr use hashes we do not totally rely on them, we do behavioral analytics and ML to spot the malicious...."

And yet the number one solution on the Live community forms for tuning is to whitelist/blocks list by hash.... you can't have it both ways. It's either a solution or it isn't.

eluis · ‎03-30-2022

Hi @KanwarSingh01 ,

about the NAC option was just as an additional monitoring option if you have it already on your budget or even deployed.
As mentioned before, activating Network Mapper will spot the endpoints that dont have xdr installed. You can figure out which endpoints are not protected, doesnt matter if it was a cleaner removal, a malware disabling it, a kind of process crash that migh be even not malicious ... and with the Pathfinder enabled you can even continue the monitoring of endpoints CXDR-less in case of medium or high alert on that endpoint not protected by xdr.
Once you have noticed with Network Mapper which endpoints do not have xdr you can invetigate further the reason, agent cleaner, you'll find traces on it (reboot on safe mode), malware disabling it.... and if you have our CXDR forensic module enabled you could also investigate further what happended. Or more manually conducting a forensic investigation on that endpoint timeline on it ...
KR,

Luis

XdrAgentCleaner Execution Monitoring