This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

XdrAgentCleaner Execution Monitoring

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XdrAgentCleaner Execution Monitoring

KanwarSingh01
L3 Networker

‎03-10-2022 04:34 PM

Is anyone monitoring XdrAgentCleaner execution? And if so i have a question, lets say when we run the XdrAgentCleaner, before the agent cleans all the Cortex traces, does it sends the EDR telemetry to cloud so in case if XdrAgentCleaner is used maliciously it can be tracked by creating detection rules of some sort?

Kind Regards
KS
0 Likes Likes
10 REPLIES 10

bbarmanroy
L5 Sessionator

‎03-10-2022 10:40 PM

Hi @KanwarSingh01 as it is an uninstaller, it will cause the monitoring to stop immediately by killing running processes, and then remove the files/directories. You receive XDR Cleaner on-demand as a break-glass procedure, so its usage and distribution should be monitored.

 

0 Likes Likes

KanwarSingh01
L3 Networker
In response to bbarmanroy

‎03-27-2022 02:37 PM

How would you monitor? Will you be using XDR and create a BIOC detection rule? If this will be the approach then you would need data to be shipped for the alert to be fired on the XDR console, isnt it?

Kind Regards
KS
0 Likes Likes

bbarmanroy
L5 Sessionator
In response to KanwarSingh01

‎03-28-2022 01:28 AM

When I referred to as 'its usage and distribution should be monitored', I mean that your organization should have tight controls on who should have access to XDRCleaner. The usage of XDRCleaner is for removing Cortex XDR from the endpoints when the agent cannot be removed using the console (for reasons). The XDRCleaner agent should not be used as part of your standard operating procedures where end-users are expected to be in charge of removing endpoint security products. If this is the norm, please review this with your leadership to identify potential misuse and abuse cases, and the ramifications it might have on your organizational assets and IP.

 

KanwarSingh01
L3 Networker
In response to bbarmanroy

‎03-28-2022 02:24 PM

I think in some orgs the processes are not there to control who does what with a software. I think if PA can create a logic where before erasing traces of Cortex with XDR Cleaner it should be able to write to some place on system itself referencing XDR Cleaner was used OR send data to data lake for a XDR console from there a BIOC alert can be created to detect any malicious usage of XDR cleaner.

 

Threat actors do look for uninstall software for Security solution for defense evasion.

Kind Regards
KS
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks