XdrAgentCleaner Execution Monitoring


L3 Networker

Is anyone monitoring XdrAgentCleaner execution? And if so, I have a question: let's say when we run the XdrAgentCleaner, before the agent cleans all the Cortex traces, does it send the EDR telemetry to the cloud, so that in case XdrAgentCleaner is used maliciously it can be tracked by creating detection rules of some sort?

Kind Regards
KS

L5 Sessionator

Hi @KanwarSingh01, as it is an uninstaller, it will cause the monitoring to stop immediately by killing running processes, and then remove the files/directories. You receive XDR Cleaner on demand as a break-glass procedure, so its usage and distribution should be monitored.


How would you monitor? Will you be using XDR and creating a BIOC detection rule? If this is the approach, then you would need data to be shipped for the alert to be fired on the XDR console, isn't it?

Kind Regards
KS

When I referred to 'its usage and distribution should be monitored', I meant that your organization should have tight controls on who has access to XDRCleaner. The usage of XDRCleaner is for removing Cortex XDR from the endpoints when the agent cannot be removed using the console (for reasons). The XDRCleaner agent should not be used as part of your standard operating procedures, where end-users are expected to be in charge of removing endpoint security products. If this is the norm, please review this with your leadership to identify potential misuse and abuse cases, and the ramifications it might have on your organizational assets and IP.


I think in some orgs the processes are not there to control who does what with software. I think if PA can create logic where, before erasing traces of Cortex with XDR Cleaner, it writes to some place on the system itself recording that XDR Cleaner was used, OR sends data to the data lake for the XDR console, then from there a BIOC alert can be created to detect any malicious usage of XDR Cleaner.


Threat actors do look for uninstallers of security solutions for defense evasion.

Kind Regards
KS
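One way to build the kind of execution monitoring discussed in this thread, as an added example that is not Palo Alto Networks code and not a BIOC rule export: a small Python matcher run over constructed process-creation events. The event field names (`ts`, `host`, `user`, `image`, `cmdline`, `parent_image`), the executable name `XdrAgentCleaner.exe`, and the break-glass allow-list are all assumptions; map them to whatever your EDR or SIEM actually emits. Every run is recorded so an audit trail exists, and runs by accounts outside the allow-list are raised to high severity.

```python
"""
Detect executions of the Cortex XDR uninstaller (XdrAgentCleaner) in
process-creation telemetry. Added example for this thread, not Palo Alto code.
Field names in the events are assumptions modelled on Sysmon-style process
creation logs; adapt them to what your EDR or SIEM actually emits.
"""
import json
from pathlib import PureWindowsPath

# Image names the rule watches for (assumption: the tool runs as
# XdrAgentCleaner.exe, which the thread also calls "XDR Cleaner").
WATCHED_IMAGES = {"xdragentcleaner.exe"}

# Constructed sample telemetry, one JSON object per line: two benign
# process starts and one XdrAgentCleaner run from a user's Downloads folder.
SAMPLE_EVENTS = [
    '{"ts":"2024-05-01T10:00:01Z","host":"WS-042","user":"CORP\\\\alice",'
    '"image":"C:\\\\Windows\\\\System32\\\\notepad.exe","cmdline":"notepad.exe",'
    '"parent_image":"C:\\\\Windows\\\\explorer.exe"}',
    '{"ts":"2024-05-01T10:02:17Z","host":"WS-042","user":"CORP\\\\alice",'
    '"image":"C:\\\\Users\\\\alice\\\\Downloads\\\\XdrAgentCleaner.exe",'
    '"cmdline":"XdrAgentCleaner.exe","parent_image":"C:\\\\Windows\\\\explorer.exe"}',
    '{"ts":"2024-05-01T10:05:00Z","host":"SRV-07","user":"NT AUTHORITY\\\\SYSTEM",'
    '"image":"C:\\\\Windows\\\\System32\\\\svchost.exe","cmdline":"svchost.exe -k netsvcs",'
    '"parent_image":"C:\\\\Windows\\\\System32\\\\services.exe"}',
]


def detect(event_lines, authorized_users):
    """Return one alert per XdrAgentCleaner execution found in event_lines.

    authorized_users: accounts allowed to run the break-glass uninstaller
    (assumed allow-list). Runs by anyone else are 'high'; runs by an
    authorized account are still recorded as 'info' so every use is audited.
    """
    allowed = {u.lower() for u in authorized_users}
    alerts = []
    for line in event_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped rather than trusted
        image = ev.get("image", "")
        # Compare on the file name only, so the rule fires regardless of
        # where on disk the uninstaller was staged.
        if PureWindowsPath(image).name.lower() not in WATCHED_IMAGES:
            continue
        user = ev.get("user", "")
        alerts.append({
            "rule": "xdr-agent-cleaner-executed",
            "ts": ev.get("ts"),
            "host": ev.get("host"),
            "user": user,
            "image": image,
            "parent_image": ev.get("parent_image"),
            "severity": "info" if user.lower() in allowed else "high",
        })
    return alerts


if __name__ == "__main__":
    # Assumed break-glass account; alice is not on the list, so this is 'high'.
    for alert in detect(SAMPLE_EVENTS, authorized_users={"CORP\\ops-breakglass"}):
        print(json.dumps(alert))
```

Because the uninstaller stops the agent before it can report, this logic only helps if the process-creation events reach the data lake or SIEM from a source the cleaner does not remove (the OS audit log forwarded by a separate agent, or the XDR telemetry already shipped before the kill). The allow-list turns the "who should have access" control from the replies above into something that fires when it is violated.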