XdrAgentCleaner Execution Monitoring

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XdrAgentCleaner Execution Monitoring

L3 Networker

Is anyone monitoring XdrAgentCleaner execution? And if so i have a question, lets say when we run the XdrAgentCleaner, before the agent cleans all the Cortex traces, does it sends the EDR telemetry to cloud so in case if XdrAgentCleaner is used maliciously it can be tracked by creating detection rules of some sort?

Kind Regards
KS
10 REPLIES 10

L5 Sessionator

Hi @KanwarSingh01 as it is an uninstaller, it will cause the monitoring to stop immediately by killing running processes, and then remove the files/directories. You receive XDR Cleaner on-demand as a break-glass procedure, so its usage and distribution should be monitored.

 

How would you monitor? Will you be using XDR and create a BIOC detection rule? If this will be the approach then you would need data to be shipped for the alert to be fired on the XDR console, isnt it?

Kind Regards
KS

When I referred to as 'its usage and distribution should be monitored', I mean that your organization should have tight controls on who should have access to XDRCleaner. The usage of XDRCleaner is for removing Cortex XDR from the endpoints when the agent cannot be removed using the console (for reasons). The XDRCleaner agent should not be used as part of your standard operating procedures where end-users are expected to be in charge of removing endpoint security products. If this is the norm, please review this with your leadership to identify potential misuse and abuse cases, and the ramifications it might have on your organizational assets and IP.

 

I think in some orgs the processes are not there to control who does what with a software. I think if PA can create a logic where before erasing traces of Cortex with XDR Cleaner it should be able to write to some place on system itself referencing XDR Cleaner was used OR send data to data lake for a XDR console from there a BIOC alert can be created to detect any malicious usage of XDR cleaner.

 

Threat actors do look for uninstall software for Security solution for defense evasion.

Kind Regards
KS

L4 Transporter

Agree with @bbarmanroy, if you provide the agent cleaner to your users, it would be better to keep an eye on who has it and how are they using it.

As with any other security product, if users have access to uninstall them this should be monitored. Doesnt matter if it is a McAfee, Kaspersky, Windows Defender deactivation or even a FW might be shutdown or configuration changed if given access to do so.  

When uninstalling xdr, you will notice that the endpoint will appear as disconnected during some days and later it will completely dissapear. 

With any other antivirus you wont get any alert if a user dissapears otherwise you would have thousands of false possitives when a user shutdown computer or goes on holidays ... 

Something you might do depending on the license you have and if you have Broker VM deployed in your set up is to 

1- Activate the Network Mapper so you can scan your network to identify unmanaged hosts in your environment that will appear in the asset table. You need CXDR pro per EP or CXDR pro per TB license for this.

2- Activate pathfinder (same licenses as before): This will deploy a non-persistent data collector on unmanaged hosts (that is, where you dont have CXDR agents installed) so that whenever an Analytics medium or high severity alert is raised, this paathfinder collector will be triggered to collect EDR data from your unmanaged hosts

 

Broker VM, Network Mapper and Pathfinder are optional AND highly recommended to be deployed within your CXDR environment.

 

Have a good CXDR time and if this was helpful, please rate and thumbs up, like it

 

KR,

Luis 

L3 Networker

1. With any other antivirus you wont get any alert if a user dissapears otherwise you would have thousands of false possitives when a user shutdown computer or goes on holidays ... 

 

Maybe I'm misunderstanding but that's really not the case we get alerts when any part of windows is disabled shutdown or not, we just filter out those services when next to a shutdown event. Nor is any of this finger pointing productive. 

 

@KanwarSingh01 : You can setup a simple IOC to alert you when the XDR Clearer is utilized. The SHA and/or the filename can be used as each version is different depending on the agent. As soon as the cleaner is Dropped on the device's HD and executed this can be alerted on in the functional situation you are referencing. If the Agent is truly offline then you will not be able to monitor it's use without external tools like Sysmon / Windows Event logging. 

@KanwarSingh01Some malware modules are able to detect which AV solution you have running and are able to disable it, no need to run the Antivirus Uninstall. 

Checking just the execution of a hash (for the cleaner) is not either a solution. A botch job will give you a fake feeling of safety, since changing a hash is child's play about as easy as renaming a file. That is the reason why even we at xdr use hashes we do not totally rely on them, we do behavioral analytics and ML to spot the malicious.

Skilled attackers are not going to use known hashes or file names. That is why when having an AV just based on hash/signature wont protect you from real threats, but just from script kiddies and naive testers. 

The use of Network Mapper and Path Finder will help you in cases where an insider or external attacker might be able to disable Cortex, with the cleaner (remember we do also have anti-tampering to protect our xdr) 
A complementary tool might be implementing a NAC solution to monitor your endpoints so that when an endpoint do not comply with your policies , for example the AV or CXDR or any other security software is uninstalled/missing, the endpoint is isolated and reported. 

 

Hope this helps,
Luis 

 

L3 Networker

@eluis 

Your comment:
"A complementary tool might be implementing a NAC solution to monitor your endpoints so that when an endpoint do not comply with your policies , for example the AV or CXDR or any other security software is uninstalled/missing, the endpoint is isolated and reported. "

Is probably the requirement however we do not have one. In my mind i am guessing it will be a combination of some detection rules and analytical hunting of suspicious usage of XDR cleaner.

 

My scenario for asking this question is as below:

Valid Credential Compromise of an Admin > Access to IT tool kit > Execute XDR Cleaner > Boom!! (No AV and telemetry, domain compromise, no need to use a malware or anything just use same tool sets what Sysadmins use.)

Kind Regards
KS

"..That is the reason why even we at xdr use hashes we do not totally rely on them, we do behavioral analytics and ML to spot the malicious...."

 

And yet the number one solution on the Live community forms for tuning is to whitelist/blocks list by hash.... you can't have it both ways. It's either a solution or it isn't. 

Hi @KanwarSingh01 , 

about the NAC option was just as an additional monitoring option if you have it already on your budget or even deployed. 
As mentioned before, activating Network Mapper will spot the endpoints that dont have xdr installed. You can figure out  which endpoints are not protected, doesnt matter if it was a cleaner removal, a malware disabling it, a kind of process crash that migh be even not malicious ... and with the Pathfinder enabled you can even continue the monitoring of endpoints CXDR-less in case of medium or high alert on that endpoint not protected by xdr. 
Once you have noticed with Network Mapper which endpoints do not have xdr you can invetigate further the reason, agent cleaner, you'll find traces on it (reboot on safe mode), malware disabling it.... and if you have our CXDR forensic module enabled you could also investigate further what happended. Or more manually conducting a forensic investigation on that endpoint timeline on it ... 
KR,

Luis

  • 5256 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!