04-23-2022 06:08 PM
@SGarringer What Cortex license version are you using? Seems like Prevent.
Can you take a look at the prevention folder in c:\ProgramData\Cyvera\Prevention Folders and look into the prevention alert which is generated around that time? This will give you a little bit more information for your investigation around the alert.
According to me, this alert triggers when you have a hash of a process which is similar to wscript.exe, cscript.exe, cmd.exe or powershell.exe (a scripting engine process) but the "process name" is not a scripting engine process, yet it has the same hash value, when triggered by a suspicious parent process as set up in the PA Cortex defined rule set.
hash of cmd.exe == hash of blahh.exe (Trigger Rule.) if the parent is x, y or z.exe (Something like this.)
List of scripting engines:
https://attack.mitre.org/techniques/T1059
You will come to know more about the story when you take a look at the prevention alert data in the folder which I have mentioned.
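The detection logic the reply describes (a process whose file hash matches a known scripting engine but whose image name does not, launched by a suspicious parent) can be sketched as a small offline checker. The following is an added example written for this page; it is not code from the poster, from Palo Alto Networks, or from the Cortex XDR rule set, and it does not reproduce how Cortex evaluates the rule. The reference hashes are computed from constructed stand-in byte strings rather than real binaries, the suspicious-parent list is hypothetical, and the sample process events are made up for the demonstration.

```python
import hashlib
import ntpath
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins: in a real deployment you would seed this table with
# the SHA-256 of the genuine wscript.exe, cscript.exe, cmd.exe and
# powershell.exe taken from a trusted gold image. Computing hashes of fake
# byte strings here just lets the example run without those binaries.
_FAKE_ENGINE_BINARIES: Dict[str, bytes] = {
    "wscript.exe": b"stand-in bytes for wscript.exe",
    "cscript.exe": b"stand-in bytes for cscript.exe",
    "cmd.exe": b"stand-in bytes for cmd.exe",
    "powershell.exe": b"stand-in bytes for powershell.exe",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Lookup table: file hash -> canonical scripting engine name.
SCRIPT_ENGINE_HASHES: Dict[str, str] = {
    sha256_hex(blob): name for name, blob in _FAKE_ENGINE_BINARIES.items()
}

# Hypothetical set of parent image names treated as suspicious launchers
# (Office applications and other common phishing footholds).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe"}


def classify(event: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Classify one process-start event.

    event keys: image_path, sha256, parent_image_path
    Returns (verdict, matched_engine) where verdict is one of:
      "ok"                              - not an engine, or engine under its own name
      "engine-renamed"                  - engine hash under a different name
      "engine-renamed-suspicious-parent" - same, launched by a suspicious parent
    """
    engine = SCRIPT_ENGINE_HASHES.get(event["sha256"].lower())
    if engine is None:
        return "ok", None
    image_name = ntpath.basename(event["image_path"]).lower()
    if image_name == engine:
        return "ok", engine  # genuine engine running under its expected name
    parent_name = ntpath.basename(event["parent_image_path"]).lower()
    if parent_name in SUSPICIOUS_PARENTS:
        return "engine-renamed-suspicious-parent", engine
    return "engine-renamed", engine


# Constructed sample telemetry for the demonstration.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # cmd.exe copied to blahh.exe and launched from Word: the case in the reply
        "image_path": r"C:\Users\alice\AppData\Local\Temp\blahh.exe",
        "sha256": sha256_hex(_FAKE_ENGINE_BINARIES["cmd.exe"]),
        "parent_image_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # genuine cmd.exe from Explorer: benign
        "image_path": r"C:\Windows\System32\cmd.exe",
        "sha256": sha256_hex(_FAKE_ENGINE_BINARIES["cmd.exe"]),
        "parent_image_path": r"C:\Windows\explorer.exe",
    },
    {   # powershell.exe renamed but launched from Explorer: renamed, parent not suspicious
        "image_path": r"C:\Users\alice\Downloads\update.exe",
        "sha256": sha256_hex(_FAKE_ENGINE_BINARIES["powershell.exe"]),
        "parent_image_path": r"C:\Windows\explorer.exe",
    },
    {   # unrelated binary: no engine hash match
        "image_path": r"C:\Windows\System32\notepad.exe",
        "sha256": sha256_hex(b"stand-in bytes for notepad.exe"),
        "parent_image_path": r"C:\Windows\explorer.exe",
    },
]


def run_sample() -> List[Tuple[str, str, Optional[str]]]:
    """Classify every sample event; returns (image name, verdict, engine) tuples."""
    results = []
    for event in SAMPLE_EVENTS:
        verdict, engine = classify(event)
        results.append((ntpath.basename(event["image_path"]).lower(), verdict, engine))
    return results


if __name__ == "__main__":
    for image, verdict, engine in run_sample():
        print(f"{image:<14} {verdict:<34} {engine or '-'}")
```

The hash lookup is what makes the check robust to renaming: an attacker who copies cmd.exe to blahh.exe keeps the file bytes, so the hash still matches while the image name does not. The parent check is the second condition the reply mentions; in the sample, the renamed powershell.exe launched from Explorer is still reported as renamed, but only the Word-spawned copy gets the stronger verdict.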