
@SGarringer What Cortex license version are you using? It seems to be Prevent.


Can you take a look at the prevention folder in c:\ProgramData\Cyvera\Prevention Folders and look into the prevention alert that is generated around that time? This will give a little more information for your investigation of the alert.


In my understanding, this alert triggers when you have a process whose hash is the same as wscript.exe, cscript.exe, cmd.exe or powershell.exe (a scripting engine process) but whose "process name" is not that of a scripting engine process, even though it has the same hash value. It is triggered when the parent is a suspicious process, as set up in the PA Cortex predefined rule set.


hash of cmd.exe == hash of blahh.exe (Trigger Rule.) if the parent is x, y or z.exe (Something like this.)

List of scripting engine:

https://attack.mitre.org/techniques/T1059


You will learn more about the story when you take a look at the prevention alert data in the folder I mentioned.

Kind Regards
KS
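The detection logic described in the post above (a binary whose hash matches a known scripting engine but whose process name does not, escalated when the parent is on a suspicious-parent list), as an added example that is not part of the original post and not Cortex's own rule code. The hash table, the parent list and the process records are all constructed stand-ins, not real values from any Windows build.

```python
import hashlib
from dataclasses import dataclass

# Constructed reference table: hypothetical SHA-256 values standing in for the
# real on-disk hashes of the scripting engine binaries. A real implementation
# would compute these from the installed Windows build and keep them current.
KNOWN_ENGINES = {
    name: hashlib.sha256(f"{name}-sample".encode()).hexdigest()
    for name in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
}

# Assumed watchlist of parents that should not normally spawn a scripting
# engine; the post only says "x, y or z.exe", so these names are illustrative.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


@dataclass
class Process:
    name: str      # image name as it appears in the process list
    sha256: str    # hash of the executable on disk
    parent: str    # image name of the parent process


def find_renamed_engines(procs, known=KNOWN_ENGINES, parents=SUSPICIOUS_PARENTS):
    """Return (observed name, real engine, parent, severity) for each process
    whose hash belongs to a scripting engine but whose name does not match it."""
    by_hash = {h.lower(): n for n, h in known.items()}
    findings = []
    for p in procs:
        original = by_hash.get(p.sha256.lower())
        if original is None or p.name.lower() == original:
            continue  # unknown binary, or the engine running under its own name
        severity = "high" if p.parent.lower() in parents else "medium"
        findings.append((p.name, original, p.parent, severity))
    return findings


# Constructed sample process records covering the cases the post describes.
SAMPLE_PROCESSES = [
    Process("cmd.exe", KNOWN_ENGINES["cmd.exe"], "explorer.exe"),          # legitimate
    Process("blahh.exe", KNOWN_ENGINES["cmd.exe"], "winword.exe"),         # renamed + bad parent
    Process("update.exe", KNOWN_ENGINES["powershell.exe"], "explorer.exe"),  # renamed only
    Process("notepad.exe", hashlib.sha256(b"notepad-sample").hexdigest(), "explorer.exe"),
]

if __name__ == "__main__":
    for hit in find_renamed_engines(SAMPLE_PROCESSES):
        print("renamed engine: %s is really %s (parent %s) severity=%s" % hit)
```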
