Hi folks, we recently had a pen test and had positive results. We do not use URL filtering, but have everything else. However, on 12/24/2017 we can now see a reboot.txt file sitting in our Windows\temp directory on an Oracle OAM server. Luckily, Carbon Black flagged the file as it was being run from cmd.exe and denied it. We can also see a new Windows Task Scheduler task created on 1/2/2017 that calls to run schtask1.ps1, which we did not create. We also cannot find that file. We did a restore of the VM to 12/21/2017; there is no trace of these new files and settings. We continue to see our threat alerts denying malicious traffic. Quick searches so far seem to indicate cryptocurrency mining. I see there are a couple of PA references out there for this. Curious if anyone has any comments as we continue our investigation, or if any of this rings a bell? I've been searching our traffic logs for cryptocurrency as mentioned here, but nothing so far. https://www.reddit.com/r/paloaltonetworks/comments/6n2781/how_can_i_detect_bitcoin_traffic_pan_7011_and/
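A triage script for the artifacts described in the post, added here as an example and not part of the original thread or any vendor tooling. It enumerates scheduled tasks whose actions invoke a .ps1 script and checks whether the referenced script still exists on disk (a dangling reference like the missing schtask1.ps1 is itself a signal), lists files created in Windows\Temp after the restore point, and pulls Security event 4698 (scheduled task created) for the same window. The restore date of 12/21/2017 is taken from the post; everything else (variable names, the assumption that the task-creation audit subcategory is enabled) is an assumption of this example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the affected host (or against an offline copy of the task XML).
$since = Get-Date '2017-12-21'   # last known-good point from the post's VM restore

# 1. Scheduled tasks whose actions run a .ps1 script, with creation metadata
#    and a check that the script file actually exists.
$suspectTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '\.ps1') {
            # first token ending in .ps1 is treated as the script path (assumption)
            $scriptPath = [regex]::Match($cmd, '\S+\.ps1').Value.Trim('"', "'")
            [xml]$xml = Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
            [pscustomobject]@{
                TaskPath     = $task.TaskPath
                TaskName     = $task.TaskName
                Author       = $xml.Task.RegistrationInfo.Author
                Created      = $xml.Task.RegistrationInfo.Date
                RunAs        = $task.Principal.UserId
                Command      = $cmd
                ScriptPath   = $scriptPath
                ScriptExists = if ($scriptPath) { Test-Path -LiteralPath $scriptPath } else { $null }
            }
        }
    }
}
"== Scheduled tasks that invoke PowerShell scripts =="
$suspectTasks | Sort-Object Created | Format-Table -AutoSize

# 2. Files dropped in Windows\Temp after the restore point (reboot.txt in the
#    post lived here). CreationTime can be forged, so treat it as a lead, not proof.
"== Files created in $env:SystemRoot\Temp since $since =="
Get-ChildItem -Path "$env:SystemRoot\Temp" -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Sort-Object CreationTime | Format-Table -AutoSize

# 3. Security event 4698 = "A scheduled task was created". Requires the
#    "Audit Other Object Access Events" subcategory to have been enabled before
#    the task was registered; if it was not, this query returns nothing.
"== Event 4698 (scheduled task created) since $since =="
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction Stop |
        Select-Object TimeCreated,
            @{ n = 'Subject';  e = { $_.Properties[1].Value } },   # account that created the task
            @{ n = 'TaskName'; e = { $_.Properties[4].Value } } |
        Format-Table -AutoSize
} catch {
    "No 4698 events found or Security log not readable: $($_.Exception.Message)"
}
```

Pair the task output with the Windows\Temp listing: a task registered around the same time as the dropped file, running a script that no longer exists, is the pattern worth preserving (export the task XML and the file before the VM is rolled back again, since the restore in the post wiped the evidence along with the artifacts).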