This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About KanwarSingh01
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About KanwarSingh01
12-14-2022
57Posts
29Likes
3Solutions
Dec 14, 2022Last Visited
User
Activity
User
Profile
Latest posts by KanwarSingh01
| Subject | Views | Posted |
|---|---|---|
| 733 | 09-18-2022 07:10 PM | |
| 1501 | 09-15-2022 09:29 PM | |
| 792 | 09-15-2022 08:46 PM | |
Re: agent cortex xdr vulnerability | 94 | 06-26-2022 11:29 PM |
| 1330 | 06-11-2022 03:02 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 09-15-2022 09:29 PM | |
| 1 Like | 05-19-2022 02:15 AM | |
| 2 Likes | 05-20-2022 03:40 AM | |
| 2 Likes | 03-27-2022 03:15 PM | |
| 2 Likes | 04-26-2022 11:25 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 7 Likes | |||
| 11 Likes | |||
| 1 Like | |||
| 1 Like | |||
| 2 Likes |
User Badges
Community Statistics
| Member Since | 11-23-2020 03:59 PM |
| Date Last Visited | 12-14-2022 01:15 AM |
| Posts | 57 |
| Total Likes Received | 29 |
09-18-2022
07:10 PM
Hi @RFeyertag I would probably create BIOC rules with multiple logic:
Low Severity: Create a BIOC rule for srtings64.exe containing *.dmp in its command line. (Even though the article mentions that you could do an offline strings dump etc, Why? Obviously if done on the box it will create more telemetry and more telemetry creates more detection opportunities)
Informational Severity: Create a BIOC rule where I would monitor for a process command line containing a *.dmp in its CLI. (Produces quite a bit noise)
Medium Severity: Create a BIOC rule where an unsigned image created a *.dmp file (Please consider the noise in the environment before creation.)
Medium Severity: Create a BIOC rule where tool name such as procdump*.exe or dumpit.exe i.e. common process dump utilities are used.
Medium Severity: Create a BIOC rule where an image signer includes Microsoft* as a key word but the image name is not a known Microsoft Utility.
Medium Severity: rundll32.exe executing comsvc.dll
Before doing above baseline first:
config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_CREATE_NEW,ENUM.FILE_WRITE)
| filter actor_process_image_name != null
| filter actor_process_image_name not in ("werfault.exe","System") and action_file_name = "*.dmp"
| fields _time as Time_Stamp, agent_hostname as Host, agent_ip_addresses as IP_Addr, action_file_name as Dump_Filename, actor_process_image_name as Process
Thanks
Kanwar
... View more
09-15-2022
09:29 PM
1 Kudo
@mfakhouri Great write up. Really appreciate the time you have spent on this.
Regards
Kanwar
... View more
09-15-2022
08:46 PM
Hi,
Is it possible to acquire memory using Cortex XDR for digital forensics? We are not looking for process dump but a complete memory dump of the system which we can further use with tool like volatility or something.
Thanks in advance.
Regards
Kanwar
... View more
06-26-2022
11:29 PM
@Freddieozment There are multiple ways to check what you are looking for. 1. Via XQL 2. Dashboard and select for Agent Management Dashboard 3. See screenshot below: Thank You.
... View more
06-11-2022
03:02 PM
Agree with @PeteJacobCF we should be able to target more specific version i.e. specific minor version with agent auto-upgrade as well. Hope this feature is introduced soon.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-14-2022
01:15 AM
|
Likes Given To
Likes From
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks