ossec-agent.exe and Palo Alto Behavioral Threat Incident


Lee Seeman

Oct 16, 2020, 9:54:32 AM10/16/20
to Wazuh mailing list
Palo Alto Cortex XDR is detecting and blocking 'ossec-agent.exe' and its chain of processes as a Behavioral Threat for the following MITRE ATT&CK techniques:

  1. T1555 - Credentials from Password Stores 
  2. OS Credential Dumping: Security Account Manager  
  3. T1555 - Credentials from Password Stores 
Unfortunately Cortex still blocks and alerts even if the path is added to the allow list or the signer is added in the behavioral threat analysis profile. This is due to it hitting rule-sets; Palo Alto engineering is analyzing and adding a support exception...

My question is, can someone confirm this is a result of the Wazuh Vulnerability Detection module being enabled?

Lee Seeman

Oct 16, 2020, 10:13:39 AM10/16/20
to Wazuh mailing list

Lee Seeman

Oct 16, 2020, 10:15:10 AM10/16/20
to Wazuh mailing list
Key Artifacts that were in the process chain:
net.exe
cmd.exe
net1.exe
conhost.exe

On Friday, October 16, 2020 at 9:54:32 AM UTC-4 Lee Seeman wrote:
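To triage an alert like this one, the first thing to establish from your own telemetry is whether net.exe / net1.exe really descend from ossec-agent.exe (agent activity) or from something else on the host. The following is an added example, not code from this thread, from Wazuh or from Palo Alto: it rebuilds parent-child chains from process-creation records and reports only the chains that pass through a given ancestor. The event records are constructed for illustration; the field layout (pid, ppid, image path) loosely mimics a Sysmon Event ID 1 record but is an assumption.

```python
"""Reconstruct process ancestry from process-creation events and report the
chains in which a chosen leaf process (default net1.exe) descends from a
chosen ancestor (default ossec-agent.exe).

Added example for triaging the Cortex XDR behavioral alert discussed above.
Not code from the thread, Wazuh or Palo Alto. SAMPLE_EVENTS is constructed
sample data; the (pid, ppid, image) tuple shape is an assumption.
"""

# Constructed sample events: (pid, ppid, image). Not real telemetry.
# One net.exe chain descends from ossec-agent.exe, another from explorer.exe,
# so the example shows both a hit and a non-hit.
SAMPLE_EVENTS = [
    (412, 4, r"C:\Windows\System32\services.exe"),
    (1308, 412, r"C:\Program Files (x86)\ossec-agent\ossec-agent.exe"),
    (2216, 1308, r"C:\Windows\System32\cmd.exe"),
    (2230, 2216, r"C:\Windows\System32\conhost.exe"),
    (2244, 2216, r"C:\Windows\System32\net.exe"),
    (2252, 2244, r"C:\Windows\System32\net1.exe"),
    (3100, 412, r"C:\Windows\explorer.exe"),
    (3120, 3100, r"C:\Windows\System32\cmd.exe"),
    (3130, 3120, r"C:\Windows\System32\net.exe"),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Map pid -> ppid and pid -> image path from the event list."""
    parents = {}
    images = {}
    for pid, ppid, image in events:
        parents[pid] = ppid
        images[pid] = image
    return parents, images


def ancestry(pid, parents, images):
    """Walk from pid up to the oldest known ancestor.

    Returns image basenames child-first. Stops when the parent pid is
    unknown (e.g. the System process) or a cycle is detected, which can
    happen when pids are reused after a process exits.
    """
    chain = []
    seen = set()
    while pid in images and pid not in seen:
        seen.add(pid)
        chain.append(basename(images[pid]))
        pid = parents[pid]
    return chain


def find_chains(events, leaf="net1.exe", root="ossec-agent.exe"):
    """Return every chain (oldest ancestor first) ending in `leaf` whose
    ancestry includes `root`. Chains that do not pass through `root` are
    left out, so the caller sees only what the EDR would attribute to it."""
    parents, images = build_tree(events)
    hits = []
    for pid, image in images.items():
        if basename(image) != leaf:
            continue
        chain = ancestry(pid, parents, images)
        if root in chain:
            hits.append(list(reversed(chain)))
    return hits


if __name__ == "__main__":
    for chain in find_chains(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

If the only chains reported are the ones rooted in ossec-agent.exe and they match what the agent is configured to run, the alert is attributable to the agent; a net.exe chain rooted elsewhere (explorer.exe in the constructed data) is the one that deserves a closer look, because an EDR exclusion for ossec-agent.exe would not cover it.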

Lee Seeman

Oct 21, 2020, 11:13:52 AM10/21/20
to Wazuh mailing list
This is a false-positive Mimikatz Behavioral Threat incident with PAN Cortex XDR. PAN support engineering is working on a content update for it and exclusion.