Antonio
Hi,
We are trying to configure Cymulate exceptions correctly on Palo Alto Cortex XDR. Are there any recommendations about it? Does anyone have the same environment?
Thank you
Best answer by arien_seghetti
Antonio, the malware profiles are what you need to edit. You will add the file whitelisting in the areas below.
In the malware profile you add the whitelist folder to Portable Executable and DLL Examination, Office Files with Macros Examination, and Behavioral Threat Protection.
Hi,
We are checking whether the system is working as expected after whitelisting.
Cortex is showing these types of events; we are not sure if the exclusions are right or if we are blocking the Cymulate process. Is this usual behaviour?
Application Information:
Source process ID: 25672
Source process name: CymulateEDRScenarioExecutor.exe
Source application location: C:\ProgramData\Cymulate\Agent\AttacksLogs\EDR\627a71aaaad84f95f01d439d\workingDir\CymulateEDRScenarioExecutor.exe
Source process command line: "C:\ProgramData\Cymulate\Agent\AttacksLogs\EDR\627a71aaaad84f95f01d439d\workingDir\CymulateEDRScenarioExecutor.exe" SPOOLERHIJACK_nativeransomwareremotekeyOurAESoverwrite "C:\ProgramData\Cymulate\EDR_Attacks\627a71aaaad84f95f01d439d\3b18c41bcd4ccefb846de63404df1bbb_SPOOLERHIJACK_nativeransomwareremotekeyOurAESoverwrite.exe" .exe 627a71aaaad84f95f01d439d 3b18c41bcd4ccefb846de63404df1bbb "C:\ProgramData\Cymulate\Agent\AttacksLogs\EDR\627a71aaaad84f95f01d439d" "python"
Source application version: 1.0.0.0
Source application publisher: Cymulate Ltd
Source application signers: Cymulate Ltd
Source process user name:
Prevention Information:
Prevention date: martes, 10 de mayo de 2022
Prevention time: 16:14:15
OS version: 10.0.19042
Component: Behavioral Threat Protection
Cortex XDR code: C0400067
Prevention description: Behavioral threat detected
Verdict: 0
Quarantined: False
Post-Detected: False
Rule name: malicious_image_load.13
Remote actor causality ID: AdhkeDoBkQAAAGRIAAAAAA==
We added these lines to the allow list in Portable Executable and DLL Examination, Office Files with Macros Examination, and Behavioral Threat Protection:
C:\*\CymulateEDRScenarioExecutor.dll
C:\*\CymulateEDRScenarioExecutor.exe
C:\*\CymulateEDR.dll
C:\*\CymulateLM.exe
C:\*\HopperMaster.dll
C:\*\RedTeamExecutor.dll
C:\*\RedTeamExecutor.exe
C:\*\CymulateAgentInstaller.msi
C:\*\CymulateFileDecryptor.exe
C:\*\CymulateAgentUpdater.exe
C:\*\CymulateWatchDog.exe
C:\*\CymulateElevated.exe
C:\*\CymulateAgent.exe
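As a check on the follow-up above, here is an added example (my own script, not Cymulate's or Palo Alto's code) that parses the quoted prevention event, pulls out every drive-letter path the event mentions, and reports which of them are covered by the posted `C:\*\<file>` allow-list entries. The event text and the list are copied from the thread; the wildcard semantics are an assumption: `*` is treated as matching any characters including backslashes, and comparison is case-insensitive. That is Python fnmatch behaviour, not Cortex XDR's documented matching, so confirm the real semantics before relying on the result for tuning.

```python
"""Check which file paths named in a Cortex XDR prevention event are covered
by a list of wildcard allow-list entries.

Added example for this thread, not Cymulate or Palo Alto code. Wildcard
semantics are an assumption: '*' matches any run of characters, including
backslashes, and matching is case-insensitive (fnmatch behaviour).
"""
import fnmatch
import re

# Constructed excerpt of the prevention event quoted in the thread (field
# names and values copied from the post, trimmed to the lines used here).
EVENT_TEXT = r"""Source process name: CymulateEDRScenarioExecutor.exe
Source application location: C:\ProgramData\Cymulate\Agent\AttacksLogs\EDR\627a71aaaad84f95f01d439d\workingDir\CymulateEDRScenarioExecutor.exe
Source process command line: "C:\ProgramData\Cymulate\Agent\AttacksLogs\EDR\627a71aaaad84f95f01d439d\workingDir\CymulateEDRScenarioExecutor.exe" SPOOLERHIJACK_nativeransomwareremotekeyOurAESoverwrite "C:\ProgramData\Cymulate\EDR_Attacks\627a71aaaad84f95f01d439d\3b18c41bcd4ccefb846de63404df1bbb_SPOOLERHIJACK_nativeransomwareremotekeyOurAESoverwrite.exe" .exe 627a71aaaad84f95f01d439d 3b18c41bcd4ccefb846de63404df1bbb "C:\ProgramData\Cymulate\Agent\AttacksLogs\EDR\627a71aaaad84f95f01d439d" "python"
Component: Behavioral Threat Protection
Rule name: malicious_image_load.13
"""

# The allow-list entries posted in the thread.
ALLOW_LIST = [
    r"C:\*\CymulateEDRScenarioExecutor.dll",
    r"C:\*\CymulateEDRScenarioExecutor.exe",
    r"C:\*\CymulateEDR.dll",
    r"C:\*\CymulateLM.exe",
    r"C:\*\HopperMaster.dll",
    r"C:\*\RedTeamExecutor.dll",
    r"C:\*\RedTeamExecutor.exe",
    r"C:\*\CymulateAgentInstaller.msi",
    r"C:\*\CymulateFileDecryptor.exe",
    r"C:\*\CymulateAgentUpdater.exe",
    r"C:\*\CymulateWatchDog.exe",
    r"C:\*\CymulateElevated.exe",
    r"C:\*\CymulateAgent.exe",
]

# Matches a Windows drive-letter path up to the next whitespace or quote.
_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')


def parse_event(text):
    """Split the 'Field: value' lines of the event into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def extract_paths(text):
    """Return every distinct drive-letter path mentioned in the event, in order."""
    seen = []
    for match in _PATH_RE.finditer(text):
        path = match.group(0)
        if path not in seen:
            seen.append(path)
    return seen


def matching_entry(path, allow_list):
    """Return the first allow-list entry that covers `path`, or None.

    Assumption: '*' spans directory separators and comparison is
    case-insensitive (fnmatch semantics, not Cortex XDR's documented ones).
    """
    for entry in allow_list:
        if fnmatch.fnmatchcase(path.lower(), entry.lower()):
            return entry
    return None


def coverage_report(event_text, allow_list):
    """Map each path in the event to the entry covering it (None if uncovered)."""
    return {path: matching_entry(path, allow_list) for path in extract_paths(event_text)}


def uncovered_paths(event_text, allow_list):
    """Paths the event names that no allow-list entry covers."""
    return [p for p, e in coverage_report(event_text, allow_list).items() if e is None]


if __name__ == "__main__":
    fields = parse_event(EVENT_TEXT)
    print(f"{fields['Component']} / {fields['Rule name']}")
    for path, entry in coverage_report(EVENT_TEXT, ALLOW_LIST).items():
        print(f"{'covered  ' if entry else 'UNCOVERED'} {path}  <- {entry}")
```

Run as-is it prints the Behavioral Threat Protection rule name and one line per path. Under the stated wildcard assumption the executor binary is covered by the posted list, while the payload under `EDR_Attacks` and the working directory passed on the command line are not; that is the kind of gap to look at first when BTP keeps firing after the whitelisting, and the report is meant to support that review rather than to justify broader exclusions.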