Solved

Paloalto XDR Cymulate Exceptions

  • 9 May 2022
  • 3 replies
  • 367 views

Badge

Hi,

We are trying to configure correctly cymulate exceptions on Paloalto Cortex xDR. ¿is there any recomendations about it? ¿someone with the same enviroment?

Thank you

icon

Best answer by arien_seghetti 9 May 2022, 11:47

View original

3 replies

Userlevel 1
Badge +3

Antonio

Hi,

We are trying to configure correctly cymulate exceptions on Paloalto Cortex xDR. ¿is there any recomendations about it? ¿someone with the same enviroment?

Thank you

Antonio the malware profiles you need to edit. You will add the file whitelisting in the below areas

In the malware profile you add the whitelist folder to the Portable Executable and DLL Examination, Office Files with Macros Examination,Behavioral Threat Protection

Badge

Hi,

We are checking if the system is working as expected after whitelisting. 

Cortex is showing these type of events, we are not sure if the exclusions are right or we are blocking cymulate process, is this usual behaviour?

 

Application Information:
Source process ID: 25672
Source process name: CymulateEDRScenarioExecutor.exe
Source application location: C:\ProgramData\Cymulate\Agent\AttacksLogs\EDR\627a71aaaad84f95f01d439d\workingDir\CymulateEDRScenarioExecutor.exe
Source process command line: "C:\ProgramData\Cymulate\Agent\AttacksLogs\EDR\627a71aaaad84f95f01d439d\workingDir\CymulateEDRScenarioExecutor.exe" SPOOLERHIJACK_nativeransomwareremotekeyOurAESoverwrite "C:\ProgramData\Cymulate\EDR_Attacks\627a71aaaad84f95f01d439d\3b18c41bcd4ccefb846de63404df1bbb_SPOOLERHIJACK_nativeransomwareremotekeyOurAESoverwrite.exe" .exe 627a71aaaad84f95f01d439d 3b18c41bcd4ccefb846de63404df1bbb "C:\ProgramData\Cymulate\Agent\AttacksLogs\EDR\627a71aaaad84f95f01d439d" "python"
Source application version: 1.0.0.0
Source application publisher: Cymulate Ltd
Source application signers: Cymulate Ltd
Source process user name: 


Prevention Information:
Prevention date: martes, 10 de mayo de 2022
Prevention time: 16:14:15
OS version: 10.0.19042
Component: Behavioral Threat Protection
Cortex XDR code: C0400067
Prevention description: Behavioral threat detected
Verdict: 0
Quarantined: False
Post-Detected: False
Rule name: malicious_image_load.13
Remote actor causality ID: AdhkeDoBkQAAAGRIAAAAAA==

Badge

We added this lines in the allow list in the he Portable Executable and DLL Examination, Office Files with Macros Examination,Behavioral Threat Protection:

C:\*\CymulateEDRScenarioExecutor.dll

C:\*\CymulateEDRScenarioExecutor.exe

C:\*\CymulateEDR.dll

C:\*\CymulateLM.exe

C:\*\HopperMaster.dll

C:\*\RedTeamExecutor.dll

C:\*\RedTeamExecutor.exe

C:\*\CymulateAgentInstaller.msi

C:\*\CymulateFileDecryptor.exe

C:\*\CymulateAgentUpdater.exe

C:\*\CymulateWatchDog.exe

C:\*\CymulateElevated.exe

C:\*\CymulateAgent.exe

Reply