Incident #1042 - XDR Test Manager

HIGH 'Protection Against Security Measures Bypass Techniques - 1952317967' along with 5 other issues

RESOLVED DUPLICATE INCIDENT ID: #1042 | Created: 2026-01-08 16:10:23

Alerts

Hosts

Files

Network

Incident Overview

'Protection Against Security Measures Bypass Techniques - 1952317967' along with 5 other issues generated by XDR Agent detected on host book-r0be6s1nc3 involving 2 users

Alert Count 6

Modified 2026-01-08 16:20

Assigned To Unassigned

Sources XDR Agent

Alert Categories

Malware

Affected Hosts & Users

Hosts (1)

Users (2)

book-r0be6s1nc3\ubuntu ubuntu

MITRE ATT&CK Mapping

Tactics (2)

TA0005 - Defense Evasion TA0002 - Execution

Techniques (3)

T1059 - Command and Scripting Interpreter T1562.001 - Impair Defenses: Disable or Modify Tools T1059.001 - Command and Scripting Interpreter: PowerShell

Related Alerts 6

ID	Severity	Name	Host	Action	Time
17775	HIGH	Protection Against Security Measures Bypass Techniques - 1952317967	BOOK-R0BE6S1NC3	Detected (Reported)	01-08 16:17
17773	HIGH	Protection Against Security Measures Bypass Techniques - 1952317967	BOOK-R0BE6S1NC3	Detected (Reported)	01-08 16:17
17772	HIGH	Protection Against Security Measures Bypass Techniques - 1903466637	BOOK-R0BE6S1NC3	Prevented (Blocked)	01-08 16:17
17774	HIGH	Protection Against Security Measures Bypass Techniques - 1952317967	BOOK-R0BE6S1NC3	Prevented (Blocked)	01-08 16:17
17768	MEDIUM	WildFire Malware	BOOK-R0BE6S1NC3	Prevented (Blocked)	01-08 16:09
17767	MEDIUM	WildFire Malware	BOOK-R0BE6S1NC3	Prevented (Blocked)	01-08 16:09

File Artifacts 11

File Name	Path	SHA256	Signature	Verdict	Actions
UltimateXdrGenerator.exe	-	`33d9c0b243d9d1e96684c1dc903a3006f6f5298c545f3d427d2c3a0d85f9cc0e`	SIGNATURE_UNSIGNED	UNKNOWN	VT
MegaGenerator.exe	-	`80bdce7d95e191491cc32247e3ee1accfd38d46b9de62127e591a0f2ff0b60d1`	SIGNATURE_UNSIGNED	UNKNOWN	VT
cmd.exe	-	`64afc6db3aad1289533662e2d79e27dd55c7dcdb8cd918b08e145ad82ad5acb4`	SIGNATURE_SIGNED	UNKNOWN	VT
powershell.exe	-	`0ff6f2c94bc7e2833a5f7e16de1622e5dba70396f31c7d5f56381870317e8c46`	SIGNATURE_SIGNED	UNKNOWN	VT
python.exe	-	`7d96a4ed35d6e596cd9dd8933feafc66349cc21f75be3b15c89fd336e50140c1`	SIGNATURE_SIGNED	UNKNOWN	VT
python.exe	-	`d70fced7f461f38f9f224d8673fb74e96e4facb4283ff4e8697543b457fea8a0`	SIGNATURE_SIGNED	UNKNOWN	VT
conhost.exe	-	`6651a3beb0df1e66363a950c37dc9305f185d161fb03761e172ccfa0a4ab4f89`	SIGNATURE_SIGNED	UNKNOWN	VT
timeout.exe	-	`106490870753d87d0c5a1b4fe83045a06518d415ec595bd1d0c30fe3ed4149c1`	SIGNATURE_SIGNED	UNKNOWN	VT
wscript.exe	-	`5919e37adbf233d1aadf793959eeeb7d1eba073b23b3572016564b407f0ad93f`	SIGNATURE_SIGNED	UNKNOWN	VT
wermgr.exe	-	`c142d90a7a76a449ac0ffad77b4e87d0d44cbf7fb6975f57dbab1eb616157a6e`	SIGNATURE_SIGNED	UNKNOWN	VT
chcp.com	-	`8d75e783f327f899a42927fc2927f0e3d1ec62c4ca1dc88de04dd67de9ae555d`	SIGNATURE_SIGNED	UNKNOWN	VT

Network Artifacts 0

No network artifacts found for this incident

Process Artifacts 6

Process	Command Line	Parent Process	User
wscript.exe	`"wscript.exe" "C:\app\cortex-xdr-siem-test\xdr_hidden_runner.vbs" --once`	wscript.exe	ubuntu
wscript.exe	`"wscript.exe" "C:\app\cortex-xdr-siem-test\xdr_hidden_runner.vbs" --once`	wscript.exe	ubuntu
wscript.exe	`"wscript.exe" "C:\app\cortex-xdr-siem-test\xdr_hidden_runner.vbs" --once`	wscript.exe	ubuntu
wscript.exe	`"wscript.exe" "C:\app\cortex-xdr-siem-test\xdr_hidden_runner.vbs" --once`	wscript.exe	ubuntu
MegaGenerator.exe	`"C:\app\cortex-xdr-siem-test\xdr_tools\MegaGenerator\bin\publish\MegaGenerator.e...`	cmd.exe	BOOK-R0BE6S1NC3\ubuntu
UltimateXdrGenerator.exe	`"C:\app\cortex-xdr-siem-test\xdr_tools\UltimateXdrGenerator\bin\publish\Ultimate...`	cmd.exe	BOOK-R0BE6S1NC3\ubuntu

Registry Artifacts 0

No registry artifacts found for this incident

Analyst Verdict

Classification

Risk Level

HIGH

Recommended Actions

Isolate affected endpoints
Investigate all related alerts
Document findings

Summary

Alerts

Hosts

Files

Network

Alert Categories

Malware

Timeline

01-08 16:20:04

Incident Modified

Status or details updated

01-08 16:20:04

Incident Resolved

resolved duplicate incident

01-08 16:17:08

Protection Against Security Measures Bypass Techniques - 1952317967

high - Detected (Reported)

01-08 16:17:08

Protection Against Security Measures Bypass Techniques - 1952317967

high - Detected (Reported)

01-08 16:17:07

Protection Against Security Measures Bypass Techniques - 1903466637

high - Prevented (Blocked)

01-08 16:17:06

Protection Against Security Measures Bypass Techniques - 1952317967

high - Prevented (Blocked)

01-08 16:10:23

Incident Created

#1042 - 'Protection Against Security Measures Bypass Techniques - 1952317967' along with 5 other issues

01-08 16:10:23

UltimateXdrGenerator.exe

Verdict: Unknown

01-08 16:10:23

MegaGenerator.exe

Verdict: Unknown

01-08 16:10:23

cmd.exe

Verdict: Unknown

01-08 16:10:23

powershell.exe

Verdict: Unknown

01-08 16:10:23

python.exe

Verdict: Unknown

01-08 16:10:23

python.exe

Verdict: Unknown

01-08 16:10:23

conhost.exe

Verdict: Unknown

01-08 16:10:23

timeout.exe

Verdict: Unknown

01-08 16:10:23

wscript.exe

Verdict: Unknown

01-08 16:10:23

wermgr.exe

Verdict: Unknown

01-08 16:09:02

WildFire Malware

medium - Prevented (Blocked)

01-08 16:09:01

WildFire Malware

medium - Prevented (Blocked)