Set up exploit prevention profiles - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-12-11
Category
Administrator Guide
Abstract

Exploit prevention profiles control the action that the Cortex XDR agent takes when attempts to exploit software vulnerabilities or flaws occur.

Exploit prevention profiles block attempts to exploit system flaws in browsers, and in the operating system. For example, exploit prevention profiles help protect against exploit kits, illegal code execution, and other attempts to exploit process and system vulnerabilities.

You can configure the action that the Cortex XDR agent takes when attempts to exploit software vulnerabilities or flaws occur. To protect against specific exploit techniques, you can customize the exploit protection capabilities in each exploit prevention profile. Default settings are shown in parentheses. To fine-tune your exploit prevention policy, you can override the configuration of each capability to block the malicious exploit, allow it but report it, or disable the module.

To view which processes are protected by each capability, see Processes Protected by Exploit Security Policy.

For each setting that you override, clear the corresponding option to Use Default, and select the setting of your choice.

Note

In this profile, the Report options configure the endpoints to report the corresponding exploit attempts to Cortex XSIAM, without blocking them. The Disabled options configure the endpoints to neither analyze nor report the corresponding malware or behavior.

The tasks below are organized according to the operating systems used by your organization's endpoints.

Windows

  1. Add a new profile and define basic settings.

    1. From Cortex XSIAM, select Endpoints > Policy Management > Prevention > Profiles. Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the Windows platform, and Exploit as the profile type.

    3. Click Next.

    4. For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. Configure Browser Exploits Protection, to protect endpoints from malicious or compromised websites.

    Action Mode (options: Block, Report, or Disabled)

    When the Cortex XDR agent detects attempts to exploit browser processes for malicious purposes, it performs the configured action.

  3. Configure Logical Exploits Protection to prevent execution of malicious code using common operating system mechanisms.

    Action Mode (options: Block, Report, or Disabled)

    When the Cortex XDR agent detects attempts to execute malicious code using operating system mechanisms, it performs the configured action.

    Block List DLLs

    The block list blocks the specified DLLs when they are run by a protected process, using the DLL Hijacking module.

    1. Click +Add to configure entries in your Block List.

    2. Enter the name of the process that you want to block.

    3. Enter the associated DLL name.

      The DLL folder or file must include the complete path. To complete the path, you can use environment variables or the asterisk (*) as a wildcard to match any string of characters (for example, */windows32/).

  4. Configure Known Vulnerable Processes Protection to automatically protect endpoints from attacks that try to leverage common operating system mechanisms for malicious purposes.

    Action Mode (options: Block, Report, or Disabled)

    Attackers can use existing mechanisms in the operating system to execute malicious code. When this option is set to Block, you can additionally configure Java Deserialization Protection to block such code.

    Java Deserialization Protection (options: Enabled or Disabled)

    When enabled, this capability inherits the action mode defined for Known Vulnerable Processes Protection.

  5. Configure Operating System Exploit Protection to prevent attackers from using operating system mechanisms for malicious purposes.

    Action Mode (options: Block, Report, or Disabled)

    When the Cortex XDR agent detects attempts to use the operating system's own mechanisms to perform an attack, it performs the configured action.

  6. Configure Exploit Protection for Additional Processes to protect third-party processes running on endpoints.

    Action Mode (options: Block, Report, or Disabled)

    The Cortex XDR agent can protect third-party processes from exploitation. To protect these processes, define them in the Processes list below this field. If you select the Block option, we recommend that you perform testing and validation to ensure that there are no compatibility issues with the third-party processes that you have defined.

    Note

    In exploit prevention profiles, if you change the action mode for processes, you must restart the protected processes for the following security modules to take effect on the process and its forked processes:

    • Brute Force Protection

    • Java Deserialization

    • ROP

    • SO Hijacking

    Processes

    If you want to add exploit protection for one or more additional third-party processes, add them here.

    1. Click +Add to configure entries in your Processes list.

    2. Enter the file name of the process that you want to block, and press ENTER.

    3. For additional processes, repeat the previous steps.

  7. Configure Unpatched Vulnerabilities Protection to provide a temporary workaround for protecting unpatched endpoints from known vulnerabilities.

    Note

    This step provides a temporary workaround for the following publicly known information-security vulnerabilities and exposures: CVE-2021-24074, CVE-2021-24086 and CVE-2021-24094.

    If you choose not to patch the endpoint, the Unpatched Vulnerabilities Protection capability allows the Cortex XDR agent to apply a workaround to protect the endpoints from the known vulnerability. It takes the Cortex XDR agent up to 6 hours to enforce your configured policy on the endpoints.

    Note

    If you have Windows endpoints in your network that are unpatched and exposed to a known vulnerability, we strongly recommend that you upgrade to the latest Windows Update that has a fix for that vulnerability.

    Modify IPv4 and IPv6 Settings (options: Do not modify system settings; Modify settings until the endpoint is patched; Revert system settings to your previous settings)

    To address known vulnerabilities CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094, you can Modify IPv4 and IPv6 settings as follows:

    • Do not modify system settings (default): Do not modify the IPv4 and IPv6 settings currently set on the endpoint, whether the current values are your original values or values that were modified as part of this workaround.

    • Modify system settings until the endpoint is patched: If the endpoint is already patched, this option does not modify any system settings. For unpatched endpoints, the Cortex XDR agent runs the following commands to temporarily modify the IPv4 and IPv6 settings until the endpoint is patched. After the endpoint is patched for CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094, all Windows system settings modified as part of this workaround are automatically reverted to their pre-modification values. Palo Alto Networks strongly recommends that you review these commands before applying this workaround in your network, to ensure that your critical business components are not affected or harmed:

      netsh int ipv6 set global reassemblylimit=0

      This command disables IPv6 fragmentation on the endpoint.

      netsh int ipv4 set global sourceroutingbehavior=drop

      This command disables LSR / loose source routing for IPv4.

    • Revert system settings to your previous settings: Revert all Windows system settings to their values before modification as part of this workaround, regardless of whether the endpoint was patched or not.

    Warning

    This workaround applies only to the specific Windows versions listed as exposed to these CVEs, and requires a Cortex XDR agent release 7.1 or later and content 167-51646 or later. This workaround is not recommended for non-persistent, stateless, or linked-clone environments. In some cases, enabling this workaround can affect the network functionality on the endpoint.
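    The following PowerShell script is an added example, not part of the Cortex XSIAM documentation or the Cortex XDR agent. It reads the two global TCP/IP settings that the netsh commands above change and reports whether the workaround is currently in effect on the endpoint, so you can confirm that the Modify or Revert option has been enforced (the agent can take up to 6 hours). It assumes the "Reassembly Limit" and "Source Routing Behavior" label names printed by "netsh interface ipv6/ipv4 show global", and must run in an elevated session on the Windows endpoint.

```powershell
# Added example (not from the Cortex XSIAM documentation or the Cortex XDR agent).
# Checks whether the Unpatched Vulnerabilities Protection workaround for
# CVE-2021-24074, CVE-2021-24086 and CVE-2021-24094 is in effect on this endpoint
# by reading the global settings the two documented netsh commands modify.
# Assumes the "Reassembly Limit" / "Source Routing Behavior" labels that
# "netsh interface <family> show global" prints.

function Get-NetshGlobalValue {
    param(
        [Parameter(Mandatory)] [ValidateSet('ipv4', 'ipv6')] [string] $Family,
        [Parameter(Mandatory)] [string] $Label
    )
    # netsh prints one "Label : value" pair per line; return the first matching value.
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:\s*(.+?)\s*$'
    foreach ($line in (& netsh interface $Family show global)) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null   # label not found (unexpected netsh output or locale)
}

function Test-UnpatchedVulnerabilitiesWorkaround {
    $reassembly    = Get-NetshGlobalValue -Family ipv6 -Label 'Reassembly Limit'
    $sourceRouting = Get-NetshGlobalValue -Family ipv4 -Label 'Source Routing Behavior'

    # Values produced by the two commands the documentation lists:
    #   netsh int ipv6 set global reassemblylimit=0           -> "0 bytes"
    #   netsh int ipv4 set global sourceroutingbehavior=drop  -> "drop"
    $ipv6FragmentationOff = ($null -ne $reassembly)    -and ($reassembly -match '^0(\s|$)')
    $ipv4SourceRoutingOff = ($null -ne $sourceRouting) -and ($sourceRouting -eq 'drop')

    $state = 'NotApplied'
    if ($ipv6FragmentationOff -and $ipv4SourceRoutingOff) { $state = 'Applied' }
    elseif ($ipv6FragmentationOff -or $ipv4SourceRoutingOff) { $state = 'Partial' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        IPv6ReassemblyLimit = $reassembly
        IPv4SourceRouting   = $sourceRouting
        WorkaroundState     = $state   # Applied / Partial / NotApplied
    }
}

Test-UnpatchedVulnerabilitiesWorkaround | Format-List
```

    A "Partial" result after the enforcement window usually means one of the two settings was changed outside the agent (for example by another tool or a script), and is worth investigating before trusting the Revert option to restore your original values.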

  8. To save the profile, click Create.

macOS

  1. Add a new profile and define basic settings.

    1. From Cortex XSIAM, select Endpoints > Policy Management > Prevention > Profiles. Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the macOS platform, and Exploit as the profile type.

    3. Click Next.

    4. Enter a unique Profile Name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. Configure Browser Exploits Protection, to protect endpoints from malicious or compromised websites.

    Action Mode (options: Block, Report, or Disabled)

    When the Cortex XDR agent detects attempts to exploit browser processes for malicious purposes, it performs the configured action.

  3. Configure Logical Exploits Protection to prevent execution of malicious code using common operating system mechanisms.

    Action Mode (options: Block, Report, or Disabled)

    When the Cortex XDR agent detects attempts to execute malicious code using operating system mechanisms, it performs the configured action.

  4. Configure Known Vulnerable Processes Protection to automatically protect endpoints from attacks that try to leverage common operating system mechanisms for malicious purposes.

    Action Mode (options: Block, Report, or Disabled)

    Attackers can use existing mechanisms in the operating system to execute malicious code. When this option is set to Block, you can additionally configure Java Deserialization Protection to block such code.

  5. Configure Operating System Exploit Protection to prevent attackers from using operating system mechanisms for malicious purposes.

    Action Mode (options: Block, Report, or Disabled)

    When the Cortex XDR agent detects attempts to use the operating system's own mechanisms to perform an attack, it performs the configured action.

  6. Configure Exploit Protection for Additional Processes to protect third-party processes running on endpoints.

    Action Mode (options: Block, Report, or Disabled)

    The Cortex XDR agent can protect third-party processes from exploitation. To protect these processes, define them in the Processes list below this field. If you select the Block option, we recommend that you perform testing and validation to ensure that there are no compatibility issues with the third-party processes that you have defined.

    Note

    In exploit prevention profiles, if you change the action mode for processes, you must restart the protected processes for the following security modules to take effect on the process and its forked processes:

    • Brute Force Protection

    • Java Deserialization

    • ROP

    • SO Hijacking

    Processes

    If you want to add exploit protection for one or more additional third-party processes, add them here.

    1. Click +Add to configure entries in your Processes list.

    2. Enter the file name of the process that you want to block, and press ENTER.

    3. For additional processes, repeat the previous steps.

  7. To save the profile, click Create.

Linux

  1. Add a new profile and define basic settings.

    1. From Cortex XSIAM, select Endpoints > Policy Management > Prevention > Profiles. Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the Linux platform, and Exploit as the profile type.

    3. Click Next.

    4. Enter a unique Profile Name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. Configure Known Vulnerable Processes Protection to automatically protect endpoints from attacks that try to leverage common operating system mechanisms for malicious purposes.

    Action Mode (options: Block, Report, or Disabled)

    Attackers can use existing mechanisms in the operating system to execute malicious code. When this option is set to Block, you can additionally configure Java Deserialization Protection to block such code.

  3. Configure Operating System Exploit Protection to prevent attackers from using operating system mechanisms for malicious purposes.

    Action Mode (options: Block, Report, or Disabled)

    When the Cortex XDR agent detects attempts to use the operating system's own mechanisms to perform an attack, it performs the configured action.

  4. Configure Exploit Protection for Additional Processes to protect third-party processes running on endpoints.

    Action Mode (options: Block, Report, or Disabled)

    The Cortex XDR agent can protect third-party processes from exploitation. To protect these processes, define them in the Processes list below this field. If you select the Block option, we recommend that you perform testing and validation to ensure that there are no compatibility issues with the third-party processes that you have defined.

    Note

    In exploit prevention profiles, if you change the action mode for processes, you must restart the protected processes for the following security modules to take effect on the process and its forked processes:

    • Brute Force Protection

    • Java Deserialization

    • ROP

    • SO Hijacking

    Processes

    If you want to add exploit protection for one or more additional third-party processes, add them here.

    1. Click +Add to configure entries in your Processes list.

    2. Enter the file name of the process that you want to block, and press ENTER.

    3. For additional processes, repeat the previous steps.

  5. To save the profile, click Create.