Create a query to investigate the connections between image load activity, acting processes, and endpoints.
From the Query Builder you can investigate connections between image load activity, acting processes, and endpoints.
Examples of image load queries you can run include searching for image load into process events by module path or hash.
To build an image load query:
From Cortex XDR, select
Enter the search criteria for the image load activity:
Type of image activity: Change Page Protection
Identifying information about the image module: Full
By default, Cortex XDR will return the activity that matches all the criteria you specify. To exclude a value, toggle the
Limit the scope to a specific acting process: and specify one or more of the following attributes for the acting (parent) process. Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
—Name of the parent process.
—Path to the parent process.
—Command-line used to initiate the parent process, including any arguments, up to 128 characters.
—MD5 hash value of the parent process.
—SHA256 hash value of the parent process.
—User who executed the parent process.
—Signing status of the parent process: Signed, Unsigned, N/A, Invalid Signature, Weak Hash.
—Entity that signed the certificate of the parent process.
—Process ID of the parent process.
Run search on process, Causality and OS actors
The causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR agent identified as being responsible for initiating the process tree. The OS actor is the parent process that creates an OS process on behalf of a different initiator. By default, this option is enabled to apply the same search criteria to initiating processes. To configure different attributes for the parent or initiating process, clear
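The matching rules described above (every criterion must match, a per-value exclude toggle, pipe-separated alternatives, asterisk wildcards, and the option that applies the acting-process criteria to the causality and OS actors too) are easier to reason about when modelled end to end. The following Python is an added example, not Cortex XDR code or the Query Builder's implementation: the record field names, sample events, hostnames and hashes are constructed (the page's own attribute labels did not survive extraction), matching is assumed to be case-insensitive, and the causality/OS actor option is interpreted as "the event matches when any of the three actors satisfies the acting-process criteria", which is an assumption about the product's behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import List


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Turn a Query Builder style value into a regex.

    '|' separates alternatives, '*' matches any run of characters and
    everything else is literal.  Case-insensitive matching is an assumption.
    """
    alternatives = []
    for alt in pattern.split("|"):
        parts = [re.escape(p) for p in alt.strip().split("*")]
        alternatives.append(".*".join(parts))
    return re.compile("^(?:" + "|".join(alternatives) + ")$", re.IGNORECASE)


@dataclass
class Criterion:
    field: str            # attribute name on the module or actor record (assumed names)
    pattern: str          # pipe-separated alternatives, '*' wildcard
    exclude: bool = False  # the page's "exclude a value" toggle

    def matches(self, record: dict) -> bool:
        value = str(record.get(self.field, ""))
        hit = pattern_to_regex(self.pattern).match(value) is not None
        return (not hit) if self.exclude else hit


@dataclass
class ImageLoadQuery:
    module_criteria: List[Criterion] = field(default_factory=list)
    actor_criteria: List[Criterion] = field(default_factory=list)
    # "Run search on process, Causality and OS actors": enabled by default.
    search_causality_and_os_actors: bool = True

    def matches(self, event: dict) -> bool:
        # Default semantics from the page: the event must satisfy ALL criteria.
        if not all(c.matches(event["module"]) for c in self.module_criteria):
            return False
        actors = [event["actor"]]
        if self.search_causality_and_os_actors:
            # Assumed reading: the same criteria are tried against the causality
            # actor (CGO) and the OS actor, and any one of them may satisfy them.
            actors += [a for a in (event.get("causality_actor"), event.get("os_actor")) if a]
        return any(all(c.matches(a) for c in self.actor_criteria) for a in actors)


def _actor(name, path, cmd, md5, sha256, user, sig, signer, pid) -> dict:
    """Build an actor record with the attributes the page lists (field names assumed)."""
    return {"name": name, "path": path, "command_line": cmd, "md5": md5, "sha256": sha256,
            "user": user, "signature_status": sig, "signer": signer, "pid": pid}


# Constructed sample events; hostnames, paths and hashes are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws-hr-03",
     "module": {"path": r"C:\Windows\System32\ntdll.dll", "md5": "0" * 32, "sha256": "a" * 64},
     "actor": _actor("notepad.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
                     "1" * 32, "b" * 64, r"CORP\alice", "Signed", "Microsoft Windows", 4120),
     "causality_actor": _actor("explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe",
                               "2" * 32, "c" * 64, r"CORP\alice", "Signed", "Microsoft Windows", 880),
     "os_actor": None},
    {"host": "ws-finance-07",
     "module": {"path": r"C:\Users\bob\AppData\Local\Temp\helper.dll", "md5": "3" * 32, "sha256": "d" * 64},
     "actor": _actor("rundll32.exe", r"C:\Windows\System32\rundll32.exe", "rundll32.exe helper.dll,Run",
                     "4" * 32, "e" * 64, r"CORP\bob", "Signed", "Microsoft Windows", 5204),
     "causality_actor": _actor("winword.exe", r"C:\Program Files\Office\winword.exe", "winword.exe q.docx",
                               "5" * 32, "f" * 64, r"CORP\bob", "Signed", "Microsoft Corporation", 3310),
     "os_actor": None},
    {"host": "srv-build-01",
     "module": {"path": r"C:\ProgramData\tools\update.dll", "md5": "6" * 32, "sha256": "0" * 64},
     "actor": _actor("updater.exe", r"C:\ProgramData\tools\updater.exe", "updater.exe --silent",
                     "7" * 32, "1" * 64, "NT AUTHORITY\\SYSTEM", "Unsigned", "N/A", 9001),
     "causality_actor": _actor("services.exe", r"C:\Windows\System32\services.exe", "services.exe",
                               "8" * 32, "2" * 64, "NT AUTHORITY\\SYSTEM", "Signed", "Microsoft Windows", 700),
     "os_actor": _actor("cmd.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c run.bat",
                        "9" * 32, "3" * 64, "NT AUTHORITY\\SYSTEM", "Signed", "Microsoft Windows", 8800)},
]


def run_query(query: ImageLoadQuery, events: list) -> list:
    """Return (host, module path) for every event the query matches."""
    return [(e["host"], e["module"]["path"]) for e in events if query.matches(e)]


if __name__ == "__main__":
    # Loads outside C:\Windows whose actor, CGO or OS actor is an Office process.
    q = ImageLoadQuery(module_criteria=[Criterion("path", r"C:\Windows\*", exclude=True)],
                       actor_criteria=[Criterion("name", "winword.exe|excel.exe")])
    for host, path in run_query(q, SAMPLE_EVENTS):
        print(host, path)
```

Toggling search_causality_and_os_actors off in the query above makes the match disappear, because the acting process itself is rundll32.exe and only its causality actor is winword.exe; that is the behavioural difference the page's option controls.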
Limit the scope to an endpoint or endpoint attributes: and specify one or more of the following attributes: