Oct 05 2022 09:16 AM
Hi,
We recently identified (Monday, October 3, 2022) that an alert was being flagged as a high behavioral threat by our endpoint protection (Cortex XDR) on multiple computers across our organization; upon checking the incident case, all of them are being executed by msedge_proxy.exe, which chains its command to sihost.exe. I want to know if this is a false positive and if it's normal or a bug. Please see the details I can provide below:
Cortex Info:
Alert Name: Behavioral Threat
Source: XDR Agent
Category: Malware
Module: Behavioral Threat Protection
Severity: High
Description: Behavioral threat detected (rule: parent_process_spoofing)
Action: Detected (Reported)
Process Information:
Command Line : "c:\program files (x86)\microsoft\edge\application\msedge_proxy.exe" --notification-launch-id=0|1|default|0|https://mail.google.com/|n#https://mail.google.com#fnjqw9hny8w/114987728825504974251
Original Command Line : "C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe" --notification-launch-id=0|1|Default|0|https://mail.google.com/|n#https://mail.google.com#FnJqW9hNy8w/114987728825504974251
File Name : msedge_proxy
Description : microsoft edge
Company : microsoft corporation
Copyright : copyright microsoft corporation. all rights reserved.
Original Name : msedge_proxy.exe
Signature Status : Signed
Singature Details : Valid
Signer : Microsoft Corporation
Loaded From TxF : 0
Parent PID : 15176
Image Path : c:\program files (x86)\microsoft\edge\application\msedge_proxy.exe
Image SHA256 : 89e4d5d11099e0667541e78977444ebe5d41e536f8c23403957d7da3be634f1f
Image MD5 : 131707b12b97b5a0e810dd7a0d4038dc
Effective SID : S-1-5-21-584199959-4099986459-2772195892-1168
From Remote Session : 0
Parent Thread ID : 4294967295
StartupInfo Parent PID : 9276
OS Parent PID : 9940
This is one of the computers reporting this; all of the detections we are seeing are triggered on the endpoint by msedge_proxy.
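An added triage helper, not part of the original post or of Cortex XDR: it parses the alert fields quoted above, checks whether the `StartupInfo Parent PID` and `OS Parent PID` values differ (the assumption here is that this mismatch is what the `parent_process_spoofing` rule keys on; the vendor's actual logic is not documented on this page), and groups alerts that match the signed Edge `--notification-launch-id` pattern so an analyst can confirm the pattern once instead of per host. The sample alert text is constructed from the fields in the post, with PIDs shortened and the notification id replaced.

```python
import re

# Constructed sample modelled on the alert fields quoted in the post above.
# The PIDs and the notification-launch id are illustrative, not real telemetry.
SAMPLE_ALERT = r"""
Description: Behavioral threat detected (rule: parent_process_spoofing)
Command Line : "c:\program files (x86)\microsoft\edge\application\msedge_proxy.exe" --notification-launch-id=0|1|default|0|https://mail.google.com/|n#https://mail.google.com#EXAMPLEID/1234
Original Name : msedge_proxy.exe
Signature Status : Signed
Signer : Microsoft Corporation
StartupInfo Parent PID : 9276
OS Parent PID : 9940
"""


def parse_alert(text):
    """Turn the 'Key : Value' lines of an alert into a dict with lowercased keys.

    Splitting on the first ':' only keeps URLs and the 'rule:' note intact."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def rule_name(fields):
    """Extract the rule name from the Description field, e.g. parent_process_spoofing."""
    match = re.search(r"rule:\s*([\w.-]+)", fields.get("description", ""))
    return match.group(1) if match else None


def ppid_mismatch(fields):
    """True when the parent recorded in STARTUPINFO differs from the parent the OS saw."""
    return fields.get("startupinfo parent pid") != fields.get("os parent pid")


def triage(fields):
    """Return (bucket, reasons) so repeated alerts can be reviewed as one pattern."""
    reasons = []
    if not ppid_mismatch(fields):
        return "no-ppid-mismatch", reasons
    reasons.append("STARTUPINFO parent differs from OS parent")
    signed_ms = (fields.get("signature status") == "Signed"
                 and fields.get("signer") == "Microsoft Corporation")
    edge_notify = (fields.get("original name", "").lower() == "msedge_proxy.exe"
                   and "--notification-launch-id=" in fields.get("command line", ""))
    if signed_ms and edge_notify:
        reasons.append("signed msedge_proxy.exe launched with --notification-launch-id")
        return "review-signed-edge-notification", reasons
    return "investigate", reasons
```

Anything that lands in the `investigate` bucket (unsigned binary, different signer, or a command line without the notification argument) keeps its full priority; the Edge bucket is a grouping for analyst confirmation, not an automatic dismissal.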
Oct 10 2022 06:44 AM
@lecksbush25 We are also seeing this issue in our Cortex tenant on a few computers. Any updates or additional information on this one?
Oct 10 2022 02:09 PM