Palo Alto Networks XSIAM Analyst — Question 12
A security analyst has been assigned a ticket from the help desk stating that users are experiencing errors when attempting to open files on a specific network share. These errors state that the file format cannot be opened. IT has verified that the file server is online and functioning, but that all files have unusual extensions attached to them.
The security analyst reviews alerts within Cortex XSIAM and identifies malicious activity related to a possible ransomware attack on the file server. This incident is then escalated to the incident response team for further investigation.
Upon reviewing the incident, the responders confirm that ransomware was successfully executed on the file server. Other details of the attack are noted below:
- An unpatched vulnerability on an externally facing web server was exploited for initial access
- The attackers successfully used Mimikatz to dump sensitive credentials that were used for privilege escalation
- PowerShell was used on a Windows server for additional discovery, as well as lateral movement to other systems
- The attackers executed SystemBC RAT on multiple systems to maintain remote access
- Ransomware payload was downloaded on the file server via an external site, "file.io"
Refer to the scenario to answer this question:
The incident responders are attempting to determine why Mimikatz was able to successfully run during the attack.
Which exploit protection profile in Cortex XSIAM should be reviewed to ensure it is configured with an Action Mode of Block?
Answer options
- A. Operating System Exploit Protection
- B. Browser Exploits Protection
- C. Logical Exploits Protection
- D. Known Vulnerable Process Protection
Correct answer: A
Explanation
The correct answer is A, Operating System Exploit Protection, because it specifically targets vulnerabilities in the operating system that could allow tools like Mimikatz to operate. The other options focus on different aspects of security, such as browser exploits and logical exploits, which are not directly relevant to stopping the execution of a credential-dumping tool at the operating system level.