Home Cortex XDR Config Extractor
Post
Cancel

Cortex XDR Config Extractor

Posted Mar 3, 2023
By Williams A. Danso
1 min read

The purpose of this tool is to be utilized in Red Team Assessments and for auditing XDR Settings.

With this tool its possible to parse the Database Lock Files of the Cortex XDR Agent by Palo Alto Networks and extract Agent Settings, the Hash and Salt of the Uninstall Password, as well as possible Exclusions.

Supported Extractions

  • Uninstall Password Hash & Salt
  • Excluded Signer Names
  • DLL Security Exclusions & Settings
  • PE Security Exclusions & Settings
  • Office Files Security Exclusions & Settings
  • Credential Gathering Module Exclusions
  • Webshell Protection Module Exclusions
  • Childprocess Executionchain Exclusions
  • Behavorial Threat Module Exclusions
  • Local Malware Scan Module Exclusions
  • Memory Protection Module Status
  • Global Hash Exclusions
  • Ransomware Protection Module Modus & Settings

Usage

Usage:

1

./XDRConfExtractor.py [Filename].ldb

Help:

1

 ./XDRConfExtractor.py -h

Getting Hold of Database Lock Files

Agent Version <7.8

Before Agent Version 7.8, any user who was authenticated could create a Support File on Windows using the Cortex XDR Console located in the System Tray. If you unzip the file, you will be able to locate the database lock files.

1

logs_[ID].zip\Persistence\agent_settings.db\

Agent Version ≥7.8

Files from Agents running Version 7.8 or above are encrypted. However, if you have elevated privileges on the Windows machine, you can copy the files directly from the specified directory without encryption.

Method I

1

C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db\

Method II

Support Files that are generated are not regularly deleted, which means it is possible to come across old, unencrypted Support Files in the designated folder.

1

C:\Users\[Username]\AppData\Roaming\PaloAltoNetworks\Traps\support\

Agent Version >8.1

It is believed that it is no longer feasible to retrieve data from the lock files starting from Agent version 8.1. However, this assertion has not yet been verified through testing.

Credit

The functionality of this tool is based on a technique that was initially introduced by mr.d0x in April 2022 https://mrd0x.com/cortex-xdr-analysis-and-bypass/

Usage of Cortex-XDR-Config-Extractor for attacking targets without prior mutual consent is illegal. It’s the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.


⚠ ONLY USE FOR EDUCATIONAL PURPOSES ⚠

Tools & Frameworks, Scanners
scanners
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents