u/Positive-Sir-3789

ScreenConnect not identified as network application

A user opened a malicious ScreenConnect MSI - it appears that it tried to download part of the payload from a site that Palo has flagged as malware. This may have prevented further infection.

The site was orlixan cfd - all this traffic was sinkholed and there is no ScreenConnect app traffic on the firewall.

I'm trying to confirm that the user clicked the MSI to install the malicious ScreenConnect and that it then reached out to download the payload from the malware site but was unsuccessful, and that no traffic for ScreenConnect was detected by the Palo because it failed and the malware domain was sinkholed.

Unfortunately, the user is not aware whether they opened it, or what the MSI was at all. The analysis was done shortly after the download.

u/Positive-Sir-3789 — 3 days ago

endpoint name is now showing base64 characters

This just started today, but we have endpoints now that are showing up as base64 characters, and they don't even decode to the name of the endpoint either. Just wondering if anyone else is experiencing this in their visibility queries?

u/Positive-Sir-3789 — 11 days ago

Hello, we have a visibility query that displays any of a group of users who log in to machines, but is it possible to identify the users logging in based on one of the key administrator SIDs, e.g., local or domain admin groups?

u/Positive-Sir-3789 — 25 days ago