Hello everyone
Recently I have started to receive logs with the "Modified Executable - Connection from an In-Memory Modified Executable" rule. I did not manage to find information about this rule on the internet, but I still want to understand what this event means, which behaviour triggers this rule, and whether this is something malicious or I shouldn't worry about it at all.
Here is full log:
<133>1 2023-09-25T10:42:01.000Z forti10.fortiedr.com FortiEDR - - - Message Type: Security Event;Organization: ;Organization ID: ;Event ID: 33649969;Raw Data ID: 1932815690;Device Name: ;Device State: Running;Operating System: Windows 10 Pro;Process Name: rooksbas.dll;Process Path: \Device\HarddiskVolume3\Program Files (x86)\Trusteer\Rapport\bin\rooksbas.dll;Process Type: 32bit;Severity: Medium;Classification: Likely Safe;Destination: 41.72.45.1;First Seen: 22-Sep-2023, 18:26:21;Last Seen: 25-Sep-2023, 12:42:01;Action: Blocked;Count: 92;Certificate: yes;Rules List: Modified Executable - Connection from an In-Memory Modified Executable;Users: N/A;MAC Address: 75-EE-34-CB-21-E1;Script: N/A;Script Path: N/A;Autonomous System: 8075 MICROSOFT-CORP-MSN-AS-BLOCK;Country: Netherlands;Process Hash: 13FC7A6CE7B1AEAB65E46E0BC245F9DB88B57B17;Source IP: 10.0.61.19;Threat Name: Unknown;Threat Family: Unknown;Threat Type: Unknown;Remediation Processes: N/A;Remediation Files: N/A;MITRE techniques: N/A;Target: \Device\HarddiskVolume3\Windows\System32\drivers\msseccore.sys, \Device\HarddiskVolume3\Windows\System32\wininit.exe, \Device\HarddiskVolume3\Windows\System32\smss.exe, \Device\HarddiskVolume3\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe, \Device\HarddiskVolume3\Windows\System32\services.exe;Command line: 000000cc 00000088 ;Remote Connection: N/A
The log indicates a potential security event involving a modified executable in memory attempting a connection. The process involved, rooksbas.dll, is associated with Trusteer Rapport, a legitimate security software. The system classified the event as "Likely Safe" with medium severity, and the connection attempt was blocked. The destination IP relates to Microsoft. Given these details, this event might be a false positive triggered by Trusteer Rapport's behavior or updates. However, it's advisable to verify the software's source, consult with FortiEDR support, and continuously monitor for similar logs to ensure system integrity.