Process and Path are showing as System for an IOC alert

Process and Path are showing as System for an IOC alert

773
Created On 03/18/25 13:06 PM - Last Modified 03/18/25 16:35 PM


Symptom


• An XDR alert detected a connection to an IOC IP address.
• The "system" process initiated the connection.
•The path of the process is "system"

Environment


Product_versions

  • Cortex XDR version:  V3.13
  • Cortex XDR Agent for Windows

Cause


The reason that the path and the process are showing as System, is that the System process is a pseudo-process that refers to the OS kernel in Microsoft Windows. 

Resolution


As the "system" process and path refer to the Windows OS kernel, this IOC may be referring to a Kernel level exploit. 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HFExCAO&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail