Open
Here is the event log.
Every day I was getting a warning about an exploit found and blocked from Cisco Secure Endpoint, something like the following:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="CiscoSecureEndpoint" Guid="{0643104d-3c79-4ed5-9ed4-cd8e803fea9c}" />
<EventID>106</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000020000000</Keywords>
<TimeCreated SystemTime="2025-03-05T11:11:35.7998593Z" />
<EventRecordID>23</EventRecordID>
<Correlation />
<Execution ProcessID="5752" ThreadID="9736" />
<Channel>CiscoSecureEndpoint/Events</Channel>
<Computer>CECAD</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="InjecteePID">19060</Data>
<Data Name="TimeStamp">1741173095</Data>
<Data Name="ProcessName">C:\Program Files\Waterfox\waterfox.exe</Data>
<Data Name="AttackInfo">{"afps":"C:\\Program Files\\Waterfox\\waterfox.exe","ams":"kernel32.dll","at":"2025-03-05T11:11:35.518Z","bas":"0x00007FFFC85A0000","edvs":"8.3.7.1","sfs":[""],"sus":[""],"threat_module_s":"Shellcode","threat_sub_module_s":"PEB","u":"user@user"}</Data>
<Data Name="SuspiciousFiles" />
<Data Name="ParentProcessName">C:\Program Files\Waterfox\waterfox.exe</Data>
<Data Name="ParentProcessPID">9696</Data>
<Data Name="ScriptControlBadDll" />
<Data Name="InjecteeFileName">waterfox.exe</Data>
<Data Name="InjecteeCommandLine">"C:\Program Files\Waterfox\waterfox.exe" --backgroundtask defaultagent do-task 6F940AC27A98DD61</Data>
<Data Name="InjectorPID">0</Data>
<Data Name="InjectorFileName" />
<Data Name="InjectorCommandLine" />
</EventData>
</Event>
And when uninstalling Waterfox:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="CiscoSecureEndpoint" Guid="{0643104d-3c79-4ed5-9ed4-cd8e803fea9c}" />
<EventID>106</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000020000000</Keywords>
<TimeCreated SystemTime="2025-03-13T12:32:02.5263877Z" />
<EventRecordID>40</EventRecordID>
<Correlation />
<Execution ProcessID="5524" ThreadID="7920" />
<Channel>CiscoSecureEndpoint/Events</Channel>
<Computer>CECAD</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="InjecteePID">2928</Data>
<Data Name="TimeStamp">1741869122</Data>
<Data Name="ProcessName">C:\Program Files\Waterfox\waterfox.exe</Data>
<Data Name="AttackInfo">{"afps":"C:\\Program Files\\Waterfox\\waterfox.exe","ams":"kernel32.dll","at":"2025-03-13T12:32:02.250Z","bas":"0x00007FF9BA050000","edvs":"8.3.7.1","sfs":[""],"sus":[""],"threat_module_s":"Shellcode","threat_sub_module_s":"PEB","u":"user@user"}</Data>
<Data Name="SuspiciousFiles" />
<Data Name="ParentProcessName">C:\Program Files\Waterfox\waterfox.exe</Data>
<Data Name="ParentProcessPID">10212</Data>
<Data Name="ScriptControlBadDll" />
<Data Name="InjecteeFileName">waterfox.exe</Data>
<Data Name="InjecteeCommandLine">"C:\Program Files\Waterfox\waterfox.exe" --backgroundtask defaultagent uninstall 6F940AC27A98DD61</Data>
<Data Name="InjectorPID">0</Data>
<Data Name="InjectorFileName" />
<Data Name="InjectorCommandLine" />
</EventData>
</Event>
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="CiscoSecureEndpoint" Guid="{0643104d-3c79-4ed5-9ed4-cd8e803fea9c}" />
<EventID>106</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000020000000</Keywords>
<TimeCreated SystemTime="2025-03-13T12:32:01.8209049Z" />
<EventRecordID>39</EventRecordID>
<Correlation />
<Execution ProcessID="5524" ThreadID="7920" />
<Channel>CiscoSecureEndpoint/Events</Channel>
<Computer>CECAD</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="InjecteePID">6888</Data>
<Data Name="TimeStamp">1741869121</Data>
<Data Name="ProcessName">C:\Program Files\Waterfox\waterfox.exe</Data>
<Data Name="AttackInfo">{"afps":"C:\\Program Files\\Waterfox\\waterfox.exe","ams":"kernel32.dll","at":"2025-03-13T12:32:01.543Z","bas":"0x00007FF9BA050000","edvs":"8.3.7.1","sfs":[""],"sus":[""],"threat_module_s":"Shellcode","threat_sub_module_s":"PEB","u":"user@user"}</Data>
<Data Name="SuspiciousFiles" />
<Data Name="ParentProcessName">C:\Program Files\Waterfox\waterfox.exe</Data>
<Data Name="ParentProcessPID">16260</Data>
<Data Name="ScriptControlBadDll" />
<Data Name="InjecteeFileName">waterfox.exe</Data>
<Data Name="InjecteeCommandLine">"C:\Program Files\Waterfox\waterfox.exe" --backgroundtask uninstall</Data>
<Data Name="InjectorPID">0</Data>
<Data Name="InjectorFileName" />
<Data Name="InjectorCommandLine" />
</EventData>
</Event>
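As an added example (not part of the issue or of the Waterfox project), a Python parser for the event ID 106 records above: it flattens the Windows event XML, decodes the JSON carried in AttackInfo, and lists what a responder checks before treating such an event as a real exploit or filing an exclusion. The sample record is constructed from the first event quoted above, trimmed to the fields the parser reads; the readings of the `ams` and `bas` keys are assumptions drawn from their values.

```python
import json
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the first record quoted in the issue, trimmed to the fields used here.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="CiscoSecureEndpoint" />
<EventID>106</EventID>
<TimeCreated SystemTime="2025-03-05T11:11:35.7998593Z" />
<EventRecordID>23</EventRecordID>
</System>
<EventData>
<Data Name="InjecteePID">19060</Data>
<Data Name="AttackInfo">{"afps":"C:\\Program Files\\Waterfox\\waterfox.exe","ams":"kernel32.dll","bas":"0x00007FFFC85A0000","edvs":"8.3.7.1","threat_module_s":"Shellcode","threat_sub_module_s":"PEB"}</Data>
<Data Name="InjecteeFileName">waterfox.exe</Data>
<Data Name="InjecteeCommandLine">"C:\Program Files\Waterfox\waterfox.exe" --backgroundtask defaultagent do-task 6F940AC27A98DD61</Data>
<Data Name="InjectorPID">0</Data>
<Data Name="InjectorFileName" />
</EventData>
</Event>"""

def parse_event(xml_text: str) -> dict:
    """Flatten one event: System fields, the EventData items, and the JSON inside AttackInfo."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    attack = json.loads(data.get("AttackInfo") or "{}")
    return {
        "record_id": int(root.findtext("e:System/e:EventRecordID", namespaces=NS)),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "injectee": data.get("InjecteeFileName", ""),
        "injectee_pid": int(data.get("InjecteePID") or 0),
        "cmdline": data.get("InjecteeCommandLine", ""),
        "injector_pid": int(data.get("InjectorPID") or 0),
        "injector": data.get("InjectorFileName", ""),
        "module": attack.get("ams"),  # assumed: module whose exports the flagged code resolved
        "base": attack.get("bas"),    # assumed: load address of that module when the detection fired
        "threat": f"{attack.get('threat_module_s')}/{attack.get('threat_sub_module_s')}",
    }

def triage_notes(ev: dict) -> list:
    """Observations a responder checks before treating an ID 106 event as a real exploit."""
    notes = []
    if ev["injector_pid"] == 0 and not ev["injector"]:
        notes.append("no injector recorded: the flagged code lives in the injectee's own process")
    if "--backgroundtask" in ev["cmdline"]:
        notes.append("injectee is a browser background task, not an interactive browsing session")
    if ev["threat"] == "Shellcode/PEB":
        notes.append("PEB-walk heuristic: confirm the image's signature and hash before excluding it")
    return notes
```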