https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-of-powershell-execution/m-p/532897#M3744 <P>&nbsp;</P> <P>Hello,</P> <P>We need to block PowerShell executions on the some endpoints.&nbsp; how can we block Powershell dll files so that PowerShell cannot be loaded.</P> <P>&nbsp;</P> <P>We have created a BIOC rule and it is flagging legitimate Powershell executions also. Can we exclude such legitimate executions by creation exceptions for CGO name?</P> <P>&nbsp;</P> <P>Regards,</P> <P>Shashank</P> <P><LI-WRAPPER></LI-WRAPPER></P> Thu, 02 Mar 2023 07:52:48 GMT Shashanksinha 2023-03-02T07:52:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-of-powershell-execution/m-p/532897#M3744 <P>&nbsp;</P> <P>Hello,</P> <P>We need to block PowerShell executions on the some endpoints.&nbsp; how can we block Powershell dll files so that PowerShell cannot be loaded.</P> <P>&nbsp;</P> <P>We have created a BIOC rule and it is flagging legitimate Powershell executions also. Can we exclude such legitimate executions by creation exceptions for CGO name?</P> <P>&nbsp;</P> <P>Regards,</P> <P>Shashank</P> <P><LI-WRAPPER></LI-WRAPPER></P> Thu, 02 Mar 2023 07:52:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-of-powershell-execution/m-p/532897#M3744 Shashanksinha 2023-03-02T07:52:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-of-powershell-execution/m-p/532973#M3751 <P><SPAN>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/203123">@Shashanksinha</a>&nbsp;</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Thank you for writing to Live Community!</SPAN><SPAN><BR /></SPAN><SPAN><BR />One way to go about it would be creating a BIOC rule (like you already have) and then adding it to a&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/WildFire-Analysis-Concepts" target="_self">new restrictions profile.</A>&nbsp;&nbsp;<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN><BR /></SPAN><SPAN>Assuming the BIOC rule that you have created is blocking both legitimate and illegitimate powershell executions the correct way to go about it would be to indeed create an exceptions profile.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>You can do so either by </SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Add-a-New-Exceptions-Security-Profile" target="_blank"><SPAN>adding a new exceptions security profile</SPAN></A><SPAN>, or, starting with version 3.5, create a new </SPAN><A href="https://docs-cortex.paloaltonetworks.com/search/all?query=Add+a+Legacy+Exception+Rule&amp;filters=Product~%2522Cortex+XDR%2522&amp;content-lang=en-US" target="_blank"><SPAN>legacy exception rule</SPAN></A><SPAN>, choose the process you wish to exclude and choose whether you want to apply it globally or to a specific profile (see example in the screenshot below).</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mavraham_0-1677771399541.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48372i949E4CC31B122A67/image-size/medium?v=v2&amp;px=400" role="button" title="mavraham_0-1677771399541.png" alt="mavraham_0-1677771399541.png" /></span></P> <P><SPAN><BR /></SPAN><SPAN>Lastly, I’d like to refer you to </SPAN><A href="https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/" target="_blank"><SPAN>this article</SPAN></A><SPAN> from our research team about the existing BTP rules that already help detect and block powershell related executions.<BR /><BR /><BR />Hope this helps!<BR /><BR /><BR /><BR /></SPAN></P> <P><BR /><BR /><BR /></P> Thu, 02 Mar 2023 15:45:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-of-powershell-execution/m-p/532973#M3751 mavraham 2023-03-02T15:45:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-of-powershell-execution/m-p/539852#M4217 <P>Hi&nbsp;@<A id="link_15" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167148" target="_self" aria-label="View Profile of mavraham"><SPAN class="">Mavraham</SPAN></A>,</P> <P>&nbsp;</P> <P>Usually, PowerShell is used by multiple legitimate applications in the environment. A BIOC rule get disabled automatically after 5000 alerts. I believe continuous whitelisting and provide excpetions is the only way. Please help in case you believe there are better ways to achieve the following usecase:</P> <P>&nbsp;</P> <P>Reuiqrement:</P> <P>Block PowerShell usage in the environment and allow only legitimate ones. We have identified the legitimate CGO's but unable to identify a method to whitelist these processes.</P> <P>&nbsp;</P> <P>Queries:</P> <P>1. Restrisction policy - Is it possible to whitelist legitimate parent processes (CGO's) in the restriction profile and block all other PowerShell executions?</P> <P>2. BIOC rule - Exceptions can be provided but rule gets disabled once it hits 5k alerts in 24 hours which is by design?</P> <P>&nbsp;</P> <P>Thanks in advance.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Rahul</P> Mon, 24 Apr 2023 05:23:00 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-of-powershell-execution/m-p/539852#M4217 Rahul9 2023-04-24T05:23:00Z