Blocking Powershell Execution

Shahwaz_Md — Thu, 02 Mar 2023 06:04:19 GMT

Hi,

Is it possible to block PowerShell execution on all endpoints through CortexXDR, if possible kindly give the process to do the same?

Thanks

Re: Blocking Powershell Execution

jtalton — Thu, 02 Mar 2023 17:02:28 GMT

Hi Shahwaz_Md,

XDR utilizes custom BIOC rules where you create BIOC rules based on the set of attribute-value pairs to automatically convert the leads into alerts. Please also reference detections in the XDR analytics alert reference for possible alerts relating uncommon PowerShell commands/ scheduled tasks.

To create a BIOC rule, navigate to Incident Response> Query Builder> then select XQL search. Here, you can enter an XQL query to identify endpoints executing PowerShell. To get started, here is a query to test:

dataset = xdr_data // Using the XDR dataset | filter lowercase(actor_process_image_name) = "powershell.exe"and action_evtlog_username not contains "system"// Filtering for parent process is powershell.exe and filtering out system | filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and lowercase(actor_process_image_name) = "powershell.exe" // Filtering for parent process is powershell.exe | alter process_cmd = if(lowercase(action_process_image_command_line) contains "c:\users", replex(lowercase(action_process_image_command_line), "c:\\users\\[a-zA-Z0-9.]*", "c:\\users\\USERNAME"), action_process_image_command_line) // Running an alter command to make sure the functions later ignore differences in user paths | fields action_process_image_name as process_name, action_process_image_command_line as process_cmd, event_id,agent_hostname as hostname, actor_process_image_path as process_path, causality_actor_process_image_path as cgo_path, causality_actor_process_command_line as cgo_cmd // Getting the relevant fields

Once the XQL query is complete, you can create a BIOC rule utilizing its insightful information. BIOC rules can be added via Detection Rules > BIOC > + Add BIOC.

To block, you can add the BIOC rule via a Customer Prevention rule in the Restrictions Profile.

The Restriction profile allows you to apply custom made BIOC's that upon detection will be prevented by the agent, in case you are using the default profiles then no prevention will take place but the detection will happen if the BIOC rule is configured in your BIOC repository (preconfigured or custom made BIOCs).

Here is a walkthrough of the process Custom Prevention Rules| Palo Alto Networks

After testing is complete, to narrow the scope, consider applying this BIOC/Restrictions profile to endpoints via a policy applied to an endpoint group.

If you found this response helpful, please like and click Accept as Solution.

Thanks,

Jtalton

Re: Blocking Powershell Execution

Rahul9 — Mon, 24 Apr 2023 05:24:15 GMT

Hi Jtalton,

Usually, PowerShell is used by multiple legitimate applications in the environment. A BIOC rule get disabled automatically after 5000 alerts. I believe continuous whitelisting and provide excpetions is the only way. Please help in case you believe there are better ways to achieve the following usecase:

Reuiqrement:

Block PowerShell usage in the environment and allow only legitimate ones. We have identified the legitimate CGO's but unable to identify a method to whitelist these processes.

Queries:

1. Restrisction policy - Is it possible to whitelist legitimate parent processes (CGO's) in the restriction profile and block all other PowerShell executions?

2. BIOC rule - Exceptions can be provided but rule gets disabled once it hits 5k alerts in 24 hours which is by design?

3. Do let us know if there is any other method to achieve this.

Thanks in advance.

Regards,

Rahul

topic Re: Blocking Powershell Execution in Cortex XDR Discussions

Blocking Powershell Execution

Re: Blocking Powershell Execution

Re: Blocking Powershell Execution