https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/disable-protection-rule-for-remote-initiated-behavioral-threat/m-p/578119#M6123 <P>We are creating a custom service to handle automatically checking and updating programs (similar to PDQ Deploy, or an RMM tool).</P> <P>We've signed the the created service and tried several ways to disable it from being blocked. The problem is, we are very limited in what we can target with the disable prevention rules.&nbsp;</P> <P>Has anyone run into this and actually allowed it through. We could change the commands to not trigger the alerts as we can see what triggered them by getting the alert data.</P> <P>The point is that if we signed what is running, we'd like to be able to build it out without worrying about coding around XDR's every changing (and hard to extract behavioral rules).</P> <P>&nbsp;</P> <P>We've already attempted to:</P> <OL> <LI>allow our signature in a disable prevention rule</LI> <LI>allow the ending powershell process with a wildcard cmd line argument</LI> </OL> <P>The problem seems to be that the point where the block is triggered happens before the signer is considered. The artifacts show our service as being signed.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CJNTS_5-1708639694767.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57813i79EEF86C3E8B62CD/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CJNTS_5-1708639694767.png" alt="CJNTS_5-1708639694767.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Screenshot of causality chain nodes below.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CJNTS_2-1708639146320.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57810i615CDA26F1BDA384/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CJNTS_2-1708639146320.png" alt="CJNTS_2-1708639146320.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CJNTS_0-1708639964650.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57814i610B807611003B48/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CJNTS_0-1708639964650.png" alt="CJNTS_0-1708639964650.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CJNTS_3-1708639258518.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57811i1028536C4EB03891/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CJNTS_3-1708639258518.png" alt="CJNTS_3-1708639258518.png" /></span></P> <P>Disable Prevention Rules does not give us any way to address this.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CJNTS_4-1708639365181.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57812i4C718043F3318B5F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CJNTS_4-1708639365181.png" alt="CJNTS_4-1708639365181.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Feb 2024 22:12:52 GMT CJNTS 2024-02-22T22:12:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/disable-protection-rule-for-remote-initiated-behavioral-threat/m-p/578119#M6123 <P>We are creating a custom service to handle automatically checking and updating programs (similar to PDQ Deploy, or an RMM tool).</P> <P>We've signed the the created service and tried several ways to disable it from being blocked. The problem is, we are very limited in what we can target with the disable prevention rules.&nbsp;</P> <P>Has anyone run into this and actually allowed it through. We could change the commands to not trigger the alerts as we can see what triggered them by getting the alert data.</P> <P>The point is that if we signed what is running, we'd like to be able to build it out without worrying about coding around XDR's every changing (and hard to extract behavioral rules).</P> <P>&nbsp;</P> <P>We've already attempted to:</P> <OL> <LI>allow our signature in a disable prevention rule</LI> <LI>allow the ending powershell process with a wildcard cmd line argument</LI> </OL> <P>The problem seems to be that the point where the block is triggered happens before the signer is considered. The artifacts show our service as being signed.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CJNTS_5-1708639694767.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57813i79EEF86C3E8B62CD/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CJNTS_5-1708639694767.png" alt="CJNTS_5-1708639694767.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Screenshot of causality chain nodes below.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CJNTS_2-1708639146320.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57810i615CDA26F1BDA384/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CJNTS_2-1708639146320.png" alt="CJNTS_2-1708639146320.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CJNTS_0-1708639964650.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57814i610B807611003B48/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CJNTS_0-1708639964650.png" alt="CJNTS_0-1708639964650.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CJNTS_3-1708639258518.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57811i1028536C4EB03891/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CJNTS_3-1708639258518.png" alt="CJNTS_3-1708639258518.png" /></span></P> <P>Disable Prevention Rules does not give us any way to address this.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CJNTS_4-1708639365181.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57812i4C718043F3318B5F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CJNTS_4-1708639365181.png" alt="CJNTS_4-1708639365181.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Feb 2024 22:12:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/disable-protection-rule-for-remote-initiated-behavioral-threat/m-p/578119#M6123 CJNTS 2024-02-22T22:12:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/disable-protection-rule-for-remote-initiated-behavioral-threat/m-p/578177#M6129 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/258598">@CJNTS</a>, thanks for reaching us using the Live Community.</P> <P>Is the powershell script located in a specific folder?</P> <P>Have you tried with a Legacy Agent Exception for the Behavioral Threat Prevention module which is the one blocking here?</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_0-1708693824490.png" style="width: 506px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57825i5BBB742395554DC9/image-dimensions/506x441/is-moderation-mode/true?v=v2" width="506" height="441" role="button" title="jmazzeo_0-1708693824490.png" alt="jmazzeo_0-1708693824490.png" /></span></P> <P>&nbsp;</P> Fri, 23 Feb 2024 13:11:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/disable-protection-rule-for-remote-initiated-behavioral-threat/m-p/578177#M6129 jmazzeo 2024-02-23T13:11:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/disable-protection-rule-for-remote-initiated-behavioral-threat/m-p/578183#M6134 <DIV class="lia-quilt-row lia-quilt-row-message-main"> <DIV class="lia-quilt-column lia-quilt-column-24 lia-quilt-column-single lia-quilt-column-message-main-content"> <DIV class="lia-quilt-column-alley lia-quilt-column-alley-single"> <DIV id="bodyDisplay_5879018fae17d3_57734" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P>We've looked into that, but don't want to take that route.</P> <P>As we build things out, different scripts will run from the same folder structure. To create this rule, we'd have to make a bunch of exceptions for each file path, or wild card the last piece (script name).</P> <P>From what I've looked at if we did it this way we wouldn't be able to also evaluate the signer. I think this may work, but it would be creating a bigger hole in protection than we're aiming for.</P> <P>&nbsp;</P> <P>If I'm wrong on any of that, please let me know. We really want to evaluate based on the signer. If we could consider a wildcard file path AND the signer, this would be a consideration.</P> </DIV> </DIV> </DIV> </DIV> </DIV> Fri, 23 Feb 2024 13:38:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/disable-protection-rule-for-remote-initiated-behavioral-threat/m-p/578183#M6134 CJNTS 2024-02-23T13:38:51Z