https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detect-and-restrict-powershell-cmdlets/m-p/584810#M6589 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/310428">@jmazzeo</a>,&nbsp;<BR /><BR /></P> <P><BR />Thanks, I know this detection functionality, together with an automation with "terminate casuality chain" that kills the powershell process can be a "solution".</P> <P>This feature requires XTH - Xtended Threat Hunting license (which I don't have).</P> <P><BR />The only drawback I see to this solution is that it is an asynchronous solution (it works after executing the command, in this case the cmdlet).</P> Wed, 24 Apr 2024 16:09:02 GMT agirones 2024-04-24T16:09:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detect-and-restrict-powershell-cmdlets/m-p/584640#M6567 <P>Hello everyone,<BR /><BR /></P> <P>I would like to know if any of you have struggled with support and technical cases with the need I show below.<BR /><BR /></P> <P>I would like to know what you can tell me or give me your opinion about taking action against powershell cmdlets.</P> <P>After several cases and meetings with support, I can't get a solid answer to my needs about restricting some powershell cmdlets.<BR /><BR />I hope to find a solution that fits my needs, thanks anyway.</P> Tue, 23 Apr 2024 14:57:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detect-and-restrict-powershell-cmdlets/m-p/584640#M6567 agirones 2024-04-23T14:57:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detect-and-restrict-powershell-cmdlets/m-p/584663#M6568 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/270645">@agirones</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>Can you share more information about what cmdlets you are trying to detect or block? Do you have some example?</P> <P>Maybe I can do some test in my lab and try to help you.</P> Tue, 23 Apr 2024 17:37:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detect-and-restrict-powershell-cmdlets/m-p/584663#M6568 jmazzeo 2024-04-23T17:37:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detect-and-restrict-powershell-cmdlets/m-p/584735#M6579 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/310428">@jmazzeo</a>, thaks for your interest and trying to help!<BR /><BR /></P> <P>Example, I want to restrict cmdlet like:<BR /><BR /></P> <P>Set-ItemProperty -Path<BR />Remove-ItemProperty -Path<BR />Invoke-AADintReconAsOutsider<BR />Remove-DomainObjectACL</P> Wed, 24 Apr 2024 06:25:31 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detect-and-restrict-powershell-cmdlets/m-p/584735#M6579 agirones 2024-04-24T06:25:31Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detect-and-restrict-powershell-cmdlets/m-p/584800#M6587 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/270645">@agirones</a>, I believe that this could work for you.</P> <P>&nbsp;</P> <UL> <LI>Create a new custom BIOC rule going to <STRONG>Detection Rules - BIOC</STRONG></LI> <LI>Select the Event Log type. The powershell cmdlets details are taken from the windows event log.</LI> <LI>Set a name, and put all the required commands in the "Message" field in this format:</LI> </UL> <P>*Set-ItemProperty -Path*|*Remove-ItemProperty -Path*|*Invoke-AADintReconAsOutsider*|*Remove-DomainObjectACL*</P> <P>&nbsp;</P> <P>Use the "|" character as an OR separator, and the "*" as wildcard.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_0-1713968206618.png" style="width: 673px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59260i46DE7101D83F3CBD/image-dimensions/673x133/is-moderation-mode/true?v=v2" width="673" height="133" role="button" title="jmazzeo_0-1713968206618.png" alt="jmazzeo_0-1713968206618.png" /></span></P> <P>&nbsp;</P> <UL> <LI>Before save it you can test it to check if you have some matching events.&nbsp;</LI> <LI>You will see the&nbsp; command details by opening the "View event log message" from the results.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_1-1713968439612.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59261iBAAC289C89616C64/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jmazzeo_1-1713968439612.png" alt="jmazzeo_1-1713968439612.png" /></span></LI> <LI>This is how you will see the details:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_2-1713968503140.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59262i4668426563969757/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jmazzeo_2-1713968503140.png" alt="jmazzeo_2-1713968503140.png" /></span></LI> <LI>Alerts generated:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_3-1713968799553.png" style="width: 651px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59263i0A237EA76DC3FB70/image-dimensions/651x109/is-moderation-mode/true?v=v2" width="651" height="109" role="button" title="jmazzeo_3-1713968799553.png" alt="jmazzeo_3-1713968799553.png" /></span> <P>&nbsp;</P> </LI> </UL> <P>&nbsp;</P> <P><STRONG>This works for cmdlets running in a live powershell console in the host, and it will also detect this commands running from scripts.</STRONG></P> <P>&nbsp;</P> <P>The "Event log" type BIOC Rules can't be used to block, only for notifications.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Wed, 24 Apr 2024 14:27:04 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detect-and-restrict-powershell-cmdlets/m-p/584800#M6587 jmazzeo 2024-04-24T14:27:04Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detect-and-restrict-powershell-cmdlets/m-p/584810#M6589 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/310428">@jmazzeo</a>,&nbsp;<BR /><BR /></P> <P><BR />Thanks, I know this detection functionality, together with an automation with "terminate casuality chain" that kills the powershell process can be a "solution".</P> <P>This feature requires XTH - Xtended Threat Hunting license (which I don't have).</P> <P><BR />The only drawback I see to this solution is that it is an asynchronous solution (it works after executing the command, in this case the cmdlet).</P> Wed, 24 Apr 2024 16:09:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detect-and-restrict-powershell-cmdlets/m-p/584810#M6589 agirones 2024-04-24T16:09:02Z