This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Blocking of Powershell execution

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Blocking of Powershell execution

Shashanksinha
L3 Networker

‎03-01-2023 11:52 PM

 

Hello,

We need to block PowerShell executions on the some endpoints.  how can we block Powershell dll files so that PowerShell cannot be loaded.

 

We have created a BIOC rule and it is flagging legitimate Powershell executions also. Can we exclude such legitimate executions by creation exceptions for CGO name?

 

Regards,

Shashank

0 Likes Likes
2 REPLIES 2

mavraham
L4 Transporter

‎03-02-2023 07:45 AM

Hi @Shashanksinha 

Thank you for writing to Live Community!

One way to go about it would be creating a BIOC rule (like you already have) and then adding it to a new restrictions profile.  

 


Assuming the BIOC rule that you have created is blocking both legitimate and illegitimate powershell executions the correct way to go about it would be to indeed create an exceptions profile.

You can do so either by adding a new exceptions security profile, or, starting with version 3.5, create a new legacy exception rule, choose the process you wish to exclude and choose whether you want to apply it globally or to a specific profile (see example in the screenshot below).

mavraham_0-1677771399541.png


Lastly, I’d like to refer you to this article from our research team about the existing BTP rules that already help detect and block powershell related executions.


Hope this helps!






Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

0 Likes Likes

Rahul9
L1 Bithead

‎04-23-2023 10:21 PM - edited ‎04-23-2023 10:23 PM

Hi @Mavraham,

 

Usually, PowerShell is used by multiple legitimate applications in the environment. A BIOC rule get disabled automatically after 5000 alerts. I believe continuous whitelisting and provide excpetions is the only way. Please help in case you believe there are better ways to achieve the following usecase:

 

Reuiqrement:

Block PowerShell usage in the environment and allow only legitimate ones. We have identified the legitimate CGO's but unable to identify a method to whitelist these processes.

 

Queries:

1. Restrisction policy - Is it possible to whitelist legitimate parent processes (CGO's) in the restriction profile and block all other PowerShell executions?

2. BIOC rule - Exceptions can be provided but rule gets disabled once it hits 5k alerts in 24 hours which is by design?

 

Thanks in advance.

 

Regards,

Rahul

0 Likes Likes
  • 1356 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks