Blocking of Powershell execution

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Blocking of Powershell execution

L3 Networker

 

Hello,

We need to block PowerShell executions on the some endpoints.  how can we block Powershell dll files so that PowerShell cannot be loaded.

 

We have created a BIOC rule and it is flagging legitimate Powershell executions also. Can we exclude such legitimate executions by creation exceptions for CGO name?

 

Regards,

Shashank

2 REPLIES 2

L4 Transporter

Hi @Shashanksinha 

Thank you for writing to Live Community!

One way to go about it would be creating a BIOC rule (like you already have) and then adding it to a new restrictions profile.  

 


Assuming the BIOC rule that you have created is blocking both legitimate and illegitimate powershell executions the correct way to go about it would be to indeed create an exceptions profile.

You can do so either by adding a new exceptions security profile, or, starting with version 3.5, create a new legacy exception rule, choose the process you wish to exclude and choose whether you want to apply it globally or to a specific profile (see example in the screenshot below).

mavraham_0-1677771399541.png


Lastly, I’d like to refer you to this article from our research team about the existing BTP rules that already help detect and block powershell related executions.


Hope this helps!






Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

L1 Bithead

Hi @Mavraham,

 

Usually, PowerShell is used by multiple legitimate applications in the environment. A BIOC rule get disabled automatically after 5000 alerts. I believe continuous whitelisting and provide excpetions is the only way. Please help in case you believe there are better ways to achieve the following usecase:

 

Reuiqrement:

Block PowerShell usage in the environment and allow only legitimate ones. We have identified the legitimate CGO's but unable to identify a method to whitelist these processes.

 

Queries:

1. Restrisction policy - Is it possible to whitelist legitimate parent processes (CGO's) in the restriction profile and block all other PowerShell executions?

2. BIOC rule - Exceptions can be provided but rule gets disabled once it hits 5k alerts in 24 hours which is by design?

 

Thanks in advance.

 

Regards,

Rahul

  • 1245 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!