03-01-2023 10:04 PM
Hi,
Is it possible to block PowerShell execution on all endpoints through CortexXDR, if possible kindly give the process to do the same?
Thanks
03-02-2023 09:02 AM
Hi Shahwaz_Md,
XDR utilizes custom BIOC rules where you create BIOC rules based on the set of attribute-value pairs to automatically convert the leads into alerts. Please also reference detections in the XDR analytics alert reference for possible alerts relating uncommon PowerShell commands/ scheduled tasks.
To create a BIOC rule, navigate to Incident Response> Query Builder> then select XQL search. Here, you can enter an XQL query to identify endpoints executing PowerShell. To get started, here is a query to test:
dataset = xdr_data // Using the XDR dataset
| filter lowercase(actor_process_image_name) = "powershell.exe"and action_evtlog_username not contains "system"// Filtering for parent process is powershell.exe and filtering out system
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and lowercase(actor_process_image_name) = "powershell.exe" // Filtering for parent process is powershell.exe
| alter process_cmd = if(lowercase(action_process_image_command_line) contains "c:\users", replex(lowercase(action_process_image_command_line), "c:\\users\\[a-zA-Z0-9.]*", "c:\\users\\USERNAME"), action_process_image_command_line) // Running an alter command to make sure the functions later ignore differences in user paths
| fields action_process_image_name as process_name, action_process_image_command_line as process_cmd, event_id,agent_hostname as hostname, actor_process_image_path as process_path, causality_actor_process_image_path as cgo_path, causality_actor_process_command_line as cgo_cmd // Getting the relevant fields
Once the XQL query is complete, you can create a BIOC rule utilizing its insightful information. BIOC rules can be added via Detection Rules > BIOC > + Add BIOC.
To block, you can add the BIOC rule via a Customer Prevention rule in the Restrictions Profile.
The Restriction profile allows you to apply custom made BIOC's that upon detection will be prevented by the agent, in case you are using the default profiles then no prevention will take place but the detection will happen if the BIOC rule is configured in your BIOC repository (preconfigured or custom made BIOCs).
Here is a walkthrough of the process Custom Prevention Rules| Palo Alto Networks
After testing is complete, to narrow the scope, consider applying this BIOC/Restrictions profile to endpoints via a policy applied to an endpoint group.
If you found this response helpful, please like and click Accept as Solution.
Thanks,
Jtalton
04-23-2023 10:24 PM
Hi Jtalton,
Usually, PowerShell is used by multiple legitimate applications in the environment. A BIOC rule get disabled automatically after 5000 alerts. I believe continuous whitelisting and provide excpetions is the only way. Please help in case you believe there are better ways to achieve the following usecase:
Reuiqrement:
Block PowerShell usage in the environment and allow only legitimate ones. We have identified the legitimate CGO's but unable to identify a method to whitelist these processes.
Queries:
1. Restrisction policy - Is it possible to whitelist legitimate parent processes (CGO's) in the restriction profile and block all other PowerShell executions?
2. BIOC rule - Exceptions can be provided but rule gets disabled once it hits 5k alerts in 24 hours which is by design?
3. Do let us know if there is any other method to achieve this.
Thanks in advance.
Regards,
Rahul
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
