02-10-2021 06:38 AM
For the past couple of days, we have received a low priority alert with the following params:
Source: XDR Agent
Category: Exploit
Action: Prevented (Blocked)
In researching the alert in the alert table, I have determined that the action is tied with a homegrown powershell cmdlet.
My conundrum is I want to create an exclusion for the specific powershell.exe Get-CustomCmdlet. However, since this is a support terminal server with numerous support users, I do not want to just give carte-blanche access to powershell. I haven't been able to figure out this specific scenario.
02-10-2021 08:00 AM
Hi @RNance,
My recommendation would be to create an exception for this activity. The exception would only allow the custom script to get past only the referenced exploit protection rule while still applying other exploit protection rules as desired. You can create an exception for this exploit rule by right-clicking the alert, going to "manage alert," and then selecting "create alert exception."
This exception can be applied globally or to a specific profile that would only affect a set of devices, whichever is more appropriate for your environment. Given that your description only mentions one terminal server, I would recommend creating a unique exceptions profile and applying it only to that endpoint. Instructions on how to create an exceptions profile can be found here.
02-10-2021 10:33 AM - edited 02-10-2021 10:34 AM
Yes, however when creating an exception in that manner, all it really does (or at least says) is that will create a Generic alert based on the process name powershell.exe. However, I need it to go beyond just powershell.exe and to include the cmdlet. Essentially, I need to create an exception based more on the "Initiator Cmd" as opposed to just the "Initiated By". The way the exception is perceived is that you are providing an exception just to powershell.exe, which is too broad.
I was envisioning something akin to Malicious Child Process Protection where you can define a child process command line param. The difference here is that powershell is the parent process and there is no child process in this example. Thanks.
02-10-2021 10:42 AM
Hi @RNance,
Creating an exception would prevent the rule from executing, allowing the PowerShell script to run. The alert, on the other hand, may well be generated in a generic format, which can be suppressed via exclusion. However, permitting the script to run is a use-case for the exploit rule exception. Furthermore, exploit protection exceptions do not support target scripts as a parameter at this moment in time. That would be a feature request at this point, which your account team should be able to report on.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
