About RNance

RNance · ‎02-10-2021

Yes, however when creating an exception in that manner, all it really does (or at least says) is that will create a Generic alert based on the process name powershell.exe. However, I need it to go beyond just powershell.exe and to include the cmdlet. Essentially, I need to create an exception based more on the "Initiator Cmd" as opposed to just the "Initiated By". The way the exception is perceived is that you are providing an exception just to powershell.exe, which is too broad. I was envisioning something akin to Malicious Child Process Protection where you can define a child process command line param. The difference here is that powershell is the parent process and there is no child process in this example. Thanks.

RNance · ‎02-10-2021

For the past couple of days, we have received a low priority alert with the following params: Source: XDR Agent Category: Exploit Action: Prevented (Blocked) In researching the alert in the alert table, I have determined that the action is tied with a homegrown powershell cmdlet. My conundrum is I want to create an exclusion for the specific powershell.exe Get-CustomCmdlet. However, since this is a support terminal server with numerous support users, I do not want to just give carte-blanche access to powershell. I haven't been able to figure out this specific scenario.

Member Since	‎05-03-2018 07:10 AM
Date Last Visited	‎02-16-2023 04:02 PM
Posts	2

Online Status	Offline
Date Last Visited	‎02-16-2023 04:02 PM

About RNance

Re: Trying to create an exclusion for a process with a specific cmdlet (exploit)

Trying to create an exclusion for a process with a specific cmdlet (exploit)

Re: Trying to create an exclusion for a process with a specific cmdlet (exploit)

Trying to create an exclusion for a process with a specific cmdlet (exploit)