Community Help Hub

Andy

I have a custom PowerShell rule written in order to exclude common false-positives in 6086 & 6223.
I'm trying to exclude based on source description of "powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'"

I wrote this signature, but the alert is still firing. Any idea what I missed?

Rule {
Initiator {
Match PROCESS {
Include DESCRIPTION {-v "Windows PowerShell"}
Include DESCRIPTION {-v "Windows PowerShell ISE"}
Include DESCRIPTION {-v "pwsh"}
Include PROCESS_CMD_LINE {-v "* -C*"}
#Custom Exclusions for 6086 and 6223
Exclude PROCESS_CMD_LINE {-v "*-ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'"}
}
}
Target {
Match FILE {
Include OBJECT_NAME {-v "atl.dll}
Include -access "READ"
}
}
}

Daveb3d

You do need ENS 10.7.

Rule {
	Process {
		Include OBJECT_NAME { -v "**" }
	}
	Target {
		Match PROCESS {
			Include DESCRIPTION {
				-v "Windows PowerShell"
				-v "Windows PowerShell ISE"
				-v "pwsh"
			}
			Include PROCESS_CMD_LINE { -v "* -C*"}
			#Custom Exclusions for 6086 and 6223
			Exclude PROCESS_CMD_LINE { -v "*-ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'*"}
			Include -access "CREATE"
		}
	}
}

View solution in original post

Daveb3d

I'm assuming you don't want PowerShell loading that DLL?

Let me condense the rule a bit and actually look for the load rather than just the read, which will be more intensive.

Rule {
	Process {
		Include DESCRIPTION {
			-v "Windows PowerShell"
			-v "Windows PowerShell ISE"
			-v "pwsh"
		}
		Include PROCESS_CMD_LINE { -v "* -C*"}
		#Custom Exclusions for 6086 and 6223
		Exclude PROCESS_CMD_LINE { -v "*-ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'*"}
	}
	Target {
		Match SECTION {
			Include OBJECT_NAME { -v "atl.dll" }
			Include -access "CREATE"
		}
	}
}

I tried just adding a * at the end of the command line. See if that helps. Sometimes there is a trailing space you don't see in the logs.

Andy

Actually, I'm using atl.dll as a trigger for my PowerShell signatures. Anytime PowerShell is accessed, it performs a READ and EXECUTE of atl.dll.

Using this, I can then exclude certain strings, such as "*-ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'"

I can apply this in place of the standard 6086 and other PowerShell commands, for which I cannot write discreet exceptions.

The goal is to block anything EXCEPT what's listed in the Exclude PROCESS_CMD_LINE strings

Daveb3d

Why not just make ps the target process? Better for forensics and you can use the parent as a source of exclusions

Andy

I'm not certain what that would look like. Do you have an example?

Daveb3d

You do need ENS 10.7.

Rule {
	Process {
		Include OBJECT_NAME { -v "**" }
	}
	Target {
		Match PROCESS {
			Include DESCRIPTION {
				-v "Windows PowerShell"
				-v "Windows PowerShell ISE"
				-v "pwsh"
			}
			Include PROCESS_CMD_LINE { -v "* -C*"}
			#Custom Exclusions for 6086 and 6223
			Exclude PROCESS_CMD_LINE { -v "*-ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'*"}
			Include -access "CREATE"
		}
	}
}

Andy

Thank you for the response. This is pretty straight-forward. I was trying to be more specific because I figured that the method you recommend will be more process intensive.

Now that I'm looking at bosigcanned.xml and reviewing their writing process, it looks much the same as the methodology you're using.
I'm waiting for a trigger, but this looks good enough to be considered as the answer. Thank you again!

Custom PowerShell rule keeps firing after exclusion

Re: Custom PowerShell rule keeps firing after exclusion

Re: Custom PowerShell rule keeps firing after exclusion

Re: Custom PowerShell rule keeps firing after exclusion

Re: Custom PowerShell rule keeps firing after exclusion

Re: Custom PowerShell rule keeps firing after exclusion

Re: Custom PowerShell rule keeps firing after exclusion

Re: Custom PowerShell rule keeps firing after exclusion

Community Help Hub

Join the Community