DavHio
Level 10
Message 1 of 5

How to exclude certain Powershell parameters from being blocked?

Hello pros!

I need to find a way to exclude certain Powershell parameters from being blocked.

Threat event detail:
Description: System ran cohesity_windows_agent_service.exe, which accessed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. Adaptive Threat Protection blocked access because the reputation (Most Likely Malicious) is below the configured Block threshold.

Threat Target Network Protocol:
Threat Target Process Name: powershell.exe
Threat Target File Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Event Category: Reputation
Event ID: 35104
Threat Severity: Critical
Threat Name: JTI/Suspect.1179887!c031e215b8b0
Threat Type: Trojan
Action Taken: Adaptive Threat Protection Blocked
Threat Handled: True
Analyzer Detection Method: On-Execute Scan
Events received from managed systems
Event Description: Adaptive Threat Protection Block
Endpoint Security
Module Name: Adaptive Threat Protection

Rule Name: Identify suspicious command parameter execution
Rule Description: Mitre-T1059, T1490: Identifies the suspicious execution of an application through command line parameters.
Rule Detailed Description: Tactic: Execution, Impact - Technique: T1059,T1490. This rule targets suspicious invocations of command and script interpreters such as attempts to inhibit system recovery. If this rule triggers the command line should be reviewed to ensure this is expected behavior for the endpoint

Story Graph:

Event Details
Process was already running
Target Name
services.exe
Reputation Known Trusted
Reputation Score 99
PID 864:133258790453746491
Command Line Parameter
None


Target Name
cohesity_windows_agent_service.exe
Reputation Known Trusted
Reputation Score 99
PID 2816:133259317763280429
Command Line Parameter
"C:\Program Files\Cohesity\cohesity_windows_agent_service.exe"

Target Name
powershell.exe
Reputation Most Likely Malicious
Reputation Score 15
PID 8520:133259318408125846
Action Taken
Adaptive Threat Protection Blocked
MD5
c031e215b8b08c752bf362f6d4c5d3ad
Command Line Parameter
powershell -NoLogo -NonInteractive -ExecutionPolicy bypass -EncodedCommand SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJABFAG4AdgA6AHMAYwByAGkAcAB0AF8AYwBvAG4AdABlAG4AdABzAA==

I can't find any good way to exclude this in TIE, OAS, ATP. Any ideas would be appreciated!

Thanks!

David

4 Replies
Pravas
Employee
Message 2 of 5

Re: How to exclude certain Powershell parameters from being blocked?

Hi @DavHio ,

The event is triggered by ATP rule ID 239.

I guess it's being flagged because of the encoded command used with PowerShell.

You may test by excluding Source Process i.e. cohesity_windows_agent_service.exe in OAS Standard Profile.

https://docs.trellix.com/bundle/endpoint-security-10.6.0-adaptive-threat-protection-product-guide-wi...

Thanks


DavHio
Level 10
Message 3 of 5

Re: How to exclude certain Powershell parameters from being blocked?

Thanks for your reply,

Unfortunately I already tried that and it did not work.

BR

David

Re: How to exclude certain Powershell parameters from being blocked?

The issue I think is that the content of the encoded command is highly suspect.

It looks like parameters have been passed to an environment variable, and that variable is then called with Invoke-Expression. This has malicious written all over it as a way of obfuscating the real intent. I'm not saying it actually is bad, it just looks really bad.

If this isn't a recurring thing, I would just disable ATP briefly, let them run it, and then turn it back on, once you have verified the content of that variable.

Dave
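Dave's reading of the encoded command can be checked directly: `-EncodedCommand` is base64 over UTF-16LE text, so the blob from the event decodes to a one-liner that runs whatever is in an environment variable. The script below is an added example (not from the thread or from Trellix) that pulls the payload off a command line, decodes it, and flags the same traits the ATP rule description points at (execution-policy bypass, Invoke-Expression, a script body sourced from `$Env:`). The command line is the one quoted in the original post; the abbreviated switch list, the `encode_command` helper and the indicator regexes are assumptions for illustration, not product behaviour.

```python
import base64
import re
from typing import Dict, List, Optional

# Command line quoted in the original post (page data, not constructed).
SAMPLE_CMDLINE = (
    "powershell -NoLogo -NonInteractive -ExecutionPolicy bypass -EncodedCommand "
    "SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJABFAG4AdgA6AHMAYwByAGkAcAB0"
    "AF8AYwBvAG4AdABlAG4AdABzAA=="
)

# Switch spellings that powershell.exe accepts for -EncodedCommand.
# Assumption: illustrative list of the documented and commonly seen forms.
_ENCODED_FLAGS = ("-encodedcommand", "-enc", "-ec", "-e")


def extract_encoded_payload(cmdline: str) -> Optional[str]:
    """Return the base64 argument that follows an -EncodedCommand style switch."""
    tokens = cmdline.split()  # plain whitespace split; Windows quoting is not shell quoting
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in _ENCODED_FLAGS:
            return tokens[i + 1]
    return None


def decode_encoded_command(payload: str) -> str:
    """-EncodedCommand carries UTF-16LE text, not UTF-8; decoding as UTF-8 gives NUL-padded junk."""
    raw = base64.b64decode(payload, validate=True)
    return raw.decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used here only to build benign test input (hypothetical helper)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage(cmdline: str) -> Dict[str, object]:
    """Decode the payload (if any) and list the traits that make such a command line look suspect."""
    findings: List[str] = []
    if re.search(r"-executionpolicy\s+bypass", cmdline, re.I):
        findings.append("execution_policy_bypass")

    payload = extract_encoded_payload(cmdline)
    decoded = decode_encoded_command(payload) if payload else None
    if decoded is not None:
        findings.append("encoded_command")
        # Invoke-Expression (or its alias iex) evaluates a string as code.
        if re.search(r"\b(invoke-expression|iex)\b", decoded, re.I):
            findings.append("invoke_expression")
        # The script body lives in an environment variable, so the command line alone
        # does not reveal what runs; the variable's content is what must be reviewed.
        if re.search(r"\$env:\w+", decoded, re.I):
            findings.append("script_from_environment_variable")
    return {"decoded": decoded, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print("decoded :", result["decoded"])
    print("findings:", ", ".join(result["findings"]))
```

For the event in the thread this decodes to `Invoke-Expression $Env:script_contents`, which is exactly the pattern Dave describes: the command line itself is harmless-looking, and the actual script is whatever the parent process placed in `script_contents` before launching PowerShell. That is why an exclusion on the command line or on the PowerShell hash is a weak fix; the variable content is what should be captured and reviewed before deciding the behaviour is expected.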

DavHio
Level 10
Message 5 of 5

Re: How to exclude certain Powershell parameters from being blocked?

Thanks Dave for the reply!

I believe that it is what you describe. I will exclude it in the description of the Automatic Response instead.

David
