topic Re: exclude/whiteliste certain powershell commands in Endpoint Security

exclude/whiteliste certain powershell commands

thomas.methlie — Fri, 21 Feb 2020 05:11:01 GMT

Admins being admins like to use powershell to solve certain task. To do this they will often run a powershell file downloaded from a server, i.e:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('https://example.com/script.ps1'))

This being an obvious red flag triggers AMP, but gives a lot of false positives in this case.

Is there any way to exclude/whitelist something like this? Like the full command with arguments, the server from which it downloads??

Regards,

Thomas

Re: exclude/whiteliste certain powershell commands

balaji.bandi — Fri, 11 Oct 2019 10:10:41 GMT

Are you looking to exclude this AMP for end point, here is the exclustiondocument to exclude certain extension as per the requirement,ent.

https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html

Re: exclude/whiteliste certain powershell commands

thomas.methlie — Fri, 11 Oct 2019 11:42:30 GMT

thanks but that guide doesn´t provide any info on my problem. To be more precise, I don´t want to exclude powershell process or ps script files on a general basis

Re: exclude/whiteliste certain powershell commands

Troja007 — Wed, 16 Oct 2019 11:43:13 GMT

Hello Thomas,

sorry to say, but, as explained in the documentation this is the way we can handle exclusions today. The best way is to report this missing feature to your Cisco Representative to open a Feature Request for this.

Just to be sure: You are getting a lot of IOCs?

Greetings,

Thorsten

Re: exclude/whiteliste certain powershell commands

Troja007 — Wed, 16 Oct 2019 11:47:41 GMT

Opened a Feature Request for you.

Greetings,

Thorsten

Re: exclude/whiteliste certain powershell commands

thomas.methlie — Wed, 16 Oct 2019 13:32:25 GMT

Hi,

yeah this is one of our largest sources of false positive alerts and spend quite some time cleaning up the dashboard. Could of course mute the events, but I don´t feel comfortable muting too much stuff.

Thanks for opening a Feature Request.

Regards,

Thomas

Re: exclude/whiteliste certain powershell commands

Troja007 — Thu, 17 Oct 2019 11:54:59 GMT

So,

what would help? Defining an exclusion with several parameters?

Including:

Path of the Process, Process name
Hash and Signer
Source where the file is downloaded from

Looks easy, but is much more development effort. The questions is, where to enforce.

Endpoint: We have to define how big the time window is the endpoint can monitor AND what the performance/resource impact on the endpoint is.
Backend: Changing the whole logic. This must be done for every customer, because exclusions will be different.
- We also need some kind of "plausibility check" to avoid impacts in the backend based on wrong defined exclusions.

But finally, something which should be included in the product.

Cheers,

Thorsten

Re: exclude/whiteliste certain powershell commands

thomas.methlie — Tue, 22 Oct 2019 07:36:24 GMT

Yes, the three parameters you mention is what I was initially thinking of.

If there is a need to assist in testing this, I would be happy to help.

Regards,

Thomas

Re: exclude/whiteliste certain powershell commands

Troja007 — Wed, 23 Oct 2019 09:45:05 GMT

Hello @thomas.methlie,

the only way today is, getting in contact with your Cisco Representative to open a Feature Request.

Greetings,

Thorsten

Re: exclude/whiteliste certain powershell commands

POAL — Thu, 14 Nov 2019 20:43:35 GMT

We're waiting with bated breath for this feature to come out as we have the same problem. We use powershell to deploy all our stuff and it triggers Cisco AMP on a weekly basis with false positives. It's causing alert fatigue for our analysts but we don't want to exclude ALL powershell.exe as some of them might in fact be malicious. Please please please give us this new feature that allows exclusions on specific powershell scripts.

Thanks!

Re: exclude/whiteliste certain powershell commands

rolszowy — Thu, 14 Nov 2019 21:28:18 GMT

There is one option at the moment to exclude particular IOC by the TAC case.

Radek

Re: exclude/whiteliste certain powershell commands

Shinku — Tue, 15 Dec 2020 18:41:16 GMT

Can you elaborate? Where/how can we exclude by IOC?

Re: exclude/whiteliste certain powershell commands

gmcclintick1 — Mon, 05 Apr 2021 17:39:13 GMT

What is the feature request number? Roadmap timing for this?

Re: exclude/whiteliste certain powershell commands

Troja007 — Tue, 06 Apr 2021 09:22:11 GMT

Hello,

this Feature Request is an internal one, and not public viewable. You may get in touch with your Cisco representative to get more insights into upcoming features in the product.

As the roadmap can always get updated, we do not publish this information in the community.

Greetings,

Thorsten

Re: exclude/whiteliste certain powershell commands

SebastianF — Thu, 17 Mar 2022 12:49:00 GMT

Hi,

is there any new information on this feature request?
Has this already been implemented?

Thanks for response

Re: exclude/whiteliste certain powershell commands

MichaelErana — Wed, 12 Oct 2022 12:08:04 GMT

Ping on this topic. I'm also looking for a way to use command parameter content to form an exclusion. In my case the offending command is:

C:\WINDOWS\system32\cmd.exe /d /c C:\Program Files (x86)\ThousandEyes\Endpoint Agent\te-chromehelper.exe chrome-extension://obdencanbejmhpbikpcgkdflkffifoof/ --parent-window=0 < \\.\pipe\LOCAL\edge.nativeMessaging.in.43b0764b69528ed5 > \\.\pipe\LOCAL\edge.nativeMessaging.out.43b0764b69528ed5

I'd love to be able to wildcard and use the "ThousandEyes" portion of the command parameter for the exclusion.

Re: exclude/whiteliste certain powershell commands

Troja007 — Wed, 12 Oct 2022 12:30:18 GMT

Hello @MichaelErana ,
feature is under development. You may ping your Cisco representative for more details. We do not share Roadmap information here in the community.
Thanks and Greetings,
Thorsten

Re: exclude/whiteliste certain powershell commands

Davedog — Tue, 18 Oct 2022 12:52:12 GMT

I saw the feature request was going in in 2019, any update on it?

Re: exclude/whiteliste certain powershell commands

Ken Stieers — Tue, 18 Oct 2022 13:25:38 GMT

They know its an issue, it was talked about at a CAB/Forum I was at recently. I feel like its "coming soon", but honestly can't remember if there was a date or version mentioned...

But they know it creates false positives and know that's an issue.

Ken

Re: exclude/whiteliste certain powershell commands

sdawson14 — Wed, 27 Sep 2023 09:55:12 GMT

Hey, we don't have a cisco rep but this feature request has been open since 2019, any news on when it's actually going to be released? I can make these exclusions in every other product apart from AMP and it's causing a lot of noise. Does it really take almost 4 years to develop this feature?