cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11153
Views
25
Helpful
21
Replies

exclude/whiteliste certain powershell commands

thomas.methlie
Level 1
Level 1

Admins being admins like to use powershell to solve certain task. To do this they will often run a powershell file downloaded from a server, i.e:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('https://example.com/script.ps1'))

This being an obvious red flag triggers AMP, but gives a lot of false positives in this case. 

 

Is there any way to exclude/whitelist something like this? Like the full command with arguments, the server from which it downloads??

 

Regards,

Thomas

1 Accepted Solution

Accepted Solutions

Troja007
Cisco Employee
Cisco Employee

Opened a Feature Request for you.

Greetings,

Thorsten

View solution in original post

21 Replies 21

balaji.bandi
Hall of Fame
Hall of Fame

Are you looking to exclude this AMP for end point, here is the exclustiondocument to exclude certain extension as per the requirement,ent.

 

https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

thanks but that guide doesn´t provide any info on my problem. To be more precise, I don´t want to exclude powershell process or ps script files on a general basis

Troja007
Cisco Employee
Cisco Employee

Hello Thomas,

sorry to say, but, as explained in the documentation this is the way we can handle exclusions today. The best way is to report this missing feature to your Cisco Representative to open a Feature Request for this.

 

Just to be sure: You are getting a lot of IOCs?

 

Greetings,

Thorsten

Hi,

yeah this is one of our largest sources of false positive alerts and spend quite some time cleaning up the dashboard. Could of course mute the events, but I don´t feel comfortable muting too much stuff.

 

Thanks for opening a Feature Request.

 

Regards,

Thomas

So,

what would help? Defining an exclusion with several parameters? 

Including:

  1. Path of the Process, Process name
  2. Hash and Signer
  3. Source where the file is downloaded from

Looks easy, but is much more development effort. The questions is, where to enforce.

  • Endpoint: We have to define how big the time window is the endpoint can monitor AND what the performance/resource impact on the endpoint is.
  • Backend: Changing the whole logic. This must be done for every customer, because exclusions will be different.
    • We also need some kind of "plausibility check" to avoid impacts in the backend based on wrong defined exclusions.

But finally, something which should be included in the product.

Cheers,

Thorsten

Yes, the three parameters you mention is what I was initially thinking of.

If there is a need to assist in testing this, I would be happy to help.

 

Regards,

Thomas

Hello @thomas.methlie,

the only way today is, getting in contact with your Cisco Representative to open a Feature Request.

Greetings,

Thorsten

Troja007
Cisco Employee
Cisco Employee

Opened a Feature Request for you.

Greetings,

Thorsten

We're waiting with bated breath for this feature to come out as we have the same problem. We use powershell to deploy all our stuff and it triggers Cisco AMP on a weekly basis with false positives. It's causing alert fatigue for our analysts but we don't want to exclude ALL powershell.exe as some of them might in fact be malicious. Please please please give us this new feature that allows exclusions on specific powershell scripts. 

Thanks!

rolszowy
Cisco Employee
Cisco Employee
There is one option at the moment to exclude particular IOC by the TAC case.

Radek

Can you elaborate? Where/how can we exclude by IOC?

What is the feature request number?  Roadmap timing for this?

Hello,

this Feature Request is an internal one, and not public viewable. You may get in touch with your Cisco representative to get more insights into upcoming features in the product.

As the roadmap can always get updated, we do not publish this information in the community.

Greetings,

Thorsten

I saw the feature request was going in in 2019,  any update on it?