cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11274
Views
25
Helpful
21
Replies

exclude/whiteliste certain powershell commands

thomas.methlie
Level 1
Level 1

Admins being admins like to use powershell to solve certain task. To do this they will often run a powershell file downloaded from a server, i.e:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('https://example.com/script.ps1'))

This being an obvious red flag triggers AMP, but gives a lot of false positives in this case. 

 

Is there any way to exclude/whitelist something like this? Like the full command with arguments, the server from which it downloads??

 

Regards,

Thomas

21 Replies 21

They know its an issue, it was talked about at a CAB/Forum I was at recently. I feel like its "coming soon", but honestly can't remember if there was a date or version mentioned...

But they know it creates false positives and know that's an issue.

Ken

Hi,

is there any new information on this feature request? 
Has this already been implemented?

Thanks for response

MichaelErana
Level 1
Level 1

Ping on this topic. I'm also looking for a way to use command parameter content to form an exclusion. In my case the offending command is:

C:\WINDOWS\system32\cmd.exe /d /c C:\Program Files (x86)\ThousandEyes\Endpoint Agent\te-chromehelper.exe chrome-extension://obdencanbejmhpbikpcgkdflkffifoof/ --parent-window=0 < \\.\pipe\LOCAL\edge.nativeMessaging.in.43b0764b69528ed5 > \\.\pipe\LOCAL\edge.nativeMessaging.out.43b0764b69528ed5

I'd love to be able to wildcard and use the "ThousandEyes" portion of the command parameter for the exclusion.

 

Hello @MichaelErana ,
feature is under development. You may ping your Cisco representative for more details. We do not share Roadmap information here in the community. 
Thanks and Greetings,
Thorsten

sdawson14
Level 1
Level 1

Hey, we don't have a cisco rep but this feature request has been open since 2019, any news on when it's actually going to be released? I can make these exclusions in every other product apart from AMP and it's causing a lot of noise. Does it really take almost 4 years to develop this feature? 

mcolford
Level 1
Level 1

Any update on this feature? Experiencing the same problem.

From what I can tell, you can create an exclusion for the suspect behaviour, e.g.:

dstaudt_0-1719506558141.png

However, I don't see a way to qualify that further by specific command line parameters given to the process.
Some thoughts:
* Would it be enough to create an exclusion for the specific admin user/group?  I.e. powershell+dstaudt is excluded?
* Perhaps automation could be written to use the AMP APIs to apply a generic exclusion (e.g. the IOC exclusion pictured above), then remove it once the admin's work is done?
* Find some way to localize the needed functionality into a specific executable that only the designated admin/group can run, maybe copy powershell executable to a new file in a different path that can be excluded?  Create an executable - in Python/C#/compiled PS - that does only the thing needed, and exclude that?