Solved: Re: exclude/whiteliste certain powershell commands - Page 2

thomas.methlie · ‎10-11-2019

Admins being admins like to use powershell to solve certain task. To do this they will often run a powershell file downloaded from a server, i.e:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('https://example.com/script.ps1'))

This being an obvious red flag triggers AMP, but gives a lot of false positives in this case.

Is there any way to exclude/whitelist something like this? Like the full command with arguments, the server from which it downloads??

Regards,

Thomas

Ken Stieers · ‎10-18-2022

They know its an issue, it was talked about at a CAB/Forum I was at recently. I feel like its "coming soon", but honestly can't remember if there was a date or version mentioned...

But they know it creates false positives and know that's an issue.

Ken

SebastianF · ‎03-17-2022

Hi,

is there any new information on this feature request?
Has this already been implemented?

Thanks for response

MichaelErana · ‎10-12-2022

Ping on this topic. I'm also looking for a way to use command parameter content to form an exclusion. In my case the offending command is:

C:\WINDOWS\system32\cmd.exe /d /c C:\Program Files (x86)\ThousandEyes\Endpoint Agent\te-chromehelper.exe chrome-extension://obdencanbejmhpbikpcgkdflkffifoof/ --parent-window=0 < \\.\pipe\LOCAL\edge.nativeMessaging.in.43b0764b69528ed5 > \\.\pipe\LOCAL\edge.nativeMessaging.out.43b0764b69528ed5

I'd love to be able to wildcard and use the "ThousandEyes" portion of the command parameter for the exclusion.

Troja007 · ‎10-12-2022

Hello @MichaelErana ,
feature is under development. You may ping your Cisco representative for more details. We do not share Roadmap information here in the community.
Thanks and Greetings,
Thorsten

sdawson14 · ‎09-27-2023

Hey, we don't have a cisco rep but this feature request has been open since 2019, any news on when it's actually going to be released? I can make these exclusions in every other product apart from AMP and it's causing a lot of noise. Does it really take almost 4 years to develop this feature?

mcolford · ‎06-27-2024

Any update on this feature? Experiencing the same problem.

dstaudt · ‎06-27-2024

From what I can tell, you can create an exclusion for the suspect behaviour, e.g.:

However, I don't see a way to qualify that further by specific command line parameters given to the process.
Some thoughts:
* Would it be enough to create an exclusion for the specific admin user/group? I.e. powershell+dstaudt is excluded?
* Perhaps automation could be written to use the AMP APIs to apply a generic exclusion (e.g. the IOC exclusion pictured above), then remove it once the admin's work is done?
* Find some way to localize the needed functionality into a specific executable that only the designated admin/group can run, maybe copy powershell executable to a new file in a different path that can be excluded? Create an executable - in Python/C#/compiled PS - that does only the thing needed, and exclude that?