Safelist Command Obfuscation With Symbols in Secure Endpoint

TomML
Level 1

Is there a way to safelist or create an exclusion for this benign PowerShell command without safelisting cmd.exe or powershell.exe - just the actual Command parameter? These events are classified as "Command Obfuscation With Symbols" compromises and there are several hundred of them.

powershell  -NoLogo -NonInteractive -NoProfile -OutputFormat TEXT -Command "& {$v = (Get-CimInstance win32_OperatingSystem).Version.split('.'); $ver2012 = [int]$v[0] -gt 6 -or [int]$v[1] -gt 1; function replace_unallowed($s) {$s.replace('(', '[').replace(')', ']').replace('#', '_').replace('\', '_').replace('/', '_').toLower()} if($ver2012){ (Get-Counter '\Network Adapter(*)\*').CounterSamples | % {$_.InstanceName} | gu | % { foreach($na in (Get-CimInstance MSFT_NetAdapter -Namespace 'root/StandardCimv2')) { if($_ -eq (replace_unallowed $na.InterfaceDescription) -or $_ -like 'isatap.' + "$($na.DeviceID)") { $na.DeviceID, ':', $_, '|' }}}}}"

Thanks!
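An added example, not part of the original post and not Secure Endpoint's own logic, of the kind of exclusion being asked for: the known-good script body passed via -Command is fingerprinted (SHA-256 over a whitespace-normalized copy) and excluded by that fingerprint, so powershell.exe and cmd.exe themselves stay in scope and any other symbol-heavy script still alerts. The vendor's "Command Obfuscation With Symbols" heuristic is not public here, so a plain symbol count with an assumed threshold stands in for it; the first sample command line is the one from the post, the other three are constructed.

```python
"""Scope an exclusion to the -Command script body, not to the interpreter.

Added example (not Secure Endpoint code). Assumptions: SYMBOLS and
SYMBOL_THRESHOLD are a stand-in for the vendor's obfuscation heuristic, and
the telemetry is a (process name, command line) pair as in the EVENTS list.
"""
import hashlib
import re
from typing import List, Optional, Set, Tuple

# Stand-in heuristic (assumption): count these characters in the command line.
SYMBOLS = set('{}()[]|&;$%^\'"`\\*:+')
SYMBOL_THRESHOLD = 12  # assumed; the real detection's threshold is not published here

# Captures the double-quoted script body that follows -Command (case-insensitive).
_COMMAND_RE = re.compile(r'-Command\s+"(.*)"\s*$', re.IGNORECASE | re.DOTALL)


def extract_command_body(cmdline: str) -> Optional[str]:
    """Return the script passed via -Command, or None if the line has none."""
    m = _COMMAND_RE.search(cmdline)
    return m.group(1) if m else None


def normalize(body: str) -> str:
    """Collapse runs of whitespace so a re-spaced copy keeps the same fingerprint."""
    return re.sub(r"\s+", " ", body).strip()


def fingerprint(body: str) -> str:
    """SHA-256 of the normalized script body: the key the exclusion is scoped to."""
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()


def symbol_count(cmdline: str) -> int:
    """Number of characters in the command line that the stand-in heuristic counts."""
    return sum(1 for ch in cmdline if ch in SYMBOLS)


def classify(cmdline: str, allowlist: Set[str]) -> str:
    """'clean' below the threshold, 'excluded' for a known-good body, else 'alert'."""
    if symbol_count(cmdline) < SYMBOL_THRESHOLD:
        return "clean"
    body = extract_command_body(cmdline)
    if body is not None and fingerprint(body) in allowlist:
        return "excluded"
    return "alert"


def triage(events: List[Tuple[str, str]], allowlist: Set[str]) -> List[Tuple[str, str]]:
    """Run classify() over (process, command line) pairs; returns (process, verdict) pairs."""
    return [(proc, classify(cmdline, allowlist)) for proc, cmdline in events]


# The benign command line quoted in the post, verbatim.
KNOWN_GOOD = r'''powershell  -NoLogo -NonInteractive -NoProfile -OutputFormat TEXT -Command "& {$v = (Get-CimInstance win32_OperatingSystem).Version.split('.'); $ver2012 = [int]$v[0] -gt 6 -or [int]$v[1] -gt 1; function replace_unallowed($s) {$s.replace('(', '[').replace(')', ']').replace('#', '_').replace('\', '_').replace('/', '_').toLower()} if($ver2012){ (Get-Counter '\Network Adapter(*)\*').CounterSamples | % {$_.InstanceName} | gu | % { foreach($na in (Get-CimInstance MSFT_NetAdapter -Namespace 'root/StandardCimv2')) { if($_ -eq (replace_unallowed $na.InterfaceDescription) -or $_ -like 'isatap.' + "$($na.DeviceID)") { $na.DeviceID, ':', $_, '|' }}}}}"'''

# The exclusion: only the fingerprint of the known-good body, not the binary name.
ALLOWLIST = {fingerprint(extract_command_body(KNOWN_GOOD))}

# Constructed sample telemetry: the post's command, a re-spaced copy of it,
# a different symbol-heavy script, and a plain command.
EVENTS = [
    ("powershell.exe", KNOWN_GOOD),
    ("powershell.exe", KNOWN_GOOD.replace("; ", ";  ")),
    ("powershell.exe", r'''powershell.exe -NoProfile -Command "& {Get-ChildItem 'C:\Temp\*' | % { $_.Name }}"'''),
    ("powershell.exe", 'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"'),
]

if __name__ == "__main__":
    for proc, verdict in triage(EVENTS, ALLOWLIST):
        print(f"{proc}: {verdict}")
```

The verdicts come out as excluded, excluded, alert, clean: the two copies of the post's command share one fingerprint because only the script body after -Command is hashed and its whitespace is normalized, while the other symbol-heavy script is still raised and a plain command never reaches the allowlist check at all.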

2 Replies

hemohemoh
Level 1

One way to create an exclusion for a specific PowerShell command without safelisting cmd.exe or powershell.exe is to use the custom detection feature in Secure Endpoint. This allows you to create a custom rule that specifies the exact command line parameters that should be allowed. Here’s how you can do it:

  1. In the Secure Endpoint console, navigate to Policies and select the policy you want to edit.
  2. Click on the Settings tab and scroll down to the Custom Detections section.
  3. Click on Add Custom Detection and select Command Line from the drop-down menu.
  4. In the Command Line field, enter the exact command line parameters that you want to allow, including any symbols or special characters.
  5. Set the Action to Allow and click on Save.

This will create a custom rule that allows the specified command line parameters to be executed without triggering a “Command Obfuscation With Symbols” compromise event.

Thanks, but I'm not seeing a way to add a Command Line exception in either the Custom Detection - Advanced or Application Control - Allowed under Outbreak Control. Also, I'm not seeing a Settings tab (just Advanced Settings) when I edit a Secure Endpoint policy.