ATP Rules 322 and 324 and Powershell

Recently I had an ATP alert on two critical servers. ATP Rules 322 and 324 were triggered – Action Taken: Would Block (since ATP was in Observe Mode.)

In both cases, a Powershell script was run and the AdaptiveThreatProtection_Activity.log reported that malicious activity occurred associated with JTI/Suspect.131394!

JTI/Suspect is largely referred to as a False Positive detection.

I need to understand why this detection occurred. If ATP had been in Enable Mode, the PowerShell scripts would not have been allowed to run.

I disabled ATP Rules 322 and 324 globally which is something that I did not want to do.

AMSI is set to Observe Mode for these particular servers. I heard that enabling AMSI under ENS 10.6.1 can be problematic and that it works much better under 10.7.

Any advice is greatly appreciated.

Thank you.

Accepted Solutions
Former Member

Re: ATP Rules 322 and 324 and Powershell

Hi @Glenn_Bolton 

Many thanks for posting on the Community.

AMSI and ATP JTI Rules are separate features of the product so please don't confuse them or link them. If you check the following KB it gives you a description of the rule which may help you understand why a rule was triggered: https://kc.mcafee.com/corporate/index?page=content&id=KB82925

322 - Mitre-T1170: Prevent mshta from being launched by any process for Security rule group assignments only.

324 - Mitre-T1170: Prevent mshta from launching suspicious process.


If you need more info on why the rule was triggered, we would need you to enable debug logging for ENS, reproduce the issue whilst collecting Procmon and AMTRACE (see KB86691 for instructions) and collect an MER. We would need to validate what is going on to see if it's a false positive or if it was a legitimate violation of this rule.
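To make the two rule descriptions above concrete for triage, here is an added example (not code from this thread or from ENS) that encodes rule 322 and rule 324 as plain parent/child checks over constructed process-creation records. The field names, the sample events and the list of "suspicious" child processes used for rule 324 are assumptions; ENS's own matching logic and list are not published on this page. Running it shows which event shape each rule corresponds to, and that a script started by a non-mshta parent matches neither description as written.

```python
"""Rule-shape demo for ENS ATP rules 322 and 324 (added example).

Not code from the McAfee Community thread or from ENS. It encodes the two
rule descriptions quoted in the accepted answer as parent/child checks over
process-creation records, so a defender triaging a "Would Block" event can
see which event shape each rule corresponds to. Field names and the sample
events are constructed; the suspicious-child list for rule 324 is an
assumption (ENS's own list is not on the page).
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (shape modelled on a 4688-style event)."""
    parent_image: str
    image: str
    command_line: str


# Assumed set of children worth flagging under rule 324 ("suspicious process").
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe",
}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def rule_322(ev: ProcessEvent) -> bool:
    """322: mshta launched by any process -> the new process itself is mshta."""
    return image_name(ev.image) == "mshta.exe"


def rule_324(ev: ProcessEvent) -> bool:
    """324: mshta launching a suspicious process -> parent is mshta, child is listed."""
    return (image_name(ev.parent_image) == "mshta.exe"
            and image_name(ev.image) in SUSPICIOUS_CHILDREN)


RULES = {322: rule_322, 324: rule_324}


def evaluate(events):
    """Return, per event, the sorted list of rule ids whose description it matches."""
    return [sorted(rid for rid, check in RULES.items() if check(ev)) for ev in events]


# Constructed sample events (not real telemetry from the servers in the thread).
SAMPLE_EVENTS = [
    # Scheduled task runs a PowerShell script directly: neither rule's shape.
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\backup.ps1"),
    # Explorer starts mshta: rule 322's shape.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Users\u\report.hta"),
    # mshta starts PowerShell: rule 324's shape.
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -Command Get-Date"),
    # mshta starts notepad: parent is mshta but the child is not on the list.
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe"),
]


def triage_report(events=SAMPLE_EVENTS) -> list:
    """Human-readable lines pairing each event with the rules it matches."""
    lines = []
    for ev, hits in zip(events, evaluate(events)):
        label = ", ".join(str(h) for h in hits) or "no match"
        lines.append(f"{image_name(ev.parent_image)} -> {image_name(ev.image)}: {label}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report()))
```

When an ATP event does not fit either shape, the next step is the one the answer describes: debug logging plus Procmon/AMTRACE on a reproduction, so the actual parent/child chain and command line behind the "Would Block" entry can be compared against the rule.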

Re: ATP Rules 322 and 324 and Powershell

Thank you again,

I was not able to duplicate the issue on this particular server (for reasons outside of my control).

If this occurs again, I will take that approach.

I placed a call with tech support and they suggested that I disable rules 322 and 324. I did this temporarily, but I prefer not to do this for the long haul. I may need to keep ATP in Observe mode slightly longer.

I also need to get a better idea of what is behind the "JTI" false positives, and I will review KB86691 and KB82925.

Thank you again.
