We would like to use Exploit Prevention for PowerShell attacks. Exploit Prevention offers multiple signatures which can be used to monitor or block the usage of PowerShell (e.g. 6070 - Hidden Powershell Detected or 6073 - Execution Policy Bypass in PowerShell).
We've enabled Exploit Prevention and put the signatures 6070 and 6073 in report mode. After a while we analyzed the events. Unfortunately, there were many false alarms, and now we would like to know if we can define exclusions for specific use cases:
1. Exploit Prevention must not block "start.ps1":
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy bypass -NonInteractive -File C:\scripts\windows\Start.ps1
2. Exploit Prevention must not block the following command for AppV:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer 1 -Glo