Daniel_S
Reliable Contributor
Message 1 of 3

Exploit Prevention exclusion for command line arguments

Hello all,

I am facing a problem with Exploit Prevention exclusions not being agile enough for our customers' needs.

We are currently trying to harden all ENS policies and are just in observe mode for the powershell rules.

There is a tool that runs a batch file which, among other things, issues:

powershell.exe -executionpolicy unrestricted -command "&{Get-AppxPackage Microsoft.3DBuilder | Remove-AppxPackage}".

The "unrestricted" rule applies correctly; however, I would like to exclude it if the command-line string is like Remove-Appx..., and this can't be done in the exclusions.

My next thought on this is:

Disable the default McAfee rule and create an expert rule. This, however, cannot be accomplished in a timely manner, as we are not able to duplicate the defaults and add our own code to them. As it is not only the detection of the string "unrestricted" but all its abbreviations, I am lost at that point.

Any other ideas here?

Best regards
Dan
2 Replies
Kenchee_etf
McAfee Employee
Message 2 of 3

Re: Exploit Prevention exclusion for command line arguments

Hello @Daniel_S 

A few weeks ago I had a similar question, and I posted my answer here with some examples of how this can be done:

*** Problem with exclusion for endpoint threat prevention->Exploit prevention
https://community.mcafee.com/t5/Endpoint-Security-ENS/Problem-with-exclusion-for-endpoint-threat-pre...

Unfortunately, as you may see, there is no workaround for exclusion implementation other than creating expert rules, however, those expert rules and exclusions should be relatively simple, at least for "PowerShell Command parameters".

I hope this helps.

Daniel_S
Reliable Contributor
Message 3 of 3

Re: Exploit Prevention exclusion for command line arguments

Hey mate, thanks for your reply.

I already read your post.

However, I don't think the rules to build are that simple.

Sure, you can include "-EncodedCommand", but that's not the way an attacker will build his script. As already stated, it can come down to only "-e" for encoded command, and that's exactly where the McAfee black box comes into play. You don't see what's in there, but believe me, I made a lot of tests, and there were a lot of combinations that got caught by the default rule.

So either one gets insight into the default rules or you're lost here. I will never just implement a policy with "-EncodedCommand" without all abbreviations.

Some good reads related to obfuscated powershell attacks can be found here:

https://adsecurity.org/?p=2604

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf

Best regards
Dan
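The two points the thread turns on are (1) that an exclusion would need to look at the command text (Remove-AppxPackage) rather than at the switch that fired the rule, and (2) that any rule keyed on the literal "-EncodedCommand" misses the abbreviated forms powershell.exe accepts. The following is an added illustration, not code from this thread or from McAfee ENS: it normalises a powershell.exe command line to canonical switch names before evaluating two constructed stand-in rules ("unrestricted execution policy" and "encoded command") together with a substring exclusion. The table of accepted abbreviations is my assumption from reading the console host's parameter parser (prefix matching with a minimum length, plus the short aliases "-ec" and "-ep"); verify it against the PowerShell build you deploy. The rule names, the sample command lines and the base64 blob (which decodes to "echo hi") are constructed for the example.

```python
import base64
import binascii
import shlex

# Canonical switch -> accepted forms as (full name, minimum abbreviation).
# ASSUMPTION: mirrors powershell.exe's prefix matching as I understand it;
# check against your own PowerShell version before relying on it.
SWITCH_FORMS = {
    "encodedcommand": (("encodedcommand", "e"), ("ec", "ec")),
    "executionpolicy": (("executionpolicy", "ex"), ("ep", "ep")),
    "command": (("command", "c"),),
    "file": (("file", "f"),),
    "windowstyle": (("windowstyle", "w"),),
    "noprofile": (("noprofile", "nop"),),
    "noninteractive": (("noninteractive", "noni"),),
    "nologo": (("nologo", "nol"),),
    "noexit": (("noexit", "noe"),),
}
TAKES_VALUE = {"encodedcommand", "executionpolicy", "windowstyle"}
TAKES_REST = {"command", "file"}  # everything after the switch is the value


def canonical_switch(token):
    """Map '-e', '-EnC', '/ep', ... to the canonical switch name, or None."""
    if not token or token[0] not in "-/":
        return None
    abbrev = token[1:].lower()
    for name, forms in SWITCH_FORMS.items():
        for full, minimum in forms:
            if full.startswith(abbrev) and len(abbrev) >= len(minimum):
                return name
    return None


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of UTF-16LE script text; None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_powershell_cmdline(cmdline):
    """Normalise a powershell.exe command line into {canonical switch: value}.
    Flags map to True; tokens that are not recognised switches go under 'unknown'."""
    tokens = shlex.split(cmdline, posix=True)
    result = {}
    i = 1  # tokens[0] is the image name
    while i < len(tokens):
        name = canonical_switch(tokens[i])
        if name is None:
            result.setdefault("unknown", []).append(tokens[i])
            i += 1
        elif name in TAKES_REST:
            result[name] = " ".join(tokens[i + 1:])
            break
        elif name in TAKES_VALUE:
            result[name] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
        else:
            result[name] = True
            i += 1
    if "encodedcommand" in result:
        result["decoded_command"] = decode_encoded_command(result["encodedcommand"])
    return result


def evaluate(cmdline, exclusion_substrings=()):
    """Apply two constructed rules (stand-ins for the ENS defaults discussed in
    the thread) and a substring exclusion over the plain or decoded command text."""
    parsed = parse_powershell_cmdline(cmdline)
    hits = []
    if parsed.get("executionpolicy", "").lower() == "unrestricted":
        hits.append("executionpolicy-unrestricted")
    if "encodedcommand" in parsed:
        hits.append("encodedcommand")
    script = parsed.get("command") or parsed.get("decoded_command") or ""
    excluded = any(s.lower() in script.lower() for s in exclusion_substrings)
    return {"hits": hits, "excluded": excluded, "blocked": bool(hits) and not excluded}


if __name__ == "__main__":
    # Constructed sample: the batch file's command line from the first post.
    print(evaluate(
        'powershell.exe -executionpolicy unrestricted '
        '-command "&{Get-AppxPackage Microsoft.3DBuilder | Remove-AppxPackage}"',
        ["Remove-AppxPackage"]))
```

Because the exclusion is evaluated on the normalised parse rather than on the raw string, the same rule text catches `-ep unrestricted` and `-executionpolicy unrestricted` alike, and the Remove-AppxPackage exclusion applies only to the command body, not to the switch that triggered the rule.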