The "unrestricted" rule applies correctly; however, I would like to exclude if the command-line string is like Remove-Appx... and this can't be done in the exclusions.
My next thought on this is:
Disable the default McAfee rule and create an expert rule. This, however, cannot be accomplished in a timely manner, as we are not able to duplicate the defaults and add our own code to it. As it is not only the detection of the string "unrestricted" but all its abbreviations, I am lost at that point.
Unfortunately, as you may see, there is no workaround for exclusion implementation other than creating expert rules, however, those expert rules and exclusions should be relatively simple, at least for "PowerShell Command parameters".
I hope this helps.
Re: Exploit Prevention exclusion for command line arguments
Hey mate, thanks for your reply.
I already read your post.
However, I don't think the rules to build are that simple.
Sure, you can include "-EncodedCommand", but that's not the way an attacker will build his script. As already stated, it can come down to only "-e" for encoded command, and that's exactly where the McAfee black box comes into play. You don't see what's in there, but believe me, I made a lot of tests, and there were a lot of combinations that got caught by the default rule.
So either one gets insight into the default rules or you're lost here. I will never just implement a policy with "-EncodedCommand" without all abbreviations.
Some good reads related to obfuscated PowerShell attacks can be found here:
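The abbreviation problem raised in this thread comes from how powershell.exe parses its own switches: besides the documented short forms (-e, -ec, -ex, -ep, -nop, ...) it accepts any unambiguous prefix of a parameter name, so a rule that matches the literal "-EncodedCommand" misses most real invocations. The following is an added example, not code from the thread or from McAfee's rules: it canonicalises switch tokens the way powershell.exe does, decodes the base64/UTF-16LE payload of an encoded command, and applies the exclusion the original poster asked for (an encoded command whose decoded text is a Remove-Appx* call). The parameter subset, the ALLOWED_PREFIXES list and the sample command lines are assumptions constructed for the demonstration.

```python
import base64

# powershell.exe parameters with their documented short forms. powershell.exe
# also resolves any unambiguous prefix (-enc, -encodedc, -exec, ...), which is
# handled below. Assumption: this subset is enough for the demonstration; it is
# not the content of any vendor rule.
PARAMETERS = {
    "EncodedCommand": ("e", "ec"),
    "ExecutionPolicy": ("ex", "ep"),
    "Command": ("c",),
    "File": ("f",),
    "NoProfile": ("nop",),
    "NonInteractive": ("noni",),
    "NoLogo": (),
    "NoExit": (),
    "WindowStyle": ("w",),
}

# Hypothetical allow-list for the exclusion discussed in the thread.
ALLOWED_PREFIXES = ("Remove-AppxPackage", "Remove-AppxProvisionedPackage")


def canonical_parameter(token: str):
    """Map a switch token such as '-enc' or '-ExecutionPolicy' to its full
    parameter name. Returns None for non-switch or ambiguous tokens
    (e.g. '-no' matches NoProfile, NonInteractive, NoLogo and NoExit)."""
    if not token.startswith("-") or len(token) < 2:
        return None
    name = token[1:].lower()
    # Documented aliases and exact names win first (powershell.exe maps -e to
    # EncodedCommand even though it is also a prefix of ExecutionPolicy).
    for full, aliases in PARAMETERS.items():
        if name == full.lower() or name in aliases:
            return full
    hits = [full for full in PARAMETERS if full.lower().startswith(name)]
    return hits[0] if len(hits) == 1 else None


def decode_encoded_command(blob: str):
    """-EncodedCommand carries UTF-16LE text as base64; return the text or
    None when the token is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(text: str) -> str:
    """Build an -EncodedCommand argument (used here only to construct samples)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def analyse(cmdline: str) -> dict:
    """Classify a process command line: block encoded commands and non-default
    execution policies however the switch was abbreviated, except an encoded
    command whose decoded text is a Remove-Appx* call (the requested exclusion).
    Splitting on whitespace is enough because base64 contains no spaces."""
    tokens = cmdline.split()
    result = {"encoded": False, "decoded": None, "execution_policy": None}
    for i, tok in enumerate(tokens):
        param = canonical_parameter(tok)
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if param == "EncodedCommand" and nxt:
            result["encoded"] = True
            result["decoded"] = decode_encoded_command(nxt)
        elif param == "ExecutionPolicy" and nxt:
            result["execution_policy"] = nxt
    decoded = (result["decoded"] or "").lstrip()
    policy = (result["execution_policy"] or "").lower()
    if result["encoded"] and decoded.startswith(ALLOWED_PREFIXES):
        result["verdict"] = "allow (excluded)"
    elif result["encoded"]:
        # An undecodable payload is still an encoded command; do not allow it.
        result["verdict"] = "block (encoded command)"
    elif policy in ("bypass", "unrestricted"):
        result["verdict"] = "block (execution policy)"
    else:
        result["verdict"] = "allow"
    return result


if __name__ == "__main__":
    # Constructed sample command lines, not captured telemetry.
    samples = [
        "powershell.exe -nop -w hidden -e " + encode_command("Write-Output hi"),
        "powershell.exe -ec " + encode_command("Remove-AppxPackage -Package Foo"),
        "powershell.exe -exec bypass -c Get-Date",
        "powershell.exe -c Get-Date",
    ]
    for s in samples:
        print(analyse(s)["verdict"], "<-", s[:60])
```

The allow-list check runs on the decoded text rather than on the raw command line, because the base64 form of "Remove-AppxPackage" never contains that string; a rule that exempts the literal substring would therefore never fire for encoded invocations.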