Trellix ENS 10.X, T1056 - Key capture using Powershell detected, Host intrusion buffer overflow
ExP:Illegal API Use Blocked an attempt to exploit
C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the GetAsyncKeyState API.
Hello,
If you want to manage M365 or Exchange Online there are several ways. You can use the PowerShell button within the Admin Portal, but then you need an Azure licence for the separate account you created for IT.

We also tried the remote shell to M365 on several servers and workstations and found an important fact.
Most antivirus solutions that go beyond basic scanning and implement the MITRE rules flag the connection as a credential phishing attack as defined in MITRE T1056, keylogger. So you will have to exclude the machines where IT staff use the remote shell and are ASKED for credentials via the pop-up GUI (not passing the password in the CLI command).
https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps
Install-Module -Name ExchangeOnlineManagement -Force
Connect-ExchangeOnline

You can find the API function call in Trellix ePO and exclude it like this. I want to stress that you should only exclude T1056 on the machines where the Exchange admin will work.

Select the EXPLOIT checkbox, then at the bottom left of the page click ADD Exclusion.

Choose the POLICY you have for the clients where you want to change the single false

Again, it is best NOT to exclude that MITRE rule for all end users, just for the IT machines.
With McAfee/Trellix ENS you can define POLICIES for everyone (broad range) and then add more
fine-grained policies on top for some machines or targets (as we know from Windows GPOs with WMI filters).
T1056 event as reported by ENS:

Threat Target Process Name: POWERSHELL.EXE
Threat Target File Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
Event Category: Host intrusion buffer overflow
Event ID: 18054
Threat Severity: Critical
Threat Name: ExP:Illegal API Use
Threat Type: Exploit Prevention
Action Taken: Blocked
Threat Handled: True
Analyzer Detection Method: Exploit Prevention
Location:
Module Name: Threat Prevention
Analyzer Technology Version:
Analyzer Content Creation Date: 3/6/23 10:06:04 PM CET
Analyzer Content Version: 10.6.0.12731
AMCore Content Version:
Analyzer Rule ID: 6183
Analyzer Rule Name: T1056 - Key capture using Powershell detected
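As an added example (not from the original post or from Trellix), here is a small Python triage helper that parses an ENS event record like the one above and decides whether a rule 6183 hit is the expected Connect-ExchangeOnline credential prompt on a known Exchange admin workstation, or something that should still be investigated. The sample event is constructed from the fields shown above; the host names and the admin-host list are assumptions for the example.

```python
# Constructed sample of the ENS event shown in the post (field names and values as on the page).
SAMPLE_EVENT = r"""Threat Target Process Name: POWERSHELL.EXE
Threat Target File Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
Event Category: Host intrusion buffer overflow
Event ID: 18054
Threat Severity: Critical
Threat Name: ExP:Illegal API Use
Threat Type: Exploit Prevention
Action Taken: Blocked
Threat Handled: True
Analyzer Rule ID: 6183
Analyzer Rule Name: T1056 - Key capture using Powershell detected
"""

# Assumption: the workstations where IT staff run Connect-ExchangeOnline (constructed names).
EXCHANGE_ADMIN_HOSTS = {"IT-ADMIN-01", "IT-ADMIN-02"}
RULE_T1056_POWERSHELL = "6183"  # Analyzer Rule ID from the event above
POWERSHELL_PATH = r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE"


def parse_ens_event(text):
    """Turn the 'Field: value' lines of an ENS threat event into a dict.

    Splits on the first colon only, so Windows paths and timestamps stay intact."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def triage(fields, hostname):
    """Classify one event: 'other_rule', 'expected_exchange_admin' or 'escalate'.

    Only the exact pattern from the post (rule 6183 fired on the system PowerShell
    binary, on a host where Exchange admins work) is treated as expected; the same
    rule on any other host or any other process is left for an analyst."""
    if fields.get("Analyzer Rule ID") != RULE_T1056_POWERSHELL:
        return "other_rule"
    proc = fields.get("Threat Target Process Name", "").upper()
    path = fields.get("Threat Target File Path", "").upper()
    if proc != "POWERSHELL.EXE" or path != POWERSHELL_PATH.upper():
        return "escalate"
    if hostname.upper() in EXCHANGE_ADMIN_HOSTS:
        return "expected_exchange_admin"
    return "escalate"
```

The hosts returned as expected_exchange_admin are the candidates for the per-machine exclusion described in the post; everything else keeps the default policy.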
If you want to disable Analyzer rule 6183 completely, you can do so here in your POLICY.
To see it you have to choose "OTHERS". By default this rule may not be ON in your McAfee/Trellix environment (out of the box).

After the change the connection should work:
