M365, Exchange Online Remote Powershell blocked by T1056 Mitre Trellix

by butsch 4. April 2023 03:00

Trellix ENS 10.X, T1056 - Key capture using Powershell detected, Host intrusion buffer overflow

ExP:Illegal API Use Blocked an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the GetAsyncKeyState API.


Hello,

If you want to manage M365 / Exchange Online, there are several ways. You can use the PowerShell button within the Admin Portal, but then you need an Azure licence for the separate account you created for IT.

We also tried the remote shell to M365 on several servers and workstations and found an important fact.

Most antivirus solutions that go beyond the basics and implement MITRE ATT&CK rules flag the connection as a credential-phishing attack as defined in MITRE T1056 (Input Capture / keylogger). So you will have to add an exclusion for the machines where IT staff use the remote shell and are asked for credentials via the pop-up GUI (not passing the password on the command line).


https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps

Install-Module -Name ExchangeOnlineManagement -Force

Connect-ExchangeOnline


You can find and exclude the API function call in Trellix ePO like this. Note that you should only exclude T1056 on the machines where the Exchange admin will work.

Select the EXPLOIT checkbox, then at the bottom left of the page click ADD Exclusion.


Choose the POLICY that applies to the clients on which you want to change this single false positive.

Again, it is best NOT to exclude that MITRE rule for all end users, only for the IT machines.

Since McAfee/Trellix ENS you can define POLICIES for everyone (broad scope) and then add more fine-grained policies on top for specific machines or targets (as we know from Windows GPOs with WMI filters).

T1056

Threat Target Process Name:    POWERSHELL.EXE

Threat Target File Path:    C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE

Event Category:    Host intrusion buffer overflow

Event ID:    18054

Threat Severity:    Critical

Threat Name:    ExP:Illegal API Use

Threat Type:    Exploit Prevention

Action Taken:    Blocked

Threat Handled:    True

Analyzer Detection Method:    Exploit Prevention

Location:    

Module Name:    Threat Prevention

Analyzer Technology Version:    

Analyzer Content Creation Date:    3/6/23 10:06:04 PM CET

Analyzer Content Version:    10.6.0.12731

AMCore Content Version:    

Analyzer Rule ID:    6183

Analyzer Rule Name:    T1056 - Key capture using Powershell detected
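The advice above is to exclude rule 6183 only on the Exchange admins' machines, because the same rule on an end-user PC may be a real keylogger. The following triage script is an added example (not from the original post or from Trellix): it parses the ePO event fields shown above and marks the event benign only when rule 6183 fired for the system PowerShell binary on a known admin host. The "Source Host Name" field and the host names are constructed assumptions.

```python
"""Triage Trellix ENS Exploit Prevention events for the T1056 false positive.
Added example; the event text is copied from the post, the host field and
host names are constructed."""

# Event as exported from ePO (fields copied from the post; "Source Host Name"
# is a constructed line so the triage can check where the event came from).
SAMPLE_EVENT = """\
Threat Target Process Name:    POWERSHELL.EXE
Threat Target File Path:    C:\\WINDOWS\\SYSTEM32\\WINDOWSPOWERSHELL\\V1.0\\POWERSHELL.EXE
Event Category:    Host intrusion buffer overflow
Event ID:    18054
Threat Severity:    Critical
Threat Name:    ExP:Illegal API Use
Action Taken:    Blocked
Analyzer Rule ID:    6183
Analyzer Rule Name:    T1056 - Key capture using Powershell detected
Source Host Name:    ADMIN-PC01
"""

# Hosts where Exchange admins run the Exchange Online remote shell
# (constructed names; in practice this comes from your asset inventory).
EXCHANGE_ADMIN_HOSTS = {"ADMIN-PC01", "ADMIN-PC02"}

SYSTEM_POWERSHELL = r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE"
KEYCAPTURE_RULE_ID = "6183"


def parse_event(text: str) -> dict:
    """Split 'Key:    Value' lines into a dict; empty values stay empty strings."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def triage(fields: dict) -> str:
    """Return 'benign' only for the documented false positive on an admin host;
    anything else, including rule 6183 on a normal end-user PC, is 'escalate'."""
    if fields.get("Analyzer Rule ID") != KEYCAPTURE_RULE_ID:
        return "escalate"
    if fields.get("Threat Target File Path", "").upper() != SYSTEM_POWERSHELL:
        return "escalate"  # a PowerShell copy outside System32 is not the admin case
    if fields.get("Source Host Name", "").upper() not in EXCHANGE_ADMIN_HOSTS:
        return "escalate"  # key-capture rule on a machine no admin should use
    return "benign"


if __name__ == "__main__":
    print(triage(parse_event(SAMPLE_EVENT)))
```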


If you want to disable Analyzer rule 6183 completely, you can do that here in your POLICY.

To see it you have to choose "OTHERS". By default (out of the box) this rule may not be enabled in your McAfee/Trellix environment.


After the change the connection should work:


Tags:

Exchange 2013 | Exchange 2016 | Exchange 2019 | M365/AZURE | SECURITY | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME
