M365, Exchange Online Remote Powershell blocked by T1056 Mitre Trellix

Trellix ENS 10.X, T1056 - Key capture using Powershell detected, Host intrusion buffer overflow

ExP:Illegal API Use Blocked an attempt to exploit

C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the GetAsyncKeyState API.

Hello,

If you want to manage M365, Exchange Online there are several ways. You can use the PS button within the Admin Portal but then you need an Azure licence for a seperate account you made for IT.

We also tried the Remote shell to M365 on Several Server and working clients and found some important fact.

Most Antivirus Solution who do more than other and who reflect MITRE rules capture the Connection as phising attack for credentials as defined in MITRE T1056, Keylogger. Yo you will have to exclude the machines where IT people use Remote shell and ASK for credentials with the POPUP GUI (Not passing the password in the cli command)

https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps

Install-Module -Name ExchangeOnlineManagement –Force

Connect-ExchangeOnline

You can find and also exclude the API function call in Trellix EPO like this. I would like to state that you should only exclude the T1056 on machines where the Exchange Admin will work.

Select the EXPLOIT, checkbox, then bottom page left side, ADD Exclusion

Choose the POLICY you have for your Clients you want to change the single false

Again best would be NOT to exclude that MITRE for all enduser just for the IT machines.

Since Mcafee/Trellix ENS you can do POLICIES for all (Great range) and than add. to that more

fine granular policies for some machines or targets (Like we know from Windows gpo with WMI filter)

If you want to disable the 6183 Analyzer rule complete you could do here in your POLICY.

To see you have to choose "OTHERS". By default maybe this rule is not ON in your mcafee/Trellix enviroment. (Out of the box)

After the change the Connection should work: