Try our new Certificate Revocation List Check Tool
CRLcheck.exe is a tool developed to verify digital signatures of executable files. It collects files from known paths on your client, checks their signature, and checks Certificate Revocation Lists (CRL) and OCSP download. This helps avoid delays in launching files.
Category published:  Azure ENS | Endpoint Security EPO | ePolicy Orchestrator Exchange 2013 Exchange 2016 Exchange 2019 M365 - Exchange Online M365,AZURE,INTUNE Mcafee/Trellix Microsoft Exchange SECURITY   Click on the Category button to get more articles regarding that product.

M365, Exchange Online Remote Powershell blocked by T1056 Mitre Trellix

Posted by admin on 04.04.2023

Trellix ENS 10.X, T1056 – Key capture using PowerShell detected, Host intrusion buffer overflow

ExP:Illegal API Use Blocked an attempt to exploit

C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the GetAsyncKeyState API.

For efficient M365 and Exchange Online management, there are various methods available. While utilizing the PowerShell button within the Admin Portal is one option, it requires an Azure license for a separate IT account. Additionally, we explored the use of Remote Shell on various servers and working clients, uncovering some key insights.

We also tried the Remote shell to M365 on Several Server and working clients and found some important fact.

Most antivirus solutions, especially those adhering to MITRE rules, categorize the connection made through Remote Shell as a phishing attack for credentials (MITRE T1056 – Keylogger). It’s crucial to note that exclusions should be applied judiciously. We recommend excluding the T1056 rule only on machines where Exchange Admins will be actively working.

https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps

Install-Module -Name ExchangeOnlineManagement –Force

Connect-ExchangeOnline

You can find and also exclude the API function call in Trellix EPO like this. I would like to state that you should only exclude the T1056 on machines where the Exchange Admin will work.

Select the EXPLOIT, checkbox, then bottom page left side, ADD Exclusion

Choose the POLICY applicable to the clients you wish to modify.

It’s imperative to exercise caution and refrain from excluding the MITRE rule for all end users, reserving this action for IT machines. Trellix ENS allows for comprehensive policies that cover a wide range, with the flexibility to add more fine-grained policies for specific machines or targets.

For your reference, the details of the detected threat are as follows:

T1056

  • Threat Target Process Name: POWERSHELL.EXE
  • Threat Target File Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
  • Event Category: Host intrusion buffer overflow
  • Event ID: 18054
  • Threat Severity: Critical
  • Threat Name: ExP:Illegal API Use
  • Threat Type: Exploit Prevention
  • Action Taken: Blocked
  • Threat Handled: True
  • Analyzer Detection Method: Exploit Prevention
  • Module Name: Threat Prevention
  • Analyzer Rule ID: 6183
  • Analyzer Rule Name: T1056 – Key capture using PowerShell detected

Should you choose to disable the 6183 Analyzer rule in its entirety, navigate to your POLICY settings under “OTHERS.” Please note that this rule may not be enabled by default in your McAfee/Trellix environment.

After the change the Connection should work:


 Category published:  Azure ENS | Endpoint Security EPO | ePolicy Orchestrator Exchange 2013 Exchange 2016 Exchange 2019 M365 - Exchange Online M365,AZURE,INTUNE Mcafee/Trellix Microsoft Exchange SECURITY   Click on the Category button to get more articles regarding that product.

Related Post

Outlook.exe, delay in receive and sending E-Mail in cached mode how to solve with GPO

M365, Intunes Company Portal 0x87D1041C when UWP assigned to user AND device

SMB over QUIC a OneDrive, Sharepoint replacement, SRV 2025?

Template theme: Newsup by Themeansar (External Link, you will leave www.butsch.ch).