
Exclude Threat Detection "TA0005 - Defense Evasion"

Our SAP server's backup process, which uses certutil.exe, is detected as a defense evasion threat.

In detail, the detection is:

Detection ID: WIN-EVA-PRC-CERTUTIL-DECODE-1
Command Line: certutil -decode password.b64 password.txt
File Path: C:\Windows\System32\certutil.exe
Parent Command Line: C:\Windows\System32\cmd.exe /c "C:\Users\p01adm\scripts\backup_db.cmd P01 tlog Y:\sapbackup > backup_tlog.log 2 >&1!"
Mitre Tactics: TA0005 Defense Evasion
               T1140 Deobfuscate/Decode Files or Information

I've tried to exclude certutil.exe with an exclusion in the Threat Protection device policy, but it does not work.

How can I disable this detection?

Thanks.
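Added example (not Sophos product code and not from anyone in this thread): a toy reimplementation of the detection above, run over process-creation events, contrasting what a plain file-path exclusion on certutil.exe would do with a suppression scoped to this one backup job. The event field names, the rule regex and the suppression format are assumptions; the first event is taken from the alert in the post, the other three are constructed.

```python
"""
Toy certutil -decode detection (T1140-style) with two suppression strategies.
Added example; field names, rule regex and suppression format are assumptions,
not the vendor's actual rule or policy syntax.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str            # File Path in the alert
    cmdline: str          # Command Line in the alert
    parent_cmdline: str   # Parent Command Line in the alert


# Rule body: certutil.exe launched with a decode switch.
DECODE_SWITCH = re.compile(r"(?i)(?:^|\s)[-/](?:decode|decodehex)\b")


def matches_rule(ev: ProcessEvent) -> bool:
    return ev.image.lower().endswith("\\certutil.exe") and bool(DECODE_SWITCH.search(ev.cmdline))


# (a) Path-based exclusion, as if it did apply to detections: silences every certutil decode.
EXCLUDED_IMAGES = {r"c:\windows\system32\certutil.exe"}


def suppressed_by_path_exclusion(ev: ProcessEvent) -> bool:
    return ev.image.lower() in EXCLUDED_IMAGES


# (b) Scoped suppression: only the known backup script's exact decode step.
BACKUP_PARENT = re.compile(
    r'(?i)^"?c:\\windows\\system32\\cmd\.exe"? /c "c:\\users\\p01adm\\scripts\\backup_db\.cmd '
)
BACKUP_CHILD = "certutil -decode password.b64 password.txt"


def suppressed_by_scoped_rule(ev: ProcessEvent) -> bool:
    return bool(BACKUP_PARENT.match(ev.parent_cmdline)) and ev.cmdline.strip().lower() == BACKUP_CHILD


def verdict(ev: ProcessEvent, suppression) -> str:
    if not matches_rule(ev):
        return "no-match"
    return "suppressed" if suppression(ev) else "alert"


# Constructed sample events (event 1 is the one from the alert in the post).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 "certutil -decode password.b64 password.txt",
                 r'C:\Windows\System32\cmd.exe /c "C:\Users\p01adm\scripts\backup_db.cmd P01 tlog Y:\sapbackup > backup_tlog.log 2 >&1!"'),
    # Constructed: same binary decoding a staged payload from a hidden PowerShell.
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -decode C:\Users\Public\s.b64 C:\Users\Public\s.exe",
                 r"powershell.exe -nop -w hidden -ep bypass -f C:\Users\Public\stage.ps1"),
    # Constructed: parent looks like the backup script, but the child command line differs.
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil -decode C:\Users\Public\s.b64 C:\Users\Public\s.exe",
                 r'C:\Windows\System32\cmd.exe /c "C:\Users\p01adm\scripts\backup_db.cmd P01 tlog Y:\sapbackup"'),
    # Constructed: benign certutil use the rule should not fire on.
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 "certutil -store My",
                 r"C:\Windows\System32\cmd.exe"),
]


def compare(events=SAMPLE_EVENTS) -> dict:
    """Verdict per event under each suppression strategy."""
    return {
        "path_exclusion": [verdict(ev, suppressed_by_path_exclusion) for ev in events],
        "scoped_suppression": [verdict(ev, suppressed_by_scoped_rule) for ev in events],
    }


if __name__ == "__main__":
    for strategy, verdicts in compare().items():
        print(strategy)
        for ev, v in zip(SAMPLE_EVENTS, verdicts):
            print(f"  {v:10s} {ev.cmdline}")
```

The point of the comparison: excluding the certutil.exe path would also hide the two constructed attacker events, whereas a suppression keyed on both the exact parent command line and the exact child command line hides only the backup job's step. Whatever suppression mechanism a product offers, scope it that tightly, and note that a base64-encoded password file is an encoding, not a protection; moving that credential into a proper secret store removes the trigger altogether.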



This thread was automatically locked due to age.
  • The exclusions in Threat Protection policy will not suppress EDR/XDR detections. We expect to allow customer suppression of detections in the first quarter of the new year. (As always, roadmaps are subject to change.) In the meantime, I will pass this info along to our detections team to determine whether a global suppression or change to the rule is warranted in this case.

