https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-missing-powershell-logging/m-p/578924#M6222 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170886">@Vadim_Lisserman</a>&nbsp;</P> <P>&nbsp;</P> <P>This has more to do with what was your action process vs what was the actor process, in the case where PowerShell is doing the click action/ acting it is called the actor process , and when PowerShell is being spawned by another process that calls PowerShell it is called the action process, and hence, the detection is dependent on the action process in this case, while not all detection have he same criteria but this is in your use case.<BR /><BR />You can create custom detection as well, by utilizing the correlation rule, and in order for you to find the inspected script executed by PowerShell, you can utilize the AMSI scan buffer, that sits between the scripting engine, in our case PowerShell, and the XDR.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zarnous_0-1709245598288.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57985i8EF679A248B3CF7E/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="zarnous_0-1709245598288.png" alt="zarnous_0-1709245598288.png" /></span></P> <P>&nbsp;</P> <P><BR />I have also went over this and how to look at the AMSI scan buffer content&nbsp; in a different post that you may check here -&nbsp;<A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xqls-for-powershell-script-logging/td-p/542059" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xqls-for-powershell-script-logging/td-p/542059</A>&nbsp;<BR /><BR />Hope that was helpful, and if it answers your question please feel free to mark this as a solution so others can benefit from.<BR /><BR />Thanks&nbsp;<BR />Z</P> Thu, 29 Feb 2024 22:28:21 GMT zarnous 2024-02-29T22:28:21Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-missing-powershell-logging/m-p/577275#M6065 <P>I'm doing some Powershell detection testing and I noticed that when I open the Powershell GUI in windows and run a command below it doesn't trigger a Powershell detection.&nbsp; However, when I add powershell in front of the command it does trigger an event. I'm pretty sure this always wasn't the case.&nbsp; Curios to see if this is expected behavior or something is broken with XDR.&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Start-BitsTransfer -Priority foreground -Source <A href="https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md" target="_blank">https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md</A> -Destination c:\source\flag.ps1</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 14 Feb 2024 21:22:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-missing-powershell-logging/m-p/577275#M6065 Vadim_Lisserman 2024-02-14T21:22:26Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-missing-powershell-logging/m-p/577288#M6066 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170886">@Vadim_Lisserman</a>&nbsp;</P> <P>Do you have XDR pro license, and if you have it, its enable in the agents?</P> Thu, 15 Feb 2024 01:47:03 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-missing-powershell-logging/m-p/577288#M6066 Alejandro_Hernandez 2024-02-15T01:47:03Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-missing-powershell-logging/m-p/577337#M6071 <P>Yes, and yes.&nbsp; Have you tried this in your environment are you seeing different results?</P> Thu, 15 Feb 2024 13:48:57 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-missing-powershell-logging/m-p/577337#M6071 Vadim_Lisserman 2024-02-15T13:48:57Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-missing-powershell-logging/m-p/578924#M6222 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170886">@Vadim_Lisserman</a>&nbsp;</P> <P>&nbsp;</P> <P>This has more to do with what was your action process vs what was the actor process, in the case where PowerShell is doing the click action/ acting it is called the actor process , and when PowerShell is being spawned by another process that calls PowerShell it is called the action process, and hence, the detection is dependent on the action process in this case, while not all detection have he same criteria but this is in your use case.<BR /><BR />You can create custom detection as well, by utilizing the correlation rule, and in order for you to find the inspected script executed by PowerShell, you can utilize the AMSI scan buffer, that sits between the scripting engine, in our case PowerShell, and the XDR.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zarnous_0-1709245598288.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57985i8EF679A248B3CF7E/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="zarnous_0-1709245598288.png" alt="zarnous_0-1709245598288.png" /></span></P> <P>&nbsp;</P> <P><BR />I have also went over this and how to look at the AMSI scan buffer content&nbsp; in a different post that you may check here -&nbsp;<A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xqls-for-powershell-script-logging/td-p/542059" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xqls-for-powershell-script-logging/td-p/542059</A>&nbsp;<BR /><BR />Hope that was helpful, and if it answers your question please feel free to mark this as a solution so others can benefit from.<BR /><BR />Thanks&nbsp;<BR />Z</P> Thu, 29 Feb 2024 22:28:21 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-missing-powershell-logging/m-p/578924#M6222 zarnous 2024-02-29T22:28:21Z