topic Re: Blocking PowerShell While Allowing Certain Powershell Scripts in Cortex XDR Discussions

Blocking PowerShell While Allowing Certain Powershell Scripts

A.ABDULLAH893848 — Tue, 04 Feb 2025 12:51:10 GMT

Hi, good day!

I need some help with configuring PowerShell restrictions in Cortex XDR.

I'm currently facing an issue where Cortex XDR has detected a PowerShell script executed from a user endpoint. After investigation, we confirmed that this script is part of a legitimate IT department operation.

Our goal is to allow specific, authorized PowerShell script activity while blocking all other unauthorized or unknown scripts. Based on the documentation, it appears that we need to create a Legacy Agent Exception to permit the approved scripts.

However, we would like to explore if there are more effective or granular methods to achieve this. Are there alternative approaches, such as policy configurations or allowlisting mechanisms, that would provide better control over PowerShell script execution?

Could anyone guide me through the process of implementing the best approach to achieve this?

I really appreciate any insights or recommendations on best practices.

Thanks in advance for your help!

Re: Blocking PowerShell While Allowing Certain Powershell Scripts

jmazzeo — Fri, 07 Feb 2025 13:14:18 GMT

Hi @A.ABDULLAH893848, thanks for reaching us using the Live Community.

How often are these IT scripts modified?

You could use the Action Center's Allow List to add the scripts hashes and maintain the list when there is a modification.

The path exception is not usually recommended, but maybe you can create a filename exception by adding to all the scripts files a naming convention like "IT-Script-Something_Description", and you can use a wildcard for that standard name that is unique and only belongs to your environment.

You can find here a nice webinar about Alert Handling and how to create the right exceptions for different use cases.

If this post answers your question, please mark it as the solution.

Re: Blocking PowerShell While Allowing Certain Powershell Scripts

A.ABDULLAH893848 — Mon, 17 Feb 2025 13:01:43 GMT

Dear @jmazzeo,

The IT scripts are modified quite frequently as part of our regular updates and automation improvements. Using the Action Center's Allow List seems like a great solution to ensure that the latest script versions are always accounted for. I’ll explore this option further.

I understand the path exception isn't recommended, but I appreciate your suggestion regarding a unique naming convention. Implementing a pattern like IT-Script-* with a wildcard could definitely simplify exception handling for our environment.

Also, thanks for sharing the link to the webinar on Alert Handling—I'll be sure to check it out!

Thanks again for your help!

Re: Blocking PowerShell While Allowing Certain Powershell Scripts

DJuanpere — Tue, 11 Nov 2025 10:34:24 GMT

Hi,

I am trying to do the same, but although I add the hash of my powershell script to the allow list, Cortex keeps on blocking its execution.

When I check the alert created, it is showing as malicious the hash value of powershell.exe, not the one of the script itself. Obviously, I can't make an exception for powershell.exe as any malicious script based on it would would be able to run without restrictions.

Am I doing something wrong?