topic Adding batch and Powershell scripts to XDR blocklist in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/adding-batch-and-powershell-scripts-to-xdr-blocklist/m-p/1225819#M8190 <P><SPAN>Considering PE, PE64 and macro enabled Word and Excel documents are allowed to be entered to blocklist, does it make any sense to add a .bat or a powershell PS1 file to the XDR blocklist&nbsp;</SPAN><A id="hoverCardLink" class="lia-link-navigation lia-product-hover-card-link lia-product-mention lia-tooltip-trigger" href="https://live.paloaltonetworks.com/t5/c-twzvq79624/Cortex+XDR/pd-p/Cortex_XDR" aria-describedby="hoverCardLink_0-tooltip-element" aria-controls="hoverCardLink_0-tooltip-element" target="_blank">Cortex XDR</A><SPAN>&nbsp;</SPAN><SPAN>&nbsp;</SPAN></P> Mon, 07 Apr 2025 08:52:31 GMT VarunPitale 2025-04-07T08:52:31Z Adding batch and Powershell scripts to XDR blocklist https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/adding-batch-and-powershell-scripts-to-xdr-blocklist/m-p/1225819#M8190 <P><SPAN>Considering PE, PE64 and macro enabled Word and Excel documents are allowed to be entered to blocklist, does it make any sense to add a .bat or a powershell PS1 file to the XDR blocklist&nbsp;</SPAN><A id="hoverCardLink" class="lia-link-navigation lia-product-hover-card-link lia-product-mention lia-tooltip-trigger" href="https://live.paloaltonetworks.com/t5/c-twzvq79624/Cortex+XDR/pd-p/Cortex_XDR" aria-describedby="hoverCardLink_0-tooltip-element" aria-controls="hoverCardLink_0-tooltip-element" target="_blank">Cortex XDR</A><SPAN>&nbsp;</SPAN><SPAN>&nbsp;</SPAN></P> Mon, 07 Apr 2025 08:52:31 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/adding-batch-and-powershell-scripts-to-xdr-blocklist/m-p/1225819#M8190 VarunPitale 2025-04-07T08:52:31Z Re: Adding batch and Powershell scripts to XDR blocklist https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/adding-batch-and-powershell-scripts-to-xdr-blocklist/m-p/1225894#M8192 <P class="" data-start="52" data-end="441">Honestly, adding a<STRONG data-start="62" data-end="126"><CODE data-start="73" data-end="79">.bat</CODE></STRONG>or <STRONG data-start="62" data-end="126"><CODE data-start="83" data-end="89">.ps1</CODE>&nbsp;</STRONG>file to the XDR blocklist can work, but only in very specific cases. you are basically telling XDR, <EM data-start="191" data-end="255">“</EM><STRONG>Hey, if you see this exact file (by its hash), block it.</STRONG><EM data-start="191" data-end="255">”</EM> That’s cool if you’re dealing with a known, unchanging script but let’s be real, attackers don’t usually play that way. scripts change, get obfuscated, renamed, or generated on the fly.</P> <P class="" data-start="443" data-end="565">So, does it make sense? Yes.&nbsp; but only if&nbsp;you are targeting a very specific threat and you’ve got the exact hash.</P> <P class="" data-start="567" data-end="616">&nbsp;</P> <P class="" data-start="567" data-end="616">But for broader protection? Not really ideal.</P> <P class="" data-start="567" data-end="616">&nbsp;</P> <P class="" data-start="618" data-end="971">If your goal is to stop <CODE data-start="642" data-end="648">.bat</CODE> or PowerShell scripts from running altogether (especially in places they shouldn’t be), you’re better off using a Restrictions Security Profile. That lets you say, “Don’t allow any scripts from these folders,” or “Block scripts entirely.” It’s way more flexible and doesn’t rely on the file being identical every time.</P> Tue, 08 Apr 2025 05:41:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/adding-batch-and-powershell-scripts-to-xdr-blocklist/m-p/1225894#M8192 Chamindu 2025-04-08T05:41:41Z