03-26-2025 05:30 AM
Hi everyone,
I need your help to understand whether it's possible to see which commands users are running in PowerShell, for example Active Directory enumeration. I know that Cortex blocks malicious scripts like dumpcreds and BloodHound, but my question is: how can I receive an alert or monitor the execution of commands like "Get-ADUser *" or "Get-ADDomainController" in XQL?
03-26-2025 07:52 AM
Hello @tlmarques ,
You can use the query below as a sample and create a BIOC.
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| filter event_sub_type = ENUM.PROCESS_START
| filter actor_process_image_name = "powershell.exe"
| filter actor_process_command_line contains "Get-ADUser"
or actor_process_command_line contains "Get-ADDomainController"
or actor_process_command_line contains "Get-ADComputer"
or actor_process_command_line contains "Get-ADGroup"
| fields _time, agent_hostname, actor_effective_username, actor_process_command_line
| sort desc _time
Once BIOC is created, based on the alert name you can configure the notification.
PowerShell logging in Windows: ensure PowerShell Script Block Logging is enabled via Group Policy (Event ID 4104 in the Windows Event Log). This will improve visibility.
Cortex XDR Analytics: You can also leverage Behavioral Analytics for abnormal PowerShell usage patterns.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.
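The reply above combines two data sources: the process start command line (what the XQL BIOC filters on) and PowerShell Script Block Logging (Event ID 4104), which records the script text actually executed. The following Python is an added example, not Cortex XDR code and not part of the original reply; the two event lists are constructed samples shaped like xdr_data fields and like a 4104 record. It runs the same cmdlet match over both sources and shows why the 4104 source matters: when PowerShell is launched with `-File script.ps1`, the cmdlet never appears on the command line, so only the script block event reveals it.

```python
import re
from dataclasses import dataclass

# AD enumeration cmdlets named in the thread, matched case-insensitively.
AD_ENUM_CMDLETS = ("Get-ADUser", "Get-ADDomainController", "Get-ADComputer", "Get-ADGroup")
CMDLET_RE = re.compile(
    r"\b(" + "|".join(re.escape(c) for c in AD_ENUM_CMDLETS) + r")\b",
    re.IGNORECASE,
)


@dataclass
class Hit:
    source: str    # "process_start" (command line) or "script_block_4104"
    host: str
    user: str
    cmdlet: str    # the cmdlet that matched, as written in the event
    evidence: str  # the command line or script block text that matched


def scan_process_events(events):
    """Mirror the XQL BIOC: PowerShell process starts whose command line names an AD cmdlet."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "PROCESS" or ev.get("event_sub_type") != "PROCESS_START":
            continue
        if ev.get("actor_process_image_name", "").lower() != "powershell.exe":
            continue
        cmdline = ev.get("actor_process_command_line", "")
        m = CMDLET_RE.search(cmdline)
        if m:
            hits.append(Hit("process_start", ev["agent_hostname"],
                            ev["actor_effective_username"], m.group(1), cmdline))
    return hits


def scan_script_block_events(events):
    """Same match over Script Block Logging records (Event ID 4104)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        m = CMDLET_RE.search(text)
        if m:
            hits.append(Hit("script_block_4104", ev["Computer"], ev["User"], m.group(1), text))
    return hits


def scan_all(process_events, script_block_events):
    """Union of both sources; the second source catches scripts run from a file."""
    return scan_process_events(process_events) + scan_script_block_events(script_block_events)


# Constructed sample events (hostnames, users and paths are made up for this example).
PROCESS_EVENTS = [
    {"_time": "2025-03-26T09:00:01Z", "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "actor_process_image_name": "powershell.exe",
     "actor_process_command_line": 'powershell.exe -Command "Get-ADUser -Filter *"',
     "agent_hostname": "WS01", "actor_effective_username": "CORP\\alice"},
    {"_time": "2025-03-26T09:00:05Z", "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "actor_process_image_name": "cmd.exe",
     "actor_process_command_line": "cmd.exe /c dir",
     "agent_hostname": "WS01", "actor_effective_username": "CORP\\alice"},
    # Script run from a file: the cmdlet is inside inventory.ps1, not on the command line.
    {"_time": "2025-03-26T09:01:10Z", "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "actor_process_image_name": "powershell.exe",
     "actor_process_command_line": "powershell.exe -File C:\\Scripts\\inventory.ps1",
     "agent_hostname": "WS02", "actor_effective_username": "CORP\\bob"},
]

SCRIPT_BLOCK_EVENTS = [
    {"EventID": 4104, "Computer": "WS02", "User": "CORP\\bob",
     "ScriptBlockText": "$dcs = Get-ADDomainController -Filter *\nforeach ($d in $dcs) { $d.HostName }"},
    {"EventID": 4104, "Computer": "WS01", "User": "CORP\\alice",
     "ScriptBlockText": "Get-Date"},
]

if __name__ == "__main__":
    for h in scan_all(PROCESS_EVENTS, SCRIPT_BLOCK_EVENTS):
        print(f"{h.source:18} {h.host:5} {h.user:12} {h.cmdlet}")
```

Run as written, the command-line scan reports only the WS01 event, while the WS02 script run from a file surfaces solely through the 4104 record. Two practical notes: the matcher here is case-insensitive, so check the case sensitivity of the string operator you use in XQL, and a whole-word match (`\b`) avoids flagging cmdlets such as Get-ADUserResultantPasswordPolicy unless you intend to.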
03-26-2025 11:18 AM
@aspatil Is it required to enable "PowerShell logging in Windows"?