Alert for Any PowerShell Script Execution in Cortex XDR

L0 Member

Hi Cortex XDR Community,

I want to set up an alert in Cortex XDR that triggers whenever any user runs a PowerShell script. The alert should activate for any script or command executed in PowerShell, regardless of the user or specific script.

Is there an existing rule or method to create such an alert for PowerShell usage? Any suggestions or examples would be appreciated.

Thanks in advance!

2 Replies

L4 Transporter

Hi, I think we can use BTP.

I need something like that, because today many malicious groups are using "powershell -exec bypass -enc <base64 encrypted command string>" to bypass security, and I don't know if Cortex XDR blocks that or alerts on the executions.

 

If this post answers your question, please mark it as the solution.
Best regards
Tiago Marques

L4 Transporter

I tried running a simple script with base64 (not malicious) and XDR detected:

'PowerShell runs suspicious base64-encoded commands' along with 1 other alert generated by XDR Analytics BIOC detected on host lsXXXX involving user hXXXXX


If this post answers your question, please mark it as the solution.
Best regards
Tiago Marques
  • 92 Views
  • 2 replies
  • 0 Likes
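As an added example that is not part of this thread and not Cortex XDR or BIOC code, the following Python sketches the detection logic behind the two replies above: alert on every PowerShell launch (the original question) and, for triage, mark the `-exec bypass -enc <base64>` pattern and decode the payload into readable text. It recognizes the abbreviated parameter names powershell.exe accepts (-e, -ec, -enc, -ex, -exec, -ep), so it generalizes beyond the exact string quoted in the thread. The process-start records are constructed; the redacted host and user names are reused from the thread as placeholders.

```python
"""Added example (not Cortex XDR/BIOC code): flag every PowerShell launch, mark
-ExecutionPolicy Bypass and -EncodedCommand use, and decode the payload for review."""
import base64

POWERSHELL_IMAGES = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}

def _is_param(token, full_name, min_len):
    # powershell.exe accepts any unambiguous prefix of a parameter name
    # (-e, -ec, -enc all mean -EncodedCommand), so compare by prefix.
    name = token.lstrip("-/").lower()
    return token[:1] in "-/" and len(name) >= min_len and full_name.startswith(name)

def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of the script text in UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None     # malformed blob: still flagged, but nothing readable to show

def analyze_command_line(cmdline):
    tokens = [t.strip('"') for t in cmdline.split()]
    image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower() if tokens else ""
    result = {"is_powershell": image in POWERSHELL_IMAGES,
              "bypass": False, "encoded": False, "decoded": None}
    if not result["is_powershell"]:
        return result
    for i, tok in enumerate(tokens[1:], start=1):
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        is_ep = _is_param(tok, "executionpolicy", 2) or tok.lower() in ("-ep", "/ep")
        if is_ep and nxt in ("bypass", "unrestricted"):  # -ep is an explicit alias
            result["bypass"] = True
        elif _is_param(tok, "encodedcommand", 1):
            result["encoded"] = True
            result["decoded"] = decode_encoded_command(tokens[i + 1]) if nxt else None
    return result

# Constructed records (host, user, command line); "ZABpAHIA" is base64 of UTF-16LE "dir".
SAMPLE_EVENTS = [
    ("lsXXXX", "hXXXXX", "notepad.exe C:\\notes.txt"),
    ("lsXXXX", "hXXXXX", "powershell.exe -File C:\\scripts\\inventory.ps1"),
    ("lsXXXX", "hXXXXX", "powershell -exec bypass -enc ZABpAHIA"),
]

def scan_events(events):
    """One finding per PowerShell launch (the 'any script' alert), plus triage flags."""
    findings = []
    for host, user, cmd in events:
        r = analyze_command_line(cmd)
        if r["is_powershell"]:
            findings.append({"host": host, "user": user, **r})
    return findings
```

Running `scan_events(SAMPLE_EVENTS)` yields two findings: the plain script launch with both flags false, and the encoded launch with `bypass` and `encoded` set and `decoded == "dir"`.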