03-14-2025 02:22 AM
Hi Cortex XDR Community,
I want to set up an alert in Cortex XDR that triggers whenever any user runs a PowerShell script. The alert should activate for any script or command executed in PowerShell, regardless of the user or specific script.
Is there an existing rule or method to create such an alert for PowerShell usage? Any suggestions or examples would be appreciated.
Thanks in advance!
03-14-2025 05:06 AM
Hi, I think we can use BTP.
I need something like that, because today many malicious groups are using "powershell -exec bypass -enc <base64 encrypted command string>" to bypass security, and I don't know if Cortex XDR blocks that or alerts on the executions.
03-14-2025 05:13 AM
I tried running a simple script with base64 (not malicious) and XDR detected it:
'PowerShell runs suspicious base64-encoded commands' along with 1 other alert generated by XDR Analytics BIOC detected on host lsXXXX involving user hXXXXX
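For readers who want to see what the detection logic behind an alert like the one above has to do, here is an added example that is not from this thread and not Cortex XDR's own BIOC or XQL syntax: it runs over a few constructed process-creation records (host, user, image path, command line), flags every PowerShell launch as the original question asks, and where an -EncodedCommand argument is present it decodes the base64/UTF-16LE payload so an analyst can read what was actually run. The record layout, field names and sample hosts/users are assumptions made for this illustration.

```python
"""Flag PowerShell launches in process-creation telemetry and decode any
-EncodedCommand payload.  Added example for this thread: the event tuple
layout and field names are assumptions, not Cortex XDR's data model."""
import base64
import ntpath
import shlex

POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


def _flag_matches(token, full_name, min_len):
    """powershell.exe accepts any unambiguous prefix of a parameter name, so
    -enc, -enco and -EncodedCommand all select the same switch."""
    return len(token) >= min_len and full_name.startswith(token)


def decode_encoded_command(payload):
    """-EncodedCommand carries base64 of a UTF-16LE string.  Returns None when
    the payload is not valid base64 or does not decode as UTF-16LE."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None


def analyze(host, user, image, cmdline):
    """Return an alert dict for a PowerShell process, or None for anything else."""
    name = ntpath.basename(image).lower()
    if name not in POWERSHELL_IMAGES:
        return None
    alert = {"host": host, "user": user, "image": name, "encoded": False,
             "decoded": None, "policy_bypass": False,
             "reasons": ["PowerShell launched"]}
    tokens = shlex.split(cmdline, posix=False)  # keep Windows quoting intact
    for i, tok in enumerate(tokens):
        flag = tok.lower()
        raw_next = tokens[i + 1].strip('"') if i + 1 < len(tokens) else ""
        if flag in ("-e", "-ec") or _flag_matches(flag, "-encodedcommand", 3):
            alert["encoded"] = True
            alert["decoded"] = decode_encoded_command(raw_next)
            alert["reasons"].append("encoded command" if alert["decoded"] is not None
                                    else "encoded command (undecodable payload)")
        elif (_flag_matches(flag, "-executionpolicy", 3)
              and raw_next.lower() in ("bypass", "unrestricted")):
            alert["policy_bypass"] = True
            alert["reasons"].append("execution policy " + raw_next.lower())
    return alert


def scan(events):
    """Run analyze() over (host, user, image, cmdline) records; drop non-matches."""
    return [a for a in (analyze(*e) for e in events) if a is not None]


# Constructed sample telemetry (hosts, users and paths are made up).
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENCODED = base64.b64encode("Write-Host 'hello'".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ("ws01", "alice", PS_PATH, 'powershell.exe -NoProfile -File "C:\\scripts\\backup.ps1"'),
    ("ws02", "bob", PS_PATH, "powershell -exec bypass -enc " + _ENCODED),
    ("ws03", "carol", r"C:\Program Files\PowerShell\7\pwsh.exe", "pwsh -c Get-Date"),
    ("ws04", "dave", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ("ws05", "erin", PS_PATH, "powershell -enc %%%notbase64%%%"),  # malformed payload
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['host']}/{a['user']}: {a['image']} -> {', '.join(a['reasons'])}"
              + (f" | decoded: {a['decoded']!r}" if a["decoded"] else ""))
```

Two design points worth noting: the prefix matching matters because the interpreter accepts abbreviated switch names, so a rule that only looks for the literal string `-EncodedCommand` misses most real invocations; and the decoder returns None rather than raising on a malformed payload, so an undecodable argument still produces an alert instead of crashing the scan.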