Alert "Script Activity - 245655498"



L2 Linker

Hello everyone,

I just received this alert "Script Activity - 245655498" with this description "Suspicious script with keywords written in a non-standard way." in Cortex multiple times related to PowerShell script execution on a developer machine. The executed scripts were different and I don't know why Cortex is blocking such executions. There is also no documentation on this.

Alert source: XDR Agent

Initiator and CGO path are the same in one of the alerts: "C:\Program Files\PowerShell\7\pwsh.exe" -WindowStyle Minimized -file c:\folder1\script.ps1

Thank you for your help 🙂

1 REPLY 1

L4 Transporter

Hello @Arman_Zaheri 

Thanks for reaching out on live community!

This alert is due to the use of suspicious keywords/parameters in the script which may align with malicious behaviour. Please investigate the causality chain and the involved command line. If the script is benign and executed by your employees for a legitimate purpose, then you may need to create an exception for it. To create an exception, identify the module which triggered the alert from the alert table. Then, based on either the script location or the command line, you can create an exception for the module and apply it to the particular profile which was applied to the developer machines.

Please open a support case if you need more help with alert investigation/exception.

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

  • 535 Views
  • 1 replies
  • 0 Likes
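Before creating the exception suggested above, it helps to see which lines of the script actually fit "keywords written in a non-standard way". The Python triage script below is an added example, not code from this thread or from Palo Alto Networks; it assumes its own watched-keyword list and treats three writing styles (mixed case, backtick-split bare words, quoted-string concatenation) as non-standard, which is a guess at the rule's intent and not Cortex's actual detection logic.

```python
import re

# Keywords an obfuscation-style rule is likely to watch; an assumed list, not Cortex's own.
WATCHED = ["Invoke-Expression", "IEX", "Invoke-WebRequest", "DownloadString", "FromBase64String"]
# A backtick before a letter in a bare word, or a quote-plus-quote join, changes how a
# keyword is written without changing what PowerShell runs.
JOIN_RE = re.compile(r"""`(?=[A-Za-z])|["']\s*\+\s*["']""")

def normalise(line):
    """Drop the join sequences, keeping a map from each kept char to its original offset."""
    out, idx_map, pos = [], [], 0
    for m in list(JOIN_RE.finditer(line)) + [None]:
        end = m.start() if m else len(line)
        for i in range(pos, end):
            out.append(line[i])
            idx_map.append(i)
        pos = m.end() if m else end
    return "".join(out), idx_map

def check_line(lineno, line):
    """One finding per watched keyword that is written in a non-standard way on this line."""
    findings, (text, idx_map) = [], normalise(line)
    for kw in WATCHED:
        pattern = r"(?<![\w-])" + re.escape(kw) + r"(?![\w-])"
        for m in re.finditer(pattern, text, re.IGNORECASE):
            raw = line[idx_map[m.start()]: idx_map[m.end() - 1] + 1]  # as the author typed it
            reasons = []
            if "`" in raw:
                reasons.append("split-with-backtick")
            elif "+" in raw:
                reasons.append("split-with-concatenation")
            # PowerShell is case-insensitive: all-lower or all-upper is ordinary, random case is not.
            if m.group(0) not in (kw, kw.lower(), kw.upper()):
                reasons.append("mixed-case")
            if reasons:
                findings.append({"line": lineno, "keyword": kw, "as_written": raw, "reasons": reasons})
    return findings

def scan_script(source):
    return [f for n, line in enumerate(source.splitlines(), 1) for f in check_line(n, line)]

# Constructed sample, not a real developer script: lines 2-4 would explain the alert, 1 and 5 would not.
SAMPLE_SCRIPT = """\
$r = Invoke-WebRequest -Uri $env:BUILD_FEED
iNvOkE-eXpReSsIoN $r.Content
I`n`v`o`k`e-Expression (Get-Content .\\stage2.txt)
& ("Invoke-Ex" + "pression") $payload
$out = Start-Process pwsh -ArgumentList '-file build.ps1'
"""
FINDINGS = scan_script(SAMPLE_SCRIPT)  # three dicts, one each for lines 2, 3 and 4
```

Run it over the .ps1 named in the CGO command line: a hit on a line the developer wrote that way on purpose supports a narrow exception by script location, while a hit nobody can explain is a reason to keep working through the causality chain.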