04-21-2022 04:13 PM
We know that Cortex has the ability to use AMSI but is any one able to achieve a BIOC rule which can trigger an alert for the content inside the script.
Lets say if a Powershell script which is being run has certain parameters in the body such as "replace","Download","Invoke-WebRequest" etc...
Is it possible to create a BIOC rule for the content inside in the script?
Thanks in Advance.
06-10-2022 02:01 PM
Hi KanwarSingh01,
The Cortex XDR Agent features Behavioral Threat Protection modules leveraging the Anti-Malware Scan Interface (AMSI) to block PowerShell scripts.
To create a BIOC rule, please check out Live Community How-to video Script Block Query and BIOC | Palo Alto Networks
Thanks
06-10-2022 02:01 PM
Hi KanwarSingh01,
The Cortex XDR Agent features Behavioral Threat Protection modules leveraging the Anti-Malware Scan Interface (AMSI) to block PowerShell scripts.
To create a BIOC rule, please check out Live Community How-to video Script Block Query and BIOC | Palo Alto Networks
Thanks
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
