This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Will the Rule Builder accept Powershell commands?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Will the Rule Builder accept Powershell commands?

Go to solution
Chris_Dietz
L2 Linker

‎05-01-2023 08:59 AM

Will the process rule builder accept Powershell commands? or only Windows command line?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
bbucao
L3 Networker

‎05-03-2023 07:20 AM - edited ‎05-03-2023 07:21 AM

Hi Chris_Dietz,

Yes, the CMD field in the BIOC rule builder applies to any process command line captured by the XDR agent, including powershell. You can narrow your rule down further by defining powershell.exe as the process name in the rule builder as well. 

Thanks,
Ben

View solution in original post

4 REPLIES 4

Go to solution
bbucao
L3 Networker

‎05-03-2023 07:20 AM - edited ‎05-03-2023 07:21 AM

Hi Chris_Dietz,

Yes, the CMD field in the BIOC rule builder applies to any process command line captured by the XDR agent, including powershell. You can narrow your rule down further by defining powershell.exe as the process name in the rule builder as well. 

Thanks,
Ben

Go to solution
Chris_Dietz
L2 Linker
In response to bbucao

‎05-03-2023 07:30 AM

Thanks Ben! What do I do if I have a multiple line command? Do I just paste it all in there?

0 Likes Likes

Go to solution
bbucao
L3 Networker
In response to Chris_Dietz

‎05-03-2023 10:04 AM

Hi Chris_Dietz,

I may have misunderstood your original question. The logic you use to match the traffic will depend on how it was executed. If a command prompt is used to execute powershell commands such as powershell.exe Write-Host "Hello, World!", You could use the process rule builder to match on the command line.  If the command/commands were executed through a powershell terminal you can try using the query below as a template to create rules off of. You can add any number of filtering criteria on the "content" field which should result in matches on your identified powershell activity. I do recommend running some test powershell commands and validating that you can match on it using a variation of the below query, which is valid to save as a BIOC rule.

dataset = xdr_data
| filter event_type = EVENT_LOG and action_evtlog_message = "AmsiScanBuffer "
| alter content = json_extract_scalar(action_evtlog_data_fields, "$.content")
|filter actor_process_image_path contains "powershell"
//| filter content contains "Write-Host Hello, World" 


Thanks,
Ben

Go to solution
Chris_Dietz
L2 Linker
In response to bbucao

‎05-03-2023 10:22 AM

Hi Ben,

 

I'm trying to take some of the Red Canary tests and add the criteria to Cortex. Here is a link to what I'm looking at to give you an idea.

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md

 

0 Likes Likes
  • 1 accepted solution
  • 1818 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks