Will the Rule Builder accept Powershell commands?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Will the Rule Builder accept Powershell commands?

L2 Linker

Will the process rule builder accept Powershell commands? or only Windows command line?

1 accepted solution

Accepted Solutions

L3 Networker

Hi Chris_Dietz,

Yes, the CMD field in the BIOC rule builder applies to any process command line captured by the XDR agent, including powershell. You can narrow your rule down further by defining powershell.exe as the process name in the rule builder as well. 

Thanks,
Ben

View solution in original post

4 REPLIES 4

L3 Networker

Hi Chris_Dietz,

Yes, the CMD field in the BIOC rule builder applies to any process command line captured by the XDR agent, including powershell. You can narrow your rule down further by defining powershell.exe as the process name in the rule builder as well. 

Thanks,
Ben

Thanks Ben! What do I do if I have a multiple line command? Do I just paste it all in there?

Hi Chris_Dietz,

I may have misunderstood your original question. The logic you use to match the traffic will depend on how it was executed. If a command prompt is used to execute powershell commands such as powershell.exe Write-Host "Hello, World!", You could use the process rule builder to match on the command line.  If the command/commands were executed through a powershell terminal you can try using the query below as a template to create rules off of. You can add any number of filtering criteria on the "content" field which should result in matches on your identified powershell activity. I do recommend running some test powershell commands and validating that you can match on it using a variation of the below query, which is valid to save as a BIOC rule.

dataset = xdr_data
| filter event_type = EVENT_LOG and action_evtlog_message = "AmsiScanBuffer "
| alter content = json_extract_scalar(action_evtlog_data_fields, "$.content")
|filter actor_process_image_path contains "powershell"
//| filter content contains "Write-Host Hello, World" 


Thanks,
Ben

Hi Ben,

 

I'm trying to take some of the Red Canary tests and add the criteria to Cortex. Here is a link to what I'm looking at to give you an idea.

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md

 

  • 1 accepted solution
  • 1214 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!