This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- Security Operations
- Cortex XDR Discussions
- Who Me Too'd this topic
Who Me Too'd this topic
Trying to create an exclusion for a process with a specific cmdlet (exploit)
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-10-2021 06:38 AM
For the past couple of days, we have received a low priority alert with the following params:
Source: XDR Agent
Category: Exploit
Action: Prevented (Blocked)
In researching the alert in the alert table, I have determined that the action is tied with a homegrown powershell cmdlet.
My conundrum is I want to create an exclusion for the specific powershell.exe Get-CustomCmdlet. However, since this is a support terminal server with numerous support users, I do not want to just give carte-blanche access to powershell. I haven't been able to figure out this specific scenario.
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks