Trying to create an exclusion for a process with a specific cmdlet (exploit)

For the past couple of days, we have received a low priority alert with the following params:

Source: XDR Agent

Category: Exploit

Action: Prevented (Blocked)

In researching the alert in the alert table, I have determined that the action is tied to a homegrown PowerShell cmdlet.

My conundrum is that I want to create an exclusion for the specific powershell.exe Get-CustomCmdlet. However, since this is a support terminal server with numerous support users, I do not want to just give carte-blanche access to PowerShell. I haven't been able to figure out this specific scenario.