02-10-2021 06:38 AM
For the past couple of days, we have received a low priority alert with the following params:
Source: XDR Agent
Category: Exploit
Action: Prevented (Blocked)
In researching the alert in the alert table, I have determined that the action is tied to a homegrown PowerShell cmdlet.
My conundrum is that I want to create an exclusion for the specific powershell.exe Get-CustomCmdlet. However, since this is a support terminal server with numerous support users, I do not want to just give carte blanche access to PowerShell. I haven't been able to figure out this specific scenario.
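An added example, not part of the original post and not Cortex XDR's own tooling: before scoping an exclusion, it helps to collect the identifiers that distinguish the homegrown cmdlet from any other PowerShell use, namely the file that defines it, that file's SHA-256, and the exact command line the agent sees when support users invoke it. The script below assumes the cmdlet is really named Get-CustomCmdlet and is loaded in the session it runs in; it makes no claim about which of these fields the XDR exclusion profile accepts, only that a narrow exclusion should be keyed on them rather than on powershell.exe alone.

```powershell
# Added example: collect the identifiers a narrow exclusion for a
# homegrown cmdlet can be keyed on. Assumption: the cmdlet is named
# Get-CustomCmdlet (hypothetical) and its module/script is already loaded.
param(
    [string]$CmdletName = 'Get-CustomCmdlet'
)

$cmd = Get-Command -Name $CmdletName -ErrorAction SilentlyContinue
if (-not $cmd) {
    Write-Warning "Cmdlet '$CmdletName' is not loaded in this session; import its module first."
    return
}

# Locate the defining file: module manifest/psm1 for module-exported
# cmdlets, or the .ps1 for functions that were dot-sourced.
$definingFile = $null
if ($cmd.Module -and $cmd.Module.Path) {
    $definingFile = $cmd.Module.Path
} elseif ($cmd.ScriptBlock -and $cmd.ScriptBlock.File) {
    $definingFile = $cmd.ScriptBlock.File
}

# Hash the defining file so the exclusion can be pinned to this exact
# content; an exclusion on name alone would also cover a tampered copy.
$fileHash = $null
if ($definingFile -and (Test-Path -Path $definingFile)) {
    $fileHash = (Get-FileHash -Path $definingFile -Algorithm SHA256).Hash
}

[PSCustomObject]@{
    Name         = $cmd.Name
    CommandType  = $cmd.CommandType
    Module       = $cmd.ModuleName
    DefiningFile = $definingFile
    SHA256       = $fileHash
    HostProcess  = (Get-Process -Id $PID).Path   # the powershell.exe the agent attributes the alert to
}

# Live powershell.exe instances that invoke the cmdlet: the CommandLine
# column is the string a command-line-scoped exclusion has to match.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'powershell.exe'" |
    Where-Object { $_.CommandLine -like "*$CmdletName*" } |
    Select-Object -Property ProcessId, ParentProcessId, CommandLine
```

Run it on the terminal server as a user who actually triggers the alert, and compare the CommandLine and DefiningFile values with what the alert table recorded. If the alert's command line is something generic (for example an interactive powershell.exe with the cmdlet typed in later), a command-line exclusion will not distinguish it from any other interactive session, and the defining file's path or hash is the better anchor.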