Yes, however when creating an exception in that manner, all it really does (or at least says) is that it will create a Generic alert based on the process name powershell.exe. However, I need it to go beyond just powershell.exe and to include the cmdlet. Essentially, I need to create an exception based more on the "Initiator Cmd" as opposed to just the "Initiated By". The way the exception is perceived is that you are providing an exception just to powershell.exe, which is too broad. I was envisioning something akin to Malicious Child Process Protection, where you can define a child process command line param. The difference here is that powershell is the parent process and there is no child process in this example. Thanks.
For the past couple of days, we have received a low priority alert with the following params:

Source: XDR Agent
Category: Exploit
Action: Prevented (Blocked)

In researching the alert in the alert table, I have determined that the action is tied to a homegrown powershell cmdlet. My conundrum is that I want to create an exclusion for the specific powershell.exe Get-CustomCmdlet. However, since this is a support terminal server with numerous support users, I do not want to just give carte-blanche access to powershell. I haven't been able to figure out this specific scenario.