Blocking PowerShell While Allowing Certain PowerShell Scripts

Hi, good day!

I need some help with configuring PowerShell restrictions in Cortex XDR.

I'm currently facing an issue where Cortex XDR has detected a PowerShell script executed from a user endpoint. After investigation, we confirmed that this script is part of a legitimate IT department operation.

Our goal is to allow specific, authorized PowerShell script activity while blocking all other unauthorized or unknown scripts. Based on the documentation, it appears that we need to create a Legacy Agent Exception to permit the approved scripts.

However, we would like to explore if there are more effective or granular methods to achieve this. Are there alternative approaches, such as policy configurations or allowlisting mechanisms, that would provide better control over PowerShell script execution?

Could anyone guide me through the process of implementing the best approach to achieve this?

I really appreciate any insights or recommendations on best practices.

Thanks in advance for your help!

1 REPLY

L5 Sessionator

Hi @A.ABDULLAH893848, thanks for reaching out to us on the Live Community.

How often are these IT scripts modified?

You could use the Action Center's Allow List to add the scripts' hashes and maintain the list when there is a modification.

The path exception is not usually recommended, but maybe you can create a filename exception by adding to all the script files a naming convention like "IT-Script-Something_Description", and you can use a wildcard for that standard name that is unique and only belongs to your environment.

You can find here a nice webinar about Alert Handling and how to create the right exceptions for different use cases.

If this post answers your question, please mark it as the solution.

JM
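As an added example (not the poster's script, nor Palo Alto Networks code), the following PowerShell keeps a SHA256 inventory of the approved IT scripts so the hash-based Allow List suggested above can be maintained: it reports new, modified and removed scripts whose hashes need to be added, replaced or removed in the Action Center, and warns when a file does not follow the "IT-Script-" naming convention. The script folder, inventory file path and name prefix are assumptions.

```powershell
# Added example: maintain a SHA256 inventory of approved IT scripts for the
# Cortex XDR Allow List. The folder, inventory path and prefix are assumptions.
param(
    [string]$ScriptRoot    = 'C:\IT-Scripts',                # assumed location of approved scripts
    [string]$InventoryPath = 'C:\IT-Scripts\allowlist.json', # assumed inventory file
    [string]$NamePrefix    = 'IT-Script-'                    # naming convention from the reply
)

# Hash every .ps1 under the approved folder (the Allow List takes SHA256 hashes).
$current = @{}
Get-ChildItem -Path $ScriptRoot -Filter '*.ps1' -Recurse -File | ForEach-Object {
    $current[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
}

# Load the inventory recorded by the previous run, if there is one.
$previous = @{}
if (Test-Path $InventoryPath) {
    (Get-Content -Path $InventoryPath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $previous[$_.Name] = $_.Value }
}

# Report what the Allow List needs before anything is changed in the console.
foreach ($path in $current.Keys) {
    $name = Split-Path -Path $path -Leaf
    if ($name -notlike "$NamePrefix*") {
        Write-Warning "Does not follow the naming convention, fix before allowlisting: $name"
    }
    if (-not $previous.ContainsKey($path)) {
        Write-Output "NEW      $($current[$path])  $name  (add hash to Allow List)"
    } elseif ($previous[$path] -ne $current[$path]) {
        Write-Output "MODIFIED $($current[$path])  $name  (replace old hash $($previous[$path]))"
    }
}
foreach ($path in $previous.Keys) {
    if (-not $current.ContainsKey($path)) {
        Write-Output "REMOVED  $($previous[$path])  $(Split-Path -Path $path -Leaf)  (remove hash from Allow List)"
    }
}

# Persist the new inventory so the next run can diff against it.
$current | ConvertTo-Json | Set-Content -Path $InventoryPath -Encoding UTF8
```

Run it from a scheduled task or after each change to the script folder; every MODIFIED line means the old hash in the Allow List no longer matches and the script will be treated as unknown until the new hash is added.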