Suspicious PowerShell Command Line

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Hour

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Command and Scripting Interpreter: PowerShell (T1059.001)

Severity

Low

Description

Attackers often leverage PowerShell one-liners, in which PowerShell is executed with suspicious options on the command line.

Attacker's Goals

Gain code execution on the host.

Investigative actions

Check whether the command line executed is benign or normal for the host and/or user performing it. For example, the command line may be an administrative script.