Suspicious PowerShell Command Line

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-01-19
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Hour

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Command and Scripting Interpreter: PowerShell (T1059.001)

Severity

Low

Description

Attackers often leverage PowerShell one-liners, in which PowerShell is executed with suspicious options on the command line.

Attacker's Goals

Gain code execution on the host.

Investigative actions

Check whether the command line executed is benign or normal for the host and/or user performing it. For example, the command line may be an administrative script.