Suspicious PowerShell Command Line

The Suspicious PowerShell Command Line alert triggers when PowerShell is executed with a suspicious command line, one that may include command obfuscation, encoding, or reflective assembly loading.

Synopsis

10 minutes
3 days
14 days
10 minutes
Cortex XDR agent endpoint data
Severity: Low

Description

A PowerShell one-liner was executed using cmdlets that are often used during attacks.

Attacker's Goals

Gain code execution on the host.

Investigative Actions

Check whether the command line executed is benign or normal for the host and/or user performing it. For example, the command line may belong to an administrative script.
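As an added illustration (not Cortex XDR's own detection logic), the following Python scans command lines for the indicators the description names, decodes -EncodedCommand payloads so the analyst sees what actually runs, and labels constructed sample events in the spirit of the investigative action above; the hosts, users and script path are hypothetical.

```python
import base64
import re

# Indicator patterns for the three behaviours the alert names: encoding,
# obfuscation and reflective assembly loading (case-insensitive).
INDICATORS = {
    # PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the
    # common short forms (-e, -ec, -enc), followed by a Base64 blob.
    "encoded_command": re.compile(
        r"(?<!\S)-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "reflective_load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I),
    "invoke_expression": re.compile(r"(?<![\w+/-])(?:iex|Invoke-Expression)(?![\w+/])", re.I),
    # Backtick insertion and [char] casting split keywords to defeat naive matching.
    "token_obfuscation": re.compile(r"\w`\w|\[char\]\s*\d+", re.I),
}

def decode_encoded_command(blob):
    """-EncodedCommand payloads are Base64 over UTF-16LE text; None if not decodable."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_command_line(cmd):
    """Return indicators in the raw line, the decoded payload (if any) and the
    indicators inside it, so the analyst sees what the blob actually runs."""
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(cmd))
    decoded, inner = None, []
    m = INDICATORS["encoded_command"].search(cmd)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded:
            inner = sorted(n for n, rx in INDICATORS.items()
                           if n != "encoded_command" and rx.search(decoded))
    return {"indicators": hits, "decoded": decoded, "decoded_indicators": inner}

# Constructed sample events (hypothetical hosts, users and paths, not real telemetry).
_payload = "[System.Reflection.Assembly]::Load($bytes) | Out-Null"
_encoded = base64.b64encode(_payload.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "alice", "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"host": "ws-02", "user": "bob", "cmd": f"powershell.exe -nop -w hidden -enc {_encoded}"},
    {"host": "ws-03", "user": "carol", "cmd": "powershell.exe i`e`x ([char]87+[char]114)"},
]

def triage(events):
    """Label each event; a plain script path with no indicators is the benign
    administrative case the investigative actions describe."""
    return [(e["host"], e["user"], "suspicious" if scan_command_line(e["cmd"])["indicators"] else "benign")
            for e in events]
```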