Suspicious PowerShell Enumeration of Running Processes

The Suspicious PowerShell Enumeration of Running Processes alert triggers when PowerShell lists running processes, something attackers often do to find and disable security tools.

Synopsis

10 minutes
3 days
14 days
10 minutes
Cortex XDR agent endpoint data
Severity: Low

Description

A PowerShell one-liner that enumerates running processes was executed, which can indicate an ongoing discovery effort by an attacker.

Attacker's Goals

Understand the type of host according to the processes running on it; find and disable security tools.

Investigative Actions

Verify whether the command that was executed is benign or normal for the host and/or user performing it (for example, it may be an IT script).
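As an added illustration of the logic this alert describes (not the vendor's detector, whose internals are not published here), the following Python scans constructed process-start events for PowerShell one-liners that list running processes and tags hits from an assumed allowlist of IT automation accounts, mirroring the triage step above. The event fields, the sample command lines and the allowlisted account are all constructed for this example.

```python
import re

# Constructed sample of endpoint process-start events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-101", "user": "jdoe", "process": "powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Get-Process | Select Name,Id"'},
    {"host": "WS-101", "user": "jdoe", "process": "powershell.exe",
     "cmdline": "powershell.exe -c \"gps | ? {$_.Name -match 'av|edr'}\""},
    {"host": "SRV-DB1", "user": "svc_inventory", "process": "powershell.exe",
     "cmdline": 'powershell.exe -c "Get-Process | Export-Csv C:\\IT\\inv.csv"'},
    {"host": "WS-202", "user": "asmith", "process": "powershell.exe",
     "cmdline": 'powershell.exe -c "Get-CimInstance -ClassName Win32_Process"'},
    {"host": "WS-303", "user": "bwayne", "process": "cmd.exe",
     "cmdline": "cmd.exe /c tasklist"},
    {"host": "WS-404", "user": "ckent", "process": "powershell.exe",
     "cmdline": 'powershell.exe -c "Get-Service | Out-File svc.txt"'},
]

# Common ways a PowerShell one-liner enumerates processes: the cmdlet, its
# aliases, the WMI/CIM process class, and the legacy tasklist utility.
# Word boundaries exclude look-alikes such as the ".ps1" script extension.
PROCESS_ENUM = re.compile(
    r"(?i)(?<![\w-])(Get-Process|gps|ps)(?![\w-])"
    r"|Win32_Process"
    r"|(?<![\w-])tasklist(?![\w-])"
)

# Assumed allowlist of IT automation accounts whose enumeration is expected.
ALLOWLIST_USERS = {"svc_inventory"}

def is_powershell(event):
    """Scope the rule to PowerShell hosts, as the alert name implies."""
    return event["process"].lower() in {"powershell.exe", "pwsh.exe"}

def detect(events, allowlist=ALLOWLIST_USERS):
    """Return one low-severity alert per PowerShell process-enumeration command."""
    alerts = []
    for ev in events:
        if not is_powershell(ev):
            continue
        match = PROCESS_ENUM.search(ev["cmdline"])
        if not match:
            continue
        alerts.append({
            "host": ev["host"], "user": ev["user"], "severity": "Low",
            "matched": match.group(0), "cmdline": ev["cmdline"],
            # Triage hint for the analyst: expected for this account or not.
            "allowlisted": ev["user"] in allowlist,
        })
    return alerts
```

Events from cmd.exe (such as the bare tasklist call) are deliberately out of scope here; in production you would cover them with a separate rule.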
