I have created an Expert Rule that triggers a report event when a specific command line in PowerShell is called.
In this event I cannot find the source name of the script that executed the command.
Is there a way to locate the script that tried to execute this command?
There isn't necessarily a script file. It could be a command line argument or a command passed in the shell. If you want to see script file names that aren't passed in the command line, you would have to create a rule that logs ps1 file read.
ENS doesn't log the script content. It would be necessary to use MVISION EDR on an AMSI-enabled system, using the ProcessHistory content collector to pull back script content, or enable local PowerShell logging and view the data there.
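As an added example that is not part of the thread, and not McAfee/Trellix code: the "enable local PowerShell logging and view the data there" route from the answer, done in PowerShell. It turns on Script Block Logging and then searches Event ID 4104 entries for a command pattern, returning the `.ps1` path the block came from (the `Path` property is empty when the code arrived via `-Command`, `-EncodedCommand` or an interactive console, which is exactly the case the answer warns about). It assumes Windows PowerShell 5.1 or later, an elevated session, and a command pattern of your own; `Invoke-WebRequest` below is only a placeholder. The `ProcessId` column is included so the hit can be matched against the process in the ENS event.

```powershell
# Added example (not from the thread): enable PowerShell Script Block Logging
# and find which script file, if any, contained a given command.
# Assumes Windows PowerShell 5.1+ and an elevated session.

# 1. Enable Script Block Logging. This is the same registry value that the
#    GPO "Turn on PowerShell Script Block Logging" sets.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Query Event ID 4104 ("Creating Scriptblock text") and extract the source.
#    Event properties in order: MessageNumber, MessageTotal, ScriptBlockText,
#    ScriptBlockId, Path. Large scripts are split over several events that
#    share a ScriptBlockId, so results are grouped on that id.
function Find-ScriptBlockSource {
    param(
        # Regex matched against the logged script text (placeholder in usage below)
        [Parameter(Mandatory)] [string] $CommandPattern,
        [int] $MaxEvents = 5000
    )
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time          = $_.TimeCreated
            ProcessId     = $_.ProcessId
            ScriptBlockId = $p[3].Value
            # Empty Path means the block was not read from a .ps1 file:
            # it came from -Command/-EncodedCommand or an interactive prompt.
            Path          = if ($p[4].Value) { $p[4].Value } else { '<no file: console or -Command>' }
            Text          = $p[2].Value
        }
    } |
    Group-Object ScriptBlockId |
    ForEach-Object {
        $first = $_.Group | Sort-Object Time | Select-Object -First 1
        [pscustomobject]@{
            Time          = $first.Time
            ProcessId     = $first.ProcessId
            ScriptBlockId = $_.Name
            Path          = $first.Path
            FullText      = ($_.Group.Text -join '')
        }
    } |
    Where-Object { $_.FullText -match $CommandPattern } |
    Select-Object Time, ProcessId, Path, ScriptBlockId
}

# Usage: locate the script (or confirm there was none) for a placeholder pattern.
Find-ScriptBlockSource -CommandPattern 'Invoke-WebRequest' | Format-Table -AutoSize
```

Script Block Logging only captures what PowerShell itself executes, so it complements rather than replaces the ENS rule: the ENS event tells you the command line was seen, and the 4104 record tells you whether a `.ps1` file supplied it and which one.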