I have created an Expert Rule that triggers a report event when a specific command line in PowerShell is called.
In this event I cannot find the source name of the script that executed the command.
Is there a way to locate the script that tried to execute this command?
There isn't necessarily a script file. It could be a command line argument or a command passed in the shell. If you want to see script file names that aren't passed in the command line, you would have to create a rule that logs ps1 file reads.
ENS doesn't log the script content. It would be necessary to use MVISION EDR on an AMSI-enabled system, using the ProcessHistory content collector to pull back script content, or enable local PowerShell logging and view the data there.
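Following the answer's pointer to local PowerShell logging, here is an added example (not from the thread, and not ENS or MVISION functionality) that turns on script block logging and then searches the resulting 4104 events for the command, reporting the script path when the block came from a file. The command string is an assumed placeholder, and the session is assumed to run elevated.

```powershell
# Added example: locate the script (if any) behind a PowerShell command by using
# local script block logging (event 4104). Run from an elevated PowerShell session.
$Needle = 'Invoke-WebRequest'   # assumed placeholder for the command the Expert Rule matched

# 1. Enable script block logging via the same registry key Group Policy writes.
#    Only PowerShell hosts started after this point are logged.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
Set-ItemProperty -Path $Key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Pull 4104 "Creating Scriptblock text" events from the PowerShell operational log.
#    Event properties: [2] = script block text, [3] = script block id, [4] = Path.
#    Path is empty when the code came from the command line or an interactive prompt,
#    which is the case the answer above describes (no script file exists).
$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -ErrorAction SilentlyContinue

# 3. Keep only blocks containing the command; report the originating file and the
#    process id, which can be matched against the process id in the ENS event.
$Hits = foreach ($e in $Events) {
    $text = [string]$e.Properties[2].Value
    if ($text -like "*$Needle*") {
        $flat = $text -replace '\s+', ' '
        $path = [string]$e.Properties[4].Value
        [pscustomobject]@{
            Time      = $e.TimeCreated
            ProcessId = $e.ProcessId
            Source    = if ($path) { $path } else { '<command line / interactive>' }
            Snippet   = $flat.Substring(0, [Math]::Min(120, $flat.Length))
        }
    }
}
$Hits | Sort-Object Time | Format-Table -AutoSize
```

A hit whose Source is the placeholder rather than a file path confirms the answer's point that the command was passed directly rather than from a .ps1 file.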