HIGH Protection Against Security Measures Bypass Techniques - 1940197314

Prevented (Blocked) ID: #33505 | Detected: 2026-01-15 01:07:24 | Malware
View Incident Back
Alert Overview

Malicious command in Powershell command line

Unclassified
XDR Agent
New
DS:PANW/XDR Agent DOM:Security
Host Information
teahee
172.30.1.72
dokji
129b847f7f5b46babe68cce9eab29db4
e8:84:a5:3f:53:7c
Process Information Process Execution
Actor Process (Executor)
Process Name wscript.exe
Path C:\Windows\System32\wscript.exe
PID 21700
SHA256 5919e37adbf233d1aadf793959eeeb7d1eba073b23b3572016564b407f0ad93f VT
MD5 58e6467c1780f739edfd7df2c6bc74bf
Signature Microsoft Corporation N/A 
"wscript.exe" "C:\app\cortex-xdr-siem-test\xdr_hidden_runner.vbs" --once
MITRE ATT&CK Mapping
TA0005 - Defense Evasion TA0002 - Execution
T1059.001 - Command and Scripting Interpreter: PowerShell T1059 - Command and Scripting Interpreter T1140 - Deobfuscate/Decode Files or Information
Quick Actions
View Related Incident View Endpoint Check Hash on VirusTotal Back to Alerts
Severity Analysis
HIGH

High priority investigation needed

Summary
Events 1
IP Addresses 1
Tags 2
File Artifacts Yes
Network Artifacts No
Registry Artifacts No
Analyst Verdict