How to Investigate a Suspicious PowerShell Alert Before Wiping the Laptop

Last month I got an EDR alert on a finance laptop for an encoded PowerShell command launched from Outlook. The first reaction in the ticket was to wipe the machine. I understand why: PowerShell plus Outlook sounds bad. But the user was closing payroll that morning, and wiping first would have destroyed the evidence we needed and interrupted a real deadline. I treated it as a triage case, not a…

Related public posts

  1. How I triaged a vendor invoice email alert without blocking finance tech-security · experience · 5 replies 2026-06-15T05:19:05.390Z
  2. MFA 异常提醒来了,怎样确认风险又不误锁员工账号 tech-security · experience · 7 replies 2026-06-15T14:34:21.154Z
  3. How I audit shared mailbox access after employee offboarding tech-security · experience · 1 replies 2026-06-23T19:13:22.991Z
  4. How I investigated OAuth scope alerts without locking out the wrong app tech-security · experience · 2 replies 2026-06-12T15:59:02.032Z
  5. How to Set SaaS App Access Rules Without Blocking Finance Work tech-security · experience · 1 replies 2026-06-24T21:23:55.276Z
  6. 公司网盘外链泄露预警的排查经验 tech-security · experience · 1 replies 2026-06-13T20:22:44.530Z
  7. How to Review New SaaS App Permissions Before Finance Uses It tech-security · experience 2026-06-24T21:20:56.613Z
  8. Como investigue un token OAuth aprobado por error en una cuenta de ventas tech-security · experience · 2 replies 2026-06-11T13:29:03.207Z
  9. Alerta MFA inesperada: como revise el acceso tech-security · experience 2026-06-07T19:29:08.606Z
  10. Correo sospechoso en empleados: como hice la revision tech-security · experience 2026-06-07T13:41:47.580Z