How to Investigate a Suspicious PowerShell Alert Before Wiping the Laptop
Last month I got an EDR alert on a finance laptop for an encoded PowerShell command launched from Outlook. The first reaction in the ticket was to wipe the machine. I understand why: PowerShell plus Outlook sounds bad. But the user was closing payroll that morning, and wiping first would have destroyed the evidence we needed and interrupted a real deadline. I treated it as a triage case, not a…