Windows Defender Advanced Threat Protection - DataCollection PS1
Dear Community,
I have a question regarding Windows Defender Advanced Threat Protection*DataCollection*\folderName*.ps1.
My EDR raised multiple alerts from a PowerShell script that came from the above directory but was launched by a default browser like Chrome. I think that this script compares the hash and ensures that only verified and trusted scripts are executed.
But as it seems to be executed every 3 hours, I would like to know if this behavior is intended?
I understand that this folder is used to collect data from endpoints to assess their security state, provide security recommendations, and alert us to threats, but I'm not sure why it is started by Chrome...
Below is an example of the command line executed:
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8764.10765551.0.10765551-c30813e2136fk563fs4h7es5b96a6f91e3b342ffe\0e3dsdfsd-06cc-486d-9465-9ef3bee75444.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8764.10765551.0.10762534-c30813e213fsfhrefs6a6f91e3b342ffe\0e3d6d2d-06cc-486d-9465-9ef3bee75444.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '5b385f081e8f387e2adgsdgg4063bfb4572cfabfsdfx208f7cbd0d740638')) { exit 323;}; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8764.10765551.0.10765551-c30813e213684dbd64b9435b96a6f91e3b342ffe\0e336d3d-06cc-476d-9895-9fg3bae58344.ps1' }"
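The command line above follows one pattern: open the script with a read-only handle, recompute its SHA256, exit with a non-zero code if it does not match the expected hash, and only then dot-source it. Because PowerShell is started with -ExecutionPolicy AllSigned, the script must also carry a valid Authenticode signature from a trusted publisher or PowerShell refuses to run it. The following is an added example, not code from the post or from Microsoft: Invoke-HashGatedScript reproduces the gate so its behaviour can be seen on a constructed, unsigned sample file, and Test-DataCollectionScript is a triage helper that reports the two things a responder wants to know about the real file, namely whether its hash still matches the one embedded in the alerted command line and what its signature status is. Both function names and the sample script under $env:TEMP are this example's own.

```powershell
# Added example (not Microsoft's code): hash-gated dot-sourcing plus triage checks.

function Invoke-HashGatedScript {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    # Same technique as the alerted wrapper: keep a read handle open with
    # FileShare.Read so nothing can rewrite the file between the hash check
    # and execution, hash it, and dot-source only on an exact match.
    $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
    try {
        $actual = (Microsoft.PowerShell.Utility\Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            # The original wrapper does 'exit 323' here; a function returns instead.
            Write-Warning "Hash mismatch for $Path (expected $ExpectedSha256, got $actual); not executing."
            return $false
        }
        . $Path
        return $true
    }
    finally {
        $stream.Dispose()
    }
}

function Test-DataCollectionScript {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    # Triage view of a script referenced by an alerted command line: does the
    # on-disk hash still equal the embedded one, and would AllSigned accept it?
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path           = $Path
        ActualSha256   = $hash
        HashMatches    = ($hash -eq $ExpectedSha256)
        SignatureState = $sig.Status              # AllSigned requires 'Valid'
        Signer         = $sig.SignerCertificate.Subject
    }
}

# Constructed sample (assumption: a throwaway, unsigned script in TEMP) so the
# gate can be exercised offline. For the real file, pass the path and hash
# copied from the alerted command line instead.
$sample = Join-Path $env:TEMP 'hash-gate-demo.ps1'
Set-Content -Path $sample -Value 'Write-Output "payload ran"' -Encoding ASCII
$good = (Get-FileHash -Path $sample -Algorithm SHA256).Hash

Invoke-HashGatedScript -Path $sample -ExpectedSha256 $good
Add-Content -Path $sample -Value '# tampered after hashing' -Encoding ASCII
Invoke-HashGatedScript -Path $sample -ExpectedSha256 $good
Test-DataCollectionScript -Path $sample -ExpectedSha256 $good
Remove-Item -Path $sample
```

The first gated call runs the sample and returns True; after the file is modified the second call warns about the mismatch and returns False without dot-sourcing it, which is the same outcome the alerted wrapper expresses as exit code 323. Test-DataCollectionScript on the unsigned sample reports HashMatches False and SignatureState NotSigned; on the file under DataCollection that the alert points at, HashMatches True together with SignatureState Valid and a signer you recognise is the condition under which the wrapper would actually have executed it.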