mlajoie
Reliable Contributor
Message 1 of 15

blocking powershell


Good afternoon.

I've created an access protection rule that prevents executing powershell, unless the user is in an authorized group.  I have it set to block powershell.exe during the following operations:

- Execute

- Rename

- Write

These options prevent powershell.exe from being executed, renamed, and copied/pasted in another location.  I've found another way around this issue.  I can literally right-click on powershell.exe and send it to a compressed (zipped) folder.  I then open that zip, rename it and can launch powershell from within the zip or unzip it and launch powershell from that location.

Another workaround I found: I can download a PowerShell zip file (from here (Release v7.2.1 Release of PowerShell · PowerShell/PowerShell · GitHub), for instance) and now I can run powershell again.  I did find that powershell.exe is named pwshell.exe in that zip, so I added it to the rule, but that is not a sustainable solution.

Is there any way to prevent either of these from occurring?  If so, how?

Accepted Solutions

mlajoie
Reliable Contributor
Message 12 of 15

Re: blocking powershell


OK.  I've found the issues and wanted to put this here in case someone finds this in the future and wants to block powershell using an expert rule.

I ended up creating two expert rules.  One is the 'file' rule type and the other is 'process'.

The file one looks like this:

Rule {
    Process {
        Include OBJECT_NAME { -v powershell.exe }
        Include OBJECT_NAME { -v powershell_ise.exe }
        Include OBJECT_NAME { -v pwsh.exe }
        # exclude admin groups
        Exclude AggregateMatch {
            Include GROUP_SID { -v "S-1-16-12288" }
            Include GROUP_SID { -v "S-1-16-16384" }
        }
    }
    Target {
        Match FILE {
            Include -access "EXECUTE"
            Include -access "READ"
        }
    }
}

The process one:

Rule {
    Process {
        Include OBJECT_NAME { -v powershell.exe }
        Include OBJECT_NAME { -v powershell_ise.exe }
        Include OBJECT_NAME { -v pwsh.exe }

        # exclude admin groups
        Exclude AggregateMatch {
            Include GROUP_SID { -v "S-1-16-12288" }
            Include GROUP_SID { -v "S-1-16-16384" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-123771" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-318856" }
        }
    }
    Target {
        Match PROCESS {
            Include -access CREATE
            Include -access DELETE
            Include -access WRITE
        }
    }
}

Between these two rules, we're now able to prevent powershell, powershell_ise, as well as the command prompt PS shell.

I'm still trying to figure out how I can prevent it from being copied/pasted/renamed, though.

 

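To make the difference between the symlink rule from message 3 and the 'file' rule in the accepted solution concrete, here is an added example (not McAfee or ENS code, and not the thread author's): a toy model that reads the Process/Target shape of an expert rule and decides whether a constructed event would match it. The model assumes that the Process block names the acting process, that `Exclude AggregateMatch` with several `GROUP_SID` entries exempts an actor whose token carries any one of those SIDs, and that the Target block names the object kind and the access that must occur; those semantics, the `S-1-5-32-545` (BUILTIN\Users) sample token and the four events are assumptions built for this page. Run over the two rules copied from the thread, it shows why a SET_REPARSE rule never fires when a non-admin user simply launches PowerShell (the complaint in messages 8 and 9) while a FILE rule listing EXECUTE and READ does, and why an elevated token is exempt from both.

```python
"""Toy model of the ENS expert rules posted in this thread (added example, not
McAfee code). It only reads the Process/Target shape of a rule; treating the
'Exclude AggregateMatch' SIDs as 'any listed SID exempts the actor' is an assumption."""
import re
from dataclasses import dataclass

SYMLINK_RULE = """
Rule {
    Process {
        Include OBJECT_NAME { -v cmd.exe }
        Include OBJECT_NAME { -v powershell.exe }
        Include OBJECT_NAME { -v powershell_ise.exe }
        # exclude admin groups
        Exclude AggregateMatch {
            Include GROUP_SID { -v "S-1-16-12288" }
            Include GROUP_SID { -v "S-1-16-16384" }
        }
    }
    Target {
        Match FILE { Include -access SET_REPARSE }
    }
}
"""
FILE_RULE = """
Rule {
    Process {
        Include OBJECT_NAME { -v powershell.exe }
        Include OBJECT_NAME { -v powershell_ise.exe }
        Include OBJECT_NAME { -v pwsh.exe }
        Exclude AggregateMatch {
            Include GROUP_SID { -v "S-1-16-12288" }
            Include GROUP_SID { -v "S-1-16-16384" }
        }
    }
    Target {
        Match FILE {
            Include -access "EXECUTE"
            Include -access "READ"
        }
    }
}
"""

def _block(text, keyword):
    """Return the text between the braces that follow the first `keyword {`."""
    start = text.index("{", text.index(keyword)) + 1
    depth, i = 1, start
    while depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]

@dataclass(frozen=True)
class Rule:
    name: str
    processes: frozenset    # lower-cased image names from Include OBJECT_NAME
    exempt_sids: frozenset  # SIDs under Exclude AggregateMatch
    target: str             # FILE or PROCESS
    accesses: frozenset     # -access values the rule watches for

def parse_rule(name, text):
    text = "\n".join(ln for ln in text.splitlines() if not ln.strip().startswith("#"))
    proc = _block(text, "Process")
    procs = frozenset(m.lower() for m in re.findall(r'OBJECT_NAME\s*\{\s*-v\s*"?([^\s"}]+)', proc))
    sids = frozenset()
    if "Exclude AggregateMatch" in proc:
        sids = frozenset(re.findall(r'GROUP_SID\s*\{\s*-v\s*"?([^\s"}]+)', _block(proc, "Exclude AggregateMatch")))
    tgt = _block(text, "Target")
    kind = re.search(r"Match\s+(FILE|PROCESS)", tgt).group(1)
    return Rule(name, procs, sids, kind, frozenset(a.upper() for a in re.findall(r'-access\s*"?([A-Za-z_]+)', tgt)))

@dataclass(frozen=True)
class Event:
    process: str           # image name of the process performing the operation
    token_sids: frozenset  # group SIDs in that process's token
    target: str            # FILE or PROCESS
    access: str            # operation attempted: EXECUTE, READ, SET_REPARSE, ...

def rule_matches(rule, ev):
    """Actor named in the rule, not exempt by SID, and target kind + access listed."""
    if ev.process.lower() not in rule.processes or ev.token_sids & rule.exempt_sids:
        return False
    return ev.target == rule.target and ev.access.upper() in rule.accesses

def triggered(rules, ev):
    """Names of the rules that would report or block this event."""
    return [r.name for r in rules if rule_matches(r, ev)]

USERS = frozenset({"S-1-5-32-545"})   # constructed non-admin token (BUILTIN\Users)
ADMIN = USERS | {"S-1-16-12288"}      # same token at High Mandatory Level (exempt in the thread's rules)
RULES = [parse_rule("symlink", SYMLINK_RULE), parse_rule("file", FILE_RULE)]
SAMPLE_EVENTS = {  # constructed events, not real ENS telemetry
    "user_launches_powershell": Event("powershell.exe", USERS, "FILE", "EXECUTE"),
    "admin_launches_powershell": Event("powershell.exe", ADMIN, "FILE", "EXECUTE"),
    "user_powershell_symlink": Event("powershell.exe", USERS, "FILE", "SET_REPARSE"),
    "user_launches_pwsh": Event("pwsh.exe", USERS, "FILE", "EXECUTE"),
}

def demo():
    """Which rule names fire for each sample event."""
    return {label: triggered(RULES, ev) for label, ev in SAMPLE_EVENTS.items()}

if __name__ == "__main__":
    print(demo())
```

Running it shows `user_launches_powershell` and `user_launches_pwsh` matched only by the file rule, `user_powershell_symlink` matched only by the symlink rule, and the elevated launch matched by neither, which is the behaviour the thread converges on; the real test remains running the rule in report-only mode on a client, as the warning in message 3 advises.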

14 Replies
rfranci
Employee
Message 2 of 15

Re: blocking powershell


Hi @mlajoie ,

Thank you for reaching out to us on the community!

In that case you can create an AP rule with the process set to the MD5 hash of powershell.exe.

Steps:
- Open 'C:\Windows\System32\WindowsPowerShell\v1.0' in cmd.
- Type the command below:
certutil -hashfile powershell.exe MD5

Copy the MD5 value (097ce5761c89434367598b34fe32893b).
Note: This value might change on different versions of PowerShell.

Now you can create an Access Protection policy to block PowerShell itself from doing anything, based on the MD5:
Edit the Access Protection policy -> click 'Add' -> click 'Add' for executable -> provide any name for the executable -> instead of the file name only, add the MD5 hash: 097ce5761c89434367598b34fe32893b -> click Save.

Now go to the subrule -> click 'Add' -> name the subrule -> enable the actions that you want to prevent PowerShell from doing -> enter the file path as: **\*.*

I hope this helps.

-Rohit Francis 

harshgautam
Employee
Message 3 of 15

Re: blocking powershell


Hi @mlajoie ,

Thank you for reaching out to us over the Community channel. As I understand, you want to allow specific users to access the PowerShell application.

You can use the steps below to create a custom Expert Rule in ePolicy Orchestrator (ePO) that prevents non-privileged users from creating symbolic links (symlinks) and junctions through cmd.exe, powershell.exe, or powershell_ise.exe. Exclusions have been included for High Mandatory (Admin: S-1-16-12288) Level and System Mandatory (S-1-16-16384) Level Security IDs (SIDs) to allow for normal operating system activity.

WARNING: Because of the aggressive nature of this Expert Rule, McAfee recommends the standard best practice of first testing the rule as "report only" in your environment to rule out unintended behavior.

To create the Expert Rule in ePO:
  1. Select Menu, Policy, Policy Catalog.
  2. Select Endpoint Security Threat Prevention from the Products list in the left pane.
  3. Select Exploit Prevention from the Category list in the right pane.
  4. Click the Edit link for an editable policy.
  5. Click Show Advanced.
  6. Click Add Expert Rule in the Signatures section.
  7. Complete the fields on the Expert Rules Properties page. ENS assigns the ID number automatically starting with 20000:
    1. Select the severity and action for the rule. McAfee recommends a High severity and an action of only Report for initial validation. After you validate that the rule doesn't cause unexpected behavior, you can configure it to Block and Report.
    2. Select Use Expert Rule template to populate the Rule content field with template code when you select a rule type.
    3. Select Process for the type of rule to create.
    4. Change the template code to specify the behavior of the rule as shown below (a copy of this code is also attached to this article as symlink_expert_rule.txt):

      Rule {
          Process {
              Include OBJECT_NAME { -v cmd.exe }
              Include OBJECT_NAME { -v powershell.exe }
              Include OBJECT_NAME { -v powershell_ise.exe }

              # exclude admin groups
              Exclude AggregateMatch {
                  Include GROUP_SID { -v "S-1-16-12288" }
                  Include GROUP_SID { -v "S-1-16-16384" }
              }
          }
          Target {
              Match FILE {
                  Include -access SET_REPARSE
              }
          }
      }
  8. Save the rule, and then save the settings.
  9. Enforce the policy to a client system.
  10. Validate the new Expert Rule on the client system.
To facilitate reporting of violations of the above rule, you can check in the attached query, Symlink_Reparse_Query.xml, into ePO.

If you are looking to create specifically an AP rule:

Restrict User Accounts for PowerShell Access Protection Rule: refer to the attached PDF, pages 18-20.
Document: https://community.mcafee.com/nysyc36988/attachments/nysyc36988/business-documents/1106/1/PowerShell%...


mlajoie
Reliable Contributor
Message 4 of 15

Re: blocking powershell

I was able to remove the ability to copy/paste powershell, as well as sending it to a .zip file, by checking the 'read' box. This prevents the reading of powershell.exe by non-privileged users, so that meets the needs.

My question now revolves around downloading a zip file of powershell (from, for example, the link in my original request). I assume the expert exploit prevention rule would resolve that workaround? Please advise. Thank you.
harshgautam
Employee
Message 5 of 15

Re: blocking powershell


Hi @mlajoie,

Regarding your query: the expert rule will action and block any PowerShell file/script execution on the system.

However, I would request you to test on a couple of systems and monitor. The script I shared prevents non-privileged users from creating/running/executing/editing any PowerShell script.


mlajoie
Reliable Contributor
Message 6 of 15

Re: blocking powershell

I have a question on the expert rule. I've applied the policy but it doesn't seem to be working. I've put the policy in 'blocking' mode but I can still open powershell. Is that not being blocked? If that's expected, I'd like to prevent powershell from even being opened. Is that possible? Please advise.

If it is supposed to be blocked, why would it not be blocked?
harshgautam
Employee
Message 7 of 15

Re: blocking powershell


Hi @mlajoie ,

Thank you for reaching out to us. If you are facing an issue, there could be multiple reasons, from the already defined values to policy changes not taking effect because of an MA communication issue.

As I understand, you want to block the PowerShell command in the environment. That is possible through an AP rule. However, you need to know that Microsoft, at the back end, randomly runs PowerShell scripts to verify their services.

Added a reference document; in place of the application name in the attached document, mention powershell.exe. Kindly ignore the name of the file attached.

Verify the target location too. 

 




mlajoie
Reliable Contributor
Message 8 of 15

Re: blocking powershell


@harshgautam  - thanks for the reply.

Unfortunately, it doesn't address my issue.  I am using an exploit prevention expert rule to block access to powershell by non-privileged users (as you indicated in your initial reply) to only allow certain groups, identified by SID.  I've attached the rule as it appears in ENS on the endpoint (it was done in ePO and has been updated on the endpoint).

The problem that I am having is that even with the rule applied, I can still open powershell and run a powershell script.  As you can see, it's set to report and block and doesn't appear to be doing either.

mlajoie
Reliable Contributor
Message 9 of 15

Re: blocking powershell


@harshgautam -- I just realized that the rule is only for the creation of symbolic links.  It is not to block the opening, writing, executing, reading, or, basically, deny *anything* related to powershell.

So.  The question now is what should I use?  Include -access "CREATE WRITE READ"?  Is there a spot that has all of the options for 'Include -access'?

Please advise.

Re: blocking powershell

Hi @mlajoie,

Kindly give me some time, still testing in my lab. Shall get back to you.