mlajoie
Reliable Contributor
Message 11 of 15

Re: blocking powershell

I've gotten an expert rule to block powershell but, for some reason, it isn't blocking powershell_ise.exe. Any ideas as to what I may be missing?

Rule Type: Processes
Expert Rule:

Rule {
    Process {
        # PowerShell hosts: pwsh.exe by bare name, Windows PowerShell by full path
        Include OBJECT_NAME { -v "pwsh.exe" }
        Include OBJECT_NAME { -v "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" }
        Include OBJECT_NAME { -v "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" }
        Include OBJECT_NAME { -v "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" }
        Include OBJECT_NAME { -v "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell_ise.exe" }

        # exclude PowerShell user groups
        Exclude AggregateMatch {
            Include GROUP_SID { -v "S-1-16-12288" }
            Include GROUP_SID { -v "S-1-16-16384" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-123771" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-318856" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-318854" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-318855" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-163272" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-177558" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-163270" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-163274" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-163273" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-202989" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-202991" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-254475" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-163269" }
        }
    }
    Target {
        Match PROCESS {
            Include -access SET_REPARSE
            Include -access CREATE
            Include -access DELETE
            Include -access WRITE
            Include -access EXECUTE
            Include -access READ
        }
    }
}
mlajoie
Reliable Contributor
Message 12 of 15

Re: blocking powershell


OK.  I've found the issues and wanted to put this here in case someone finds this in the future and wants to block powershell using an expert rule.

I ended up creating two expert rules.  One is 'file' rule-type and the other is 'process'. 

The file one looks like this:

Rule {
    Process {
        # match the PowerShell hosts by file name only
        Include OBJECT_NAME { -v powershell.exe }
        Include OBJECT_NAME { -v powershell_ise.exe }
        Include OBJECT_NAME { -v pwsh.exe }
        # exclude admin groups
        Exclude AggregateMatch {
            Include GROUP_SID { -v "S-1-16-12288" }
            Include GROUP_SID { -v "S-1-16-16384" }
        }
    }
    Target {
        Match FILE {
            Include -access "EXECUTE"
            Include -access "READ"
        }
    }
}

The process one:

Rule {
    Process {
        # match the PowerShell hosts by file name only
        Include OBJECT_NAME { -v powershell.exe }
        Include OBJECT_NAME { -v powershell_ise.exe }
        Include OBJECT_NAME { -v pwsh.exe }

        # exclude admin groups
        Exclude AggregateMatch {
            Include GROUP_SID { -v "S-1-16-12288" }
            Include GROUP_SID { -v "S-1-16-16384" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-123771" }
            Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-318856" }
        }
    }
    Target {
        Match PROCESS {
            Include -access CREATE
            Include -access DELETE
            Include -access WRITE
        }
    }
}

Between these two rules, we're now able to prevent powershell and powershell_ise, as well as the command-prompt PS shell.

I'm still trying to figure out how I can prevent it from being copied/pasted/renamed, though.
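Two things in the rules above are tedious or fragile by hand: the `Exclude AggregateMatch` block is a list of raw group SIDs, and `OBJECT_NAME` matches the file name on disk, which is exactly why a copied or renamed powershell.exe slips past it (the hash-based match mentioned later in the thread does not have that weakness, at the cost of the hashes changing with every Windows or PowerShell update). The script below is an added example, not code from the thread or from the ENS product: it resolves AD group names to SIDs and emits the exclusion block, and it records the hashes of the PowerShell hosts on the machine it runs on. The group names are placeholders, and the `Include MD5 { -v ... }` line it emits is an assumption about Expert Rule syntax that should be checked against the Expert Rule reference for the ENS version in use. It also notes a consequence worth knowing: `S-1-16-12288` and `S-1-16-16384` are the High and System integrity labels, so keeping them in the exclusion exempts every elevated process, not just members of the listed groups.

```powershell
# Added example (not from the thread). Builds the GROUP_SID exclusion block
# from group names and records hashes of the PowerShell hosts for a hash-based
# match. The "Include MD5 { -v ... }" syntax is an assumption; group names are
# placeholders.

function Get-GroupSid {
    param([Parameter(Mandatory)][string]$Account)
    # NTAccount -> SID translation works for local and domain groups and does
    # not need the ActiveDirectory module; it throws if the name cannot be resolved.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-ExcludeAggregateMatch {
    param([string[]]$Groups)
    $lines = @('Exclude AggregateMatch {')
    # S-1-16-12288 / S-1-16-16384 are the High and System integrity labels, so
    # keeping them (as the thread's rules do) exempts every elevated process,
    # not only members of the groups listed below.
    $lines += '    Include GROUP_SID { -v "S-1-16-12288" }'
    $lines += '    Include GROUP_SID { -v "S-1-16-16384" }'
    foreach ($g in $Groups) {
        try {
            $sid = Get-GroupSid -Account $g
            $lines += "    # $g"
            $lines += ('    Include GROUP_SID {{ -v "{0}" }}' -f $sid)
        } catch {
            Write-Warning "Could not resolve '$g': $($_.Exception.Message)"
        }
    }
    $lines += '}'
    return ($lines -join "`n")
}

function Get-PowerShellHostHashes {
    # The same hosts the thread's rules name, resolved from SystemRoot rather
    # than a hard-coded C:\Windows.
    $paths = @(
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
        "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
    )
    # pwsh.exe (PowerShell 7) is a separate install; include it when present.
    $pwsh = Get-Command pwsh.exe -ErrorAction SilentlyContinue
    if ($pwsh) { $paths += $pwsh.Source }
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        [pscustomobject]@{
            Path   = $p
            MD5    = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
            SHA256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        }
    }
}

function New-HashIncludeLines {
    # One Include per host binary. A renamed or copied powershell.exe keeps
    # this hash, which an OBJECT_NAME match cannot see. Regenerate after every
    # Windows or PowerShell update, since the binaries (and hashes) change.
    foreach ($h in Get-PowerShellHostHashes) {
        "    # $($h.Path)"
        ('    Include MD5 {{ -v "{0}" }}' -f $h.MD5)
    }
}

# Usage (placeholder group names)
New-ExcludeAggregateMatch -Groups @('CONTOSO\PowerShell-Users', 'CONTOSO\Server-Ops')
New-HashIncludeLines
```

Run it on a representative host, paste the two outputs into the `Process` section of the rule, and keep the SHA256 column from `Get-PowerShellHostHashes` alongside the MD5 for your own records; MD5 is what the rule consumes here, SHA256 is what most other tooling will want to compare against.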


mh22mh
Level 8
Message 13 of 15

Re: blocking powershell


Hi there,

Since you want certain users to be able to do it and the rest not, the easier way is to use the access protection in ENS.

I am using it like this:

Step 1) Create a rule and include any file (*).

Step 2) Add the user name for exclusion later.

Step 3) Create a subrule for the type "Processes".

Step 4-1) Add the PowerShell engines by name or file hash (this is a subrule inside step 3).

Step 4-2) Add the data name, which is .ps1 (this is a subrule inside step 3).

Take a look at the attached screenshots.

mlajoie
Reliable Contributor
Message 14 of 15

Re: blocking powershell

Yeah -- we tried it with AP first but it didn't meet our needs. We have a need to allow certain AD groups still be able to process PS scripts and whatnot. That led us to EP which does have that ability to use AD groups. I do appreciate the .ps1 addition to the rule. That isn't something we had previously considered.

Re: blocking powershell


Rule {
    Target {
        Match PROCESS {
            # match the PowerShell hosts by file name when a process is created
            Include OBJECT_NAME {
                -v "powershell.exe"
                -v "powershell_ise.exe"
                -v "pwsh.exe"
            }
            Include -access "CREATE"
        }
    }
}
