okan
Level 7
Message 1 of 3

I would like to block some commands from being executed directly in Powershell.

Hi,

I would like to block some commands from being executed directly in Powershell.

However, I can prevent it when "powershell -Invoke-Command" is run over CMD, which I can do in "Exploit prevention". But it does not block this command when I open and run the PowerShell screen directly. How do I prevent it from running on the PowerShell screen?

Do I need a parameter to mark the Powershell command line?

The rule I blocked when running from CMD is explained below;

"Exploit Prevention Expert Rule"

 

Rule {
    Process {
        Include OBJECT_NAME { -v "*PowerShell*" }
        Include PROCESS_CMD_LINE { -v "*Invoke-Command*" }
    }
    Target {
        Match SECTION { Include -access "CREATE" ; }
    }
}

2 Replies
Pravas
McAfee Employee
Message 2 of 3

Re: I would like to block some commands from being executed directly in Powershell.

Hi @okan ,

Exploit Prevention has rules which can prevent execution of malicious PowerShell commands.

In case you wish to create your own expert rule, please refer to the KB below.

https://kc.mcafee.com/corporate/index?page=content&id=KB89677

Thanks

 


okan
Level 7
Message 3 of 3

Re: I would like to block some commands from being executed directly in Powershell.

Looking from this article, I created the expert rule in my article above. But the problem is that the parameters I wrote or in the article helped me block if I invoke powershell in the command line (cmd) as a parameter. I want the user to double click powershell and prevent it from running the code I don't want. It doesn't do that. As far as I understand there is no parameter with which we can control the commands executed in powershell.exe. For example, with the "PROCESS_CMD_LINE" parameter I can block code when running via the command line, but when I run powershell.exe there is no parameter function to block the command I will run in it.
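To observe the gap described in this thread on a test machine, the following added example (not from the thread and not McAfee code) compares the rule's `*Invoke-Command*` wildcard with the command line Windows recorded for each running powershell.exe. The function name and the two sample strings are constructed for illustration, and PowerShell's `-like` operator is assumed to approximate the product's own wildcard matching.

```powershell
# Added example, not part of the original thread.
# Assumption: -like approximates the wildcard test applied to PROCESS_CMD_LINE.
function Test-CmdLinePattern {
    param(
        [string]$CommandLine,
        [string]$Pattern = '*Invoke-Command*'
    )
    # A process command line is fixed at process creation; text typed at the
    # prompt afterwards is never appended to it.
    return ($CommandLine -like $Pattern)
}

# Constructed samples: the two launch styles discussed in the thread.
$samples = @(
    [pscustomobject]@{
        Source      = 'sample: started from cmd.exe with the cmdlet as an argument'
        CommandLine = 'powershell -Command "Invoke-Command -ScriptBlock { hostname }"'
    }
    [pscustomobject]@{
        Source      = 'sample: console opened by double-click'
        CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
    }
)

# Live data: the command line recorded for every running powershell.exe.
$live = @(
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'powershell.exe'" |
        ForEach-Object {
            [pscustomobject]@{
                Source      = "live: PID $($_.ProcessId)"
                CommandLine = $_.CommandLine
            }
        }
)

# Report, per process, whether the command-line wildcard would have matched.
($samples + $live) | ForEach-Object {
    [pscustomobject]@{
        Source         = $_.Source
        CommandLine    = $_.CommandLine
        PatternMatches = Test-CmdLinePattern -CommandLine $_.CommandLine
    }
} | Format-List
```

Typing `Invoke-Command` into an already open console and running the script again leaves that console's row unchanged, which is the behaviour reported above.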
