cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mlajoie
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 11 of 15

Re: blocking powershell

Jump to solution
I've gotten an expert rule to block powershell but, for some reason, it isn't blocking powershell_ise.exe. Any ideas as to what I may be missing?

Rule Type: Processes
Expert Rule:
Rule {
Process {
Include OBJECT_NAME { -v "pwsh.exe" }
Include OBJECT_NAME {-v "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" }
Include OBJECT_NAME {-v "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" }
Include OBJECT_NAME {-v "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" }
Include OBJECT_NAME {-v "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell_ise.exe" }

# exclude PowerShell User groups
Exclude AggregateMatch {
Include GROUP_SID { -v "S-1-16-12288" }
Include GROUP_SID { -v "S-1-16-16384" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-123771" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-318856" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-318854" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-318855" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-163272" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-177558" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-163270" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-163274" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-163273" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-202989" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-202991" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-254475" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-163269" }
}
}
Target {
Match PROCESS {
Include -access SET_REPARSE
Include -access CREATE
Include -access DELETE
Include -access WRITE
Include -access EXECUTE
Include -access READ
}
}
}
mlajoie
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 12 of 15

Re: blocking powershell

Jump to solution

OK.  I've found the issues and wanted to put this here in case someone finds this in the future and wants to block powershell using an expert rule.

I ended up creating two expert rules.  One is 'file' rule-type and the other is 'process'. 

The file one looks like this:

Rule {
Process {
Include OBJECT_NAME { -v powershell.exe }
Include OBJECT_NAME { -v powershell_ise.exe }
Include OBJECT_NAME { -v pwsh.exe }
# exclude admin groups
Exclude AggregateMatch {
Include GROUP_SID { -v "S-1-16-12288" }
Include GROUP_SID { -v "S-1-16-16384" }
}
}
Target {
Match FILE {
Include -access "EXECUTE"
Include -access "READ"
}
}
}

The process one:

Rule {
Process {
Include OBJECT_NAME { -v powershell.exe }
Include OBJECT_NAME { -v powershell_ise.exe }
Include OBJECT_NAME { -v pwsh.exe }

# exclude admin groups
Exclude AggregateMatch {
Include GROUP_SID { -v "S-1-16-12288" }
Include GROUP_SID { -v "S-1-16-16384" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-123771" }
Include GROUP_SID { -v "S-1-5-21-1150564198-587945205-751859383-318856" }
}
}
Target {
Match PROCESS {
Include -access CREATE
Include -access DELETE
Include -access WRITE
}
}
}

Between these two rules, we're now able to prevent powershell, powershell_ise as well as command prompt PS shell.  

I'm still trying to figure out how I can prevent it from being copy/pasted/renamed, tho.

 

mh22mh
Level 8
Report Inappropriate Content
Message 13 of 15

Re: blocking powershell

Jump to solution

Hi there,

Since you want certain users to be able to do it and the rest no, the easier way is to use the access protection in ENS.

I am using it like this:

Step1) Create a rule and include any file (*).

Step2)  Add user name for exclusion later.

Step3) Create a subrule for the type "Processes"

Step4-1) Add as name or hash file for the Powershell engines (This is a subrule inside step3)

Step4-2) Add the data name which is .ps1  (This is a subrule inside step3)

Take look at the attached screen shots

mlajoie
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 14 of 15

Re: blocking powershell

Jump to solution
Yeah -- we tried it with AP first but it didn't meet our needs. We have a need to allow certain AD groups still be able to process PS scripts and whatnot. That led us to EP which does have that ability to use AD groups. I do appreciate the .ps1 addition to the rule. That isn't something we had previously considered.

Re: blocking powershell

Jump to solution

Rule {
Target {
Match PROCESS {
Include OBJECT_NAME {
-v "powershell.exe"
-v "powershell_ise.exe"
-v "pwsh.exe"
}
Include -access "CREATE"
}}}

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community