Who Me Too'd this topic

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who Me Too'd this topic

okan
Level 7
Report Inappropriate Content
‎04-27-2021 01:20 AM

I would like to block some commands from being executed directly in Powershell.

Hi,

I would like to block some commands from being executed directly in Powershell.

However, I can prevent it when the "powerhell -Invoke-Command" is run over CMD, which I can do in "Exploit prevention". But it does not block this command when I open and run the powershell screen directly. How do I prevent it from running on Powershell screen.

Do I need a parameter to mark the Powershell command line?

The rule I blocked when running from CMD is explained below;

"Exploit Prevention Expert Rule"

 

Rule { 

    Process {

 

Include OBJECT_NAME { v "*PowerShell*" }

Include PROCESS_CMD_LINE { v "*Invoke-Command*"}

}

Target  {

 

Match SECTION { Include -access "CREATE" ; }

}

1 person had this problem.
0 Kudos
Reply
Who Me Too'd this topic

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC