Below you will find specific examples of using PowerShell Protect. These examples assume you have the PowerShell Protect module and AMSI provider installed. You can learn more about installation on the Getting Started page.
The following example checks whether the application name contains the value "powershell.exe". Application names are provided by AMSI and typically look like: PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.19041.1.
$Condition = New-PSPCondition -Property "ApplicationName" -Contains -Value "powershell.exe"
$Block = New-PSPAction -Block
$Rule = New-PSPRule -Name "Web Request" -Condition $Condition -Action $Block
$Config = New-PSPConfiguration -Rule $Rule -Action $Block
Set-PSPConfiguration -Configuration $Config -FileSystem
You could adjust this example to disable PowerShell 7 by using pwsh.exe rather than powershell.exe. Keep in mind that a block rule on the application name applies to every process running that host, including the session you are configuring from and any scheduled tasks or management tooling that start it. Before rolling it out, try the same condition with a file action (as in the next example) so you can see what it would have blocked.
The following example checks whether an administrator is running commands. If so, it writes the commands to a file. You could also send these commands to a SIEM or an HTTP server such as PowerShell Universal. Whatever the destination, put it somewhere the logged user cannot modify: a file on that administrator's own desktop, as in the path below, is one they can edit or delete.
$Condition = New-PSPCondition -Property "Admin" -Contains -Value "true"
$Block = New-PSPAction -File -Path "C:\users\adamr\desktop\admincommands.txt" -Format "{script}" -Name 'AdminFile'
$Rule = New-PSPRule -Name "Admin Command" -Condition $Condition -Action $Block
$Config = New-PSPConfiguration -Rule $Rule -Action $Block
Set-PSPConfiguration -Configuration $Config -FileSystem
This example configures PowerShell Protect to send log messages to a PowerShell Universal instance by issuing HTTP POST requests to the configured server. The rule checks whether the string \\corp\human-resources appears anywhere in the user's script. If it does, PowerShell Protect sends an HTTP POST to the URL http://localhost:8080/protect. The body of the request contains the computer name and user name separated by a comma. Note that the HTTP action only reports; it does not block the script. The condition is also a literal match against the script text, so a script that assembles the path at run time from pieces would not trigger it.
$Condition = New-PSPCondition -Property "script" -Contains -Value "\\corp\human-resources"
$Block = New-PSPAction -Http -Address "http://localhost:8080/protect" -Format "{computerName},{userName}" -Name 'Universal'
$Rule = New-PSPRule -Action $Block -Condition $Condition -Name "HR Share"
$Config = New-PSPConfiguration -Rule $Rule -Action $Block
Set-PSPConfiguration -Configuration $Config -FileSystem
This PSU configuration defines an endpoint that accepts the POST data from PowerShell Protect and saves it to a file. It also defines a dashboard that reads the data and displays it in a table. This assumes that you have installed the PowerShell Universal module and server. The endpoint is unauthenticated and writes the request body to the file as received, so treat it as a demonstration and keep the listener on a trusted network.
Start-PSUServer -Port 8080 -Configuration {
    New-PSUEndpoint -Url "/protect" -Method POST -Endpoint {
        $Data = "$Env:Temp\data.csv"
        # Write the CSV header once, when the file is first created
        if (-not (Test-Path $Data)) {
            "computer,user" | Out-File $Data
        }
        # $Body is the raw request body, "{computerName},{userName}" from the rule above.
        # -Append is required: without it each POST overwrites the header and earlier rows.
        $Body | Out-File $Data -Append
    }
    New-PSUDashboard -Name "Protect" -Content {
        New-UDDashboard -Title 'Protect' -Content {
            $Data = Import-Csv -Path "$Env:Temp\data.csv"
            New-UDTable -Data $Data
        }
    }
}
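The endpoint above trusts whatever arrives in the POST body: a body with an embedded line break adds a second CSV row, and one with an extra comma shifts the columns. The following is an added example, not code from the PowerShell Protect or PowerShell Universal documentation, showing a receiver that validates the body before storing it. It assumes the body is the "{computerName},{userName}" string produced by the rule on this page, that the CSV lives under $Env:Temp as in the page's example, and that the listener is only reachable from trusted hosts; the function names and the demo file name are mine, and the commented New-PSUEndpoint drop-in at the end uses New-PSUApiResponse to return a 400 to the caller.

```powershell
# Added example; not code from the PowerShell Protect or PowerShell Universal docs.
# Assumptions: the POST body is the "{computerName},{userName}" string sent by the
# rule above, the CSV lives under $Env:Temp as on this page, and the listener is
# only reachable from trusted hosts (nothing here authenticates the caller).

# Parse one POST body into an object, or return $null when it is not exactly
# "<computer>,<user>" with two non-empty, single-line fields.
function ConvertFrom-ProtectBody {
    param([string] $Body)

    if ([string]::IsNullOrWhiteSpace($Body)) { return $null }

    # Exactly two fields, no extra commas, no CR/LF inside a field: a crafted body
    # cannot add rows or shift columns in the CSV.
    if ($Body -match '^([^,\r\n]+),([^,\r\n]+)$') {
        $computer = $Matches[1].Trim()
        $user     = $Matches[2].Trim()
    }
    else {
        return $null
    }

    if (-not $computer -or -not $user) { return $null }
    if ($computer.Length -gt 255 -or $user.Length -gt 255) { return $null }

    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')   # added here; the rule sends no time
        Computer  = $computer
        User      = $user
    }
}

# Append a validated row. Export-Csv -Append writes the header only when the file
# is new and quotes every field, so the overwrite in the page's endpoint goes away
# and unusual characters in names cannot break Import-Csv later.
function Add-ProtectRow {
    param([string] $Body, [string] $Path = "$Env:Temp\data.csv")

    $row = ConvertFrom-ProtectBody -Body $Body
    if ($null -eq $row) { return $false }
    $row | Export-Csv -Path $Path -NoTypeInformation -Append
    return $true
}

# Offline check with constructed bodies; no server needed.
$demo = Join-Path $Env:Temp 'protect-demo.csv'
if (Test-Path $demo) { Remove-Item $demo }
$results = @(
    Add-ProtectRow -Body 'WS01,CORP\alice' -Path $demo                  # well-formed body
    Add-ProtectRow -Body "WS02,CORP\bob`r`nWS03,CORP\eve" -Path $demo   # CR/LF smuggles a second row
    Add-ProtectRow -Body 'WS04,CORP\carol,extra' -Path $demo            # third field shifts columns
    Add-ProtectRow -Body 'no-comma-here' -Path $demo                    # not two fields at all
)
"Accepted: $(@($results | Where-Object { $_ }).Count) of $($results.Count)"
Import-Csv -Path $demo | Format-Table

# Drop-in replacement for the page's endpoint body (hypothetical wiring):
# New-PSUEndpoint -Url "/protect" -Method POST -Endpoint {
#     if (-not (Add-ProtectRow -Body $Body)) { New-PSUApiResponse -StatusCode 400 }
# }
```

Running the demo block accepts only the first body; the other three are rejected and never reach the file, so Import-Csv shows a single row with the timestamp, computer and user columns. The dashboard from the page works unchanged against the file written this way because Export-Csv produces the same comma-separated layout with a header.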
Here is an example of the output for the dashboard.