Examples

Example configurations for PowerShell Protect.

Below you will find specific examples of using PowerShell Protect. These examples assume you have the PowerShell Protect module and AMSI provider installed. You can learn more about installation on the Getting Started page.

Disable Windows PowerShell

The following example checks whether the application name contains the value "powershell.exe". Application names are provided by AMSI and typically look like: PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.19041.1. Because the check is a substring match, it matches the Windows PowerShell host wherever it is installed, but not pwsh.exe.

# Match any AMSI application name that contains "powershell.exe" (the Windows PowerShell host)
$Condition = New-PSPCondition -Property "ApplicationName" -Contains -Value "powershell.exe"
# Block the script instead of logging it
$Block = New-PSPAction -Block
$Rule = New-PSPRule -Name "Disable Windows PowerShell" -Condition $Condition -Action $Block
# Replace the placeholder with your PowerShell Protect license XML
$Config = New-PSPConfiguration -Rule $Rule -Action $Block -License "<License></License>"
# Persist the configuration to the file system
Set-PSPConfiguration -Configuration $Config -FileSystem

You could adjust this example to disable PowerShell 7 by using pwsh.exe rather than powershell.exe.
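The following is an added example, not code from the PowerShell Protect documentation: it parses the AMSI application name format quoted above and evaluates the same kind of substring check the rule performs, so you can see which hosts a given -Contains value would match before deploying the rule. The function names, the sample application names (the pwsh.exe and SysWOW64 entries are constructed) and the case-insensitive comparison are assumptions; this page does not state whether PowerShell Protect compares case-insensitively.

```powershell
# Added example: parse the "<Host>_<path>_<version>" AMSI application name
# and emulate a -Contains condition against it. Not PowerShell Protect's own code.
function ConvertFrom-AmsiApplicationName {
    param([Parameter(Mandatory)][string]$ApplicationName)

    # Split on the first and last underscore only: the path itself may contain underscores.
    $first = $ApplicationName.IndexOf('_')
    $last  = $ApplicationName.LastIndexOf('_')
    if ($first -lt 0 -or $last -le $first) {
        throw "Unexpected AMSI application name: $ApplicationName"
    }
    $path = $ApplicationName.Substring($first + 1, $last - $first - 1)
    [pscustomobject]@{
        Host       = $ApplicationName.Substring(0, $first)
        Path       = $path
        Executable = [System.IO.Path]::GetFileName($path)
        Version    = $ApplicationName.Substring($last + 1)
    }
}

function Test-ContainsCondition {
    # Emulates a -Contains condition as a case-insensitive substring match (assumption, see lead-in)
    param([string]$ApplicationName, [string]$Value)
    $ApplicationName.IndexOf($Value, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
}

# Constructed sample application names; the first is the shape quoted in the text
$samples = @(
    'PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.19041.1',
    'PowerShell_C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe_10.0.19041.1',
    'PowerShell_C:\Program Files\PowerShell\7\pwsh.exe_7.3.4'
)

foreach ($name in $samples) {
    $parsed = ConvertFrom-AmsiApplicationName $name
    [pscustomobject]@{
        Executable               = $parsed.Executable
        Version                  = $parsed.Version
        MatchesWindowsPowerShell = Test-ContainsCondition $name 'powershell.exe'
        MatchesPwsh              = Test-ContainsCondition $name 'pwsh.exe'
    }
}
```

Running it shows that "powershell.exe" matches both the 64-bit and the 32-bit (SysWOW64) Windows PowerShell hosts but not pwsh.exe, which is why a separate rule with the value pwsh.exe is needed to cover PowerShell 7.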

Log Commands Executed by Administrators to a File

The following example checks to see if an administrator is running commands. If so, it writes the commands to a file. You could also send these commands to a SIEM or an HTTP server like PowerShell Universal.

# Match scripts whose Admin property is "true", i.e. run by an administrator
$Condition = New-PSPCondition -Property "Admin" -Contains -Value "true"
# Append the script text to a file instead of blocking it
$Action = New-PSPAction -File -Path "C:\users\adamr\desktop\admincommands.txt" -Format "{script}" -Name 'AdminFile'
$Rule = New-PSPRule -Name "Admin Command" -Condition $Condition -Action $Action
# Replace the placeholder with your PowerShell Protect license XML
$Config = New-PSPConfiguration -Rule $Rule -Action $Action -License "<License></License>"
# Persist the configuration to the file system
Set-PSPConfiguration -Configuration $Config -FileSystem

Display Log Messages in PowerShell Universal

This example configures PowerShell Protect to send log messages to a PowerShell Universal instance. It sends HTTP POST requests to the configured server.

PowerShell Protect Configuration

This configuration checks whether the string \\corp\human-resources appears anywhere in the user's script. If it does, it sends an HTTP POST to the URL http://localhost:8080/protect.

The body of the HTTP request will contain the computer name and user name separated by a comma.

# Match any script text that contains the HR share path
$Condition = New-PSPCondition -Property "script" -Contains -Value "\\corp\human-resources"
# POST "computer,user" to the PowerShell Universal endpoint defined below
$Action = New-PSPAction -Http -Address "http://localhost:8080/protect" -Format "{computerName},{userName}" -Name 'Universal'
$Rule = New-PSPRule -Action $Action -Condition $Condition -Name "HR Share"
# Replace the placeholder with your PowerShell Protect license XML
$Config = New-PSPConfiguration -Rule $Rule -Action $Action -License "<License></License>"
# Persist the configuration to the file system
Set-PSPConfiguration -Configuration $Config -FileSystem

PowerShell Universal Configuration

This PSU configuration defines an endpoint to accept the POST data from PowerShell Protect. It then saves the data to a file. It also defines a dashboard that will read the data and display it in a table. This assumes that you have installed the PowerShell Universal module and server.

Start-PSUServer -Port 8080 -Configuration {
    # Endpoint that receives the "computer,user" rows posted by PowerShell Protect
    New-PSUEndpoint -Url "/protect" -Method POST -Endpoint {
        $Data = "$Env:Temp\data.csv"
        # Write the CSV header once, when the file is first created
        if (-not (Test-Path $Data))
        {
            "computer,user" | Out-File $Data
        }
        # $Body holds the raw request body; append it so the header and earlier rows are kept
        $Body | Out-File $Data -Append
    }
    # Dashboard that reads the collected rows and shows them in a table
    New-PSUDashboard -Name "Protect" -Content {
        New-UDDashboard -Title 'Protect' -Content {
            $Data = Import-Csv -Path "$Env:Temp\data.csv"
            New-UDTable -Data $Data
        }
    }
}
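The endpoint above writes the request body to the CSV as-is, so a body with an extra comma or an embedded newline would corrupt the file the dashboard reads, and two requests arriving at once could interleave their writes. The following is an added example, not code from PowerShell Universal or PowerShell Protect, of two helpers the endpoint could call instead: one validates the body against the "{computerName},{userName}" format configured above and stamps it with a receipt time, the other appends it under a named mutex. The function names, the mutex name, the demo file path and the sample bodies are all assumptions; it also assumes, as the endpoint above does, that PSU exposes the raw request body as $Body.

```powershell
# Added example: validate and append PowerShell Protect POST bodies.
# Not part of the PowerShell Protect or PowerShell Universal projects.
function ConvertFrom-ProtectBody {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Body)

    # Accept exactly two non-empty, single-line fields: "<computerName>,<userName>"
    $fields = $Body.Trim().Split(',')
    $bad = @($fields | Where-Object { $_.Trim() -eq '' -or $_ -match '[\r\n]' })
    if ($fields.Count -ne 2 -or $bad.Count -gt 0) {
        throw "Rejected malformed body: '$Body'"
    }
    [pscustomobject]@{
        Received = (Get-Date).ToString('o')   # ISO 8601 timestamp added on receipt
        Computer = $fields[0].Trim()
        User     = $fields[1].Trim()
    }
}

function Add-ProtectRecord {
    param(
        [Parameter(Mandatory)]$Record,
        [string]$Path = "$Env:Temp\data.csv"
    )
    # Hypothetical mutex name; serialises writers when requests are handled in parallel
    $mutex = New-Object System.Threading.Mutex($false, 'Global\ProtectCsvWriter')
    [void]$mutex.WaitOne()
    try {
        # Export-Csv -Append writes the header only when the file is new and quotes every field
        $Record | Export-Csv -Path $Path -NoTypeInformation -Append
    }
    finally {
        $mutex.ReleaseMutex()
        $mutex.Dispose()
    }
}

# Constructed sample bodies: two well-formed rows and two that must be rejected
$sampleBodies = @(
    'WKS-01,CORP\alice',
    'WKS-02,CORP\bob',
    'WKS-03,CORP\carol,extra',       # too many fields
    "WKS-04,CORP\dave`nWKS-05,x"     # embedded newline
)

$testPath = Join-Path $Env:Temp 'protect-demo.csv'
Remove-Item $testPath -ErrorAction SilentlyContinue

foreach ($body in $sampleBodies) {
    try {
        Add-ProtectRecord -Record (ConvertFrom-ProtectBody $body) -Path $testPath
    }
    catch {
        Write-Warning $_.Exception.Message
    }
}

# Two rows survive (WKS-01/alice and WKS-02/bob), each with a Received timestamp
Import-Csv $testPath
```

Inside the endpoint the replacement for the two Out-File lines is a single call, Add-ProtectRecord -Record (ConvertFrom-ProtectBody $Body), after which the dashboard's Import-Csv reads the same file with an extra Received column.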

Here is an example of the output for the dashboard.