Getting Started

Getting started with PowerShell Protect

System Requirements

Windows 10 or Windows Server 2016 or later.

Installation

PowerShell Protect is packaged as a PowerShell module and can be downloaded directly from the PowerShell Gallery.

Install-Module PowerShellProtect

Once the module has been installed, you can run the following command to register the PowerShell Protect AMSI provider. You will need to run this as administrator.

Install-PowerShellProtect

Default Rules

There are ten default rules that are active after installing PowerShell Protect. Read more on the default rules page.

Manual Execution

To manually test a script, you can use the Test-SuspiciousScript cmdlet and pass a script block or path to a script. The script will be run through PowerShell Protect's default rules.

PS C:\Users\adamr> Test-SuspiciousScript -ScriptBlock { [System.Reflection.Assembly]::Load($bytes) } -verbose
VERBOSE: Using default configuration.
VERBOSE: PowerShell Protect blocked a script from running due to a violation of the AssemblyLoad rule. An attempt was made to load an assembly from memory.
AdminBlock

Configuration

PowerShell Protect uses a basic XML file for configuration. One of the search paths for the XML file is %ProgramData%\PowerShellProtect\config.xml. Create the following file to start auditing executions of Invoke-WebRequest.

<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <Rules>
    <Rule>
      <Name>Web Request</Name>
      <Conditions>
        <Condition>
          <Property>command</Property>
          <Operator>contains</Operator>
          <Value>webrequest</Value>
        </Condition>
      </Conditions>
      <Actions>
        <ActionRef>
          <Name>File</Name>
        </ActionRef>
        <ActionRef>
          <Name>Block</Name>
        </ActionRef>
      </Actions>
    </Rule>
  </Rules>
  <Actions>
    <Action>
      <Name>File</Name>
      <Type>File</Type>
      <Settings>
        <Setting>
          <Name>Path</Name>
          <Value>%temp%\audit.csv</Value>
        </Setting>
        <Setting>
          <Name>Format</Name>
          <Value>{applicationName},{rule}</Value>
        </Setting>
      </Settings>
    </Action>
    <Action>
      <Name>Block</Name>
      <Type>Block</Type>
    </Action>
  </Actions>
</Configuration>

After creating the configuration file, open a new PowerShell terminal and execute Invoke-WebRequest. After the execution, open %temp%\audit.csv to see the result of the PS Protect audit.
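Because a rule is only as good as the actions it references, the following added example (not part of the PowerShell Protect module) parses a config.xml in the schema shown above, warns about any ActionRef that names an undefined Action, and reports whether each rule blocks or only audits. Test-ProtectConfig and the embedded sample configuration are constructed for this example.

```powershell
# Added example (not from the PowerShell Protect project): sanity-check a
# config.xml in the schema shown above. Every <ActionRef> must name a defined
# <Action>; a rule with a Block-type action enforces, otherwise it only audits.
function Test-ProtectConfig {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$config = Get-Content -LiteralPath $Path -Raw
    $defined = @{}   # action name -> type (File, Block)
    foreach ($a in $config.SelectNodes('/Configuration/Actions/Action')) {
        $defined[$a.SelectSingleNode('Name').InnerText] = $a.SelectSingleNode('Type').InnerText
    }
    foreach ($rule in $config.SelectNodes('/Configuration/Rules/Rule')) {
        $name = $rule.SelectSingleNode('Name').InnerText
        $refs = @($rule.SelectNodes('Actions/ActionRef/Name') | ForEach-Object InnerText)
        foreach ($ref in $refs) {
            if (-not $defined.ContainsKey($ref)) {
                Write-Warning "Rule '$name' references undefined action '$ref'"
            }
        }
        $conds = $rule.SelectNodes('Conditions/Condition') | ForEach-Object {
            '{0} {1} "{2}"' -f $_.SelectSingleNode('Property').InnerText,
                $_.SelectSingleNode('Operator').InnerText, $_.SelectSingleNode('Value').InnerText
        }
        $enforces = @($refs | Where-Object { $defined[$_] -eq 'Block' }).Count -gt 0
        [pscustomobject]@{
            Rule      = $name
            Condition = $conds -join ' AND '
            Actions   = $refs -join ', '
            Mode      = if ($enforces) { 'block' } else { 'audit-only' }
        }
    }
}
# Constructed sample: one audit-only rule and one rule with a misspelled ActionRef.
$sample = @'
<Configuration>
  <Rules>
    <Rule><Name>Web Request</Name><Conditions><Condition><Property>command</Property><Operator>contains</Operator><Value>webrequest</Value></Condition></Conditions>
      <Actions><ActionRef><Name>File</Name></ActionRef></Actions></Rule>
    <Rule><Name>Assembly Load</Name><Conditions><Condition><Property>command</Property><Operator>contains</Operator><Value>assembly</Value></Condition></Conditions>
      <Actions><ActionRef><Name>Blok</Name></ActionRef></Actions></Rule>
  </Rules>
  <Actions>
    <Action><Name>File</Name><Type>File</Type></Action>
    <Action><Name>Block</Name><Type>Block</Type></Action>
  </Actions>
</Configuration>
'@
$tmp = Join-Path $env:TEMP 'protect-sample.xml'
Set-Content -LiteralPath $tmp -Value $sample
Test-ProtectConfig -Path $tmp | Format-Table -AutoSize
```

Point it at %ProgramData%\PowerShellProtect\config.xml to check the file created above; the "Web Request" rule there should report Mode = block.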