PowerShell Protect
PowerShell Protect
About
Getting Started
Rules
Actions
Configuration
Licensing
Changelog
Powered by GitBook

Getting Started

Getting started with PowerShell Protect

System Requirements

Windows 10 and\or Windows Server 2016 or later.

Installation

PowerShell Protect is packaged as a PowerShell module and can be downloaded directly from the PowerShell Gallery.

Install-Module PowerShellProtect

Once the module has been installed, you can run the following command to register the PowerShell Protect AMSI provider. You will need to run this as administrator.

Install-PowerShellProtect

Default Rules

There are ten default rules that are active after installing PowerShell Protect. Read more on the default rules page.

Manual Execution

To manually test a script, you can use the Test-SuspiciousScript cmdlet and pass a script block or path to a script. The script will be run through PowerShell Protect's default rules. 

PS C:\Users\adamr> Test-SuspiciousScript -ScriptBlock { [System.Reflection.Assembly]::Load($bytes) } -verbose
VERBOSE: Using default configuration.
VERBOSE: PowerShell Protect blocked a script from running due to a violation of the AssemblyLoad rule. An attempt was made to load an assembly from memory.
AdminBlock

Configuration

PoewrShell Protect uses a basic XML file for configuration. One of the search paths for the XML file is within %ProgramData%\PowerShellProtect\config.xml . Create the following file to start auditing executions of Invoke-WebRequest.

<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <Rules>
    <Rule>
      <Name>Web Request</Name>
      <Conditions>
        <Condition>
          <Property>command</Property>
          <Operator>contains</Operator>
          <Value>webrequest</Value>
        </Condition>
      </Conditions>
      <Actions>
        <ActionRef>
          <Name>File</Name>
        </ActionRef>
        <ActionRef>
          <Name>Block</Name>
        </ActionRef>
      </Actions>
    </Rule>
  </Rules>
  <Actions>
    <Action>
      <Name>File</Name>
      <Type>File</Type>
      <Settings>
        <Setting>
          <Name>Path</Name>
          <Value>%temp%\audit.csv</Value>
        </Setting>
        <Setting>
          <Name>Format</Name>
          <Value>{applicationName},{rule}</Value>
        </Setting>
      </Settings>
    </Action>
    <Action>
      <Name>Block</Name>
      <Type>Block</Type>
    </Action>
  </Actions>
</Configuration>

After creating the configuration file, open a new PowerShell terminal and execute Invoke-WebRequest. After the execution, open %temp%\audit.csv to see the result of the PS Protect audit.

Previous
About
Next
Rules
Last updated 3 months ago
Contents
System Requirements
Installation
Default Rules
Manual Execution
Configuration