Fully Block cmdlets like "invoke-expression"

Alex1988 · August 10, 2022, 10:47am

Hi all,

is there any way to completely block cmdlets like “invoke-expression”?

The default behavior only hits “invoke-expression” or “iex”, but I can run “Microsoft.PowerShell.Utility\Invoke-Expression ‘Get-Random’” and it works completely. It seems that all blocked commands work when called with their fully qualified name.

adam · August 12, 2022, 7:22pm

The blocking procedure is all based on static script analysis so we will need to update the rule to improve this particular case. You could also put in a custom rule that checks for the fully qualified name.

Topic		Replies	Views
Wacatac.h!ml and Trojan:Powershell/PowerSploit by Defender PowerShell Tools	8	920	February 2, 2024
Powershell - Failure to load built-in modules due to software restrictions PowerShell	1	305	October 12, 2023
Obfuscating PowerShell Scripts in Packaged Executables PowerShell Tools	1	664	December 18, 2022
HideConsoleWindow = $true and exe file suspended by Crowdstrike (antivirus program) PowerShell Pro Tools Help	4	327	August 12, 2022
Support obfuscation for PowerShell 7 for Win, Mac, Lin? PowerShell Tools	7	527	September 7, 2022

Fully Block cmdlets like "invoke-expression"

Related Topics