Fully Block cmdlets like "invoke-expression"

Alex1988 · August 10, 2022, 10:47am

Hi all,

is there any way to completely block cmdlets like “invoke-expression”?

The default behavior only hits “invoke-expression” or “iex”, but I can run “Microsoft.PowerShell.Utility\Invoke-Expression ‘Get-Random’” and it works completely. It seems that all blocked commands work when called with their fully qualified name.

adam · August 12, 2022, 7:22pm

The blocking procedure is all based on static script analysis so we will need to update the rule to improve this particular case. You could also put in a custom rule that checks for the fully qualified name.

Topic		Replies	Views
Audit and block PowerShell scripts with PowerShell Protect Daily PowerShell	1	473	December 9, 2021
Preventing some new(ish) logging bypasses with PowerShell Protect Daily PowerShell	1	343	December 9, 2021
Block and Log Log4j Vulnerability Attempts in PowerShell Daily PowerShell	0	536	December 12, 2021
Some command not recognized in the internal environment PowerShell Universal	2	125	November 12, 2024
PSCommander - Command your desktop with PowerShell Daily PowerShell	1	451	December 9, 2021

Fully Block cmdlets like "invoke-expression"

Related topics