Monitoring with PowerShell: Monitoring Powershell Protect

So let’s start with the great news first: PowerShell Protect is now open-source and free to use! PowerShell Protect is an AMSI provider for PowerShell. Technically that sounds rather complex, but it pretty much means that PowerShell Protect can inspect and secure the PowerShell host in the same way your antivirus does.

The great thing about PowerShell Protect is that it allows you to monitor exactly which commands have been executed, but also to catch and block them if you don’t trust them.

This means you can block so-called LOLBAS and LOLBins via PowerShell with relative ease. In this blog I’ll show you how to deploy PowerShell Protect, and how to monitor the activity it generates. So let’s start getting our clients more secure and less prone to persistence attacks.

Installing PowerShell Protect

PowerShell Protect is installed from the PowerShell Gallery. Installing the module alone does nothing yet: you still need to add rules and install the actual AMSI provider. We’re using the default rules, but we also add a rule that logs the entries we want to see; as an example I’ll add logging for Invoke-RestMethod.

This means we’ll block the following:

  • Block AMSI Bypass Protection
  • Block Module and Script Block Logging Bypass Protection
  • Block Assembly Load from Memory
  • Block Disabling Defender
  • Block Use of the System.Reflection.Emit Namespace
  • Block PowerSploit (Invoke-Mimikatz and derivatives)
  • Block the Marshal Class
  • Block WMI Event Subscription persistence
  • Block Bloodhound
  • Block Kerberoasting
  • Block Invoke-Expression

All of these rules heighten our protection against bad actors, while still allowing enough flexibility to actually use PowerShell for our day to day operations with our RMM system, so let’s deploy shall we?


# Make sure the PowerShellProtect module is present, installing it from the gallery if needed.
Write-Host "Getting the PowerShellProtect Module" -ForegroundColor Green
If (Get-Module -ListAvailable -Name "PowerShellProtect") {
    Import-Module PowerShellProtect
}
Else {
    Install-Module PowerShellProtect -Force
    Import-Module PowerShellProtect
}

# Registers the AMSI provider itself; the module alone does nothing until this runs.
Write-Host "Applying PowerShellProtect default settings" -ForegroundColor Green
Install-PowerShellProtect

# Extra rule on top of the defaults: any command containing Invoke-RestMethod is written to a CSV-style log line.
$Condition = New-PSPCondition -Property "command" -Contains -Value "Invoke-RestMethod"
$WriteToFile = New-PSPAction -File -Path "C:\ProgramData\PowerShellProtect\Log.txt" -Format "{timestamp},{rule},{ApplicationName},{UserName},{ContentPath},{Script}" -Name 'AdminFile'
$Rule = New-PSPRule -Name "LogToFile" -Action $WriteToFile -Condition $Condition

$Config = New-PSPConfiguration -Rule $Rule -Action $WriteToFile

# Persist the configuration to disk so it survives reboots.
Set-PSPConfiguration -Configuration $Config -FileSystem

So now every Invoke-RestMethod call is logged to C:\ProgramData\PowerShellProtect\Log.txt, and everything in the list above is blocked by PowerShell Protect as well! Let’s move on to a bit of monitoring:

Monitoring the PowerShell Protect log

Because we’re writing the log in CSV form, it is easy to monitor in PowerShell: we load the file as a CSV, convert the timestamp column to a real date, and keep only events that happened in the last 5 minutes.

# The header list must match the six fields of the -Format string above, including Script.
$AllEvents = Import-Csv 'C:\ProgramData\PowerShellProtect\Log.txt' -Delimiter ',' -Header timestamp, rule, ApplicationName, UserName, ContentPath, Script |
    ForEach-Object {
        # The log stores timestamps as text; convert them so we can compare against a cutoff.
        $_.timestamp = [datetime]::ParseExact($_.timestamp, "dd/MM/yyyy HH:mm:ss", $null)
        $_
    }

# Only events from the last 5 minutes matter for a periodic RMM check.
$FilteredEvents = $AllEvents | Where-Object { $_.timestamp -gt (Get-Date).ToUniversalTime().AddMinutes(-5) }

if ($FilteredEvents) {
    Write-Host "Unhealthy - Events found. "
    $FilteredEvents
} else {
    Write-Host "Healthy - No events found."
}

So this reports healthy when no events are found; when there are events, it outputs exactly what was found: the time and date, which executable ran the script and, to top it off, which user executed the command.
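As an added example (not from the original post or the PowerShell Protect project), here is a more defensive version of the same check wrapped in a function, so it can be scheduled from an RMM without tripping over an edge case. It assumes the six-field format string configured earlier and the "dd/MM/yyyy HH:mm:ss" timestamp layout the post’s own script parses; the function name, its parameters and the sample log are this example’s own constructions. Unlike Import-Csv, it splits each line into at most six parts, so a comma inside the logged script body stays in the Script field, and it reports healthy rather than erroring when the log file does not exist yet.

```powershell
function Get-PSPRecentEvent {
    param(
        [string]$Path = 'C:\ProgramData\PowerShellProtect\Log.txt',
        [int]$Minutes = 5,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    # No log file yet means no events, not an error: a fresh install should report healthy.
    if (-not (Test-Path -LiteralPath $Path)) { return ,@() }
    $cutoff = $Now.AddMinutes(-$Minutes)
    $events = @(foreach ($line in Get-Content -LiteralPath $Path) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # Split into at most six parts so commas inside the logged script stay in the
        # Script field instead of spilling into extra columns as Import-Csv would do.
        $parts = $line -split ',', 6
        if ($parts.Count -lt 6) { continue }   # truncated or foreign line; skip it
        try {
            $ts = [datetime]::ParseExact($parts[0].Trim(), 'dd/MM/yyyy HH:mm:ss',
                                         [cultureinfo]::InvariantCulture)
        } catch { continue }                    # unparsable timestamp; skip, don't abort
        if ($ts -le $cutoff) { continue }
        [pscustomobject]@{
            Timestamp       = $ts
            Rule            = $parts[1]
            ApplicationName = $parts[2]
            UserName        = $parts[3]
            ContentPath     = $parts[4]
            Script          = $parts[5]
        }
    })
    return ,$events
}

# Constructed sample log for offline use; the real file is written by PowerShell Protect.
$sample = Join-Path $env:TEMP 'psp-sample-log.txt'
@(
    '01/06/2023 09:50:00,LogToFile,powershell.exe,CONTOSO\alice,C:\scripts\a.ps1,Invoke-RestMethod -Uri https://example.invalid'
    '01/06/2023 10:03:30,LogToFile,pwsh.exe,CONTOSO\bob,,Invoke-RestMethod -Uri https://example.invalid -Method Post -Body ''x=1,y=2'''
) | Set-Content -LiteralPath $sample

# With the clock fixed at 10:05, only the 10:03:30 entry falls inside the 5-minute window.
$recent = Get-PSPRecentEvent -Path $sample -Minutes 5 -Now ([datetime]'2023-06-01T10:05:00')
if ($recent.Count) { "Unhealthy - $($recent.Count) event(s) found"; $recent | Format-Table -AutoSize }
else { 'Healthy - No events found' }
```

Drop the -Path and -Now arguments to run it against the real log with the current UTC time.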

And that’s it! There’s a lot more to PowerShell Protect and I’ll probably write a second blog about it soon, right after I assist the project with some changes 😉

As always, Happy PowerShelling!
