Environment
- App Control (formerly CB Protection) Console: All supported versions
Question
Is it possible to prevent Invoke-Command PowerShell attacks?
Answer
Additional Notes
- This rapid config can protect against PowerShell downgrade attacks, which may be used to bypass other protections.
- Exceptions can be made so that legitimate applications are still able to execute.
- The rapid config rule can report or block PowerShell commands with the following argument:
  - <CmdlineAnyArgument:iex>*
  - <cmdline:*iex*>* can also be used with wildcards to add additional detections
- Rapid configs don't support regex