With the -AnyCondition parameter of New-PSPRule, any condition will trigger the rule.

Use Get-FileHash to generate this hash. PowerShell Protect 2021.12.0 or later is required.

Use Get-FileHash to generate this hash. Using this property can reduce performance. PowerShell Protect 2021.12.0 or later is required.

The System.Reflection.Assembly.Load method will be used to load the byte array directly in memory without accessing the file system. PowerShell Protect will now detect the use of this method and block the script.

The Set-MpPreference cmdlet can be used to disable Windows Defender by using the DisableRealtimeMonitoring parameter. Although you will need administrative permissions to perform this action, you will be able to see if users are attempting to execute this command and further investigate the behavior.

Invoke-Expression is used to execute arbitrary strings as PowerShell script. While it can be used for legitimate purposes, it is often used to download and execute malicious payloads such as this recently discovered exploit.

Code can also be generated in memory with the System.Reflection.Emit namespace. Rather than invoking the C# compiler, like with Add-Type, you won't see any file system activity when this type of attack is taking place. PowerShell Protect will now watch for these types of method calls, audit and block them.

PowerSploit includes the Invoke-ReflectivePEInjection command for loading binaries into memory without file system access. You can't run Invoke-Mimikatz or Invoke-ReflectivePEInjection as-is on a default Windows environment because Defender is checking for these commands. PowerShell Protect now checks for all functions defined in PowerSploit to ensure that no one is poking around your environment with any of the tools.

Use of the System.Runtime.InteropServices.Marshal class may be an indication that someone is attempting to manipulate memory within the PowerShell process. This class provides methods for allocating unmanaged memory segments, copying bytes around and determining memory sizes, among other things. Use of the Marshal class is rare in the C# and .NET world and should be even more rare in the PowerShell world. Although it may not be an actual attack, it's a strange thing to be doing for most sysadmins.

Built-in rules and conditions can be turned off with the -DisableBuiltinRules and -DisabledBuiltInConditions parameters.
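As an added example that is not PowerShell Protect's own code, the hypothetical helper below uses PowerShell's built-in parser to walk a script's AST and report the indicators described above; the function name, the Block/Audit mapping (block for Assembly.Load, Reflection.Emit and the PowerSploit commands, audit for Defender tampering and Marshal use) and the sample script are assumptions made for the demonstration.

```powershell
using namespace System.Management.Automation.Language

# Hypothetical helper, not part of PowerShell Protect: walks the AST of a script and
# reports the indicators discussed above with the action each would receive.
function Find-SuspiciousPowerShell {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($Node, $Action, $Reason)
        $findings.Add([pscustomobject]@{ Line = $Node.Extent.StartLineNumber; Action = $Action; Reason = $Reason }) }

    # Command names: Invoke-Expression and the PowerSploit functions named above are blocked;
    # Set-MpPreference is audited only when it touches real-time monitoring.
    $blocked = 'Invoke-Expression', 'Invoke-Mimikatz', 'Invoke-ReflectivePEInjection'
    foreach ($cmd in $ast.FindAll({ param($n) $n -is [CommandAst] }, $true)) {
        $name = $cmd.GetCommandName()          # $null when the command name is computed at runtime
        if ($blocked -contains $name) { & $add $cmd 'Block' "command $name" }
        elseif ($name -ieq 'Set-MpPreference') {
            # PowerShell accepts unambiguous parameter prefixes (-DisableRealtime), so match by prefix
            $tamper = $cmd.CommandElements | Where-Object { $_ -is [CommandParameterAst] -and
                'DisableRealtimeMonitoring'.StartsWith($_.ParameterName, 'OrdinalIgnoreCase') }
            if ($tamper) { & $add $cmd 'Audit' 'Set-MpPreference -DisableRealtimeMonitoring' }
        }
    }

    # Static .NET calls: [Reflection.Assembly] and [System.Reflection.Assembly] name the same type,
    # so the System. prefix is stripped before comparing.
    $emitMembers = 'DefineDynamicAssembly', 'DefineDynamicModule', 'DefineType', 'DefineMethod', 'GetILGenerator'
    foreach ($call in $ast.FindAll({ param($n) $n -is [InvokeMemberExpressionAst] }, $true)) {
        $member = $call.Member.Value           # $null for $obj.$dynamicName()
        $type = if ($call.Expression -is [TypeExpressionAst]) { $call.Expression.TypeName.FullName -replace '^System\.', '' }
        if ($type -eq 'Reflection.Assembly' -and $member -eq 'Load') { & $add $call 'Block' 'Assembly.Load from memory' }
        elseif ($type -like 'Reflection.Emit.*' -or $emitMembers -contains $member) { & $add $call 'Block' 'Reflection.Emit API' }
        elseif ($type -eq 'Runtime.InteropServices.Marshal') { & $add $call 'Audit' "Marshal::$member" }
    }
    return $findings
}

# Constructed sample input for the demonstration
$sample = @'
Set-MpPreference -DisableRealtime $true
$asm = [Reflection.Assembly]::Load($bytes)
$buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(1024)
Invoke-Expression $payload
'@
Find-SuspiciousPowerShell -ScriptText $sample | Format-Table -AutoSize
```

Aliases such as iex and commands whose names are built at runtime are not resolved here, so the check complements, rather than replaces, a runtime hook like PowerShell Protect's.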