Some malware use PowerShell to download additional components, such as highlighted in the blog posting found at https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/. To block outbound traffic using the Windows Firewall, add two rules:
64-bit
%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
32-bit
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
To test the rule, use the command below.
cmd /c PowerShell (New-Object System.Net.Webclient).DownloadFile('http://test.com','%TMP%\test.txt');
The following commands can be excuted as a test within PowerShell.
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("http://www.test.com/","%TEMP%")
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.