## Wednesday, March 1, 2017

### Blocking outbound PowerShell traffic using the Windows Firewall

Some malware uses PowerShell to download additional components, as highlighted in the blog posting at https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/. To block outbound traffic from PowerShell using the Windows Firewall, add two outbound block rules, one for each copy of powershell.exe:

- 64-bit: `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`
- 32-bit: `%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe`

To test the rules, the following command can be executed within PowerShell; with the block rules in place, the download attempt should fail.

```powershell
$WebClient = New-Object System.Net.WebClient
```
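The same two rules can be created from an elevated PowerShell session instead of the firewall GUI, and then checked with the WebClient test. This is an added example, not code from the original post; it uses the NetSecurity module cmdlets (Windows 8 / Server 2012 and later), and the rule display names and the test URL are assumptions.

```powershell
# Added example: create outbound block rules for both powershell.exe
# locations named in the post, then verify that a download is refused.
# Run from an elevated PowerShell prompt.

# The two copies of powershell.exe from the post; Test-Path drops the
# SysWOW64 copy on a 32-bit install where that folder does not exist.
$hosts = @(
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
) | Where-Object { Test-Path $_ }

foreach ($exe in $hosts) {
    $name = "Block outbound PowerShell ($exe)"   # assumed display name
    # Skip creation if a rule with this display name already exists.
    $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound -Action Block -Program $exe `
            -Profile Any -Enabled True | Out-Null
        Write-Host "Created rule: $name"
    }
}

# Verification: with the block rule applied to this host, the request
# should fail with a WebException instead of returning content.
$WebClient = New-Object System.Net.WebClient
try {
    $WebClient.DownloadString("http://example.com/") | Out-Null   # assumed test URL
    Write-Warning "Outbound request succeeded; the block rule is not taking effect."
} catch [System.Net.WebException] {
    Write-Host "Blocked as expected: $($_.Exception.Message)"
}
```

These rules match on the program path only, so powershell_ise.exe and any other process that hosts the PowerShell engine are not covered and need their own rules.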