Bitsum Community Forum

General Category => Process Lasso => Topic started by: arcanum on June 02, 2025, 08:17:27 AM

Title: Process Lasso as a security software
Post by: arcanum on June 02, 2025, 08:17:27 AM
Hello,
Is it possible to block something like powershell.exe, wscript.exe, etc., so-called LOLBins, via PL?
I've done a local group policy rule, something like this:
%LSYSTEMDRIVE%\*\*.vbs
Which should prevent any VBS from running systemwide; however, I don't trust it (it can be reversed by malware).
So is there a way in PL to block powershell.exe?

Title: Re: Process Lasso as a security software
Post by: jacksoris on June 13, 2025, 02:51:57 AM
You can use path rules if you want more control, though this is slightly less secure than publisher/file hash rules.
<Rule>
  <FileNameCondition>powershell.exe</FileNameCondition>
  <Action>DENY</Action>
</Rule>
Or you can deny specific paths like:
<PathRule Action="Deny">
  <Path Condition="Equals" Value="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"/>
</PathRule>
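
Added example, not part of the post above and not Process Lasso or Windows code: a Python model of the two rules shown in the reply plus a file hash rule, run over a constructed file inventory to show which copies of powershell.exe each deny rule leaves uncovered. The D:\Backup paths, the stand-in file contents and all function names are assumptions made for the illustration.

```python
import hashlib
import ntpath  # Windows path semantics on any OS

SYS32 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # from the post
WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"  # 32-bit build
COPY = r"D:\Backup\powershell.exe"   # constructed: same image, other folder
RENAMED = r"D:\Backup\ps_copy.exe"   # constructed: same image, other name

# Constructed stand-ins for file contents; the 32-bit build is assumed to
# differ byte-for-byte from the 64-bit one, so it has a different hash.
PS64, PS32, OTHER = b"ps-64bit-image", b"ps-32bit-image", b"notepad-image"
INVENTORY = {SYS32: PS64, WOW64: PS32, COPY: PS64, RENAMED: PS64,
             r"C:\Windows\System32\notepad.exe": OTHER}
TARGETS = {p for p, d in INVENTORY.items() if d in (PS64, PS32)}

def digest(data):
    return hashlib.sha256(data).hexdigest()

def filename_rule(name):
    """Models <FileNameCondition>: compares the file name only."""
    return lambda path, data: ntpath.basename(path).lower() == name.lower()

def path_equals_rule(value):
    """Models <Path Condition="Equals">: full path, case-insensitive."""
    return lambda path, data: ntpath.normcase(path) == ntpath.normcase(value)

def hash_rule(*contents):
    """Models a file hash rule: compares the SHA-256 of the file contents."""
    known = {digest(c) for c in contents}
    return lambda path, data: digest(data) in known

RULES = {
    "file name": filename_rule("powershell.exe"),
    "path equals": path_equals_rule(SYS32),
    "hash (64-bit only)": hash_rule(PS64),
    "hash (both builds)": hash_rule(PS64, PS32),
}

def missed(rule):
    """PowerShell copies in the inventory that the deny rule does not match."""
    return sorted(p for p in TARGETS if not rule(p, INVENTORY[p]))

def false_hits(rule):
    """Non-PowerShell files that the deny rule would block."""
    return sorted(p for p in INVENTORY if p not in TARGETS and rule(p, INVENTORY[p]))

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name:20} misses {len(missed(rule))}: {missed(rule)}")
```

A hash rule covers every location and name of a given build but has to list each build separately, so it needs refreshing whenever an update replaces the binary.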