Blocking outbound PowerShell traffic using the Windows Firewall

Some malware uses PowerShell to download additional components, as highlighted in the blog posting at https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/. To block that outbound traffic with the Windows Firewall, add two outbound block rules, one for each copy of powershell.exe:

64-bit

%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

32-bit

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
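The same two rules created from an elevated PowerShell prompt with the NetSecurity cmdlets, followed by a check that they exist and a blocked-download test. This is an added example, not part of the original post; the rule display names and the test file name are assumptions.

```powershell
# Added example (not from the original post): create the two outbound block
# rules for both copies of powershell.exe, then verify them and run a test download.
# Rule names and the test file name are assumptions; run from an elevated prompt.

$rules = @{
    'Block outbound PowerShell (System32)' = '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe'
    'Block outbound PowerShell (SysWOW64)' = '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
}

foreach ($name in $rules.Keys) {
    $program = $rules[$name]
    # Firewall rules accept the %SystemRoot% form; expand it only to check the file exists
    $resolved = [Environment]::ExpandEnvironmentVariables($program)
    if (-not (Test-Path $resolved)) { Write-Warning "Not found, skipping: $resolved"; continue }

    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already exists: $name"
        continue
    }
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
        -Program $program -Profile Any -Enabled True | Out-Null
    Write-Host "Created rule: $name"
}

# Verify: show each rule together with the program path it applies to
Get-NetFirewallRule -DisplayName 'Block outbound PowerShell*' | ForEach-Object {
    $app = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Name    = $_.DisplayName
        Action  = $_.Action
        Enabled = $_.Enabled
        Program = $app.Program
    }
} | Format-Table -AutoSize

# Test: with the rules active, the download should fail with a connection error
try {
    (New-Object System.Net.WebClient).DownloadFile('http://www.test.com/', "$env:TEMP\fw-test.txt")
    Write-Warning 'Download succeeded: the rules are not in effect for this process'
} catch {
    Write-Host "Download blocked as expected: $($_.Exception.Message)"
}
```

The rules apply only to the two powershell.exe paths listed above; any other executable that should be covered needs its own rule.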


To test the rule, use the command below.

cmd /c PowerShell (New-Object System.Net.Webclient).DownloadFile('http://test.com','%TMP%\test.txt');


The following commands can be executed as a test from within PowerShell.

$WebClient = New-Object System.Net.WebClient
# DownloadFile needs a file path, not a directory, and PowerShell does not expand %TEMP%; use $env:TEMP instead
$WebClient.DownloadFile("http://www.test.com/", "$env:TEMP\test.txt")
