Hello everyone,
I would like to ask what the best approach is to prevent and/or monitor the execution of PowerShell scripts, or even the use of the PowerShell application itself, on the computers in my IT environment, using Check Point Endpoint Security.
My objectives are:
Preventing PowerShell execution (in cases where it's not required by end users);
Detecting/alerting when PowerShell is executed — especially in suspicious contexts (e.g., powershell.exe -EncodedCommand, etc.);
Monitoring or blocking the creation/execution of Scheduled Tasks (schtasks.exe), which are often used for malicious persistence.
Specific questions:
Is it possible to create block rules to prevent PowerShell usage, while allowing exceptions if needed?
Are there ways to generate alerts or detailed logs when PowerShell is executed (even if it's legitimate)?
Does Harmony Endpoint allow for visibility over suspicious scheduled task creation?
Are there any best practices or recommended profiles to mitigate this type of behavior?
I appreciate any guidance or sharing of experiences with these configurations.
Best regards,
K