Improved scripts in .lnk files now deliver Kovter in addition to Locky

Discussion in 'malware problems & news' started by ronjor, Feb 3, 2017.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,163
    Location:
    Texas
msft-mmpc, February 2, 2017
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The recommended Microsoft mitigation:

In Windows 10, lock down PowerShell version 5 to “Constrained Mode”, which limits the extended language features that can lead to unverifiable code execution such as direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects.
    More on that:

    In version 5, PowerShell now reduces its functionality to “Constrained Mode” for both interactive input and user-authored scripts when it detects that PowerShell scripts have an ‘Allow Mode’ policy applied to them. Constrained PowerShell limits the language mode to Constrained Language (as described in about_Language_Modes), a mode first introduced for Windows RT.

    Ref.: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
The problem is that this mitigation is only available in AppLocker. Thanks for nothing, Microsoft.

     
  3. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I think Appguard covers this.
     
  4. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    AppGuard already protects against cmd and powershell abuse.

    Also add both wscript.exe and cscript.exe to Guarded Apps list or disable them by adding to User Space (YES).
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Powershell mode set to Constrained Mode in Win 10 Home.

    Verified below:

[Attachment: Powershell_Mode.png]
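The check behind that screenshot, as an added PowerShell example that is not from the thread or from Microsoft's post: it reads the current language mode and then probes the three feature classes the Microsoft text names (direct .NET method calls, Add-Type/Win32 API access, COM objects) to confirm they are actually blocked. It assumes Windows PowerShell 5.x; the function name Test-ConstrainedLanguageMode and the probe namespace ClmCheck are my own choices.

```powershell
# Added example (not from the thread): verify Constrained Language mode is in effect
# and that the restricted features are really blocked, not just reported as such.
# Assumes Windows PowerShell 5.x. Function and namespace names are assumptions.

function Test-ConstrainedLanguageMode {
    [CmdletBinding()]
    param()

    $mode = $ExecutionContext.SessionState.LanguageMode
    $report = [ordered]@{
        LanguageMode     = [string]$mode
        IsConstrained    = ($mode -eq 'ConstrainedLanguage')
        DotNetBlocked    = $false
        AddTypeBlocked   = $false
        ComObjectBlocked = $false
    }

    # 1. Direct .NET scripting: a static method call on a type outside the core set.
    #    In Constrained Language mode this throws "Cannot invoke method ...".
    try   { [System.Net.Dns]::GetHostName() | Out-Null }
    catch { $report['DotNetBlocked'] = $true }

    # 2. Win32 API access via Add-Type (a P/Invoke declaration only; nothing is invoked).
    $sig = '[DllImport("kernel32.dll")] public static extern uint GetCurrentProcessId();'
    try   { Add-Type -MemberDefinition $sig -Name 'ClmProbe' -Namespace 'ClmCheck' -ErrorAction Stop | Out-Null }
    catch { $report['AddTypeBlocked'] = $true }

    # 3. COM object creation, which Constrained Language mode refuses outright.
    try   { New-Object -ComObject 'Scripting.FileSystemObject' -ErrorAction Stop | Out-Null }
    catch { $report['ComObjectBlocked'] = $true }

    # The lockdown is only effective when the mode reports Constrained AND all three probes fail.
    $report['Effective'] = $report['IsConstrained'] -and $report['DotNetBlocked'] -and
                           $report['AddTypeBlocked'] -and $report['ComObjectBlocked']
    [pscustomobject]$report
}

Test-ConstrainedLanguageMode | Format-List
```

On a host in FullLanguage mode all three probes succeed harmlessly and Effective comes back False, which is the case to look for when an AppLocker policy was expected to apply.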
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
Lockdown

    My setup has all along been to uncheck Powershell in guarded apps but for some reason I can't remember why now, I had also added them to user space and YES.
    Then I have most of my security programs added as Power Applications.
     

