ticklemefeet

Level 23
I still use the for life version too.
I only have a few tweaks I use.

In User Space I add these (= yes):
c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe

Then in Guarded Apps I untick PowerShell.
 
Good luck on your journey, but you picked the one SRP app that requires the most user skill and offers the least amount of user info/support. I would follow @shmu26 's suggestion to thoroughly comb the old threads here and at Wilders. There may be a few more users there to query than here on MT. (y)
Yes I'm doing that now, reading up on AppGuard. I've got the basic grasp of the program but I'm still working out what to add to user space and guarded apps which is tricky. This is a huge learning process for myself, learning more about system processes and software restriction policies is hard.
 

ebocious

Level 4
Delete Powershell from Guarded Apps.
Add browsers and other Internet-facing apps to Guarded Apps.
For browsers at least, Privacy should be set to On. MemWrite and MemRead should always be on.

Add to User Space:

c:\windows\*\bitsadmin.exe
c:\*powershell.exe
c:\*powershell_ise.exe
c:\*script.exe
c:\windows\*\mshta.exe
c:\windows\*\hh.exe
c:\windows\*\scrcons.exe
c:\windows\*\wmic.exe (already there)
c:\windows\*\reg.exe (already there)
c:\windows\syswow64\at.exe (already there)
c:\windows\system32\at.exe (already there)
c:\windows\syswow64\schtasks.exe (already there)
c:\windows\system32\schtasks.exe (already there)

For additional security, you can also add:

c:\windows\*\msiexec.exe
c:\windows\*\cmd.exe
c:\windows\*\regsvr32.exe
c:\windows\*\rundll32.exe
c:\windows\*\icacls.exe
c:\windows\*\cacls.exe
c:\windows\*\takeown.exe
c:\windows\*\regini.exe
c:\windows\*\vssadmin.exe
 
Most are already in my user space list. Thank you though.

c:\windows\*\cmd.exe
c:\windows\*\rundll32.exe

These pose the biggest problems, cmd more so. cmd is a huge attack vector but is used by many legit applications too. rundll32.exe is a guarded app; should I untick it and add it to user space? Starting to get the hang of it now, learning more and more.

Has anyone got a recent AppGuard update? I'm a bit suspicious as it downloads the .exe but also a .msi file which is smaller.
 

ebocious

Level 4
rundll32.exe is a guarded app; should I untick it and add it to user space? Starting to get the hang of it now, learning more and more.
Actually, a few of these are in Guarded Apps, including CMD and regsvr32. Guarded Apps basically prohibits an app from reading or writing to the memory of other apps, or writing to certain directories. User Space prevents an app from being launched in user context at all. You could move these over, but consider moving them back if something breaks. Depending on what you run on your computer, it may be difficult to use when locked down that tightly.

Here's an exhaustive list of LOL binaries. But keep in mind that the chances of some of the more obscure programs being used are slim, unless you've got a human on the other side who's interested in you. If you're going to mess with this stuff, please, please image your system first, just in case.
 

shmu26

Level 85
rundll32.exe is a guarded app; should I untick it and add it to user space?
If you do that you will run into a lot of problems. I wouldn't say that it will totally bork your computer, but it will impede a lot of processes. If you want to get tighter control over processes such as rundll32 and cmd, the way to do it is not with AppGuard; you need to run NVT ERP or ReHIPS together with AppGuard. Then you will have the ultimate paranoid setup.
 

ebocious

Level 4
If you do that you will run into a lot of problems. I wouldn't say that it will totally bork your computer, but it will impede a lot of processes. If you want to get tighter control over processes such as rundll32 and cmd, the way to do it is not with AppGuard; you need to run NVT ERP or ReHIPS together with AppGuard. Then you will have the ultimate paranoid setup.
I would like to have a way to set ACL deny permissions for standard users on LOLBINs, without having to go into it per process, per user. That way, you could get around the restriction with a simple RunAs, or by logging off. You can do it in Professional editions with Group Policy, but that doesn't help home users.
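One way to get the per-path, standard-users-only restriction described in this post, without going through the Group Policy editor, is to write Software Restriction Policy path rules straight into the registry location the editor itself uses (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers). This is an added example written by the editor of this page, not code from the post or from AppGuard; it assumes the standard SRP value names and levels and uses explicit %SystemRoot% paths rather than AppGuard's "c:\windows\*\" syntax. PolicyScope = 1 exempts local administrators, so an admin RunAs still works. It covers the LOLBin lists posted earlier in the thread as well:

```powershell
#Requires -RunAsAdministrator
# Added example (editor's, not the poster's): block the LOLBins discussed in this thread for
# standard users by writing SRP path rules directly to the registry. PolicyScope = 1 exempts
# local administrators, so RunAs / an admin logon bypasses the block. Log off and on to apply.

$Safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = "$Safer\0\Paths"                  # security level 0 = Disallowed (262144 = Unrestricted)
$Tag        = 'LOLBin-deny (thread example)'    # Description value, so these rules can be removed again

# Explicit paths: 32-bit copies in SysWOW64 are separate binaries and need their own rule.
# cmd.exe and rundll32.exe are deliberately left out, for the reasons given in the thread.
$Targets = @(
    'System32\bitsadmin.exe',                             'SysWOW64\bitsadmin.exe',
    'System32\WindowsPowerShell\v1.0\powershell.exe',     'SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    'System32\WindowsPowerShell\v1.0\powershell_ise.exe', 'SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe',
    'System32\wscript.exe',      'SysWOW64\wscript.exe',
    'System32\cscript.exe',      'SysWOW64\cscript.exe',
    'System32\mshta.exe',        'SysWOW64\mshta.exe',
    'System32\wbem\wmic.exe',    'SysWOW64\wbem\wmic.exe',
    'System32\wbem\scrcons.exe', 'SysWOW64\wbem\scrcons.exe',
    'System32\regsvr32.exe',     'SysWOW64\regsvr32.exe',
    'System32\msiexec.exe',      'SysWOW64\msiexec.exe',
    'System32\at.exe',           'SysWOW64\at.exe',
    'System32\schtasks.exe',     'SysWOW64\schtasks.exe',
    'System32\vssadmin.exe',
    'hh.exe'                                              # lives directly under %SystemRoot%
) | ForEach-Object { "%SystemRoot%\$_" }

function Initialize-SaferPolicy {
    New-Item -Path $Disallowed -Force | Out-Null
    # Same top-level values the Group Policy editor writes when SRP is first enabled.
    Set-ItemProperty -Path $Safer -Name DefaultLevel        -Type DWord -Value 0x40000  # Unrestricted unless a rule matches
    Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Type DWord -Value 1        # enforce on executables, not DLLs
    Set-ItemProperty -Path $Safer -Name PolicyScope         -Type DWord -Value 1        # all users except local administrators
    Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Type DWord -Value 0
}

function Get-ExistingRulePaths {
    Get-ChildItem -Path $Disallowed -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
}

function Add-DisallowedPath {
    param([Parameter(Mandatory)][string]$Path)
    # Each rule is a GUID-named subkey; ItemData is REG_EXPAND_SZ so %SystemRoot% expands.
    $key = New-Item -Path "$Disallowed\{$([guid]::NewGuid())}" -Force
    New-ItemProperty -Path $key.PSPath -Name ItemData     -PropertyType ExpandString -Value $Path | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags   -PropertyType DWord        -Value 0     | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description  -PropertyType String       -Value $Tag  | Out-Null
    New-ItemProperty -Path $key.PSPath -Name LastModified -PropertyType QWord `
        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
}

function Remove-TaggedRules {
    # Undo: delete only the rules this script created, leave any others alone.
    Get-ChildItem -Path $Disallowed -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).Description -eq $Tag } |
        Remove-Item -Recurse
}

Initialize-SaferPolicy
$existing = @(Get-ExistingRulePaths)
foreach ($p in $Targets) {
    if ($existing -contains $p) { Write-Host "exists: $p"; continue }   # safe to re-run
    Add-DisallowedPath -Path $p
    Write-Host "denied for standard users: $p"
}
# To roll back: Remove-TaggedRules
```

Test from a standard (non-admin) account after logging off and on: launching a listed binary should fail with the SRP "blocked by group policy" message, while an elevated prompt still runs it. The same trade-off the thread discusses still applies, so anything in your own software that shells out to one of these binaries under a standard account will break; image the system first, and use Remove-TaggedRules to back out.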
 
Here's an exhaustive list of LOL binaries. But keep in mind that the chances of some of the more obscure programs being used are slim, unless you've got a human on the other side who's interested in you. If you're going to mess with this stuff, please, please image your system first, just in case.
Thank you for the list. I will try to add some to user space, it is a learning process.

Observation: Attackers are using sc.exe to remotely turn on the BITS/bitsadmin.exe service. sc.exe triggers a lot of alerts; looking at Microsoft docs, it explicitly says you can use sc.exe to manage Windows services remotely. AppGuard stops sc.exe from running; other security software with paranoid security settings lets it through, and it does make changes to services. The reason I see this as suspicious is that I have set the BITS service to be disabled from the start, and I do not see why it would be turned on. Maybe I'm wrong and it's legit, but in my experience services that are disabled don't try to turn on again without user interaction.

Another observation: I'm observing multiple connections to C&C servers, to sites hosted on Google and Amazon infrastructure. Some were registered as much as 5 years ago. Some time out with display errors, but some hit old blogs with very little content, which is very suspicious. Why would a system idle process be listening to old blogs hosted on Google infrastructure?

Again, this is a big learning experience for myself. My setup was rock solid before, or so I thought anyway, but I need to take it up a level.
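Before concluding that something is re-enabling a disabled service, it is worth checking the Service Control Manager's own record: Windows logs System event 7040 every time a service's start type changes, whether by sc.exe, services.msc, WMI or a remote SCM call. The snippet below is an added example from the editor of this page, not code from the post; it defaults to BITS because that is the service discussed, and the only assumption is that the 7040 message text names the service by its display name, which is how the event is worded.

```powershell
# Added example (editor's, not the poster's): did the start type of a service actually change,
# and when? Pulls System event 7040 (Service Control Manager: "start type ... was changed")
# for the last N days and shows the service's current start type next to the history.
function Get-ServiceStartTypeChanges {
    param(
        [string]$ServiceName = 'BITS',   # Background Intelligent Transfer Service
        [int]$Days = 30
    )
    $svc     = Get-Service -Name $ServiceName
    $display = $svc.DisplayName          # 7040 messages refer to the service by display name

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7040
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when the filter matches nothing
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$display*" }

    [pscustomobject]@{
        Service          = $ServiceName
        CurrentStartType = $svc.StartType
        Changes          = @($events | ForEach-Object {
            [pscustomobject]@{ When = $_.TimeCreated; Message = $_.Message.Trim() }
        })
    }
}

$r = Get-ServiceStartTypeChanges -ServiceName 'BITS' -Days 30
"BITS start type now: $($r.CurrentStartType)"
if ($r.Changes.Count -gt 0) {
    $r.Changes | Format-Table -AutoSize -Wrap
} else {
    "no start-type changes for BITS logged in the last 30 days"
}
```

7040 records only changes to the start type. A service merely being started from Manual is a different event (7036), so if the list above is empty while the service still shows as Disabled, the sc.exe alerts were not changing it. The function takes any service name, so the same check works for other services you have disabled.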
 