Q&A Looking for suggestions for Appguard

ticklemefeet

Level 26
Thread author
Jan 31, 2018
1,579
Hello

I am looking for suggestions for my old version of AppGuard. I have included most of my setup as screenshots. Things like more LOLBINS that should be added, etc.
 

Attachments

  • Screenshot 2022-08-05 091824.png
  • Screenshot 2022-08-05 091911.png
  • Screenshot 2022-08-05 092049.png
  • Screenshot 2022-08-05 092251.png
  • Screenshot 2022-08-05 092434.png

Furyo

Level 1
Jun 5, 2022
34
Hello

I am looking for suggestions for my old version of AppGuard. I have included most of my setup as screenshots. Things like more LOLBINS that should be added, etc.
Analyze the incidence of LOLBin abuse. For example, one study gives

[attached image: 1659767684163.png]
 
Last edited by a moderator:

Bretski

New Member
Jul 23, 2020
5
I have been using the LOLBAS Project files on GitHub for things to block in AppGuard, which I've been using continuously since 2014. You can find the files on GitHub's home page by searching for LOLBAS and you will see it. I don't have regsvr32.exe added to user space but it is a guarded app with memory protection. I run in locked down mode so my guarded apps and trusted publishers lists are much larger than yours.

Thanks for the nice graph of useful info Furyo. Can you share where that came from?
 

Furyo

Level 1
Jun 5, 2022
34

The list of LOLBins is essentially static. Every 3 to 5 years, another few will be added. Then there are those that get removed as LOLBins. So management of the LOLBin policies is not a burden for the user. It's just a simple matter of occasional, judicious maintenance as @ticklemefeet is doing here. Wouldn't it be great if other things in life were so trivially easy to manage?
 

ticklemefeet

Level 26
Thread author
Jan 31, 2018
1,579
Thank you both for the great posts and info. My question is why are you not posting more on the forum? Sadly, the current use of different LOLBINS seems to be progressing more rapidly these days. It would be nice to be able to stay ahead of them. And then there is the undocumented LOLBINS.
 

ticklemefeet

Level 26
Thread author
Jan 31, 2018
1,579
Since I created this thread, I have added a couple more: certutil and desktopimgdownldr.

Have been thinking about adding bitsadmin, aitstatic, deviceEnroller, directxdatabaseupdater, MDMAppinstaller and SpeechModelDownload just for kicks.

What do you think?
 
Last edited:
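Bretski's approach of working from the LOLBAS Project files, and ticklemefeet's candidate list above, amount to a recurring check: which catalogued LOLBins are not yet blocked in user space or guarded, and which proposed names are not in the catalogue at all. The script below is an added example, not code from the thread or from the LOLBAS or AppGuard projects; it works on a constructed sample whose field names are assumed to mirror the LOLBAS JSON export, and the blocked/guarded lists are taken from the posts above.

```python
import json

# Constructed sample in the shape assumed for the LOLBAS project's JSON
# export (field names are an assumption, not copied from the real file).
# In practice, load the downloaded export text instead of this sample.
LOLBAS_SAMPLE = json.dumps([
    {"Name": "Certutil.exe",
     "Commands": [{"Category": "Download", "MitreID": "T1105"},
                  {"Category": "ADS", "MitreID": "T1564.004"}]},
    {"Name": "Bitsadmin.exe",
     "Commands": [{"Category": "Download", "MitreID": "T1105"},
                  {"Category": "Execute", "MitreID": "T1218"}]},
    {"Name": "Regsvr32.exe",
     "Commands": [{"Category": "Execute", "MitreID": "T1218.010"}]},
    {"Name": "Desktopimgdownldr.exe",
     "Commands": [{"Category": "Download", "MitreID": "T1105"}]},
    {"Name": "Mshta.exe",
     "Commands": [{"Category": "Execute", "MitreID": "T1218.005"}]},
])

def norm(name):
    """Case-insensitive binary name with any trailing .exe removed."""
    n = name.strip().lower()
    return n[:-4] if n.endswith(".exe") else n

def coverage_report(lolbas_json, blocked, guarded):
    """Return catalogued binaries that are neither blocked in user space
    nor run as guarded apps, with their LOLBAS categories and ATT&CK ids."""
    handled = {norm(b) for b in blocked} | {norm(g) for g in guarded}
    gaps = {}
    for entry in json.loads(lolbas_json):
        name = norm(entry["Name"])
        if name in handled:
            continue
        cats = sorted({c["Category"] for c in entry["Commands"]})
        ids = sorted({c["MitreID"] for c in entry["Commands"]})
        gaps[name] = {"categories": cats, "mitre": ids}
    return gaps

def in_catalog(lolbas_json, candidates):
    """Split proposed names into those present in the catalogue and those
    not (yet) documented there, preserving the order given."""
    known = {norm(e["Name"]) for e in json.loads(lolbas_json)}
    present = [c for c in candidates if norm(c) in known]
    missing = [c for c in candidates if norm(c) not in known]
    return present, missing

if __name__ == "__main__":
    # Blocked/guarded names are the ones mentioned in this thread.
    print(coverage_report(LOLBAS_SAMPLE,
                          ["certutil", "desktopimgdownldr"], ["regsvr32.exe"]))
    print(in_catalog(LOLBAS_SAMPLE, ["bitsadmin", "aitstatic", "deviceEnroller"]))
```

Against a real export the second function is the quick test for the "undocumented LOLBINS" question: a proposed name that comes back in the missing list has no catalogue entry to justify the block, so the decision rests on your own reasoning rather than published abuse cases.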

Furyo

Level 1
Jun 5, 2022
34
Sadly, the current use of different LOLBINS seems to be progressing more rapidly these days. It would be nice to be able to stay ahead of them
Not sure how you arrived at this position. Please explain. All evidence (anecdotal) suggests that LOLBin abuse is about the same. The techniques are the same. New TTPs are added slowly, but there is a small, net increase over time. The scale of campaigns is both increasing and decreasing. Which direction depends upon a lot of variables.

What is ever-increasing is attack surface generally. With all the additions of new platforms, and the software needed for those platforms, it is not difficult to see that one of the fundamental security challenges has been, and always shall be attack surface.

For some discussions, it would be helpful @ticklemefeet if you ping me in a DM.

And then there is the undocumented LOLBINS.
You mean processes that have not yet been added to one of the lists? Those do make it to lists quickly enough so as not to negatively impact security in any meaningful way. At least internally, new LOLBins hit the print quickly. I get that it might take a project such as LOLBin to add a process to its maintained list.

What do you think?
Blocking just the Uptycs list will thwart most threats regardless of the vector. It is difficult to give numbers but the likelihood that an attack will succeed on a hardened Windows image is low - a small number that only matters to statisticians and mathematicians.
 
Last edited:

ticklemefeet

Level 26
Thread author
Jan 31, 2018
1,579
Not sure how you arrived at this position. Please explain. All evidence (anecdotal) suggests that LOLBin abuse is about the same. The techniques are the same. New TTPs are added slowly, but there is a small, net increase over time. The scale of campaigns is both increasing and decreasing. Which direction depends upon a lot of variables.

What is ever-increasing is attack surface generally. With all the additions of new platforms, and the software needed for those platforms, it is not difficult to see that one of the fundamental security challenges has been, and always shall be attack surface.

For some discussions, it would be helpful @ticklemefeet if you ping me in a DM.


You mean processes that have not yet been added to one of the lists? Those do make it to lists quickly enough so as not to negatively impact security in any meaningful way. At least internally, new LOLBins hit the print quickly. I get that it might take a project such as LOLBin to add a process to its maintained list.


Blocking just the Uptycs list will thwart most threats regardless of the vector. It is difficult to give numbers but the likelihood that an attack will succeed on a hardened Windows image is low - a small number that only matters to statisticians and mathematicians.
I sent you a PM