F
ForgottenSeer 85179
Thread author
The ones from Lenny_Fox post above. Or from my post.
Just asking in general.
Also, what's your opinion about that?
Please provide comments and solutions that are helpful to the author of this topic.
Just asking in general.
Also, what's your opinion about that?
Using mitigations for Windows Explorer or Script Interpreters/ LOLBins would need a lot of research and testing.
It is much easier to do it for a particular user application. I do not think that restricting LOLBins in this way is a good idea (although it may work in some cases). It is better to block them completely. If LOLBins cannot be blocked (like cmd.exe, rundll.exe) then there are some well known methods that help prevent abusing LOLBins, for example:
It is much easier to do it for a particular user application. I do not think that restricting LOLBins in this way is a good idea (although it may work in some cases). It is better to block them completely. If LOLBins cannot be blocked (like cmd.exe, rundll.exe) then there are some well known methods that help prevent abusing LOLBins, for example:
- Command-line whitelisting.
- Command-line blacklisting.
- Restricting access to command-lines by blocking/whitelisting shortcuts, scripts, and files with active content (SRP).
Last edited:
Releases · zodiacon/GflagsX
Enhanced version of the GFlags tool. Contribute to zodiacon/GflagsX development by creating an account on GitHub.
github.com
F
ForgottenSeer 85179
Thread author
last update: 12 Apr 2019
Releases · zodiacon/GflagsX
Enhanced version of the GFlags tool. Contribute to zodiacon/GflagsX development by creating an account on GitHub.
you shouldn't use such outdated programs for security. Also that tool isn't the topic here.
It is outdated, yes, but it can serve the purpose of the theme created and is an easy-to-use tool for creating mitigations in programs.
F
ForgottenSeer 85179
Thread author
This Powershell command activate "Force Random Arrangement for Images(mandatory ASLR)":
Run Powershell as Admin and reboot after running this command.
Info: It may break some programs but should be activated for security reasons.
The same can also be archived in GUI:
Code:
Set-ProcessMitigation -System -Enable ForceRelocateImagesInfo: It may break some programs but should be activated for security reasons.
The same can also be archived in GUI:
- Windows Security -> App & Browser control -> Exploit-Protection -> Enable Random Arrangement for Images (Mandatory ASLR) enabled
The problem with such restrictions is that the results can be unpredictable. They can work for a few months and then crash something important.
The mmc.exe should not be blocked in this way. Some important features will not work, like Event viewer, Task scheduler, Computer management, Disk management, and several others.
It is possible to block MMC for standard processes via SRP and run it from the elevated shell, like "Windows PowerShell (Admin)".
Edit.
When applying restrictions it is always recommended to create/keep a profile that can easily restore the default Windows settings.
Last edited:
It must be by coincidence, but I notice less blocking activity in Windows 10 Firewall Control, after applying these restrictions.
You may also like...
-
-
Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware- Started by Parkinsond
- Replies: 22
-
Testing Orion Malware Cleaner Designed by Me- Started by Trident
- Replies: 8
-
Orion Malware Cleaner (OMC) - By Trident
- Started by Trident
- Replies: 23
-
Beginning test of WHH at max settings per Andy Ful + OSArmor + SysHardener + Sysmon in DMZ- Started by Victor M
- Replies: 36