Microsoft Recommends Default-Deny (Sort of)

shmu26 · May 14, 2019

Microsoft published legitimate apps that can be abused by attackers to bypass the security rules and to infect organizations network through living off the land attack methods...

addinprocess.exe
addinprocess32.exe
addinutil.exe
bash.exe
bginfo.exe[1]
cdb.exe
csi.exe
dbghost.exe
dbgsvc.exe
dnx.exe
fsi.exe
fsiAnyCpu.exe
kd.exe
ntkd.exe
lxssmanager.dll
msbuild.exe[2]
mshta.exe
ntsd.exe
rcsi.exe
system.management.automation.dll
windbg.exe
wmic.exe

Microsoft Published a List of Legitimate Apps that Attackers Abuse

"Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications." Source: Microsoft recommended block rules (Windows 10)

shmu26 · May 15, 2019

It makes no sense that they put "system.management.automation.dll" on the list, because it can't be blocked by any normal means. It is created on the fly, so blacklisting doesn't work.
It is the dll used by tricky Powershell attacks that can bypass blacklisting of powershell.exe.

Sunshine-boy · May 15, 2019

better list here:

GitHub - api0cradle/LOLBAS: Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - api0cradle/LOLBAS

github.com

GitHub - LOLBAS-Project/LOLBAS: Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - LOLBAS-Project/LOLBAS

github.com

shmu26 said:
st, because it can't be blocked by any normal means

i think WD app control can block these Dlls(Andy Ful said somewhere in forum)

Andy Ful · May 15, 2019

WDAC can block .NET DLLs (like system.management.automation.dll), but most other solutions (SRP, Bouncer, SOB, etc.) cannot. On some systems, PowerShell uses also the native image library system.management.automation.ni.dll, that can be blocked by SRP, Bouncer, SOB, etc.
Blocking LOLBins can be useful in default-allow setup, especially in organizations and enterprises. The executables included in Microsoft Published a List of Legitimate Apps that Attackers Abuse, are recommended to block in organizations and enterprises.

bribon77 · May 15, 2019

But that is not for a normal user.
M $ now that they become security experts.

Local Host · May 15, 2019

shmu26 said:
It makes no sense that they put "system.management.automation.dll" on the list, because it can't be blocked by any normal means. It is created on the fly, so blacklisting doesn't work.
It is the dll used by tricky Powershell attacks that can bypass blacklisting of powershell.exe.

This is for the enterprise, where Windows Defender ATP can block such dlls with no effort.

shmu26 · May 21, 2019

Andy Ful said:
WDAC can block .NET DLLs (like system.management.automation.dll)

Can WDAC block system.management.automation.dll and system.management.automation.ni.dll for normal privilege level, but allow it for elevated processes? I am asking because these dlls are used by Windows maintenance tasks. So if you can allow elevated processes, that would allow Windows to do what it needs to do, correct?

Andy Ful · May 21, 2019

shmu26 said:
Can WDAC block system.management.automation.dll and system.management.automation.ni.dll for normal privilege level, but allow it for elevated processes?

It is blocked also on elevated level.

shmu26 · May 21, 2019

Andy Ful said:
It is blocked also on elevated level.

So just as well to block it with FIDES, then?

Andy Ful · May 21, 2019

shmu26 said:
So just as well to block it with FIDES, then?

WDAC is more comprehensive. FIDES driver can be deactivated by malware and cannot block DLLs with changed names or extensions.

DeepWeb · May 21, 2019

Windows is not home user friendly, it's that simple. People need to learn and embrace Linux.

shmu26 · May 21, 2019

DeepWeb said:
Windows is not home user friendly, it's that simple. People need to learn and embrace Linux.

IMHO figuring out how to do things on Linux is about as user friendly as setting up advanced security on Windows.
For instance, this morning I figured out how to configure rclone and mount my google drive in Linux (gnome online accounts isn't working for me, and the Linux Mint forum hasn't come up with a solution yet).
In the same amount of time, I probably could have set up WDAC.

Andy Ful · May 21, 2019

DeepWeb said:
Windows is not home user friendly, it's that simple. People need to learn and embrace Linux.

It is as true as:
Linux is not home user friendly. People need to learn and embrace Windows.

Anyway, for many users, the Chromebook would be the right solution.
But, we should not continue this path, because it is off topic (I think).:emoji_pray:

Search

Search

Microsoft Recommends Default-Deny (Sort of)

shmu26

Level 85

shmu26

Level 85

Sunshine-boy

Level 29

GitHub - api0cradle/LOLBAS: Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

GitHub - LOLBAS-Project/LOLBAS: Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

Andy Ful

From Hard_Configurator Tools

bribon77

Level 35

Local Host

shmu26

Level 85

Andy Ful

From Hard_Configurator Tools

shmu26

Level 85

Andy Ful

From Hard_Configurator Tools

DeepWeb

Level 25

shmu26

Level 85

Andy Ful

From Hard_Configurator Tools

You may also like...