shmu26

Level 76
Content Creator
Trusted
Verified
Microsoft published a list of legitimate apps that can be abused by attackers to bypass security rules and to infect organizations' networks through living-off-the-land attack methods...

  • addinprocess.exe
  • addinprocess32.exe
  • addinutil.exe
  • bash.exe
  • bginfo.exe[1]
  • cdb.exe
  • csi.exe
  • dbghost.exe
  • dbgsvc.exe
  • dnx.exe
  • fsi.exe
  • fsiAnyCpu.exe
  • kd.exe
  • ntkd.exe
  • lxssmanager.dll
  • msbuild.exe[2]
  • mshta.exe
  • ntsd.exe
  • rcsi.exe
  • system.management.automation.dll
  • windbg.exe
  • wmic.exe

Microsoft Published a List of Legitimate Apps that Attackers Abuse

"Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications." Source: Microsoft recommended block rules (Windows 10)
 

shmu26

Level 76
Content Creator
Trusted
Verified
It makes no sense that they put "system.management.automation.dll" on the list, because it can't be blocked by any normal means. It is created on the fly, so blacklisting doesn't work.
It is the DLL used by tricky PowerShell attacks that can bypass blacklisting of powershell.exe.
 

Sunshine-boy

Level 27
Verified
better list here:
"...st, because it can't be blocked by any normal means"
I think WD app control can block these DLLs (Andy Ful said so somewhere in the forum).
 

Andy Ful

Level 40
Content Creator
Trusted
Verified
WDAC can block .NET DLLs (like system.management.automation.dll), but most other solutions (SRP, Bouncer, SOB, etc.) cannot. On some systems, PowerShell also uses the native image library system.management.automation.ni.dll, which can be blocked by SRP, Bouncer, SOB, etc.
Blocking LOLBins can be useful in a default-allow setup, especially in organizations and enterprises. The executables included in "Microsoft Published a List of Legitimate Apps that Attackers Abuse" are recommended to be blocked in organizations and enterprises.
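To make the WDAC point above concrete, here is an added example of a Code Integrity policy (written for this thread, not Microsoft's published block policy) that denies a few of the listed binaries by file name, including the PowerShell assembly and its native image; the rule IDs and friendly names are made up, and the remaining entries from the list follow the same pattern:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example policy, not Microsoft's published one. Deny rules match the
     OriginalFilename field in each binary's version resource, so confirm the
     FileName values against the actual files before deploying. -->
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <!-- Start in audit mode: CodeIntegrity event 3076 shows what would be blocked (3077 once enforced). -->
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
  <EKUs />
  <FileRules>
    <!-- MinimumFileVersion 65535.65535.65535.65535 denies every version of the file. -->
    <Deny ID="ID_DENY_MSHTA"   FriendlyName="mshta.exe"   FileName="mshta.exe"   MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_MSBUILD" FriendlyName="msbuild.exe" FileName="msbuild.exe" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_WMIC"    FriendlyName="wmic.exe"    FileName="wmic.exe"    MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_BASH"    FriendlyName="bash.exe"    FileName="bash.exe"    MinimumFileVersion="65535.65535.65535.65535" />
    <!-- WDAC evaluates DLL loads as well as EXEs, which is why it can cover the
         .NET assembly and its native image where path/hash-based SRP rules cannot. -->
    <Deny ID="ID_DENY_SMA"    FriendlyName="system.management.automation.dll"    FileName="system.management.automation.dll"    MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_SMA_NI" FriendlyName="system.management.automation.ni.dll" FileName="system.management.automation.ni.dll" MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
  <Signers />
  <SigningScenarios>
    <!-- Value 12 is the user-mode scenario; a Deny rule only takes effect once referenced here. -->
    <SigningScenario Value="12" ID="ID_SS_USERMODE" FriendlyName="User mode">
      <ProductSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_DENY_MSHTA" />
          <FileRuleRef RuleID="ID_DENY_MSBUILD" />
          <FileRuleRef RuleID="ID_DENY_WMIC" />
          <FileRuleRef RuleID="ID_DENY_BASH" />
          <FileRuleRef RuleID="ID_DENY_SMA" />
          <FileRuleRef RuleID="ID_DENY_SMA_NI" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners />
  <HvciOptions>0</HvciOptions>
</SiPolicy>
```

Merge this into an existing allow policy (for example with Merge-CIPolicy) before removing the audit-mode option, because a deny-only policy with UMCI enabled and no allow rules blocks all user-mode code.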

Local Host

Level 14
Verified
It makes no sense that they put "system.management.automation.dll" on the list, because it can't be blocked by any normal means. It is created on the fly, so blacklisting doesn't work.
It is the DLL used by tricky PowerShell attacks that can bypass blacklisting of powershell.exe.
This is for the enterprise, where Windows Defender ATP can block such DLLs with no effort.