shmu26

Level 81
Verified
Trusted
Content Creator
Microsoft published a list of legitimate apps that can be abused by attackers to bypass security rules and to infect an organization's network through living-off-the-land attack methods...

  • addinprocess.exe
  • addinprocess32.exe
  • addinutil.exe
  • bash.exe
  • bginfo.exe[1]
  • cdb.exe
  • csi.exe
  • dbghost.exe
  • dbgsvc.exe
  • dnx.exe
  • fsi.exe
  • fsiAnyCpu.exe
  • kd.exe
  • ntkd.exe
  • lxssmanager.dll
  • msbuild.exe[2]
  • mshta.exe
  • ntsd.exe
  • rcsi.exe
  • system.management.automation.dll
  • windbg.exe
  • wmic.exe

Microsoft Published a List of Legitimate Apps that Attackers Abuse

"Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications." Source: Microsoft recommended block rules (Windows 10)
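As an added example (not from this thread and not Microsoft's own policy file), the script below turns the list above into WDAC Deny rules in the same FileName-based shape Microsoft's recommended block rules document uses, so that the binaries and the .NET DLLs on the list are denied regardless of version. It assumes the ConfigCI cmdlets are available on the admin machine and that the output paths are placeholders you replace; the policy is emitted in audit mode unless you pass -Enforce.

```powershell
# Added example: generate a WDAC supplemental block policy for the LOLBins
# listed in Microsoft's recommended block rules. Not the thread's or
# Microsoft's code; file names below are the ones quoted in the post.

$LolbinBlockList = @(
    'addinprocess.exe', 'addinprocess32.exe', 'addinutil.exe', 'bash.exe',
    'bginfo.exe', 'cdb.exe', 'csi.exe', 'dbghost.exe', 'dbgsvc.exe', 'dnx.exe',
    'fsi.exe', 'fsiAnyCpu.exe', 'kd.exe', 'ntkd.exe', 'lxssmanager.dll',
    'msbuild.exe', 'mshta.exe', 'ntsd.exe', 'rcsi.exe',
    'system.management.automation.dll', 'windbg.exe', 'wmic.exe'
)

function Get-DenyRuleId {
    # WDAC rule IDs may only contain letters, digits and underscores.
    param([Parameter(Mandatory)][string]$FileName)
    return 'ID_DENY_' + ($FileName.ToUpperInvariant() -replace '[^A-Z0-9]', '_')
}

function New-LolbinDenyPolicy {
    # Returns the policy XML as a string. Audit mode is the default so the
    # policy can be validated from the CodeIntegrity event log before enforcing.
    param(
        [Parameter(Mandatory)][string[]]$FileNames,
        [switch]$Enforce
    )

    $denyRules = foreach ($name in $FileNames) {
        $id = Get-DenyRuleId -FileName $name
        # MinimumFileVersion set to the maximum value means "deny every version";
        # this is the convention Microsoft's block-rules XML uses.
        "    <Deny ID=`"$id`" FriendlyName=`"$name`" FileName=`"$name`" MinimumFileVersion=`"65535.65535.65535.65535`" />"
    }
    $ruleRefs = foreach ($name in $FileNames) {
        $id = Get-DenyRuleId -FileName $name
        "          <FileRuleRef RuleID=`"$id`" />"
    }
    $auditRule = if ($Enforce) { '' } else { '    <Rule><Option>Enabled:Audit Mode</Option></Rule>' }

    # Deny rules are referenced from the user-mode signing scenario (Value="12"),
    # which is where user-mode EXEs and DLLs such as the PowerShell engine DLL are evaluated.
    return @"
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
$auditRule
    <Rule><Option>Enabled:Advanced Boot Options Menu</Option></Rule>
  </Rules>
  <EKUs />
  <FileRules>
$($denyRules -join "`n")
  </FileRules>
  <Signers />
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Kernel Mode Signing Scenario">
      <ProductSigners />
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User Mode Signing Scenario">
      <ProductSigners>
        <FileRulesRef>
$($ruleRefs -join "`n")
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners />
  <HvciOptions>0</HvciOptions>
</SiPolicy>
"@
}

# Usage (paths are placeholders):
$denyXml = 'C:\WDAC\lolbin-deny.xml'
New-LolbinDenyPolicy -FileNames $LolbinBlockList | Set-Content -Path $denyXml -Encoding UTF8
# Merge into your existing base policy, then compile to the binary form WDAC loads.
# Merge-CIPolicy -PolicyPaths 'C:\WDAC\base.xml', $denyXml -OutputFilePath 'C:\WDAC\merged.xml'
# ConvertFrom-CIPolicy -XmlFilePath 'C:\WDAC\merged.xml' -BinaryFilePath 'C:\WDAC\SIPolicy.p7b'
```

Keep the merged policy in audit mode first and watch the Microsoft-Windows-CodeIntegrity/Operational log: event 3076 is logged when a file would have been blocked in audit mode and 3077 when it is actually blocked under enforcement, which makes it easy to spot a maintenance task or a legitimate tool that relies on one of the listed binaries before you switch -Enforce on.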
 

shmu26

Level 81
Verified
Trusted
Content Creator
It makes no sense that they put "system.management.automation.dll" on the list, because it can't be blocked by any normal means. It is created on the fly, so blacklisting doesn't work.
It is the DLL used by tricky PowerShell attacks that can bypass blacklisting of powershell.exe.
 

Sunshine-boy

Level 27
Verified
better list here:
> st, because it can't be blocked by any normal means
I think WD app control can block these DLLs (Andy Ful said somewhere in the forum).
 

Andy Ful

Level 44
Verified
Trusted
Content Creator
WDAC can block .NET DLLs (like system.management.automation.dll), but most other solutions (SRP, Bouncer, SOB, etc.) cannot. On some systems, PowerShell also uses the native image library system.management.automation.ni.dll, which can be blocked by SRP, Bouncer, SOB, etc.
Blocking LOLBins can be useful in a default-allow setup, especially in organizations and enterprises. The executables included in "Microsoft Published a List of Legitimate Apps that Attackers Abuse" are recommended to be blocked in organizations and enterprises.
 

Local Host

Level 17
Verified
> It makes no sense that they put "system.management.automation.dll" on the list, because it can't be blocked by any normal means. It is created on the fly, so blacklisting doesn't work.
> It is the DLL used by tricky PowerShell attacks that can bypass blacklisting of powershell.exe.
This is for the enterprise, where Windows Defender ATP can block such DLLs with no effort.
 

shmu26

Level 81
Verified
Trusted
Content Creator
> WDAC can block .NET DLLs (like system.management.automation.dll)
Can WDAC block system.management.automation.dll and system.management.automation.ni.dll for the normal privilege level, but allow them for elevated processes? I am asking because these DLLs are used by Windows maintenance tasks. So if you can allow elevated processes, that would allow Windows to do what it needs to do, correct?
 

shmu26

Level 81
Verified
Trusted
Content Creator
> Windows is not home user friendly, it's that simple. People need to learn and embrace Linux.
IMHO figuring out how to do things on Linux is about as user friendly as setting up advanced security on Windows.
For instance, this morning I figured out how to configure rclone and mount my google drive in Linux (gnome online accounts isn't working for me, and the Linux Mint forum hasn't come up with a solution yet).
In the same amount of time, I probably could have set up WDAC.