Microsoft Recommends Default-Deny (Sort of)

shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Microsoft published legitimate apps that can be abused by attackers to bypass the security rules and to infect organizations network through living off the land attack methods...

  • addinprocess.exe
  • addinprocess32.exe
  • addinutil.exe
  • bash.exe
  • bginfo.exe[1]
  • cdb.exe
  • csi.exe
  • dbghost.exe
  • dbgsvc.exe
  • dnx.exe
  • fsi.exe
  • fsiAnyCpu.exe
  • kd.exe
  • ntkd.exe
  • lxssmanager.dll
  • msbuild.exe[2]
  • mshta.exe
  • ntsd.exe
  • rcsi.exe
  • system.management.automation.dll
  • windbg.exe
  • wmic.exe

Microsoft Published a List of Legitimate Apps that Attackers Abuse

"Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications." Source: Microsoft recommended block rules (Windows 10)
 
  • Like
  • Wow
  • Applause
Reactions: Deletedmessiah, fabiobr, bribon77 and 14 others
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
It makes no sense that they put "system.management.automation.dll" on the list, because it can't be blocked by any normal means. It is created on the fly, so blacklisting doesn't work.
It is the dll used by tricky Powershell attacks that can bypass blacklisting of powershell.exe.
 
  • Like
Reactions: stefanos, Deletedmessiah, bribon77 and 7 others
Sunshine-boy

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,760
better list here:
github.com

GitHub - api0cradle/LOLBAS: Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - api0cradle/LOLBAS
github.com github.com
github.com

GitHub - LOLBAS-Project/LOLBAS: Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - LOLBAS-Project/LOLBAS
github.com github.com
shmu26 said:
st, because it can't be blocked by any normal means
Click to expand...
i think WD app control can block these Dlls(Andy Ful said somewhere in forum)
 
  • Like
Reactions: shmu26, Deletedmessiah, bribon77 and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,111
WDAC can block .NET DLLs (like system.management.automation.dll), but most other solutions (SRP, Bouncer, SOB, etc.) cannot. On some systems, PowerShell uses also the native image library system.management.automation.ni.dll, that can be blocked by SRP, Bouncer, SOB, etc.
Blocking LOLBins can be useful in default-allow setup, especially in organizations and enterprises. The executables included in Microsoft Published a List of Legitimate Apps that Attackers Abuse, are recommended to block in organizations and enterprises.
 
Last edited:
  • Like
Reactions: Sunshine-boy, Gandalf_The_Grey, harlan4096 and 5 others
L

Local Host

shmu26 said:
It makes no sense that they put "system.management.automation.dll" on the list, because it can't be blocked by any normal means. It is created on the fly, so blacklisting doesn't work.
It is the dll used by tricky Powershell attacks that can bypass blacklisting of powershell.exe.
Click to expand...
This is for the enterprise, where Windows Defender ATP can block such dlls with no effort.
 
  • Like
Reactions: Gandalf_The_Grey, upnorth, harlan4096 and 3 others
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Andy Ful said:
WDAC can block .NET DLLs (like system.management.automation.dll)
Click to expand...
Can WDAC block system.management.automation.dll and system.management.automation.ni.dll for normal privilege level, but allow it for elevated processes? I am asking because these dlls are used by Windows maintenance tasks. So if you can allow elevated processes, that would allow Windows to do what it needs to do, correct?
 
  • Like
Reactions: oldschool, Sunshine-boy, harlan4096 and 1 other person
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
DeepWeb said:
Windows is not home user friendly, it's that simple. People need to learn and embrace Linux.
Click to expand...
IMHO figuring out how to do things on Linux is about as user friendly as setting up advanced security on Windows.
For instance, this morning I figured out how to configure rclone and mount my google drive in Linux (gnome online accounts isn't working for me, and the Linux Mint forum hasn't come up with a solution yet).
In the same amount of time, I probably could have set up WDAC.
 
  • Like
Reactions: Local Host, oldschool, harlan4096 and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,111
DeepWeb said:
Windows is not home user friendly, it's that simple. People need to learn and embrace Linux.
Click to expand...
It is as true as:
Linux is not home user friendly. People need to learn and embrace Windows.:giggle:(y)
Anyway, for many users, the Chromebook would be the right solution.
But, we should not continue this path, because it is off topic (I think).:emoji_pray:
 
  • Like
Reactions: DeepWeb, Local Host, oldschool and 3 others

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top