nadis

New Member
There are many executables in System32 and SysWOW64 that most users probably don't need, but that could be used for malicious purposes, for stealing data through some script or exploit. At a glance, something like ftp.exe or mobsync.exe or wscript.exe or PowerShell...

Is there a more comprehensive list of such files somewhere, with descriptions of what they do?

The purpose is to blacklist such files with SRP or similar, or, if they're needed for some critical function, block them with a firewall.
Any real-life reports of breakage would also be appreciated.

danb

From VoodooShield
Verified
Developer
Technically all processes are subject to exploitation, some more than others.

This is why every 2-3 months we see a new LOLBin being commonly exploited.

It amazes me that users believe that they can actually guess what malware is going to attack them.

You might want to check with Andy to be sure, but I believe sponsors need to be added manually to H_C.

Andy Ful

Level 62
Verified
Trusted
Content Creator
Technically all processes are subject to exploitation, some more than others.

This is why every 2-3 months we see a new LOLBin being commonly exploited.

It amazes me that users believe that they can actually guess what malware is going to attack them.

You might want to check with Andy to be sure, but I believe sponsors need to be added manually to H_C.
That can depend on the chosen profile. The Recommended Settings do not block Sponsors (LOLBins). The enhanced profile will automatically block several popular Sponsors. The user can block all Sponsors (over 170) with one mouse-click (if needed). Some LOLBins use outbound connections, so they can be blocked by the FirewallHardening in H_C.

Anyway, blocking the Sponsors on a well-updated system with well-updated software is not necessary when using H_C with Recommended Settings. The Sponsors (LOLBins) require an exploit or command-line access - both can hardly be obtained on such a protected system.
See for example:

nadis

New Member
Thanks, guys! Great recommendations for LOLBins and Hard_Configurator. A similar tool I saw is SysHardener, albeit it doesn't include SRP rules.

Now off to do some testing.
What's the consensus for Bitsadmin.exe? Is it required for Windows Updates, does it need internet access?
I'm also hesitant to block Wscript/Cscript from running, because there are some .vbs files provided by Windows itself...

Andy Ful

Level 62
Verified
Trusted
Content Creator
Thanks, guys! Great recommendations for LOLBins and Hard_Configurator. A similar tool I saw is SysHardener, albeit it doesn't include SRP rules.

Now off to do some testing.
What's the consensus for Bitsadmin.exe? Is it required for Windows Updates, does it need internet access?
I'm also hesitant to block Wscript/Cscript from running, because there are some .vbs files provided by Windows itself...
Bitsadmin.exe is not required for Windows Updates because they use BITS directly.
Bitsadmin.exe requires Internet access, but cannot be blocked by the Firewall (uses svchost.exe).
You can block Wscript/Cscript; they are not used by a healthy system for any important tasks (just administrative scripts). But you have to check whether installed applications use them (it can rarely happen).
You can block Wscript/Cscript safely by SRP for standard processes only (like in Hard_Configurator) and then the system processes will use them without problems.
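As an added example (not from this thread, Hard_Configurator or VoodooShield), the outbound-firewall part of the advice above can be scripted with the built-in NetSecurity cmdlets: it creates per-program outbound block rules for the LOLBins named in the thread, in both System32 and SysWOW64, and then lists them for verification. It assumes Windows 10/11, an elevated PowerShell session, and that the rule name prefix "LOLBin block outbound:" is free; bitsadmin.exe is deliberately left out because, as Andy notes, its transfers run inside svchost.exe and a per-program rule would not cover them.

```powershell
# Added example, not part of the original thread. Run elevated.
# Relative paths under the two system directories; names come from the thread.
$Lolbins = @(
    'ftp.exe',
    'mobsync.exe',
    'wscript.exe',
    'cscript.exe',
    'WindowsPowerShell\v1.0\powershell.exe'   # powershell.exe lives in a subfolder
)
# bitsadmin.exe is intentionally absent: BITS jobs transfer data from svchost.exe,
# so a rule bound to bitsadmin.exe would not block the traffic.

$Dirs   = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$Prefix = 'LOLBin block outbound:'   # assumed, unused rule-name prefix

foreach ($name in $Lolbins) {
    foreach ($dir in $Dirs) {
        $path = Join-Path $dir $name
        # Skip binaries that do not exist here (e.g. no SysWOW64 on 32-bit Windows)
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $ruleName = "$Prefix $path"
        # Idempotent: do not create a duplicate if the script is run twice
        if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
            continue
        }
        New-NetFirewallRule -DisplayName $ruleName `
                            -Direction   Outbound `
                            -Action      Block `
                            -Program     $path `
                            -Profile     Any `
                            -Enabled     True | Out-Null
    }
}

# Verification: show every rule created by this script with its bound program.
# If an application later breaks, this list is what to check (and Remove-NetFirewallRule
# -DisplayName "<rule name>" reverts a single entry).
Get-NetFirewallRule -DisplayName "$Prefix*" | ForEach-Object {
    $app = $_ | Get-NetFirewallApplicationFilter
    '{0,-6} {1,-9} {2}' -f $_.Action, $_.Direction, $app.Program
}
```

Blocking Wscript/Cscript from running at all is a separate SRP (or Hard_Configurator) setting; this script only cuts their network access, which is the safer first step when you are still testing for breakage.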