Advice Request: Potentially dangerous built-in Windows tools/executables?


nadis

Level 1
Thread author
Apr 21, 2020
14
There are many executables in System32 and SysWOW64 that most users probably don't need, but that could be used for malicious purposes, for stealing data through some script or exploit. At a glance, something like ftp.exe or mobsync.exe or wscript.exe or Powershell...

Is there a more comprehensive list of such files somewhere, with descriptions of what they do?

The purpose is to blacklist such files with SRP or similar, or, if they're needed for some critical function, block them with a firewall.
Any real-life reports of breakage would also be appreciated.
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,043

This site redirects to two others:


 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
Technically all processes are subject to exploitation, some more than others.

This is why every 2-3 months we see a new LOLBin being commonly exploited.

It amazes me that users believe that they can actually guess what malware is going to attack them.

You might want to check with Andy to be sure, but I believe sponsors need to be added manually to H_C.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
danb said:
> Technically all processes are subject to exploitation, some more than others.
>
> This is why every 2-3 months we see a new LOLBin being commonly exploited.
>
> It amazes me that users believe that they can actually guess what malware is going to attack them.
>
> You might want to check with Andy to be sure, but I believe sponsors need to be added manually to H_C.
That can depend on the chosen profile. The Recommended Settings do not block Sponsors (LOLBins). The enhanced profile will automatically block several popular Sponsors. The user can block all Sponsors (over 170) with one mouse click (if needed). Some LOLBins use outbound connections, so they can be blocked by the FirewallHardening in H_C.

Anyway, blocking the Sponsors on a well-updated system with well-updated software is not necessary when using H_C with Recommended Settings. The Sponsors (LOLBins) require an exploit or command-line access, and both can hardly be obtained on such a protected system.
See for example:
 
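An added example of the firewall side of Andy Ful's answer (this is my own illustration, not code from the thread and not Hard_Configurator's FirewallHardening): an elevated PowerShell session creates outbound block rules for a short list of LOLBins that make their own network connections. The candidate list, the rule-name prefix `LOLBin block - ` and the decision to skip bitsadmin.exe are my assumptions; the reason for the skip is exactly the one given later in the thread, that bitsadmin.exe only queues a job and the download happens inside the BITS service in svchost.exe, so a per-program rule on bitsadmin.exe blocks nothing.

```powershell
# Added example, not from the thread or from Hard_Configurator: outbound block
# rules for a handful of LOLBins. Run in an elevated PowerShell session.
# The list below is an assumption for illustration; extend it from the LOLBAS
# project (lolbas-project.github.io) and test for breakage before relying on it.

$LolBins = @(
    'ftp.exe',        # named in the thread
    'mobsync.exe',    # named in the thread
    'wscript.exe',
    'cscript.exe',
    'mshta.exe',
    'certutil.exe',
    'regsvr32.exe',
    'rundll32.exe',
    'powershell.exe'  # breaks any scripted downloads (Install-Module, Invoke-WebRequest) you rely on
)

# bitsadmin.exe is deliberately excluded: it only queues a BITS job, and the
# transfer is performed by the BITS service inside svchost.exe, so a rule keyed
# on bitsadmin.exe would block nothing.
$SkipBecauseProxied = @('bitsadmin.exe')

$Roots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

foreach ($bin in $LolBins) {
    if ($SkipBecauseProxied -contains $bin) { continue }
    foreach ($root in $Roots) {
        $path = Join-Path $root $bin
        if (-not (Test-Path $path)) { continue }

        # A file with this name in System32 that is not validly signed is a
        # bigger problem than a missing firewall rule, so flag it first.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            Write-Warning "$path signature status: $($sig.Status); investigate before continuing"
        }

        $name = "LOLBin block - $bin ($(Split-Path $root -Leaf))"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "exists:  $name"
            continue
        }
        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound -Action Block -Program $path `
            -Profile Any -Enabled True | Out-Null
        Write-Host "created: $name"
    }
}

# Review what is now in place; undo everything with
#   Remove-NetFirewallRule -DisplayName 'LOLBin block - *'
Get-NetFirewallRule -DisplayName 'LOLBin block - *' |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program
```

Program-path rules are only as good as the path: an attacker who copies wscript.exe to a user-writable folder is not covered by them, which is why the thread pairs the firewall with SRP rather than relying on either alone.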

nadis

Level 1
Thread author
Apr 21, 2020
14
Thanks, guys! Great recommendations for LOLBins and Hard_Configurator. A similar tool I saw is SysHardener, although it doesn't include SRP rules.

Now off to do some testing.
What's the consensus for Bitsadmin.exe? Is it required for Windows Updates, does it need internet access?
I'm also hesitant to block Wscript/Cscript from running, because there are some .vbs files provided by Windows itself...
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
nadis said:
> Thanks, guys! Great recommendations for LOLBins and Hard_Configurator. A similar tool I saw is SysHardener, although it doesn't include SRP rules.
>
> Now off to do some testing.
> What's the consensus for Bitsadmin.exe? Is it required for Windows Updates, does it need internet access?
> I'm also hesitant to block Wscript/Cscript from running, because there are some .vbs files provided by Windows itself...
Bitsadmin.exe is not required for Windows Updates because they use BITS directly.
Bitsadmin.exe requires Internet access, but cannot be blocked by the Firewall (uses svchost.exe).
You can block Wscript/Cscript; they are not used by a healthy system for any important tasks (just administrative scripts). But you have to check that installed applications do not use them (it can rarely happen).
You can block Wscript/Cscript safely by SRP for standard processes only (like in Hard_Configurator) and then the system processes will use them without problems.
 
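Andy Ful's caveat above, "check that installed applications do not use them", is the step people skip before blocking the script hosts. As an added example that is not part of the thread, this read-only PowerShell script lists the autostart locations on the local machine that reference wscript.exe, cscript.exe or a script file they would run (.vbs, .vbe, .js, .jse, .wsf): scheduled tasks, the Run/RunOnce keys, services and the Startup folders. The regex and the set of locations checked are my own choices; anything it reports is a candidate for the "standard processes only" SRP rule, or for an exception, before the block goes in.

```powershell
# Added example, not from the thread: inventory autostart locations that would
# call wscript.exe/cscript.exe, so an SRP rule against them can be tested for
# breakage first. Read-only; run elevated to see every scheduled task.

# Matches the script hosts by name and the file types they run. Assumption for
# illustration; add .hta or .ps1 if you are auditing other hosts as well.
$ScriptPattern = '(?i)(\\|^)(wscript|cscript)(\.exe)?\b|\.(vbs|vbe|js|jse|wsf)\b'

$hits = New-Object System.Collections.Generic.List[object]

function Add-Hit([string]$Source, [string]$Name, [string]$CommandLine) {
    if ($CommandLine -match $ScriptPattern) {
        $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; CommandLine = $CommandLine })
    }
}

# 1. Scheduled tasks, Microsoft ones included: this is where the "Windows uses
#    them itself" cases show up. COM-handler actions have no Execute and are skipped.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            Add-Hit 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
        }
    }
}

# 2. Run / RunOnce autostarts, machine and current-user hives
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
        Add-Hit 'RunKey' "$key\$($p.Name)" ([string]$p.Value)
    }
}

# 3. Services (a script host as ImagePath is rare but worth knowing about)
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.PathName) { Add-Hit 'Service' $svc.Name $svc.PathName }
}

# 4. Startup folders: resolve .lnk targets, report scripts dropped there directly.
#    WScript.Shell here is the COM object, it does not launch wscript.exe.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File) {
        if ($f.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($f.FullName)
            Add-Hit 'StartupFolder' $f.Name "$($lnk.TargetPath) $($lnk.Arguments)"
        } else {
            Add-Hit 'StartupFolder' $f.Name $f.FullName
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Host 'No scheduled task, autostart, service or Startup-folder reference to wscript/cscript found.'
} else {
    $hits | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
}
```

Tasks under \Microsoft\ that appear in the output are the ones an SRP rule restricted to standard processes will still allow, because the Task Scheduler runs them as SYSTEM; entries under vendor task paths or in the Run keys are the application cases Andy Ful warns about.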
