Andy Ful
From Hard_Configurator Tools
It is hard to bypass SRP + OSA (properly configured). SRP cannot block .NET DLLs, and probably OSA too. But, executing .NET DLLs via LOLBins usually requires PowerShell or Windows Script Host. PowerShell is already highly restricted to Constrained Language Mode when SRP Default Security Level is set to Disallowed - this can prevent PowerShell from loading .NET DLLs. Also, other scripting engines can be restricted by SRP/OSA.

> @Andy Ful, wouldn't a LOLBin have to launch a malicious file typically dropped in user space? And if this is the case, tight SRP or other anti-executable restrictions should probably stop it?

The same is true for running the shellcode encoded in documents, pictures, etc. But SRP + OSA requires more attention and maintenance compared to SRP with properly blocked shortcuts (like in H_C). Many things are doubly blocked by SRP and OSA. Sometimes, it is really hard to find out how to whitelist applications in the User Space, especially when DLLs are blocked. There can also be problems with Windows Updates and software updates.
Your SRP + OSA protection model is rather designed for businesses (possible attacks from the Local Network).
Anyway, you seem to like it. So, you can probably live with it.
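A way to verify the claim in the post above on your own machine, as an added example that is not part of the original post or of Hard_Configurator: read the SRP Default Security Level from the standard policy key, report the language mode of the current PowerShell session, and try to load a managed DLL. It assumes Windows PowerShell 5.1 (the host that drops into Constrained Language Mode when SRP enforcement is active) and a hypothetical DLL path `C:\Users\Public\test.dll`; the key path and level values are the standard Safer policy ones.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1
# and a machine-wide SRP policy under the standard Safer policy key.
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# DefaultLevel DWORD values used by SRP (SAFER_LEVELID_* constants).
$LevelNames = @{
    0       = 'Disallowed'
    0x1000  = 'Untrusted'
    0x10000 = 'Restricted'
    0x20000 = 'Basic User'
    0x40000 = 'Unrestricted'
}

function Get-SrpDefaultLevel {
    # Returns the configured SRP default level as a name, or a marker if SRP is not set up.
    if (-not (Test-Path $SaferKey)) { return 'Not configured' }
    $props = Get-ItemProperty -Path $SaferKey -ErrorAction SilentlyContinue
    if ($null -eq $props.DefaultLevel) { return 'Not configured' }
    $name = $LevelNames[[int]$props.DefaultLevel]
    if ($null -eq $name) { $name = ('Unknown (0x{0:X})' -f $props.DefaultLevel) }
    return $name
}

function Test-DotNetDllLoad {
    # Attempts to load a managed assembly the way a script-based LOLBin chain would.
    # In Constrained Language Mode the static method call itself is refused
    # ("Cannot invoke method..."), before the file is even opened.
    param([string]$DllPath)
    if (-not (Test-Path $DllPath)) { return 'no such file (choose a real managed DLL to test)' }
    try {
        [System.Reflection.Assembly]::LoadFile($DllPath) | Out-Null
        return 'loaded'
    } catch {
        return "blocked: $($_.Exception.Message)"
    }
}

"SRP default level : $(Get-SrpDefaultLevel)"
"PowerShell mode   : $($ExecutionContext.SessionState.LanguageMode)"
"DLL load attempt  : $(Test-DotNetDllLoad -DllPath 'C:\Users\Public\test.dll')"   # hypothetical path
```

With Default Security Level = Disallowed the second line should read `ConstrainedLanguage` and the load attempt is refused regardless of whether the DLL itself is whitelisted; with Unrestricted it reads `FullLanguage` and the same DLL loads. Run it from a console launched after the policy was applied, since an already-open session keeps its original language mode.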