- Dec 23, 2014
It is hard to bypass SRP + OSA (properly configured). SRP cannot block .NET DLLs, and probably OSA cannot either. But executing .NET DLLs via LOLBins usually requires PowerShell or Windows Script Host. PowerShell is already highly restricted to Constrained Language Mode when the SRP Default Security Level is set to Disallowed; this can prevent PowerShell from loading .NET DLLs. Also, other scripting engines can be restricted by SRP/OSA.
The same is true for running shellcode encoded in documents, pictures, etc. But SRP + OSA requires more attention and maintenance compared to SRP with properly blocked shortcuts (like in H_C). Many things are doubly blocked by SRP and OSA. Sometimes it is really hard to find out how to whitelist applications in the User Space, especially when DLLs are blocked. There can also be problems with Windows Updates and software updates.
Your SRP + OSA protection model is rather designed for businesses (possible attacks from the Local Network).
Anyway, you seem to like it. So, you can probably live with it.
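The post relies on one mechanism: an SRP Default Security Level of Disallowed puts PowerShell into Constrained Language Mode, and in that mode PowerShell refuses to compile or load arbitrary .NET code. The following audit script is an added example, not code from the original post or from any of the tools it mentions. It reads the SRP default level from the policy registry key, reports the current PowerShell language mode, and probes whether `Add-Type` is permitted, so an administrator can confirm the restriction actually applies on a given machine. The function names (`Get-SrpDefaultLevel`, `Test-DotNetLoadAllowed`) and the probe class name `SrpProbe` are assumptions made for the example; the registry path and the `DefaultLevel` values are the standard SRP ones.

```powershell
# Added example: audit whether SRP's default level and PowerShell's language
# mode match what is expected on a locked-down workstation.

function Get-SrpDefaultLevel {
    # SRP stores its machine-wide default level here (assumption for this
    # example: machine policy; per-user policy uses the same path under HKCU).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path -Path $key)) { return 'SRP not configured' }

    $level = (Get-ItemProperty -Path $key -Name DefaultLevel `
                -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -eq $level) { return 'DefaultLevel not set' }

    switch ($level) {
        0       { 'Disallowed' }
        0x20000 { 'Basic User' }
        0x40000 { 'Unrestricted' }
        default { "Unknown (0x{0:X})" -f $level }
    }
}

function Test-DotNetLoadAllowed {
    # In Constrained Language Mode, Add-Type (and Assembly.Load* reflection)
    # is refused, which is the effect the post depends on. A successful
    # compile here means PowerShell is running with Full Language.
    $source = 'public class SrpProbe { public static int One() { return 1; } }'
    try {
        Add-Type -TypeDefinition $source -ErrorAction Stop | Out-Null
        return $true
    } catch {
        return $false
    }
}

# Summary object: a hardened host should show Disallowed / ConstrainedLanguage / False.
[pscustomobject]@{
    SrpDefaultLevel   = Get-SrpDefaultLevel
    LanguageMode      = $ExecutionContext.SessionState.LanguageMode
    DotNetLoadAllowed = Test-DotNetLoadAllowed
}
```

Run it once in a normal user session after applying the SRP policy; if `LanguageMode` still reports `FullLanguage` or `DotNetLoadAllowed` is `True`, the Disallowed default level is not reaching PowerShell and the restriction the post counts on is not in place.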