Simple Windows Hardening
<blockquote data-quote="wat0114" data-source="post: 962211" data-attributes="member: 91306">
<p>Agreed, and I do use OSArmor along with H_C to cover both scenarios of blocking scripts. But I think I can provide evidence, as seen below, where in the first partial log snippet from H_C events, H_C blocks the sample.hta script directly, without needing to block a command line where the LOLBin might be involved.</p>
<pre><code>Access to C:\Users\myself\Desktop\sample.hta has been restricted by your Administrator by the default software restriction policy level.</code></pre>
<p>In the second log snippet, taken from OSArmor's logs, I have temporarily disabled H_C's "Default Deny", and this is where OSA leaps into action blocking "suspicious command line strings". For this part of the test I also disabled in OSA "Block execution of uncommon scripts".</p>
<pre><code>Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\WINDOWS\System32\WScript.exe" "C:\Users\myself\Desktop\ClsTS.vbs"</code></pre>
<p>So isn't WScript in the command line the LOLBin?</p>
<p>Either way, there is lots of overlap with these two utilities - maybe too much even - that can effectively block scripting-type attacks.</p>
<p><strong>EDIT</strong></p>
<p>For better clarity, below is the same .vbs file blocked by H_C's SRP settings, where it kicks in before OSA.</p>
<p>[ATTACH]261463[/ATTACH]</p>
</blockquote>
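<p>A small classifier for the two log formats quoted in the post, added here as an example and not code from the post, from Hard_Configurator or from OSArmor. It separates an SRP file-level block from an OSArmor command-line block, names the script host on the command line, and tallies which layer blocked which script so the overlap the poster describes shows up in one view. The sample entries are constructed from the quoted snippets, and the LOLBin and extension lists are assumptions.</p>

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample entries modelled on the snippets quoted above (not captures
# from the poster's machine). The third mirrors the EDIT: SRP blocking the same .vbs.
SRP_HTA = (r"Access to C:\Users\myself\Desktop\sample.hta has been restricted by your "
           "Administrator by the default software restriction policy level.")
OSA_VBS = ("Rule Name: Block execution of suspicious command-line strings\n"
           r'Command Line: "C:\WINDOWS\System32\WScript.exe" "C:\Users\myself\Desktop\ClsTS.vbs"')
SRP_VBS = (r"Access to C:\Users\myself\Desktop\ClsTS.vbs has been restricted by your "
           "Administrator by the default software restriction policy level.")

# Assumed lists: Windows script hosts commonly tracked as LOLBins, and script extensions.
SCRIPT_HOST_LOLBINS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")

@dataclass
class BlockEvent:
    layer: str              # "SRP" (H_C default deny) or "OSArmor"
    script: Optional[str]   # script file the entry names, if any
    host: Optional[str]     # host binary on the command line, if any

def parse_event(text: str) -> Optional[BlockEvent]:
    """Classify one log entry from either layer; None if it matches neither format."""
    m = re.search(r"Access to (.+?) has been restricted", text)
    if m:  # SRP denies the script file itself, so no host binary appears
        return BlockEvent("SRP", m.group(1), None)
    m = re.search(r"Command Line:\s*(.+)", text)
    if m:  # OSArmor reports the full command line of the process it blocked
        args = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', m.group(1))]
        host = args[0].rsplit("\\", 1)[-1].lower() if args else None
        script = next((a for a in args[1:] if a.lower().endswith(SCRIPT_EXTENSIONS)), None)
        return BlockEvent("OSArmor", script, host)
    return None

def uses_script_host_lolbin(ev: BlockEvent) -> bool:
    """True when the blocked command line runs a script through a LOLBin host."""
    return ev.host in SCRIPT_HOST_LOLBINS

def blocked_by_layer(entries) -> dict:
    """Map each script's basename to the set of layers that reported blocking it."""
    seen = {}
    for entry in entries:
        ev = parse_event(entry)
        if ev and ev.script:
            name = ev.script.rsplit("\\", 1)[-1].lower()
            seen.setdefault(name, set()).add(ev.layer)
    return seen
```

Running <code>blocked_by_layer([SRP_HTA, OSA_VBS, SRP_VBS])</code> shows ClsTS.vbs under both layers and sample.hta under SRP alone, which is the overlap the post points out.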