notabot

Level 10
What solution do you use for sponsors/lolbins? It's probably the one attack vector that I'm not too happy with how I handle (I block lolbins from the firewall).

Which vendors currently have good protection for fileless malware which leverages lolbins and at the same time is low maintenance?

Also, from non-full-suite products, how do you find OS Armor against lolbins?

Windows native offering is WDAC, but I see this as a high maintenance-cost solution.
 

Andy Ful

Level 47
Verified
Trusted
Content Creator
WDAC on Windows 10 ver. 1903 (also Home and Pro ed.) is great if you use Windows Defender and mostly Microsoft applications or applications from Microsoft Store.
One can prepare a pretty nice and very secure setup, which will work flawlessly with simple WDAC policies and without user intervention (no need to do whitelisting when installing/updating applications).

For example:

Web browsers (from Microsoft, AppContainer support):
Microsoft Edge (Windows built-in), Microsoft Edge Dev (Chromium-based)
One can use Office Online extension for editing MS Office documents.

Apps from Microsoft Store:

Office document viewers:
Microsoft (Excel, Word, PowerPoint) Mobile

Office document editors (all not in APPContainer):
Neat Office (based on Libre Office), Ultra Office from CompuClever (based on Libre Office), WPS Office 2019 for Microsoft Store.

PDF viewers (all in AppContainer):
Adobe Reader Touch, Foxit MobilePDF, PDF Viewer Plus (from GSnathan), PDF Reader (from Kdan Mobile), Perfect PDF Reader (from soft Xpansion), Xodo PDF Reader & Editor (superfast for big documents).

Other applications:
Adobe Photoshop Express (APPContainer), Foobar2000 Mobile (APPContainer), Microsoft Whiteboard (APPContainer), Microsoft To-Do (APPContainer), Microsoft OneNote (APPContainer), MusicBee for Microsoft Store (not in APPContainer), Skype (APPContainer), Spotify for Microsoft Store (not in APPContainer), VLC for Microsoft Store (APPContainer), Wunderlist (APPContainer).

There are many other possibilities, I have chosen only the best.
Advanced users can also install the normal (desktop) applications in "Program Files ..." folders. But installing/updating such applications works best when WDAC protection is temporarily turned off.
Turning On/Off WDAC is very simple - just copy/delete the predefined SIPolicy.p7b file.
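The copy/delete toggle described above, as an added example that is not Andy's own script: it enables a prepared WDAC policy by copying it into place and refreshing Code Integrity from PowerShell, and disables it by deleting the file. It assumes an elevated shell and that $PolicyStore (an assumed path) holds a policy binary you built earlier, e.g. with ConvertFrom-CIPolicy; the function names are my own.

```powershell
# Added example, not from the thread. Assumes an elevated shell and a policy
# binary you prepared earlier at $PolicyStore (assumed path).
$PolicyStore  = 'C:\WDAC\SIPolicy.p7b'
$ActivePolicy = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SIPolicy.p7b'

function Get-WdacStatus {
    # Enforcement values from Win32_DeviceGuard: 0 = off, 1 = audit, 2 = enforced
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        PolicyFilePresent  = Test-Path $ActivePolicy
        UserModeEnforced   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        KernelModeEnforced = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

function Enable-WdacPolicy {
    Copy-Item -Path $PolicyStore -Destination $ActivePolicy -Force
    # Ask Code Integrity to load the new file now rather than at the next boot.
    Invoke-CimMethod -Namespace 'root/Microsoft/Windows/CI' -ClassName 'PS_UpdateAndCompareCIPolicy' `
        -MethodName 'Update' -Arguments @{ FilePath = $ActivePolicy } | Out-Null
    Get-WdacStatus
}

function Disable-WdacPolicy {
    # The delete half of copy/delete: the policy stops applying after the next
    # reboot. Keep the copy in $PolicyStore so it can be re-enabled later.
    if (Test-Path $ActivePolicy) { Remove-Item -Path $ActivePolicy -Force }
    Get-WdacStatus
}

Enable-WdacPolicy
```

Check Get-WdacStatus after a reboot to confirm the user-mode enforcement value matches what the policy's rule options request.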
 

notabot

Level 10
Thanks Andy - just copy/delete, or is a reboot required as well?

That said, I use a lot of non-MS & non-store apps and they’re runtimes for development, so more lolbins in effect. For my case WDAC is not very practical.

Ideally I’d want to keep Defender and just complement it with a tool for lolbins that’s low maintenance / time cost, but if none exists a full suite also works well.
 

Andy Ful

Level 47
Verified
Trusted
Content Creator
> Thanks Andy - just copy/delete, or is a reboot required as well?
If you use copy/delete then a reboot is required. If you use PowerShell then a reboot is not required (but a reboot can be optionally forced in the policy file).

> That said, I use a lot of non-MS & non-store apps and they’re runtimes for development, so more lolbins in effect. For my case WDAC is not very practical.
That is right.

> Ideally I’d want to keep Defender and just complement it with a tool for lolbins that’s low maintenance / time cost, but if none exists a full suite also works well.
There are many solutions:
  1. WDAC without default-deny option, all allowed except explicitly blocked LOLBins.
  2. Software based on SRP (native or 3rd party).
  3. Anti-exe, Sandboxing, HIPS software.
  4. Blocking LOLBins via IFEO Registry key.
  5. KIS, ESET, or other AV with Application Guard or HIPS.
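Item 4 of the list above, as an added example that is not Andy's code and not Hard_Configurator's: it blocks chosen LOLBins by setting an Image File Execution Options "Debugger" value that points at a path which does not exist, so the loader cannot start the image, and it audits every existing Debugger entry so you can spot ones you did not set. It assumes an elevated shell; the three image names and the $Blocker path are illustrative choices, not a vetted list.

```powershell
# Added example, not from the thread. Requires an elevated shell. The
# Debugger value applies to every launch of the image, including your own.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Placeholder path that must not exist: with it as Debugger, CreateProcess fails.
$Blocker  = 'C:\Windows\System32\ifeo-blocked-placeholder.exe'

function Block-Lolbin {
    param([Parameter(Mandatory)][string]$ImageName)
    $key = Join-Path $IfeoRoot $ImageName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Debugger' -Value $Blocker -PropertyType String -Force | Out-Null
}

function Unblock-Lolbin {
    param([Parameter(Mandatory)][string]$ImageName)
    $key = Join-Path $IfeoRoot $ImageName
    if (Test-Path $key) { Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue }
}

function Get-IfeoDebuggers {
    # Every IFEO subkey carrying a Debugger value, whoever set it. Entries you
    # do not recognise deserve a closer look, since the same key can redirect
    # a legitimate program to something else.
    Get-ChildItem -Path $IfeoRoot | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

# Illustrative selection only; choose your own list based on what you never run.
'mshta.exe', 'wscript.exe', 'cscript.exe' | ForEach-Object { Block-Lolbin $_ }
Get-IfeoDebuggers | Format-Table -AutoSize
```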
 

Andy Ful

Level 47
Verified
Trusted
Content Creator
From what I have seen on MT, some forum members apply WD + H_C, or KIS / ESET.
You can also use Excubits Bouncer. If you want to keep WD, and use H_C only for blocking LOLBins, then:
  1. Install H_C
  2. Press <Load Profile> and choose All_OFF.hdc
  3. Press <(Re)Install SRP>
  4. Press <Block Sponsors> <Select All>
  5. Apply changes.
The above SRP setup on Windows 64-bit will block over 170 LOLBins (and nothing else) when being run with standard rights.
CMD & PowerShell and any needed administrative tool can be run by you from an elevated shell to do admin tasks. I usually use elevated Total Commander for that. (y)
 

notabot

Level 10
Thanks Andy, I don't want to block them entirely however (at least not all of them), as I need to be able to use the runtimes -- it's more the case that I need to block parent process - child process relations and allow others.
 

notabot

Level 10
> Which runtimes? Most runtimes do not use LOLBins or only a few of them.

Most runtimes provide new lolbins though; as Windows Scripting Host is a lolbin, any scripting runtime is a candidate lolbin, as is any managed runtime (i.e. Java) or binary one, i.e. golang or C++ runtimes. Most of these are not Microsoft binaries.

I'm not sure what's the best solution for this, but probs a HIPS, as it would display an interactive message for each new parent process -> child process relationship. Or perhaps a sandbox like ReHIPS, which uses native-only mechanisms.

Btw, is there a list of those lolbins that can be blocked by firewalls without disrupting Windows?
 

notabot

Level 10
To give a concrete example of what I'm talking about: on my old machine I run Sophos Home Premium; about 1-2 years ago I had fetched some GitHub projects via git clone --recursive. Last week (!!!) Sophos found one of the dependencies had malware. I didn't have any issues with any accounts so far, but clearly a malicious node module has access to node's JS runtime, which in this case is a lolbin.

It's a mix of supply chain attack and lolbins that come into play. I didn't have any issues so far with any of my accounts or cards (2FA is NOT on my PC anyhow); probably my own code didn't make calls to the infected parts of the module, so I'm not worrying about this specific incident but more about this class of threats.

I'm fairly confident I won't run anything silly when I open a document or a PDF, but this sort of attack is impossible to detect; judging by the outcome, AVs are not quick to spot these either, probably because they target small developer communities and AV vendors don't get enough samples.

A HIPS may be handy: if, e.g., while running a node app I get a warning that the process is trying to open e.g. PowerShell, it's pretty clear something odd is going on.
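The parent-child check described above (a runtime such as node.exe starting PowerShell), as an added example that is not code from the thread or from any product named in it: it flags process-creation records where a development runtime spawned a LOLBin. It runs offline on the constructed records below; with -FromSysmon it reads live Sysmon Event ID 1 data instead (assumes Sysmon is installed and logging process creation), and the runtime and LOLBin lists are my own illustrative choices.

```powershell
# Added example, not from the thread. Lists below are illustrative; extend them.
$Runtimes = @('node.exe', 'java.exe', 'python.exe')
$Lolbins  = @('powershell.exe', 'cmd.exe', 'mshta.exe', 'wscript.exe',
              'cscript.exe', 'regsvr32.exe', 'rundll32.exe', 'certutil.exe')

# Constructed sample records (made up for this example) in Sysmon EID 1 shape.
$SampleEvents = @(
    [pscustomobject]@{ Time = '2019-08-01T10:00:01'; ParentImage = 'C:\Program Files\nodejs\node.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -w hidden -enc <base64>' }
    [pscustomobject]@{ Time = '2019-08-01T10:00:02'; ParentImage = 'C:\Program Files\nodejs\node.exe'
                       Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'C:\Windows\system32\cmd.exe /d /s /c node build.js' }
    [pscustomobject]@{ Time = '2019-08-01T10:00:03'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd /c dir' }
)

function Get-SysmonProcessCreates {
    # Maps live Sysmon EID 1 events into the same shape as $SampleEvents.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; ParentImage = $d.ParentImage
                               Image = $d.Image; CommandLine = $d.CommandLine }
        }
}

function Get-RuntimeSpawnedLolbins {
    param([object[]]$Events = $SampleEvents, [switch]$FromSysmon)
    if ($FromSysmon) { $Events = Get-SysmonProcessCreates }
    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if ($Runtimes -contains $parent -and $Lolbins -contains $child) {
            [pscustomobject]@{ Time = $e.Time; Parent = $parent; Child = $child; CommandLine = $e.CommandLine }
        }
    }
}

Get-RuntimeSpawnedLolbins | Format-Table -AutoSize
```

The second sample record shows the noise problem: npm scripts on Windows run through cmd.exe, so a plain parent-child rule needs an allow-list of known command lines before it is usable interactively.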
 

Andy Ful

Level 47
Verified
Trusted
Content Creator
If you want granular control over child processes then the best choice will be Excubits Bouncer. You can block completely some LOLBins and use complex parent-child rules for others.
But your idea of protection will be probably painful and time-consuming. Good luck, anyway.:giggle:(y)
If you will get bored with it, then remember that you can always use default-deny SRP setup (and additionally block most LOLBins even your runtimes) with standard rights.
You can still use your runtimes for productivity from an elevated shell.
 

notabot

Level 10
Then the malicious module fetched from GitHub may be called from an elevated shell!

Only recently has attention been paid to malware in open source repos, and things have started getting flagged. Eventually the tooling will evolve and getting malware from there will be as unlikely as getting a drive-by download with Chrome today when Safe Browsing is on, but it’s not there yet.

It’s an ecosystem issue that I’m trying to resolve locally, so it’s a tough one.
Is Bouncer interactive? No way I’m going to precompile lists for this; I’d rather do it by approving during use.

Also, wouldn’t OSArmor (never used it) also be able to deal with this?
 

Andy Ful

Level 47
Verified
Trusted
Content Creator
> Then the malicious module fetched from GitHub may be called from an elevated shell!
> ...
The malware in the home environment is initiated with standard rights. If the processes with standard rights are additionally restricted by you then they cannot elevate without your permission.
The only probable way of calling the malicious module from GitHub is calling it by the user. So, if you are using Microsoft Visual Studio for productivity, started by elevated Total Commander on an Administrator account, you must use only trusted resources.
You can run anything that uses untrusted resources on a highly restricted SUA without using an elevated shell.

Splitting the user activity between two or more accounts with different levels of security is easier than seeking one security for the wide spectrum of user activities.
But it does not mean that you should stop doing this.:giggle:(y)
 

shmu26

Level 82
Verified
Trusted
Content Creator
OSArmor is a good way to handle most lolbins. You can run it at default settings or enable whatever advanced settings you want, and if it blocks something, it's easy to make exceptions. It has internal rules for allowing known command line strings for Windows and common apps.
You can add custom block rules, too.
But you cannot directly block DLLs. For that, you need Bouncer. However, blocking DLLs directly is probably not worth the time and effort. It is a very frustrating business. Just block the sponsors and you are good.

That said, Hard_Configurator is an excellent solution. You probably don't need 3rd party solutions like OSA.