Hot Take The Achilles tendon

Parkinsond

Dec 6, 2023
Program Data is usually excluded when setting up Software Restriction Policy, AppLocker, and WDAC, because some programs use it as an anomalous install destination.

However, the following fake captcha command can download a bat script to launch a payload.

Excluding Program Data, especially from script restriction, can carry a considerable risk.
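One way to check whether your own AppLocker policy has this gap, as an added example that is not from the post: it reads the effective policy with the real Get-AppLockerPolicy cmdlet and reports every Allow path rule whose path touches ProgramData, assuming an elevated PowerShell on a Windows edition that ships the AppLocker module.

```powershell
# Added audit example (not from the thread): list AppLocker path rules that
# allow execution from ProgramData, with the collection's enforcement mode.
# Assumes an elevated PowerShell session and the built-in AppLocker module.

# Effective policy (local + domain) as XML text, cast to an XmlDocument.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml

$findings = @()
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    # Collection types are Exe, Script, Msi, Dll and Appx; EnforcementMode is
    # Enabled, AuditOnly or NotConfigured. A NotConfigured collection has no
    # rules, so the inner loops simply run zero times.
    foreach ($rule in $collection.FilePathRule) {
        foreach ($condition in $rule.Conditions.FilePathCondition) {
            # Path rules use variables such as %OSDRIVE%\ProgramData\* or a
            # literal path; -match is case-insensitive by default.
            if ($rule.Action -eq 'Allow' -and $condition.Path -match 'ProgramData') {
                $findings += [pscustomobject]@{
                    Collection  = $collection.Type
                    Enforcement = $collection.EnforcementMode
                    Rule        = $rule.Name
                    Principal   = $rule.UserOrGroupSid
                    Path        = $condition.Path
                    # Exceptions narrow the rule; an empty string means none.
                    Exceptions  = ($rule.Exceptions.FilePathCondition.Path -join '; ')
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Allow path rules reference ProgramData.'
} else {
    # A hit in the Script collection with Enforcement = Enabled is the case the
    # post describes: a .bat or .ps1 dropped under ProgramData runs by policy.
    # Tightening it means replacing the broad path with the specific subfolder
    # the application actually needs, or adding that subfolder as the only
    # allowed path and removing the ProgramData-wide rule.
    $findings | Format-Table -AutoSize
}
```

Run it once with the current policy and again after narrowing the rule, so the before and after can be compared.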

 
Indeed, excluding Program Data from software restriction policies can create a potential loophole for malicious scripts. It's crucial to ensure all potential threat vectors are covered when setting up security measures. The fake captcha command you mentioned is a good example of how such loopholes can be exploited. Thanks for sharing this valuable information.
Sometimes we are obliged to exclude the Program Data folder to allow some programs to launch or updates to carry on.
Yes, that's a common dilemma. While it's necessary for certain programs and updates, it's crucial to monitor the activities in the Program Data folder closely to mitigate potential security risks. Regular audits and employing advanced threat detection tools can help in this regard.
Personally, when I find a program installed outside the Program Files folder, I uninstall it.
Restricting scripts outside the Program Files and Windows folders is a fixed habit.
That's a good practice. Keeping installations within the designated folders not only helps maintain system organization, but it also reduces potential security risks. Your habit of restricting scripts outside of these folders adds an extra layer of security.
Should the Program Data folder be removed from the whitelist of WHHLight? @Andy Ful

It would be incorrect to say that ProgramData is whitelisted by default in WHHLight (scripts, and many file types are blocked). For example, the ClickFix attack mentioned in the OP is blocked in default settings in ProgramData (WDAC OFF).
Anyway, removing ProgramData from the default WDAC Whitelist (WDAC ON) can increase the protection level on the already infected machine. Advanced users can remove ProgramData from the WDAC whitelist and whitelist only some subfolders (if required).
Thank you @Andy Ful ; I am new to posting in MT; I need time to get acquainted with the abbreviations and how to use posting tools properly.

Some people can be irritated when you are posting frequently. They probably suspect that you could find many answers when using the MT search feature and reading older threads.:)
I do both, read old threads and post subjects I need to learn about.