Hot Take ThreatLocker approach to fileless malware

Parkinsond

Dec 6, 2023
In contrast to the usual way of restricting script files (such as bat, cmd, ps1, and others) outside the system space to limit fileless malicious processes, ThreatLocker presents limiting the apps used by fileless malware.

Is such an approach more efficient? Is it usable for home users?

 
Is such an approach more efficient? Is it usable for home users?
ThreatLocker allows admins to lock down the system (it includes a lot more than just script execution prevention; it also controls installers, browser extensions and so on). Is it useful for home users — I don’t think so.
 
They say on their web site "dictate how they interact with other applications, the registry, the internet, or valuable files." That's a great feature, but the allow list has to be built. But who knows all the registries that PowerShell will hit? That seems like a daunting task, unless they supply a large library of pre-built rules.

Their time-bracketed port openings look interesting. Pretty similar to the concept of port knocking - knock with 2 'pings' and the port will open.
 
But who knows all the registries that PowerShell will hit?
Do they mean by "limiting what applications are allowed to do" to block apps like PowerShell and Command Prompt and services like Background Tasks Infrastructure Service?
 
I think yes. But according to what I mentioned above, they also consider what PowerShell and cmd will touch - i.e. PowerShell is the Subject and what they can touch is the Object.
 
I think yes. But according to what I mentioned above, they also consider what PowerShell and cmd will touch - i.e. PowerShell is the Subject and what they can touch is the Object.
Would blocking Powershell completely stop malicious scripts from running? I can recall reading they can still launch even if Powershell is blocked.
 
I currently block PowerShell and Cmd via WDAC using the WDAC Wizard. I can help if you want to do that.
 
Would blocking PowerShell completely stop malicious scripts from running? I can recall reading they can still launch even if PowerShell is blocked.
You can still launch PowerShell with ThreatLocker unless the admin, through Application Control, has prohibited the application. Users can press a button that will request the admin to unblock the application. The power of ThreatLocker is in the fact that admins will gather all apps that need to be used for day-to-day work, they will allow them, and the rest will be automatically denied.

I am using ThreatLocker myself (not on my machines).
 
You can still launch PowerShell with ThreatLocker unless the admin, through Application Control, has prohibited the application. Users can press a button that will request the admin to unblock the application. The power of ThreatLocker is in the fact that admins will gather all apps that need to be used for day-to-day work, they will allow them, and the rest will be automatically denied.

I am using ThreatLocker myself (not on my machines).
So blocking PowerShell by the admin can prevent the end user from executing scripts, which provides protection, but can it be useful for stopping the launch of scripts without the end user's direct permission (such as a script launched by clicking a malicious LNK file included inside an e-mail attachment)?
 
So blocking PowerShell by the admin can prevent the end user from executing scripts, which provides protection, but can it be useful for stopping the launch of scripts without the end user's direct permission (such as a script launched by clicking a malicious LNK file included inside an e-mail attachment)?
It will block the script interpreter/LOLBin, no matter what's trying to call it and how.
 
It will block the script interpreter/LOLBin, no matter what's trying to call it and how.
One more question: if I blocked running PowerShell using Group Policy (Do not run specified Windows applications), would it act the same way as the ThreatLocker fileless malware control? Any negative impact on Windows usability?
 
One more question: if I blocked running PowerShell using Group Policy (Do not run specified Windows applications), would it act the same way as the ThreatLocker fileless malware control? Any negative impact on Windows usability?
Yes, it will work the same way: PowerShell will not execute. But blocking script interpreters and LOLBins is often whack-a-mole; ideally you will need to block a lot more than just PowerShell (though PowerShell blockages inevitably incapacitate a lot of malware).

In terms of usability, it depends on what software you use; generally, there are no problems caused.

The group policy will not block cases where the malware can drop its own PowerShell.

You can block by hash, but after 2-3 Windows updates the PowerShell hash will change. That's another whack-a-mole, always updating the hash-based rule.

For this reason, the default-deny approach of ThreatLocker is more efficient.

You will allow Microsoft Office, browsers and so on (anything else that the business needs) and everything else (including installers, browser extensions and others) will be automatically blocked.
 
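As an added illustration of the Group Policy block list and the hash-drift point discussed in the replies above (my own example code, not from the thread, the posters or ThreatLocker), this PowerShell audit reads the entries that the "Do not run specified Windows applications" setting writes, reports which interpreters are covered, and shows why a hash-keyed rule drifts while the signer does not. The interpreter list is an assumption; extend it for your environment.

```powershell
# Added example, not from the thread or ThreatLocker: audit what the Group Policy
# "Do not run specified Windows applications" setting actually covers. Explorer
# reads the list from this key (HKCU for a per-user policy; the HKLM path is the
# same under HKLM:) and matches on the bare file name only.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'DisallowRun'

# Interpreters/LOLBins to check; assumed list (the thread names only PowerShell and cmd).
$interpreters = @('powershell.exe', 'powershell_ise.exe', 'pwsh.exe',
                  'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')

function Get-DisallowRunEntries {
    # Values under DisallowRun are named "1", "2", ... and hold file names.
    if (-not (Test-Path $listKey)) { return @() }
    $item = Get-Item $listKey
    foreach ($name in $item.GetValueNames()) { $item.GetValue($name) }
}

function Test-DisallowRunCoverage {
    $enabled = (Get-ItemProperty -Path $policyKey -Name DisallowRun `
                -ErrorAction SilentlyContinue).DisallowRun -eq 1
    $blocked = @(Get-DisallowRunEntries)
    foreach ($exe in $interpreters) {
        [pscustomobject]@{
            Interpreter   = $exe
            PolicyEnabled = $enabled
            # Name-based match: a copy of the binary dropped under another
            # name (the case raised in the thread) is never on this list.
            Blocked       = ($blocked -contains $exe)
        }
    }
}

function Get-InterpreterIdentity {
    # Contrast the two attributes a block rule can key on: the file hash
    # moves with every update of the binary, the signer subject does not.
    foreach ($exe in $interpreters) {
        $cmd = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue
        if (-not $cmd) { continue }
        $path = $cmd.Source
        [pscustomobject]@{
            Interpreter = $exe
            Sha256      = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            Signer      = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
        }
    }
}

Test-DisallowRunCoverage | Format-Table -AutoSize
Get-InterpreterIdentity  | Format-Table -AutoSize
```

Run it before and after a cumulative update to see the Sha256 column change while the Signer column stays the same, which is the drift the reply above describes.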