Vulnerable Processes

Status
Not open for further replies.

hjlbx (thread author)
Would you recommend users with EXE Radar Pro to add those vulnerable processes to... well, EXE Radar Pro's vulnerable processes?

THIS IS REALLY IMPORTANT ! : Users need to educate themselves.

Here is valuable info from SubTee:

ApplicationWhitelistBypassTechniques/Limits.txt at master · subTee/ApplicationWhitelistBypassTechniques · GitHub

ApplicationWhitelistBypassTechniques/TheList.txt at master · subTee/ApplicationWhitelistBypassTechniques · GitHub

NVT ERP is the way to go if one wants to monitor/block execution of any process that you do not wish to execute.
 

hjlbx (thread author)
Does AppGuard also already protect against those or does one need to include some in AppGuard?

While you can add those processes to User Space in AppGuard, that means they will always be blocked - with no way for the user to Allow - unless you go to the User Space tab and select No.

From a practical standpoint, it is better to add them - if you wish - to NVT ERP's vulnerable process list and run in Alert Mode. This way, if one of the processes is executed, NVT ERP will generate an alert from within which you can select Allow or Block.

NVT ERP is more convenient for those processes you might need to use for trouble-shooting - e.g. ipconfig.exe, netstat.exe, etc.

Plus, with a few of the processes there might be some breakage until allowed. NVT ERP gives this ease-of-use flexibility.

However, there are quite a few processes which the typical user will likely never use from the command line.

Each user needs to figure out and decide how they wish to handle it on their own specific system.
 

marzametal
robocopy.exe can be used to examine the size of System Volume Information...
Code:
robocopy "c:\System Volume Information" c:\dummy /l /xj /e /nfl /ndl /njh /r:0 /b

On W7 HP x64:
Code:
C:\Windows\System32\Robocopy.exe
C:\Windows\SysWOW64\Robocopy.exe
C:\Windows\winsxs\amd64_microsoft-windows-robocopy_31bf3856ad364e35_6.1.7601.17514_none_252d34f00303c6fa\Robocopy.exe
C:\Windows\winsxs\x86_microsoft-windows-robocopy_31bf3856ad364e35_6.1.7601.17514_none_c90e996c4aa655c4\Robocopy.exe
 

hjlbx (thread author)
For those that are interested, I've created a spreadsheet that is a combined list of various sources of information regarding vulnerable processes, commands and file types:

https://1drv.ms/u/s!AsdAHooQXWQs43wSLL1toEPGy0We


jamescv7
That is the problem with Windows processes: they do not have the ability to block or protect against manipulation. AppGuard and other tools should carefully implement those critical processes, because the solution's process may not work every time.
 

_CyberGhosT_
If you don't mind me asking hjlbx, what is that "S Premium" you're using there?
Cool post too by the way, very inclusive list Thanks.
 

shmu26
NVT ERP is the way to go if one wants to monitor/block execution of any process that you do not wish to execute.
ERP users should be aware that vulnerable processes are identified by their hash value, so if you get a significant windows update, you might need to refresh some of your vulnerable processes. You can check this by manually executing the items on your list, and see if you get the popup you expected. If not, delete the old entry, and re-add it.
 
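The hash-refresh check described in the post above, as an added example that is not part of the thread or of NVT ERP's own code: a PowerShell script that records the SHA256 of each listed process in both System32 and SysWOW64 (the two live copies marzametal's post lists for robocopy.exe) and, on later runs, reports which entries changed, so the user knows which ERP entries to delete and re-add after a Windows update. The process list, the baseline file location and the requirement of PowerShell 4.0 or newer for Get-FileHash are assumptions, not anything the thread specifies.

```powershell
# Added example, not code from the thread or from NVT ERP.
# Baselines the SHA256 hashes of a list of "vulnerable" processes and reports
# which ones changed since the baseline was written.
# Assumptions: the list below is a placeholder subset, the baseline is kept
# in the user's profile, and Get-FileHash (PowerShell 4.0+) is available.

$VulnerableProcesses = @(
    'powershell.exe', 'powershell_ise.exe', 'cmd.exe', 'wscript.exe',
    'cscript.exe', 'mshta.exe', 'regsvr32.exe', 'rundll32.exe', 'robocopy.exe'
)
# Both native and WOW64 copies exist on x64 Windows, and both can be executed.
$SearchRoots  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$BaselinePath = Join-Path $env:USERPROFILE 'vulnerable-process-hashes.json'

function Get-VulnerableProcessHashes {
    param([string[]]$Names, [string[]]$Roots)
    $result = @{}
    foreach ($root in $Roots) {
        foreach ($name in $Names) {
            $path = Join-Path $root $name
            if (Test-Path -LiteralPath $path) {
                # Hash the file itself: this is what an anti-executable keyed
                # on hash values compares against at launch time.
                $result[$path] = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
    return $result
}

$current = Get-VulnerableProcessHashes -Names $VulnerableProcesses -Roots $SearchRoots

# First run: write the baseline and stop.
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) files)."
    return
}

# Later runs: load the baseline and diff it against the current hashes.
$baselineObj = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
$baseline = @{}
foreach ($p in $baselineObj.PSObject.Properties) { $baseline[$p.Name] = $p.Value }

$changed = @(); $new = @(); $missing = @()
foreach ($path in $current.Keys) {
    if (-not $baseline.ContainsKey($path))        { $new     += $path }
    elseif ($baseline[$path] -ne $current[$path]) { $changed += $path }
}
foreach ($path in $baseline.Keys) {
    if (-not $current.ContainsKey($path))         { $missing += $path }
}

foreach ($path in $changed) { Write-Host "CHANGED (delete and re-add the ERP entry): $path" }
foreach ($path in $new)     { Write-Host "NEW (not in baseline):                    $path" }
foreach ($path in $missing) { Write-Host "MISSING (file no longer present):         $path" }
if (-not $changed -and -not $new -and -not $missing) {
    Write-Host 'All hashes match the baseline; no ERP entries need refreshing.'
}

# After updating the ERP entries, refresh the baseline with:
# $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
```

Run it once after setting up the vulnerable process list to write the baseline, then again after each cumulative update. Only paths reported as CHANGED need their entries re-added; a NEW entry just means a file appeared that the baseline never saw. The script deliberately hashes the file on disk rather than trusting the version string, because that is the value a hash-keyed anti-executable actually matches on.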

hjlbx (thread author)
ERP users should be aware that vulnerable processes are identified by their hash value, so if you get a significant windows update, you might need to refresh some of your vulnerable processes. You can check this by manually executing the items on your list, and see if you get the popup you expected. If not, delete the old entry, and re-add it.

You can avoid all this by not trusting System32 and SysWOW64 files that change... it's in the NVT ERP settings.
 

_CyberGhosT_
No, I don't use MS Office; its hub and anything related to MS Office is blacklisted on this PC.
I use SoftMaker Office, but I have never seen that "S Premium" up there, so it piqued my
curiosity. I will give it a look. Thanks.
 
hjlbx (thread author)
thanks hjlbx!

ReHIPS users can do this, too.
And Cyberghost has already taught us how to use Process Lasso to elegantly disable processes.
Process Lasso 101

It is better to disable a vulnerable process, or execute it with restricted privileges, than to allow it to execute, even using an anti-executable or HIPS.

An exploit can bypass an anti-executable by abusing vulnerable processes not included in the blacklist and gain escalation of privilege.
 

_CyberGhosT_
thanks hjlbx!

ReHIPS users can do this, too.
And Cyberghost has already taught us how to use Process Lasso to elegantly disable processes.
Process Lasso 101
"Some" my friend. Some of the ones on hjlbx's list you can't block or it will cripple Windows. That's why I suggest to google what each process is for before blocking it. ;)
 

shmu26
This is my bare-bones list of blocked processes.
It should work on any x64 system, and will not cripple Windows, but will still stop the common exploits.
(The full names of the 4 PowerShell processes got cut off in my screenshot.
They are: powershell.exe and powershell_ise.exe.)


hjlbx (thread author)
"Some" my friend. Some of the ones on hjlbx's list you can't block or it will cripple windows. That's why i suggest to google what each process is for before blocking it. ;)

Actually, I submitted warning to ReCrypt - that users could block things like winlogon.exe - and smash themselves right outta the system.

I believe this issue should be fixed by now.

Ask @Umbra - he's active at the ReCrypt forum.
 

_CyberGhosT_
this is my bare-bones list of blocked processes.
It should work on any x64 system, and will not cripple Windows, but will still stop the common exploits.
Excellent, and remember, if you need to use something like "cmd"
you can remove it, then add it back later. Glad you got it sorted, my friend.
PeAcE
 