lolbas-project.github.io
Not that I know of, but I live under a rock with not much on my machine!
No, I simply used most of SysHardener entries (except a few) and added those LOLBins that may be used for downloading the payloads from remote locations. Some entries used in FirewallHardening tool are added because they were used as a target of malicious code injections.
If ransomware is not a concern, ultimately the malware will eventually try to phone out, no ?
In most cases, the malware will not inject the code to LOLBins (except those I mentioned), but to Explorer or common system processes, or will hide behind svchost.
I see, so if UWP is not bypassed & can prevent injections to existing processes, monitoring parent-child relations is the only way. In old versions of Windows (old like XP) I used to ban explorer from firewall though, then the OS was different, eg users downloaded service packs and run them by hand but perhaps explorer can still be blocked. I used to let only Opera as outgoing , worked wonderful back in the day. Today tho I’d expect the OS To have many hiccups with such a rule for outgoing
Of course, it is possible. But, the malc0ders can use those services which should not be blocked by firewall rules.
see
Sure but if you can't safely switch off a service and you also can't block it from firewall, no policy can helpOf course, it is possible. But, the malc0ders can use those services which should not be blocked by firewall rules.
Yes and convenience of config, it's much more convenient than WDAC
Not necessarily. The policies can surely help to prevent malware before it could hide behind svhost. It is easier to prevent malware in Windows OS, than fighting the active one (at least in the home environment). That is why policies were introduced to Windows (also SRP, Applocker, and Application Guard).
