Q&A Which lolbins can be blocked at the firewall level without disrupting the OS

notabot · Sep 1, 2019

Which lolbins/sponsors can be blocked at firewall level (block outgoing & ongoing) without disrupting Windows ?

The list is pretty long , a list ( not sure how complete it is ) can be found at:

LOLBAS

lolbas-project.github.io

Andy Ful · Sep 1, 2019

Did anybody have problems with those blocked by FirewallHardening tool?

Chuck57 · Sep 1, 2019

I use windows firewall hardener. It can be found in Andy Ful's Hard Configurator, or you can get it separately at Github under Hard Configurator. No problems of any kind with it, hard configurator, or configure defender. Excellent program.

oldschool · Sep 1, 2019

Andy Ful said:
Did anybody have problems with those blocked by FirewallHardening tool?

Not that I know of, but I live under a rock with not much on my machine!

notabot · Sep 1, 2019

Chuck57 said:
I use windows firewall hardener. It can be found in Andy Ful's Hard Configurator, or you can get it separately at Github under Hard Configurator. No problems of any kind with it, hard configurator, or configure defender. Excellent program.

Thanks !
@andy, is the list you use for your firewall hardener the same one as the lolbas list ?

Andy Ful · Sep 1, 2019

notabot said:
Thanks !
@andy, is the list you use for your firewall hardener the same one as the lolbas list ?

No, I simply used most of SysHardener entries (except a few) and added those LOLBins that may be used for downloading the payloads from remote locations. Some entries used in FirewallHardening tool are added because they were used as a target of malicious code injections.
Generally, blocking by firewall rules is efficient on script interpreters and a few LOLBins. Most LOLBins do not require the Internet connection and should be blocked on execution.

notabot · Sep 1, 2019

Andy Ful said:
No, I simply used most of SysHardener entries (except a few) and added those LOLBins that may be used for downloading the payloads from remote locations. Some entries used in FirewallHardening tool are added because they were used as a target of malicious code injections.
Generally, blocking by firewall rules is efficient on script interpreters and a few LOLBins. Most LOLBins do not require the Internet connection and should be blocked on execution.

If ransomware is not a concern, ultimately the malware will eventually try to phone out, no ?

Andy Ful · Sep 1, 2019

notabot said:
If ransomware is not a concern, ultimately the malware will eventually try to phone out, no ?

In most cases, the malware will not inject the code to LOLBins (except those I mentioned), but to Explorer or common system processes, or will hide behind svchost.

notabot · Sep 1, 2019

Andy Ful said:
In most cases, the malware will not inject the code to LOLBins (except those I mentioned), but to Explorer or common system processes, or will hide behind svchost.

I see, so if UWP is not bypassed & can prevent injections to existing processes, monitoring parent-child relations is the only way. In old versions of Windows (old like XP) I used to ban explorer from firewall though, then the OS was different, eg users downloaded service packs and run them by hand but perhaps explorer can still be blocked. I used to let only Opera as outgoing , worked wonderful back in the day. Today tho I’d expect the OS To have many hiccups with such a rule for outgoing

In any case svchost is an issue indeed as I’m not aware of a firewall that can filter based on which service is making the request each time

Edit : actually it is possible to set firewall rules based on which service is behind svchost.

Andy Ful · Sep 2, 2019

notabot said:
...
Edit : actually it is possible to set firewall rules based on which service is behind svchost.

Of course, it is possible. But, the malc0ders can use those services which should not be blocked by firewall rules.

floalma · Sep 2, 2019

@notabot
What's UWP ?

shmu26 · Sep 2, 2019

AFAIK the main gain from blocking lolbins at the firewall level is to help prevent the downloading of the payload.

notabot · Sep 3, 2019

floalma said:
@notabot
What's UWP ?

see

What's a Universal Windows Platform (UWP) app? - UWP applications

Learn about Universal Windows Platform (UWP) apps that can run across a wide variety of devices that run Windows 10.

docs.microsoft.com

Andy Ful said:
Of course, it is possible. But, the malc0ders can use those services which should not be blocked by firewall rules.

Sure but if you can't safely switch off a service and you also can't block it from firewall, no policy can help

shmu26 said:
AFAIK the main gain from blocking lolbins at the firewall level is to help prevent the downloading of the payload.

Yes and convenience of config, it's much more convenient than WDAC

Andy Ful · Sep 3, 2019

notabot said:
...
Sure but if you can't safely switch off a service and you also can't block it from firewall, no policy can help
...

Not necessarily. The policies can surely help to prevent malware before it could hide behind svhost. It is easier to prevent malware in Windows OS, than fighting the active one (at least in the home environment). That is why policies were introduced to Windows (also SRP, Applocker, and Application Guard).
The firewall rules can be efficient after exploiting the system, but before the exploit will download something more complex (to disk or to memory). So they are most helpful when applied to LOLBins with downloading abilities.

Search

Q&A Which lolbins can be blocked at the firewall level without disrupting the OS

notabot

Level 15

LOLBAS

Andy Ful

Level 60

Chuck57

Level 3

oldschool

Level 53

notabot

Level 15

Andy Ful

Level 60

notabot

Level 15

Andy Ful

Level 60

notabot

Level 15

Andy Ful

Level 60

floalma

Level 4

shmu26

Level 85

notabot

Level 15

What's a Universal Windows Platform (UWP) app? - UWP applications

Andy Ful

Level 60

Similar threads