Microsoft Published a List of Legitimate Apps that Hackers Abuse to Bypass Windows Defender May 13, 2019 https://gbhackers.com/microsoft-legitimate-apps/
On the list is system.management.automation.dll which is used for tricky powershell attacks. Any ideas how to effectively block it? Testers say that it is created on the fly and thus cannot be blocked by typical blacklisting solutions.
If you block all user-writable locations for execution (loading), wouldn't you get at least a UAC prompt if it tries to get created in system or program folders?
AFAIK, UAC doesn't react to dlls; it is just for executables that request admin privileges. If you want to block dlls, you need Win10 SRP/Applocker or specialized 3rd party softs.
You can do it with Excubits Pumpernickel, if you block read access to system.management.automation.dll. If it can't be read, it can't be created. Note that Powershell will always fail, no matter how you launch it, if you block the dll. Thanks to @WildByDesign for this discovery. The config for this would be pretty simple and short, and works with the demo version. Make sure you add a blank line at the end of the config file.

[LETHAL]
[LOGGING]
[WHITELISTMODIFY]
*>*
[BLACKLISTMODIFY]
[WHITELISTREAD]
*>*
[BLACKLISTREAD]
*>*system.management.automation.dll
[EOF]

Yes, but if you try to create a dll in a system or program folder, that process needs admin privileges. Or does "created on the fly" mean something else?
I never saw a UAC prompt for that. AFAIK "on the fly" means that the dll is compiled and loaded straight into memory; it is not written to disk, and that's why other security solutions can't stop it. This is the elegant monster that Microsoft unleashed on us.
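The thread covers blocking the PowerShell engine assembly (SRP/AppLocker DLL rules, or denying read access with Pumpernickel). A complementary detection-side approach, added here as an example that is not from this thread or from any vendor's product, is to watch for System.Management.Automation.dll being loaded into a process that is not a PowerShell host. The script below mimics the field layout of a Sysmon Event ID 7 (Image loaded) record; the log lines, the process names and the allowlist of expected hosts are all constructed assumptions for the demonstration.

```python
"""Flag loads of the PowerShell engine assembly by non-PowerShell processes.

Added example for the thread above; not code from the thread or from any
vendor. Input is a constructed "key=value" rendering of Sysmon's ImageLoad
event (EventID 7): Image is the loading process, ImageLoaded is the DLL.
"""
import re
from pathlib import PureWindowsPath

# The PowerShell engine assembly and its native-image (NGEN) variant.
POWERSHELL_ENGINE_DLLS = {
    "system.management.automation.dll",
    "system.management.automation.ni.dll",
}

# Processes expected to host the engine. Anything else loading it is worth
# a look. Assumption: a workstation baseline; tune it for your own estate,
# because some legitimate .NET management tools also host the engine.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Constructed sample records, one event per line (paths and process names
# are illustrative, not real captures).
SAMPLE_EVENTS = """\
EventID=7 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ImageLoaded=C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management.Automation\\System.Management.Automation.ni.dll
EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe ImageLoaded=C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll
EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\shell32.dll
EventID=7 Image=C:\\Program Files\\Contoso\\svc.exe ImageLoaded=C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll
"""

# key=value pairs; values may contain spaces (e.g. "Program Files"), so a
# value runs until the next " Key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one event line into a dict of field name -> value."""
    return {key: value for key, value in FIELD_RE.findall(line.strip())}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def is_suspicious_engine_load(event: dict) -> bool:
    """True when a non-allowlisted process loads the PowerShell engine DLL."""
    if event.get("EventID") != "7":
        return False
    loaded = basename(event.get("ImageLoaded", ""))
    host = basename(event.get("Image", ""))
    return loaded in POWERSHELL_ENGINE_DLLS and host not in EXPECTED_HOSTS


def find_suspicious_loads(log_text: str) -> list:
    """Return (process, dll) pairs for every suspicious engine load."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_suspicious_engine_load(event):
            hits.append((event["Image"], event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for host, dll in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT: {host} loaded {dll}")
```

On the constructed sample this flags updater.exe and svc.exe but not powershell.exe or explorer.exe. The check is a detection, not a block: it does nothing to stop the load, but it surfaces exactly the case discussed in the thread where the engine runs inside a process that never wrote a dll to disk. Expect to extend the allowlist after a baseline period, and to pair the rule with the process's signer and path rather than the file name alone.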