Microsoft Published a List of Legitimate Apps that Hackers Abuse to Bypass Windows Defender

guest · May 14, 2019

Microsoft Published a List of Legitimate Apps that Hackers Abuse to Bypass Windows Defender
May 13, 2019
https://gbhackers.com/microsoft-legitimate-apps/

Microsoft published legitimate apps that can be abused by attackers to bypass the security rules and to infects organizations network through living off the land attack methods.

Living off is the method in which attackers use operating system features or legitimate network administration tools to compromise victims’ networks.
“Living off the land” was coined by Matt Graeber & Oddvar Moe, and the primary intention of this project is to understand what binaries were the attacker’s abuse to carry out malicious activities.
Click to expand...

LOLBins – Living Off The Land Binaries

LOLScripts – Living Off The Land Scripts

LOLLibs – Living Off The Land Libraries

GTFOBins – Unix Platform Binaries

Click to expand...

Microsoft recommends you to block the following applications if they are not in user. “These applications or files can be used by an attacker to circumvent application whitelisting policies, including Windows Defender Application Control.” [...]

Microsoft provided deny file rules for all the application listed and recommended to update with latest security updates.
Threat actors depend more on abusing the genuine windows system files and achieve their goal in persistence, defense evasion, lateral movement and more.
Click to expand...

Minimalist · May 14, 2019

Nice list of executables to add to deny execution list

Rasheed187 · May 18, 2019

Cool, will add them to my list. Will block them all with EXE Radar.

guest · May 18, 2019

Lol at the list, it is so limited, mine has around 150 entries, all denied via my SRP.

Mr.X · May 18, 2019

guest said: ↑

Lol at the list, it is so limited, mine has around 150 entries, all denied via my SRP.
Click to expand...

+1 Soooo limited and ***** list.

shmu26 · May 18, 2019

On the list is
system.management.automation.dll
which is used for tricky powershell attacks.
Any ideas how to effectively block it? Testers say that it is created on the fly and thus cannot be blocked by typical blacklisting solutions.

Minimalist · May 19, 2019

shmu26 said: ↑

Any ideas how to effectively block it? Testers say that it is created on the fly and thus cannot be blocked by typical blacklisting solutions.
Click to expand...

If you block all user writable locations for execution (loading), wouldn't you get at least UAC prompt if it tries to get created in system or program folders?

guest · May 19, 2019

Minimalist said: ↑

If you block all user writable locations for execution (loading), wouldn't you get at least UAC prompt if it tries to get created in system or program folders?
Click to expand...

AFAIK, UAC doesn't react to dlls, it is just for executables that request admin privileges.

You want to block dlls, you need Win10 SRP/Applocker or specialized 3rd party softs.

shmu26 · May 19, 2019

guest said: ↑

AFAIK, UAC doesn't react to dlls, it is just for executables that request admin privileges.

You want to block dlls, you need Win10 SRP/Applocker or specialized 3rd party softs.
Click to expand...

You can do it with Excubits Pumpernickel, if you block read access to system.management.automation.dll. If it can't be read, it can't be created.
Note that Powershell will always fail, no matter how you launch it, if you block the dll.
Thanks to @WildByDesign for this discovery.

The config for this would be pretty simple and short, and works with the demo version. Make sure you add a blank line at the end of the config file.

[LETHAL]
[LOGGING]
[WHITELISTMODIFY]
*>*
[BLACKLISTMODIFY]

[WHITELISTREAD]
*>*
[BLACKLISTREAD]
*>*system.management.automation.dll
[EOF]

Minimalist · May 19, 2019

guest said: ↑

AFAIK, UAC doesn't react to dlls, it is just for executables that request admin privileges.
Click to expand...

Yes but if you try to create dll in system or program folder that process needs admin privileges.
Or does "created on the fly" mean something else.

shmu26 said: ↑

Testers say that it is created on the fly and thus cannot be blocked by typical blacklisting solutions.
Click to expand...

shmu26 · May 19, 2019

Minimalist said: ↑

Yes but if you try to create dll in system or program folder that process needs admin privileges.
Or does "created on the fly" mean something else.
Click to expand...

I never saw a UAC prompt for that. AFAIK "on the fly" means that the dll is compiled and loaded straight into memory, it is not written to disk, that's why other security solutions can't stop it. This is the elegant monster that Microsoft unleashed on us.

Minimalist · May 19, 2019

shmu26 said: ↑

I never saw a UAC prompt for that. AFAIK "on the fly" means that the dll is compiled and loaded straight into memory, it is not written to disk, that's why other security solutions can't stop it. This is the elegant monster that Microsoft unleashed on us.
Click to expand...

OK, that makes sense. Thnx for explanation

Log in or Sign up

Microsoft Published a List of Legitimate Apps that Hackers Abuse to Bypass Windows Defender

guest Guest

Minimalist Registered Member

Rasheed187 Registered Member

guest Guest

Mr.X Registered Member

shmu26 Registered Member

Minimalist Registered Member

guest Guest

shmu26 Registered Member

Minimalist Registered Member

shmu26 Registered Member

Minimalist Registered Member

Log in or Sign up

Microsoft Published a List of Legitimate Apps that Hackers Abuse to Bypass Windows Defender

guest Guest

Minimalist Registered Member

Rasheed187 Registered Member

guest Guest

Mr.X Registered Member

shmu26 Registered Member

Minimalist Registered Member

guest Guest

shmu26 Registered Member

Minimalist Registered Member

shmu26 Registered Member

Minimalist Registered Member

Useful Searches