AndyFul / Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS

Another feature request #13

Closed ghost closed 2 years ago

ghost commented 2 years ago

A useful one this time. I've noticed that the blocked sponsors list in H_C does not encompass every executable that Microsoft has marked as unsafe in their recommended block rules.

It'd be nice to have an option to add and select any executable or DLL you want and add it as an item blocked by SRP. This could be helpful if new exploits or vulnerable executables emerge and you want to block them to be safe, without having to wait for an update to the blocked sponsors list.

Perhaps add a "Custom Block List" option under the Whitelist options in Hard_Configurator, which opens a new window similar to the whitelists, detailing all the items blocked by the user. This would also be a good addition to my security guide and I would be able to easily have people block vulnerable executables, whereas right now I can't do that without complications.

A good example of a harmful executable would be sethc.exe, which allows for a privilege escalation exploit on the lock screen. If this executable were to be blocked using the custom feature described above, this wouldn't be an issue. But right now, sethc is nowhere to be seen in the Blocked Sponsors list... therefore I once again request the addition of this feature.
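What the requested "Custom Block List" entry amounts to underneath, as an added example that is not part of this issue thread or of Hard_Configurator's own code: a PowerShell function that writes one SRP "Disallowed" path rule into the registry location SRP reads, plus a function that lists the rules already present so the result can be checked. It assumes an elevated PowerShell on Windows 10/11 where SRP is already enabled (for example by H_C), the standard Safer registry layout, and a hypothetical blocked path `C:\Tools\vulnerable-tool.exe`.

```powershell
# Added example (not Hard_Configurator's code). Assumes SRP is already enabled
# so the CodeIdentifiers key exists, and that the shell is elevated.
# Level 0 under CodeIdentifiers is "Disallowed"; each path rule is a GUID subkey.
$SrpDisallowedPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

function Get-SrpDisallowedRule {
    # Returns every Disallowed path rule as an object (Guid, Path, Description).
    if (-not (Test-Path $SrpDisallowedPaths)) { return @() }
    Get-ChildItem $SrpDisallowedPaths | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Path        = $p.ItemData
            Description = $p.Description
        }
    }
}

function Add-SrpDisallowedRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = 'Custom block (added manually)'
    )
    # Refuse duplicates so repeated runs do not litter the key with copies.
    $existing = Get-SrpDisallowedRule | Where-Object { $_.Path -ieq $Path }
    if ($existing) { return $existing }

    $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $key  = New-Item -Path (Join-Path $SrpDisallowedPaths $guid) -Force

    # ItemData is REG_EXPAND_SZ so %SystemRoot%-style paths expand at check time;
    # SaferFlags is 0 for a plain path rule; LastModified is a FILETIME (QWORD).
    New-ItemProperty -Path $key.PSPath -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key.PSPath -Name LastModified -PropertyType QWord        -Value (Get-Date).ToFileTime() | Out-Null

    Get-SrpDisallowedRule | Where-Object { $_.Guid -eq $guid }
}

# Usage with a hypothetical path: block an unpatched third-party tool, then verify.
Add-SrpDisallowedRule -Path 'C:\Tools\vulnerable-tool.exe' -Description 'Unpatched, blocked until update'
Get-SrpDisallowedRule | Format-Table -AutoSize
```

A rule written this way applies to processes started after it exists; a DLL path rule only has an effect when the CodeIdentifiers `TransparentEnabled` value is 2 (enforce for all software files, not just executables).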

AndyFul commented 2 years ago

Hi, the Sethc LOLBin is not a good example in the home environment. The exploit requires a fully compromised system with high/system privileges to replace the sethc.exe binary with cmd.exe or some binary malware. This attack vector can be useful in Enterprises because the hacker can use cmd.exe or another shell to manually make changes in the system without logging on. Such exploits are used for persistence or lateral movement. In the home environment, there is no gain in blocking sethc.exe.

I intentionally did not add the ability to block custom Sponsors in the H_C, because users try to add LOLBins recommended in the Enterprise/Business environment, even if this is unnecessary in the home environment.

There are probably some LOLBins that could be added to the H_C. I will probably add some LOLBins if they become more popular in attacks on home users.

Anyway, the H_C Recommended Settings on Windows 10/11 are so restrictive that there is no need to block Sponsors, except if one uses vulnerable & unpatched popular applications (or blocks Windows updates).

ghost commented 2 years ago

Well okay, but an option to do it would be nice regardless.