Remediations include:
- restricting permissions to the binary
- windows firewall blocking network access to binary
If a user has admin or a path to admin, these are just speed bumps.
Sysmon would be useful here for instrumentation: e.g. look for regsvr32.exe
executing and/or making any network
Hello group,
Here an interesting article on how Regsvr32.exe can use .com script files
to execute code. I didn’t see a remediation, but it’s good to at least be
aware of it.
http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html
My question is can we write a rule to