Process Lasso as a security software

Started by arcanum, June 02, 2025, 08:17:27 AM


arcanum

Hello,
Is it possible to block something like powershell.exe, wscript.exe etc., the so-called LOLBins, via PL?
I've done a local group policy rule, something like this:
%LSYSTEMDRIVE%\*\*.vbs
which should prevent any .vbs from running system-wide; however, I don't trust it (it can be reversed by malware).
So is there a way in PL to block powershell.exe?

jacksoris

You can use path rules if you want more control, though this is slightly less secure than publisher/file hash rules.
<!-- AppLocker has no file-name condition; a path condition with a leading wildcard matches the name in any directory. Id must be a unique GUID (placeholder shown), S-1-1-0 is Everyone. -->
<FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Deny powershell.exe anywhere" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
  <Conditions>
    <FilePathCondition Path="*\powershell.exe"/>
  </Conditions>
</FilePathRule>
Or you can deny specific paths like:
<!-- Same rule type, one exact path; the rule sits inside <RuleCollection Type="Exe"> of the policy XML. -->
<FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Deny 64-bit powershell.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
  <Conditions>
    <FilePathCondition Path="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"/>
  </Conditions>
</FilePathRule>


athleticsyea

For blocking LOLBins like `powershell.exe` and `wscript.exe`, it is recommended to use AppLocker, the native Windows tool, which is preferred over SRP for this purpose. The specific steps are given below:
- Search for `secpol.msc` and open it.
- Navigate to `Application Control Policies` -> `AppLocker`.
- Right-click on `Executable Rules` and select `Create New Rule...`.
- Click `Next` on the "Before You Begin" page.
- On the "Permissions" page: Select `Deny` for this action. Select `Everyone` (or the specific users/groups you want to apply). Click `Next`.
- On the "Conditions" page: Select `Path` and click `Next`.
- On the "Path" page: Click `Browse Folders...` or `Browse Files...`. Navigate to `C:\Windows\System32\WindowsPowerShell\v1.0\` and select `powershell.exe`. You can also add `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` for 32-bit version. Click `Next`.
- On the "Exceptions" page: (Optional) You can add exceptions if some valid applications need to use PowerShell.
- On the "Name" page: Give the rule a descriptive name (e.g. "Deny PowerShell Execution"). Click `Create`.
- Enable AppLocker Service: Go to `Services.msc`, find "Application Identity" and set Startup type to `Automatic` and start the service.
- Enforce Policy: In `secpol.msc`, right-click `AppLocker` -> `Properties`. On the "Enforcement" tab, select "Configured" for `Executable rules` and set it to `Enforce rules`.
- Test: Try running `powershell.exe`. It will be blocked.
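Added example, not code from the thread and not Microsoft's own documentation: the policy the step-by-step above produces, written as AppLocker XML and applied with the AppLocker PowerShell module; it also covers the XML path rules jacksoris sketched. It assumes 64-bit Windows, a local (non-domain) policy, an edition on which AppLocker enforcement is supported, and that you want the default allow rules alongside the deny rules. Two things the GUI steps leave implicit are handled explicitly: once the Executable rule collection contains any rule, AppLocker blocks every executable that no allow rule covers, so a deny-only collection would lock out far more than PowerShell; and on Windows 10 and later AppIDSvc is a protected service whose startup type the Services snap-in cannot change, so the script uses sc.exe. The deny rules match only the listed paths (the 32-bit SysWOW64 copies are included); a copy of the binary placed elsewhere is not covered, which is the weakness of path rules that jacksoris mentions. The file name, rule names and the -Apply switch are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): builds the AppLocker policy the
# step-by-step above produces and applies it locally.
# Assumptions: 64-bit Windows, local policy (no GPO/LDAP), default allow rules wanted.

param(
    [switch]$Apply   # without -Apply the script only writes and tests the XML
)

Import-Module AppLocker

# Binaries to deny. Both the native and the 32-bit (SysWOW64) copies are listed
# because a path rule covers exactly one path. %SYSTEM32% and %WINDIR% are
# AppLocker path variables, so no drive letter is hard-coded.
$denyPaths = @(
    '%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe',
    '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    '%SYSTEM32%\wscript.exe',
    '%WINDIR%\SysWOW64\wscript.exe'
)

$everyone = 'S-1-1-0'        # well-known SID: Everyone
$admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

function New-PathRule {
    param([string]$Path, [string]$Action, [string]$Sid, [string]$Name)
    # Each rule needs a unique GUID. Deny rules override allow rules.
    $id = [guid]::NewGuid().ToString()
@"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions>
        <FilePathCondition Path="$Path"/>
      </Conditions>
    </FilePathRule>
"@
}

$rules = @()
# Default allow rules. Once the Exe collection contains any rule, everything not
# explicitly allowed is blocked, so a deny-only policy would block all other
# executables for non-administrators.
$rules += New-PathRule -Path '%PROGRAMFILES%\*' -Action Allow -Sid $everyone -Name 'Allow Program Files'
$rules += New-PathRule -Path '%WINDIR%\*'       -Action Allow -Sid $everyone -Name 'Allow Windows folder'
$rules += New-PathRule -Path '*'                -Action Allow -Sid $admins   -Name 'Allow administrators everything'
foreach ($p in $denyPaths) {
    $rules += New-PathRule -Path $p -Action Deny -Sid $everyone -Name "Deny $(Split-Path $p -Leaf)"
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlFile = Join-Path $env:TEMP 'deny-lolbins.xml'   # example's own file name
Set-Content -Path $xmlFile -Value $policyXml -Encoding UTF8

# Dry run: evaluate the policy against the real binaries before enforcing it.
# Expected: the first three Denied, notepad.exe Allowed by the %WINDIR% rule.
$probe = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\notepad.exe"     # control: must stay allowed
)
Test-AppLockerPolicy -XmlPolicy $xmlFile -Path $probe |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

if ($Apply) {
    # AppIDSvc is a protected service on Windows 10 and later; the Services
    # snap-in cannot change its startup type, but sc.exe can.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    # Replaces the local AppLocker policy (add -Merge to keep existing rules).
    Set-AppLockerPolicy -XmlPolicy $xmlFile
    # Show what is now in force.
    Get-AppLockerPolicy -Effective -Xml
}
```

Run it once without -Apply and read the Test-AppLockerPolicy table: every probe path except the control should report Denied with the matching deny rule's name. Only then run it with -Apply, from an elevated session, and repeat the check with Get-AppLockerPolicy -Effective.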