Home » News » Microsoft published list of dangerous legitimate applications

Microsoft published list of dangerous legitimate applications

Microsoft composed and published a list of legitimate applications that can be used by attackers for bypassing Windows Defender security rules.

Corporation notifies that attackers can penetrate organization’s network by using this legitimate programs. Microsoft refers to a special method that use cybercriminals – Living off. Living off suggests exploitation of OS functions or legitimate administrating tools in compromising corporate network.

Due to application of quite harmless tools attackers can often avoid detection by different antivirus decisions.

Hence Microsoft recommends creation of special rule that blocks certain legitimate applications.

“Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications”, — advice in Microsoft

List of applications:

  • addinprocess.exe
  • addinprocess32.exe
  • addinutil.exe
  • bash.exe
  • bginfo.exe[1]
  • cdb.exe
  • csi.exe
  • dbghost.exe
  • dbgsvc.exe
  • dnx.exe
  • fsi.exe
  • fsiAnyCpu.exe
  • kd.exe
  • ntkd.exe
  • lxssmanager.dll
  • msbuild.exe[2]
  • mshta.exe
  • ntsd.exe
  • rcsi.exe
  • system.management.automation.dll
  • windbg.exe
  • wmic.exe

[1] — A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here BGInfo 4.22. Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.

[2] — If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.

“These applications and files can be used by attackers for bypassing of protective measures, for example, rule white applications list. In particular, attackers can bypass Windows Defender Application Control protection», — warns Microsoft.

Source: https://docs.microsoft.com

READ  In new patch Microsoft corrected 74 bugs, including two 0-day vulnerabilities
[Total: 0    Average: 0/5]

About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

muddywater-apt-group-upgrading-tactics-to-avoid-detection

Researchers told about new instruments of MuddyWater cybercriminal group

Specializing on espionage Muddywater group, also known as SeedWorm and TEMP.Zagros, included in its set …

angelina jolie hackers

Mysterious woman-hacker published exploit for increasing vulnerability of rights increase in Windows 10

On GitHub published PoC-code for vulnerability of privileges increase in Windows 10 that affects Windows …

Leave a Reply