Mitigating .LNK Exploitation With SRP

As I’ve used Software Restriction Policies (SRP) on several occasions in my blog posts, and several people have suggested using SRP to protect against .LNK exploitation as an alternative to Ariad, I’ll describe how to configure SRP for the first time on a workstation that is not a member of a domain. For domain members, you configure the same settings in a Group Policy Object for the domain instead of in the local policy.

Start the Local Security Policy manager (secpol.msc) from Control Panel / Administrative Tools.

Software Restriction Policies have to be defined the first time you use them: right-click the Software Restriction Policies node and choose New Software Restriction Policies. This creates the default rules (the Windows and Program Files directories are Unrestricted) with a default security level of Unrestricted, i.e. a blacklist that blocks nothing yet.

We exclude our system drive (C:) from being restricted: under Additional Rules, add a New Path Rule for C:\ with security level Unrestricted (add other drives if you have more that hold software you trust). Keep in mind that this allows everything under C:, including directories the user can write to, so what we build here is protection against code on other drives, not a complete application whitelist.

To protect against .LNK exploitation, we need to restrict DLLs too, not only EXEs, because the vulnerable shortcut does not start a program but makes the shell load a DLL when it renders the icon: open Enforcement and select All software files instead of the default All software files except libraries (such as DLLs).

And finally, switch from blacklisting to whitelisting: open Security Levels and make Disallowed the default level.

After configuring SRP, log off and log on again to apply the policy immediately.
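The snap-in gives no single view that confirms all three settings are in effect, so here is an added check script (written for this page, not part of the original post) that reads the registry keys the Local Security Policy snap-in populates for SRP and reports whether the default level is Disallowed, whether DLLs are enforced, and whether an Unrestricted path rule covers the system drive. It assumes the registry layout and level values that secpol.msc writes (the `CodeIdentifiers` key with `DefaultLevel`, `TransparentEnabled`, `PolicyScope` and per-level `Paths` subkeys) and that the drive you excluded is `%SystemDrive%`.

```powershell
# Added example (not from the original post): audit the effective SRP
# configuration described above. It reads the registry keys that the Local
# Security Policy snap-in (secpol.msc) populates under
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
# and reports whether the three settings from the post are in place:
#   1. default security level = Disallowed (whitelisting)
#   2. enforcement = all software files (DLLs included, needed for .LNK)
#   3. an Unrestricted path rule covering the system drive (C:\)
# Run it in an elevated PowerShell after the logoff/logon that applies the policy.

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Numeric security levels used by SRP. Path rules are stored under the key
# named after their level, so "allow" rules live under 262144 (Unrestricted)
# and explicit "block" rules under 0 (Disallowed).
$Levels = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Restricted'
             131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRule {
    param([int]$Level)
    $key = Join-Path $Base "$Level\Paths"
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem $key | ForEach-Object {
        $rule = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Level = $Levels[$Level]
            Path  = [string]$rule.ItemData   # REG_EXPAND_SZ; the provider expands %VAR% references
        }
    }
}

function Test-SrpLnkMitigation {
    if (-not (Test-Path $Base)) {
        Write-Warning 'No SRP policy defined (CodeIdentifiers key missing).'
        return $false
    }
    $cfg = Get-ItemProperty $Base
    $ok  = $true

    # 1. Whitelisting: DefaultLevel 0 means Disallowed, 262144 means Unrestricted.
    $default = if ($null -ne $cfg.DefaultLevel) { [int]$cfg.DefaultLevel } else { -1 }
    Write-Host ("DefaultLevel       : {0} ({1})" -f $default, $Levels[$default])
    if ($default -ne 0) {
        Write-Warning 'Default level is not Disallowed; SRP is still a blacklist.'
        $ok = $false
    }

    # 2. DLL enforcement: TransparentEnabled 1 = all software files except
    #    libraries, 2 = all software files. The .LNK issue loads a DLL, so 2 is required.
    $enforce = if ($null -ne $cfg.TransparentEnabled) { [int]$cfg.TransparentEnabled } else { -1 }
    Write-Host ("TransparentEnabled : {0}" -f $enforce)
    if ($enforce -ne 2) {
        Write-Warning 'DLLs are not checked; DLL loads triggered by a .LNK are not covered.'
        $ok = $false
    }

    # PolicyScope 0 = all users, 1 = all users except local administrators.
    # Not one of the post's three settings, but an exemption worth knowing about.
    if ([int]$cfg.PolicyScope -eq 1) {
        Write-Warning 'Local administrators are exempt from SRP.'
    }

    # 3. Allow rules: list them and check that the system drive (C:) is covered.
    $allow = @(Get-SrpPathRule -Level 262144)
    $allow | Format-Table -AutoSize | Out-Host
    $covered = $allow | Where-Object { $_.Path.TrimEnd('\') -ieq $env:SystemDrive }
    if (-not $covered) {
        Write-Warning "No Unrestricted path rule for $env:SystemDrive\; local programs will be blocked too."
        $ok = $false
    }

    # Explicit Disallowed path rules, if any.
    @(Get-SrpPathRule -Level 0) | Format-Table -AutoSize | Out-Host

    return $ok
}

Test-SrpLnkMitigation
```

The script only reads the registry; it deliberately does not write the values, because on a workstation the snap-in stores them in the local GPO as well as under `HKLM\SOFTWARE\Policies`, and a direct registry edit would be overwritten by the next policy refresh. If it returns `$false`, fix the reported setting in secpol.msc and log off and on again.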

From now on, only executables and DLLs located on the C: drive will be allowed to run or load; anything on removable media, a CD-ROM or another drive is blocked by the Disallowed default level.

.LNK exploitation from removable media is therefore blocked: the DLL the malicious shortcut points to lives on the removable drive, so SRP refuses to load it when the shell tries to render the icon.

View full post on Didier Stevens


2 Responses to “Mitigating .LNK Exploitation With SRP”

  1. Windows shortcut security flaw (continued) « Criminalités numériques says:

    [...] new protection method is explained by Didier Stevens on his blog. It consists of creating a local rule that restricts the launching of applications [...]

  2. TC Blog » Blog Archive » M 4.286 Use of the Software Restriction Policy under Windows Server 2003 says:

    [...] The current Windows vulnerability, in which malicious code from DLL files is loaded via .LNK files when their icons are rendered, can be contained, among other means, with the help of a software restriction policy. Instructions for this can be found here. [...]
