Clientless Malware

26th September 2019

If an attacker uses software already installed on Windows to create a persistent connection, the industry calls this Clientless Malware or Living off the Land. This usually involves Windows PowerShell, which is so easy to block using the built-in Defender firewall that I'm surprised it's not blocked by default.

I propose a fix for this in the form of a Windows Firewall rule.

Start, Run, mmc

Add the Windows Defender Firewall snap-in.

Create a new rule:

Rule Type = Program

Use this program path for 64-bit Windows:

%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe

Block the connection

Check the Public box to prevent PowerShell from communicating with the public Internet.

Give your rule a name. I named mine _Powershell_Block_Public so it gets sorted to the very top of the list alphabetically.

For the description I used: Block Powershell connections to public IPs to prevent client-less malware

Click Finish.

Now find the rule you just created, right click it and choose enable.
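The same rule as the MMC steps above, built with the NetSecurity cmdlets so it can be scripted and re-applied on every server, followed by a check that it landed with the expected settings. This is an added example, not part of the original post; it assumes the rule is an outbound rule (the goal is to stop PowerShell reaching public IPs) and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Creates the post's
# _Powershell_Block_Public rule with New-NetFirewallRule instead of the
# MMC wizard, then verifies it. Assumption: the rule is OUTBOUND.

$ruleName = '_Powershell_Block_Public'
$program  = '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe'

# Only create the rule once so re-running the script does not duplicate it.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule `
        -DisplayName $ruleName `
        -Description 'Block Powershell connections to public IPs to prevent client-less malware' `
        -Direction   Outbound `
        -Program     $program `
        -Action      Block `
        -Profile     Public `
        -Enabled     True | Out-Null
}

# Verify: rule exists, is enabled, blocks, applies to the Public profile,
# and is bound to the 64-bit powershell.exe path from the post.
$rule      = Get-NetFirewallRule -DisplayName $ruleName
$appFilter = $rule | Get-NetFirewallApplicationFilter

[pscustomobject]@{
    Name    = $rule.DisplayName
    Enabled = $rule.Enabled
    Action  = $rule.Action
    Profile = $rule.Profile
    Program = $appFilter.Program
} | Format-List

# Expected on a correctly applied host:
#   Enabled = True, Action = Block, Profile = Public, Program = $program
```

On 64-bit Windows there is also a 32-bit copy of powershell.exe under %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\, which this rule does not cover; a second rule with the same settings and that path closes the gap.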

I am going to recommend this change for all RdWeb and Gateway servers.

Unfortunately Windoze does not allow exporting/importing of a single rule. An export of all rules starts with the below (the column headers followed by the row for this rule):

Name                        = _Powershell_Block_Public
Group                       = (blank)
Profile                     = Public
Enabled                     = Yes
Action                      = Block
Override                    = No
Program                     = %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe
Local Address               = Any
Remote Address              = Any
Protocol                    = Any
Local Port                  = Any
Remote Port                 = Any
Authorized Computers        = Any
Authorized Local Principals = Any
Local User Owner            = Any
Application Package         = Any

After some testing I plan to convert this to a Group Policy so I can easily apply it to all workstations. Stay tuned for that HowTo.