Preventing file-less malware the cheap and hacky way
Create a .bat or .cmd script with the following lines in it. I called mine PowershellPS1-Disassociate.cmd
REM This script prevents file-less malware from running by associating
REM the PowerShell and Visual Basic script extensions with Notepad.
REM Run it from an elevated (Administrator) prompt: assoc writes to HKEY_CLASSES_ROOT.
REM Original associations, kept in comments for reference:
REM assoc .ps1=Microsoft.PowerShellScript.1
REM assoc .VBE=VBEFile
REM assoc .vbs=VBSFile
assoc .ps1=txtfile
assoc .VBE=txtfile
assoc .vbs=txtfile
After you create the script, save and run it. If you need to reverse this operation, do the same with the following script. I called mine PowershellPS1-Associate.cmd
REM Restores the default Windows associations; run from an elevated prompt.
assoc .ps1=Microsoft.PowerShellScript.1
assoc .VBE=VBEFile
assoc .vbs=VBSFile
This works well for personal users, small and medium businesses, and work-from-home users.
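The two .cmd scripts above hard-code the original ProgIDs in comments, which only works on a machine whose associations were still the Windows defaults. The PowerShell script below is an added example, not part of the original post: it records whatever the current associations are before changing anything, then remaps the extensions to txtfile (the post's Notepad trick), unregisters them outright (the post's "Unregister" list), or restores the recorded values. The backup path and the mode names are assumptions chosen for this example; like assoc itself, it must run from an elevated prompt.

```powershell
# Added example (not from the original post). Backs up, remaps, unregisters or
# restores the extension associations the post discusses.
# Assumptions: elevated prompt (assoc writes to HKEY_CLASSES_ROOT); the backup
# file path is chosen here and is not from the original post.
param(
    [ValidateSet('Backup', 'Remap', 'Unregister', 'Restore')]
    [string]$Mode = 'Backup',
    [string]$BackupFile = "$env:ProgramData\assoc-backup.json"
)

# The three extensions the post remaps plus the extra ones in its "Unregister" list.
$extensions = '.ps1', '.vbs', '.vbe', '.js', '.wsh', '.reg'

function Get-Association([string]$Ext) {
    # assoc prints ".ps1=Microsoft.PowerShellScript.1", or an error and a
    # non-zero exit code when the extension has no association at all.
    $out = cmd /c "assoc $Ext" 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $out) { return $null }
    return ($out -split '=', 2)[1]
}

function Set-Association([string]$Ext, [string]$ProgId) {
    # "assoc .ext=" with nothing after the equals sign deletes the association.
    cmd /c "assoc $Ext=$ProgId" | Out-Null
}

switch ($Mode) {
    'Backup' {
        # Record the live values rather than trusting the Windows defaults.
        $map = @{}
        foreach ($e in $extensions) { $map[$e] = Get-Association $e }
        $map | ConvertTo-Json | Set-Content -Path $BackupFile
        Write-Host "Saved current associations to $BackupFile"
    }
    'Remap' {
        # Equivalent of the post's PowershellPS1-Disassociate.cmd: open in Notepad.
        if (-not (Test-Path $BackupFile)) { throw "Run -Mode Backup first" }
        foreach ($e in $extensions) { Set-Association $e 'txtfile' }
    }
    'Unregister' {
        # Equivalent of the post's "Unregister" list: no handler at all.
        if (-not (Test-Path $BackupFile)) { throw "Run -Mode Backup first" }
        foreach ($e in $extensions) { Set-Association $e '' }
    }
    'Restore' {
        # Put back exactly what Backup recorded, including "no association".
        $map = Get-Content $BackupFile -Raw | ConvertFrom-Json
        foreach ($e in $extensions) {
            $orig = $map.$e
            if ($orig) { Set-Association $e $orig } else { Set-Association $e '' }
        }
    }
}

# Show the resulting state so the change can be verified at a glance.
foreach ($e in $extensions) { "{0,-6} -> {1}" -f $e, (Get-Association $e) }
```

Run it once with `-Mode Backup` before anything else; `-Mode Restore` then undoes either `Remap` or `Unregister` on that machine without needing to know what the original ProgIDs were.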
Unregister the following extensions; this prevents a social engineer from tricking users into running scripts:
.ps1 .vbs .vbe .js .wsh .reg
Execute restrictions (permissions PowerUser+): prevent the following software from running:
C:\Windows\System32\WindowsPowerShell*
C:\Windows\System32\cmd.exe
C:\Windows\System32\cscript.exe
C:\Windows\System32\reg.exe
C:\Windows\System32\runas.exe
C:\Windows\System32\wscript.exe
wmic.exe
wbemtest.exe
winrm.exe
dcomcnfg.exe
Firewall: restrict ports 135, 445, 5985 and 5986 to 10.x.x.x addresses only.
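The firewall line above names the ports (RPC endpoint mapper, SMB, WinRM HTTP and HTTPS) and the trusted range but not how to apply it. The following PowerShell is an added example, not from the original post, that scopes inbound access on those ports to 10.0.0.0/8 with the built-in NetSecurity cmdlets and flags any existing unscoped allow rule that would undercut the restriction. Reading "10.x.x.x" as 10.0.0.0/8 and the rule display names are assumptions of this example; it must run elevated.

```powershell
# Added example (not from the original post): scope inbound 135/445/5985/5986
# to 10.0.0.0/8. Assumptions: "10.x.x.x" means 10.0.0.0/8; rule names are
# chosen here; run from an elevated prompt.
$trusted = '10.0.0.0/8'
$ports   = 135, 445, 5985, 5986

# Windows Firewall applies Block rules ahead of Allow rules, so the scoped
# Allow rules only restrict anything if the default inbound action is Block
# and no broader Allow rule already opens the same ports to any address.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Report enabled inbound Allow rules that open one of these ports to 'Any'
# remote address (for example the built-in File and Printer Sharing or
# WinRM rules). They are reported, not changed, so an admin can review them.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $rule = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $hit = $ports | Where-Object { $portFilter.LocalPort -contains "$_" }
        if ($hit -and ($addrFilter.RemoteAddress -eq 'Any')) {
            Write-Warning ("Unscoped allow rule covers port(s) {0}: {1}" -f `
                ($hit -join ','), $rule.DisplayName)
        }
    }

# Create one scoped Allow rule per port, skipping any that already exist.
foreach ($p in $ports) {
    $name = "Scoped-Inbound-TCP-$p-from-10.0.0.0-8"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $p -RemoteAddress $trusted -Profile Any | Out-Null
        Write-Host "Created $name"
    }
}
```

The warnings are the part worth reading: a scoped allow rule on port 445 changes nothing while the stock "File and Printer Sharing (SMB-In)" rule is still enabled for any address, so those broader rules have to be disabled or re-scoped before the restriction takes effect.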