Preventing file-less malware the cheap and hacky way

Create a .bat or .cmd script with the following lines in it. I called mine PowershellPS1-Disassociate.cmd

@echo off
REM This script prevents file-less malware from running by associating
REM the PowerShell and Visual Basic script extensions with Notepad (txtfile).
REM Original associations, kept here for reference:
REM   assoc .ps1=Microsoft.PowerShellScript.1
REM   assoc .VBE=VBEFile
REM   assoc .vbs=VBSFile
REM Run from an elevated (Administrator) prompt; assoc writes to HKEY_CLASSES_ROOT.
assoc .ps1=txtfile
assoc .VBE=txtfile
assoc .vbs=txtfile

After you create the script, save it and run it. If you need to reverse this operation, do the same with the following script. I called mine PowershellPS1-Associate.cmd

@echo off
REM Restores the original associations (run from an elevated prompt).
assoc .ps1=Microsoft.PowerShellScript.1
assoc .VBE=VBEFile
assoc .vbs=VBSFile

This works well for personal users, small and medium businesses, and work-from-home users.

Unregister (prevents social engineers from tricking users into running scripts):
.ps1 .vbs .vbe .js .wsh .reg
Execution restrictions (prevents the selected software from running, for permission levels PowerUser and above):
C:\Windows\System32\WindowsPowerShell*
C:\Windows\System32\cmd.exe
C:\Windows\System32\cscript.exe
C:\Windows\System32\reg.exe
C:\Windows\System32\runas.exe
C:\Windows\System32\wscript.exe
wmic.exe
wbemtest.exe
winrm.exe
dcomcnfg.exe

Firewall: ports 135, 445, 5985 and 5986 reachable from 10.x.x.x addresses only.
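An added example, not part of the original post, written in PowerShell rather than batch: it covers the assoc scripts above and all of the extensions listed under Unregister, records whatever each extension is currently associated with before pointing it at txtfile (so the restore step does not depend on hard-coded ProgIDs), and verifies the result afterwards. The backup path and the function names are my own choices; an elevated prompt is assumed.

```powershell
# Added example (not from the original post). Backs up the current associations,
# points the listed extensions at txtfile, verifies, and can restore exactly.
# Assumes an elevated (Administrator) prompt, since assoc writes to HKEY_CLASSES_ROOT.
# Caveat: this only changes what Explorer launches on double-click; explicitly
# running powershell.exe -File script.ps1 still works, which is why the post
# also lists execution restrictions for the script hosts themselves.

$Extensions = '.ps1', '.vbs', '.vbe', '.js', '.wsh', '.reg'        # from the Unregister list
$BackupFile = Join-Path $env:ProgramData 'assoc-backup.txt'         # assumed backup location

function Get-Assoc([string]$Ext) {
    # cmd's assoc prints ".ext=ProgID"; returns $null when nothing is registered
    $line = cmd /c "assoc $Ext 2>nul"
    if ($LASTEXITCODE -ne 0 -or -not $line) { return $null }
    return ($line -split '=', 2)[1]
}

function Disable-ScriptAssociations {
    $lines = foreach ($ext in $Extensions) {
        $progId = Get-Assoc $ext
        "$ext=$progId"                                   # record the original (blank if none)
        cmd /c "assoc $ext=txtfile" | Out-Null           # open with Notepad instead of a script host
    }
    Set-Content -Path $BackupFile -Value $lines
    Test-ScriptAssociations
}

function Restore-ScriptAssociations {
    foreach ($line in Get-Content $BackupFile) {
        $ext, $progId = $line -split '=', 2
        if ($progId) { cmd /c "assoc $ext=$progId" | Out-Null }
        else         { cmd /c "assoc $ext=" | Out-Null }  # nothing was registered: delete it again
    }
}

function Test-ScriptAssociations {
    # Verification: every listed extension should now resolve to txtfile
    foreach ($ext in $Extensions) {
        $current = Get-Assoc $ext
        $status = if ($current -eq 'txtfile') { 'OK     ' } else { 'MISSING' }
        '{0} {1} -> {2}' -f $status, $ext, $current
    }
}

Disable-ScriptAssociations          # run Restore-ScriptAssociations to undo
```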

sduncan