
How do you prevent process hijacking and escalation on Windows? Are there any proactive ways to prevent DLL injection and privilege escalation? I know things like virus protection and setting GPOs are great, but are there any other proactive approaches?

Sam Arnold

2 Answers


As stated in kfiros's answer, AVs will block known methods and flag known malware or DLLs.

The best way to block all kinds of DLL injection and, more generally, to block code execution is to use built-in security measures like AppLocker.

Of course, to be an effective mitigation, it needs to be configured in whitelist mode, not in blacklist mode.

AppLocker can be configured by GPO if your Windows machine is on an Active Directory domain.

Refer to https://docs.microsoft.com/fr-fr/windows/security/threat-protection/applocker/applocker-overview for more information.

r00t
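As an added illustration of the whitelist-mode AppLocker setup described in this answer (example code, not part of the original answer), the PowerShell below builds an allow-list policy from the files already present in the trusted program directories, includes the Dll rule collection (AppLocker does not enforce DLL rules unless that collection exists and is set to Enabled), switches every collection to enforcement, tests an unsigned file dropped into a user-writable location against it, and applies it. The directory list, the temp-file name and the LDAP path of the GPO are placeholders to adapt; the AppLocker module cmdlets used (Get-AppLockerFileInformation, New-AppLockerPolicy, Test-AppLockerPolicy, Set-AppLockerPolicy) are the ones shipped with Windows.

```powershell
# Added example (not from the original answer): AppLocker allow-list policy
# covering executables and DLLs, tested and then applied.
# Assumptions: elevated PowerShell on Windows 10 / Server 2016 or later with
# the AppLocker module present; $trustedRoots and the GPO LDAP path are
# placeholders for your environment.
Import-Module AppLocker

# 1. AppLocker enforces nothing unless the Application Identity service runs.
#    AppIDSvc is a protected service on recent Windows, so change its start
#    type with sc.exe rather than Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. Collect file information for the binaries you trust. Including *.dll makes
#    New-AppLockerPolicy emit a Dll rule collection; enforcing DLL rules
#    without it would block every DLL, including Windows' own.
#    Scanning these trees takes a few minutes.
$trustedRoots = 'C:\Windows\System32', 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = Get-ChildItem -Path $trustedRoots -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            Get-AppLockerFileInformation -ErrorAction SilentlyContinue

# 3. Prefer publisher rules (signed files), fall back to hash rules for
#    unsigned ones; -Optimize merges rules for the same publisher.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 4. Generated collections are NotConfigured. Set each one to Enabled, which is
#    allow-list enforcement: anything without a matching rule is denied.
$xml = [xml]$policyXml
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'Enabled')
}
$policyPath = Join-Path $env:TEMP 'applocker-allowlist.xml'
$xml.Save($policyPath)

# 5. Dry run before enforcing. A constructed, unsigned file in a user-writable
#    directory stands in for a dropped DLL and should come back Denied.
#    Caveat worth checking the same way: publisher rules follow the signature,
#    not the path, so a Microsoft-signed DLL copied into %TEMP% is still allowed.
$dropped = Join-Path $env:TEMP 'dropped.dll'
Set-Content -Path $dropped -Value 'constructed placeholder, not a real DLL' -Encoding ASCII
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $dropped -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. Apply locally first and watch the Microsoft-Windows-AppLocker event logs
#    for legitimate software being denied; then push the same XML into a GPO
#    (placeholder LDAP path) so domain machines receive it.
Set-AppLockerPolicy -XmlPolicy $policyPath
# Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap 'LDAP://DC01.example.com/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com'
```

Run step 5 against a few real applications (and a copy of a signed DLL placed under %TEMP%) before step 6: the test output tells you which rule matched, which is the quickest way to see whether a gap is a missing publisher rule or a signed binary that the allow list trusts regardless of where it lives.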

Your question is very general, and actually doesn't have one answer. DLL injection can be done in many ways, and the known ways are not the interesting ones.

If you insist: it's common today for AVs to hook CreateRemoteThread, for example; this way you can try to prevent code injection via that injection vector.

There are more ways to prevent DLL injection, but they are designed to stop specific DLL injection methods, so they won't be effective when new methods are used.

kfiros
  • I was thinking about blocking certain DLLs, such as System.Reflection.dll and System.Management, and grabbing the reflection DLLs from Metasploit, Empire, etc. and blocking them by hash. – Sam Arnold Nov 04 '17 at 18:06