Windows Temp

L2 Linker

Windows Temp

Is it a good practice to block executables from running from C:\Windows\Temp Folder?


Is there the chance of blocking legitimate apps trying to run?

L4 Transporter

Re: Windows Temp

Hi @Alex_Gomez


Legitimate applications don't typically execute from locations such as %AppData%, %LocalAppData%, %temp% or others. Best practice is to not allow any executables to execute from these locations, as it is a typical malware behaviour, such as ransomware.

A notable behavior used by several ransomware families, including Cryptolocker, is to run its executable from %AppData%, %LocalAppData% or %temp%.


If you need specific applications to run from these locations, the best recommendation is to use the Whitelisting functionality by specifying the actual location where the executable should be allowed to run, then you will be safe.


There is a list of specific child processes on Windows that, as best practice, you should whitelist in order to allow the functionality of several applications.


Here is a link to some of the policies I use in order to blacklist and whitelist specific directories.

https://www.dropbox.com/sh/0e9e64aj6cxaqqh/AACiUd6I4RVKUbhHhn5IiiTla?dl=0 


I hope it helps,
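As an added illustration of the block-these-directories-but-allow-specific-paths approach described in the reply above (example code, not part of the original thread or of any vendor policy file), the following Python triages constructed process-creation events: an image path is blocked when it lives under %AppData%, %LocalAppData%, %temp% or C:\Windows\Temp unless an explicit allow entry covers it. The environment values, the allow entry and the event lines are constructed assumptions.

```python
import ntpath

# Constructed example environment; on a real host use os.environ for these values.
ENV = {
    "APPDATA": r"C:\Users\alex\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alex\AppData\Local",
    "TEMP": r"C:\Users\alex\AppData\Local\Temp",
}
# Directories the reply recommends blocking execution from, plus C:\Windows\Temp from the question.
BLOCKED_DIRS = [ENV["APPDATA"], ENV["LOCALAPPDATA"], ENV["TEMP"], r"C:\Windows\Temp"]
# Allow entries for specific paths known to need these locations (hypothetical example value).
ALLOWED = [r"C:\Users\alex\AppData\Local\ExampleVendor\updater.exe"]

def _norm(path):
    # Normalize case, slashes and '..' so that C:/windows/temp/../temp/x.exe compares correctly.
    return ntpath.normcase(ntpath.normpath(path))

def _is_under(path, directory):
    # Trailing separator prevents C:\Windows\Temp matching C:\Windows\Temporary\x.exe.
    return _norm(path).startswith(_norm(directory).rstrip("\\") + "\\")

def verdict(image_path):
    """'allow' when explicitly allow-listed, 'block' when under a blocked directory, else 'allow'."""
    if any(_norm(image_path) == _norm(a) or _is_under(image_path, a) for a in ALLOWED):
        return "allow"
    if any(_is_under(image_path, d) for d in BLOCKED_DIRS):
        return "block"
    return "allow"

def triage(event_lines):
    """Parse constructed 'key=value|key=value' process events; return [(image, verdict)]."""
    results = []
    for line in event_lines:
        fields = dict(part.split("=", 1) for part in line.split("|"))
        if fields.get("EventID") == "1":  # process creation only
            results.append((fields["Image"], verdict(fields["Image"])))
    return results

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\Temp\\invoice_2019.exe",
    "EventID=1|Image=c:\\users\\alex\\appdata\\roaming\\svchost.exe",
    "EventID=1|Image=C:\\Windows\\Temp\\..\\System32\\notepad.exe",
    "EventID=1|Image=C:\\Users\\alex\\AppData\\Local\\ExampleVendor\\updater.exe",
    "EventID=1|Image=C:\\Windows\\Temporary\\tool.exe",
    "EventID=3|Image=C:\\Windows\\Temp\\invoice_2019.exe",
]

if __name__ == "__main__":
    for image, v in triage(SAMPLE_EVENTS):
        print(f"{v:5}  {image}")
```

Note that the third event resolves to System32 after normalization, so path checks must normalize before comparing or a `..` segment would produce a false block.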

L2 Linker

Re: Windows Temp

Thanks @Willian for the link to those policies. What's the best way to import them or view them?

L4 Transporter

Re: Windows Temp

Hi @Alex_Gomez

In order to import the rules you go to Policies > Exploit > Import Rules in the ESM console as per the screenshot below:

[Screenshot: Import-Rules.JPG]

As for viewing the rules, you can use any editor such as Notepad++, Notepad or WordPad, because it is only an .XML file.


I hope this helps.


L2 Linker

Re: Windows Temp

I'm seeing this when I try importing:

[Screenshot: Error.png]

L2 Linker

Re: Windows Temp

All good now, was able to import!

Cheers

L1 Bithead

Re: Windows Temp

Thanks for sharing the policy files.


Dennis
