
Critical Windows Processes to Restrict for Enhanced Security

Certain Windows processes should be blocked or restricted to protect assets from attackers.

When a legitimate process executes from a location other than its expected default directory (e.g., C:\Windows\System32 for 64-bit processes and C:\Windows\SysWOW64 for 32-bit processes), it is often a red flag that something suspicious may be happening.

The following processes are common red flags and candidates for restriction:

1. PowerShell (powershell.exe)

Why? PowerShell is a powerful scripting tool often abused by attackers to execute malicious scripts or bypass security controls.

Mitigation: Use application whitelisting to allow only authorized scripts and block unnecessary execution of powershell.exe.

2. Command Prompt (cmd.exe)

Why? Like PowerShell, the Command Prompt can be exploited to execute malicious commands.

Mitigation: Restrict its use to administrative users or specific processes.

3. wscript.exe and cscript.exe

Why? These processes execute Windows Script Host files (e.g., .vbs, .js), which are frequently used in malware campaigns.

Mitigation: If these scripting tools are not required in your environment, block or restrict their usage, or limit access to administrators only.

4. mshta.exe

Why? This process executes HTML Applications (.hta), which attackers frequently use to deliver malicious payloads.

Mitigation: Block or restrict its usage unless required by specific applications.

5. rundll32.exe

rundll32.exe is a legitimate Windows utility used to load and execute 32-bit Dynamic Link Library (DLL) files. It is a common process on Windows systems, but its flexibility makes it a favourite tool for attackers to misuse.

Why? Attackers use it to execute malicious DLLs.

Mitigation: Audit its usage and block unnecessary executions.



6. regsvr32.exe

Why? Used for registering DLLs, it can also be exploited to load malicious DLLs.

Mitigation: Block its use where not explicitly required.

7. taskmgr.exe

Why? Preventing non-privileged users from accessing Task Manager helps stop them from terminating security tools.

Mitigation: Restrict Task Manager to administrative users.

8. explorer.exe (in some cases)

Why? While critical for Windows functionality, it can be monitored or restricted in high-security environments to detect suspicious usage.

Mitigation: Monitor its behaviour for anomalies.

9. teams.exe / zoom.exe / slack.exe (communication apps)

Why? These apps can be blocked on critical servers or environments to prevent data leaks or unauthorized communication.

Mitigation: Restrict them to workstations only.

10. Unnecessary third-party processes, such as:

    • Browser toolbars or plugins.
    • Torrent clients (utorrent.exe, bittorrent.exe).
    • Remote access tools (e.g., teamviewer.exe, anydesk.exe).

Why? They are potential sources of malware and unauthorized access.

Mitigation: Remove or restrict them using Group Policy or application whitelisting.


Best Practices for Restriction

  1. Implement Application Whitelisting:
    • Allow only specific, trusted applications and scripts to run.
  2. Monitor Process Behavior:
    • Use Endpoint Detection and Response (EDR) tools to track these processes' activities.
    • Flag unexpected arguments, network activity, or execution from non-standard paths.
  3. Disable or Restrict Usage:
    • Disable processes like wscript.exe, powershell.exe, or regsvr32.exe if they are not required in your environment.
  4. Educate Users:
    • Train users not to execute unknown attachments or links from email.
  5. Use Least Privilege Principle:
    • Restrict administrative privileges to minimize the impact of exploited processes.
  6. Update and Patch Regularly.
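The "execution from a non-standard path" check from the introduction and the "flag execution from non-standard paths" practice above can be turned into a small triage routine. This is an added example, not code from the original post; the expected-directory list, the watched binaries (taken from the list above) and the sample events are all constructed here, and a real deployment would feed it process-creation telemetry from an EDR or Windows event log.

```python
from pathlib import PureWindowsPath

# Directories where the built-in tools listed above are expected to live.
# Constructed list; extend it for the Windows builds in your environment.
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}

# Built-in binaries the post recommends auditing or restricting.
WATCHED = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "taskmgr.exe"}

# Third-party tools the post says should not run on critical servers at all.
BLOCKED_ANYWHERE = {"utorrent.exe", "bittorrent.exe",
                    "teamviewer.exe", "anydesk.exe"}

def classify(image_path: str) -> str:
    """Return 'allow', 'audit' or 'alert' for one process image path."""
    p = PureWindowsPath(image_path)          # parses backslash paths on any OS
    name = p.name.lower()
    parent = str(p.parent).lower()
    if name in BLOCKED_ANYWHERE:
        return "alert"                       # unwanted third-party process
    if name not in WATCHED:
        return "allow"                       # not a binary this post covers
    if parent not in EXPECTED_DIRS:
        return "alert"                       # known name, unexpected location
    return "audit"                           # expected path; log and keep watching

def triage(events):
    """events: iterable of (timestamp, image_path). Returns every event that
    is not plain 'allow' as (timestamp, image_path, verdict) for review."""
    return [(ts, img, classify(img)) for ts, img in events
            if classify(img) != "allow"]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ("10:00:01", r"C:\Windows\System32\cmd.exe"),
    ("10:00:05", r"C:\Windows\System32\notepad.exe"),
    ("10:00:09", r"C:\Users\Public\mshta.exe"),
    ("10:00:20", r"C:\Program Files\AnyDesk\anydesk.exe"),
]

if __name__ == "__main__":
    for ts, image, verdict in triage(SAMPLE_EVENTS):
        print(ts, verdict.upper(), image)
```

Run as-is it reports cmd.exe as AUDIT (expected path) and flags the mshta.exe copy in C:\Users\Public and the AnyDesk binary as ALERT.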


