You can create a GPO to test changing the default behavior of the following extensions so that they no longer run as a script but instead open as a benign text file in Notepad.
js
wsh
vbs
wsc
sct
jse
wsf
shs
shb
hta
vbe
cmd
bat
cab
appx
# Others worth considering if normal users do not need them.
## chm (Windows help files)
## iso
## ps1
The steps to do so in the Group Policy Management Console are as follows.
1. Switch to the GPO editing mode. In the GPO editor, go to the section
User Configuration -> Preferences -> Control Panel Settings -> Folder Options.
2. Create a new item: New -> Open With.
3. Fill in the fields as follows (one item per extension from the list above):
Action: Update
File Extension: doc
Associated Program: %windir%\system32\notepad.exe (or whichever is appropriate)
Set as default: check the option
4. The finished product should look similar to https://i.ibb.co/pLDnh6p/7f77df907a53309ca5d30387989ff143-ransomware-GPO.png.
It is important to test and roll this out slowly so as not to impact your production environment.
Side note: If you need to allow certain scripts to execute in your environment, I would suggest monitoring them for connections to non-RFC1918 (public) addresses and/or baselining their behavior accordingly.
But wait, there is more BONUS material: leverage Attack Surface Reduction (ASR) rules to block some of these extensions in web/mail clients; see https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-content-from-email-client-and-webmail for more.
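As an added example (not part of the gist), a read-only PowerShell audit that reports what the current user's shell will actually run for each extension in the list above, so the GPO can be verified, or a failed revert diagnosed, without double-clicking anything. It assumes the per-user choice lives under Explorer\FileExts\<ext>\UserChoice with the HKCR ProgId as the fallback, and the list of script-host binaries is my assumption, not something from the page.

```powershell
# Extensions from the gist; script hosts are an assumed list of the usual Windows binaries
$Extensions  = 'js','wsh','vbs','wsc','sct','jse','wsf','shs','shb','hta','vbe','cmd','bat','cab','appx'
$ScriptHosts = 'wscript.exe','cscript.exe','mshta.exe','cmd.exe','rundll32.exe','powershell.exe'

function Get-EffectiveOpenCommand {
    param([Parameter(Mandatory)][string]$Extension)
    $dot = ".$($Extension.TrimStart('.'))"
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$dot\UserChoice"

    # 1. An explicit per-user choice wins over the class registration
    $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
    # 2. Otherwise use the ProgId registered for the extension (what `assoc` prints);
    #    HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes
    if (-not $progId) {
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$dot" -ErrorAction SilentlyContinue).'(default)'
    }
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }

    # Classify the result. Note the edge case for .bat/.cmd: their default open command is
    # "%1" %*, i.e. the shell runs the file itself, so no host binary appears in the string.
    $hostPattern = ($ScriptHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $status = if (-not $progId)                      { 'NotRegistered' }   # nothing to neutralise
              elseif ($command -match 'notepad\.exe') { 'Neutralised' }     # what the GPO intends
              elseif ($command -match $hostPattern)   { 'Executes' }        # still handed to a script host
              elseif ($command -match '^\s*"?%1')     { 'Executes' }        # shell launches the file directly
              else                                    { 'Review' }          # unknown handler, inspect manually

    [pscustomobject]@{ Extension = $dot; ProgId = $progId; Command = $command; Status = $status }
}

# Run as the user whose policy you are testing, before and after gpupdate /force
$Extensions | ForEach-Object { Get-EffectiveOpenCommand -Extension $_ } |
    Sort-Object Status, Extension | Format-Table -AutoSize
```

Any row other than Neutralised or NotRegistered after the GPO applies means the Open With item did not take effect for that extension (check RSOP for the Folder Options preference item).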
How would you revert back to the original Open With if you ran into an issue?
Remove the appropriate values or the GPO altogether and run gpupdate /force
@TDoug68
I tried that and still cannot seem to get .cmd files back to normal, and I appear to not be able to associate them to CMD.EXE as well. Even did the Default Apps reset on Windows 11 and that did not work as well.
Have also modified the registry
HKEY_CLASSES_ROOT\.cmd (Default) = cmdfile
HKEY_CLASSES_ROOT\cmdfile\shell\open\command (Default) = "%SystemRoot%\System32\cmd.exe" "%1"
What event IDs do you see in event logs when doing this? 1704? How about RSOP? What does that look like?
No events or ID, only thing happening is when I double click the CMD file I get an error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I have admin rights so that is not it. Also does not matter where the file is on the computer, same error. Another thing it is not launching when right clicking and running as administrator. It is acting like it is not really associated with cmd.exe
You should have event IDs indicating whether the GPO is applied/removed/failing_to_apply/etc. What about RSOP?
What is the assigned file w/ the extension, how to check link?