Under an active attack? Please email soc@templarsec.us for immediate assistance.
Many modern cyberattacks are staged: the adversary first lands a small piece of code (a stager or dropper) on your system, then uses it to download the main, more capable malware from a remote server. This second phase, often called a "second-stage payload," is where the most sophisticated and damaging components usually arrive.
A common tactic is to "live off the land" by abusing legitimate Windows tools that are already present on the machine. Because these binaries are signed by Microsoft and trusted by most antivirus and application allow-listing policies, their activity blends in with normal administration. However, they can only deliver a second-stage payload if they can reach the internet. Blocking their outbound connections at the endpoint firewall removes that capability and breaks this stage of the attack chain, at least for payloads fetched through these particular tools.
Here is a breakdown of why these specific executables are a threat and how you can use an endpoint firewall to neutralize them.
powershell.exe: PowerShell is a powerful automation and scripting tool for Windows. Threat actors favor it because they can execute commands and scripts directly in memory without writing files to disk, which makes their activity much harder to detect. A typical "download cradle" (for example Invoke-WebRequest or System.Net.WebClient) pulls a malicious script from the internet and runs it in the same process.
mshta.exe: The Microsoft HTML Application Host runs HTML Applications (.hta files). Attackers abuse it to execute embedded JavaScript or VBScript, often by tricking a user into opening a seemingly harmless file or by pointing it directly at a remote URL. That script then downloads further malware from a remote server.
cscript.exe and wscript.exe: These are the two Windows Script Host executables for VBScript and JScript (cscript.exe is console-based, wscript.exe is windowed). While they have legitimate uses for system administration and automation, attackers frequently use them to run malicious scripts from a file or from the command line. With internet access, those scripts can download a second-stage payload.
You can significantly reduce your attack surface with a small set of outbound firewall rules that prevent the executables above from initiating connections. This does not stop them from running locally, and it does not cover every downloader an attacker might use, but it does prevent the critical "phone home" step for the most commonly abused script hosts.
Here is a conceptual guide on how you would configure this on a Windows Defender Firewall. (Note: These steps are descriptive and should be implemented by an IT professional.)
Open Windows Defender Firewall: Navigate to the "Windows Defender Firewall with Advanced Security" console.
Create a New Outbound Rule: In the left-hand pane, right-click on "Outbound Rules" and select "New Rule."
Select Program Rule: Choose "Program" as the rule type. This allows you to apply the rule to a specific application or executable.
Specify the Executable: Browse to the location of the executable you want to block. Create a separate rule for each executable, and on 64-bit Windows also for the 32-bit copy under %SystemRoot%\SysWOW64, since a program rule matches only the exact path it names.
For powershell.exe, the path is typically %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe (and %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe for the 32-bit copy).
For mshta.exe, the path is typically %SystemRoot%\System32\mshta.exe.
For cscript.exe and wscript.exe, the paths are typically %SystemRoot%\System32\cscript.exe and %SystemRoot%\System32\wscript.exe.
Block the Connection: When prompted for the action, choose "Block the connection."
Apply to All Profiles: Apply the rule to all three network profiles: Domain, Private, and Public.
Name and Finalize: Give the rule a descriptive name, such as "Block Outbound Internet Access for PowerShell."
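The same procedure, scripted so it can be applied consistently across endpoints. This is an added PowerShell example, not code from the original page; it uses the built-in NetSecurity cmdlets (New-NetFirewallRule, Set-NetFirewallProfile, Get-NetFirewallApplicationFilter). The rule-name prefix "LOLBin Block", the choice to also cover the 32-bit SysWOW64 copies, and the final connectivity check are assumptions of this example. Run it from an elevated Windows PowerShell session.

```powershell
# Added example: block outbound connections from the script hosts discussed above
# using Windows Defender Firewall. Run from an elevated Windows PowerShell session.
# Assumptions (not from the original page): rule names start with "LOLBin Block",
# and the 32-bit copies under SysWOW64 are blocked alongside the 64-bit ones.

$scriptHosts = @(
    'System32\WindowsPowerShell\v1.0\powershell.exe',
    'SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    'System32\mshta.exe',
    'SysWOW64\mshta.exe',
    'System32\cscript.exe',
    'SysWOW64\cscript.exe',
    'System32\wscript.exe',
    'SysWOW64\wscript.exe'
)

foreach ($relative in $scriptHosts) {
    $path = Join-Path $env:SystemRoot $relative
    # 32-bit Windows has no SysWOW64 directory; skip paths that do not exist
    if (-not (Test-Path $path)) { continue }

    $name = "LOLBin Block - Outbound - $relative"
    # Idempotent: do not create a duplicate if the rule already exists
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }

    # Program rule, outbound, block, all three profiles (Domain, Private, Public)
    New-NetFirewallRule -DisplayName $name `
        -Description 'Prevents second-stage payload download via a script host' `
        -Direction Outbound -Action Block -Enabled True `
        -Profile Any -Program $path | Out-Null
}

# Log dropped connections so blocked attempts show up in the firewall log
# (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log by default)
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True

# Verify: list each rule with the program path it is bound to
Get-NetFirewallRule -DisplayName 'LOLBin Block*' | ForEach-Object {
    $program = ($_ | Get-NetFirewallApplicationFilter).Program
    '{0,-6} {1,-8} {2}' -f $_.Action, $_.Enabled, $program
}

# Check from this powershell.exe process: the request should now fail
try {
    Invoke-WebRequest -Uri 'https://www.microsoft.com' -UseBasicParsing -TimeoutSec 5 | Out-Null
    'Outbound request succeeded - the rule is not effective for this process'
} catch {
    'Outbound request blocked: ' + $_.Exception.Message
}
```

The final check only proves something when run from powershell.exe itself; PowerShell 7 (pwsh.exe) installs to a separate directory and is not covered by these rules, so add it if it is deployed in your environment. Before rolling out broadly, confirm that no administrative scripts rely on these hosts for network access (for example Install-Module from the PowerShell Gallery runs inside powershell.exe and will be blocked too); where such a need exists, scope a narrower allow rule rather than dropping the block.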
By implementing these rules, you create a low-cost security control that directly addresses a major attack vector. It will not prevent all attacks: other built-in downloaders such as certutil.exe, bitsadmin.exe and curl.exe are unaffected, as is a payload the stager carries with it, so these rules belong alongside application control and endpoint detection rather than in place of them. But it does break the kill chain for a large share of second-stage malware delivery and makes your endpoints significantly more resilient.