Purpose: To protect against attacks that use non-standard script processors. For example, this can prevent an attacker from copying python.exe to a new location and using it to execute arbitrary scripts.

Description: Improves the security of computers by ensuring that script processors only run from expected locations.

Enabled by Default: No
Platform: Windows
Minimum Agent Version Required: 8.0.0

The Edit Rapid Config page for the Script Processors Rapid Config

Rapid Config Settings

As with most rapid configs, you can:

  • Enable or disable the rapid config.

  • Specify what policies the rapid config applies to.

In addition, you can choose to Do Nothing, Report, or Block the specific items or behaviors.

Note: RECOMMENDATION: We recommend setting each section to Report before setting it to Block. Use the resulting events to confirm that legitimate behavior will not be impacted.

For each of the following sections, specify what action you require.

Command Processor

Use this group to report or block command processors run from non-default locations.

The command processor settings for the Script Processors Rapid Config

*Report Or Block Execution Of Command Processors From Non-Default Locations:
Should execution of command processors from non-default locations be reported or blocked? You should validate that legitimate executions are not blocked before enabling blocking.
Allowed Command Processors:
Execution of command processors specified here will not be blocked (if approved). You can add or remove items from this list. By default, the list includes:
  • <System>\cmd.exe
  • <SystemX86>\cmd.exe
  • <Windows>\winsxs*cmd.exe

Powershell

Use this group to report or block powershell run from non-default locations.

The powershell settings for the Script Processors Rapid Config

*Report Or Block Execution Of Powershell From Non-Default Locations:
Should execution of powershell from non-default locations be reported or blocked? You should validate that legitimate executions are not blocked before enabling blocking.
Allowed Powershell Instances:
Execution of these instances of powershell will not be blocked (if approved). You can add or remove items from this list. By default, the list includes:
  • <System>\WindowsPowershell\v*\powershell.exe
  • <SystemX86>\WindowsPowershell\v*\powershell.exe

Registry processors

Use this group to report or block registry processors run from non-default locations.

The registry processor settings for the Script Processors Rapid Config

*Report Or Block Execution Of Registry Script Processors From Non-Default Locations:
Should execution of registry script processors from non-default locations be reported or blocked? You should validate that legitimate executions are not blocked before enabling blocking.
Allowed Registry Script Processors:
Execution of these instances of registry script processors will not be blocked (if approved). You can add or remove items from this list. By default, the list includes:
  • <System>\reg.exe
  • <SystemX86>\reg.exe
  • <Windows>\winsxs*reg.exe
  • <System>\regedt32.exe
  • <SystemX86>\regedt32.exe
  • <Windows>\winsxs*regedt32.exe
  • <windows>\regedit.exe
  • <System>\regedit.exe
  • <SystemX86>\regedit.exe
  • <Windows>\winsxs*regedit.exe

VB Script processors

Use this group to report or block VB Script processors run from non-default locations.

The VB script processor settings for the Script Processors Rapid Config

*Report Or Block Execution Of VB Script Processors From Non-Default Locations:
Should execution of VB Script processors from non-default locations be reported or blocked? You should validate that legitimate executions are not blocked before enabling blocking.
Allowed VB Script Processors:
Execution of these instances of VB Script processors will not be blocked (if approved). You can add or remove items from this list. By default, the list includes:
  • <System>\cscript.exe
  • <SystemX86>\cscript.exe
  • <Windows>\winsxs*cscript.exe
  • <System>\wscript.exe
  • <SystemX86>\wscript.exe
  • <Windows>\winsxs*wscript.exe

Java Script processors

Use this group to report or block Java Script processors run from unexpected locations.

The Java script processor settings for the Script Processors Rapid Config

*Report Or Block Execution Of Java Script Processors From Unexpected Locations:
Should execution of Java Script processors from unexpected locations be reported or blocked? You should validate that legitimate executions are not blocked before enabling blocking.
Allowed Java Script Processors:
Execution of these instances of Java Script processors will not be blocked (if approved). You can add or remove items from this list. By default, the list includes:
  • *\java.exe
  • *\javaw.exe

Perl Script processors

Use this group to report or block Perl Script processors run from unexpected locations.

The Perl script processor settings for the Script Processors Rapid Config

*Report Or Block Execution Of Perl Script Processors From Unexpected Locations:
Should execution of Perl Script processors from unexpected locations be reported or blocked? You should validate that legitimate executions are not blocked before enabling blocking.
Allowed Perl Script Processors:
Execution of these instances of Perl Script processors will not be blocked (if approved). You can add or remove items from this list. By default, the list includes:
  • *\perl.exe

Python Script processors

Use this group to report or block Python Script processors run from unexpected locations.

The Python script processor settings for the Script Processors Rapid Config

*Report Or Block Execution Of Python Script Processors From Unexpected Locations:
Should execution of Python Script processors from unexpected locations be reported or blocked? You should validate that legitimate executions are not blocked before enabling blocking.
Allowed Python Script Processors:
Execution of these instances of Python Script processors will not be blocked (if approved). You can add or remove items from this list. By default, the list includes:
  • *\python.exe
  • *\pythonw.exe

HTML application processors

Use this group to report or block HTML application processors run from unexpected locations.

The HTML application processor settings for the Script Processors Rapid Config

*Report Or Block Execution Of HTML Application Processors From Unexpected Locations:
Should execution of HTML Application processors from unexpected locations be reported or blocked? You should validate that legitimate executions are not blocked before enabling blocking.
Allowed HTML Application Processors:
Execution of these instances of HTML Application processors will not be blocked (if approved). You can add or remove items from this list. By default, the list includes:
  • <System>\cmd.exe
  • <SystemX86>\cmd.exe
  • <Windows>\winsxs*cmd.exe
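The sections above all apply the same mechanism: a script processor is identified, its image path is compared against a per-section allow list of path patterns, and anything that does not match is handled with the section's Do Nothing / Report / Block action. The following Python script is an added example, not code from the rapid config or its vendor; it models that evaluation over a few constructed process-start events so you can see which paths the default lists accept and what a Report-first rollout would surface. The macro expansions (`<System>`, `<SystemX86>`, `<Windows>`), the rule that `*` may span directory separators (needed for the `winsxs*` entries), case-insensitive matching, and the idea that the section is chosen by file identity rather than the current file name (so a renamed copy of python.exe still falls under the Python section) are all assumptions of this example.

```python
"""Model of the Script Processors rapid config allow lists (added example, not vendor code)."""
import re

# Assumed expansions for the path macros used in the allow lists.
MACROS = {
    "<System>": r"C:\Windows\System32",
    "<SystemX86>": r"C:\Windows\SysWOW64",
    "<Windows>": r"C:\Windows",
}

# Default allow lists as given on the page, keyed by rapid config section.
DEFAULT_ALLOWED = {
    "Command Processor": [
        r"<System>\cmd.exe", r"<SystemX86>\cmd.exe", r"<Windows>\winsxs*cmd.exe",
    ],
    "Powershell": [
        r"<System>\WindowsPowershell\v*\powershell.exe",
        r"<SystemX86>\WindowsPowershell\v*\powershell.exe",
    ],
    "Registry processors": [
        r"<System>\reg.exe", r"<SystemX86>\reg.exe", r"<Windows>\winsxs*reg.exe",
        r"<System>\regedt32.exe", r"<SystemX86>\regedt32.exe", r"<Windows>\winsxs*regedt32.exe",
        r"<Windows>\regedit.exe", r"<System>\regedit.exe", r"<SystemX86>\regedit.exe",
        r"<Windows>\winsxs*regedit.exe",
    ],
    "VB Script processors": [
        r"<System>\cscript.exe", r"<SystemX86>\cscript.exe", r"<Windows>\winsxs*cscript.exe",
        r"<System>\wscript.exe", r"<SystemX86>\wscript.exe", r"<Windows>\winsxs*wscript.exe",
    ],
    "Java Script processors": [r"*\java.exe", r"*\javaw.exe"],
    "Perl Script processors": [r"*\perl.exe"],
    "Python Script processors": [r"*\python.exe", r"*\pythonw.exe"],
}

# Outcome of a non-matching execution for each section action.
OUTCOMES = {"Do Nothing": "ignored", "Report": "reported", "Block": "blocked"}


def pattern_to_regex(pattern):
    """Expand macros, then turn '*' into a wildcard that may span directories.
    Windows paths are case-insensitive, so the regex is too. (Assumed semantics.)"""
    for macro, value in MACROS.items():
        # lambda avoids backslash processing in the replacement string
        pattern = re.sub(re.escape(macro), lambda _m: value, pattern, flags=re.IGNORECASE)
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def is_allowed(path, section, allowed=DEFAULT_ALLOWED):
    """True if the image path matches any allow-list entry of its section."""
    return any(pattern_to_regex(p).match(path) for p in allowed[section])


def evaluate(event, actions, allowed=DEFAULT_ALLOWED):
    """event: {'path': image path, 'section': section the file was identified as}.
    actions: section -> 'Do Nothing' | 'Report' | 'Block' (missing = Do Nothing)."""
    if is_allowed(event["path"], event["section"], allowed):
        return "allowed"
    return OUTCOMES[actions.get(event["section"], "Do Nothing")]


def summarize(events, actions, allowed=DEFAULT_ALLOWED):
    """Group image paths by section and outcome; this is the review you would do
    on Report-mode events before switching a section to Block."""
    summary = {}
    for ev in events:
        by_outcome = summary.setdefault(ev["section"], {})
        by_outcome.setdefault(evaluate(ev, actions, allowed), []).append(ev["path"])
    return summary


# Constructed process-start events; the WinSxS directory name is a placeholder.
SAMPLE_EVENTS = [
    {"path": r"C:\Windows\System32\cmd.exe", "section": "Command Processor"},
    {"path": r"C:\Windows\WinSxS\amd64_cmd_constructed\cmd.exe", "section": "Command Processor"},
    {"path": r"C:\Users\Public\cmd.exe", "section": "Command Processor"},
    {"path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "section": "Powershell"},
    {"path": r"C:\Temp\ps.exe", "section": "Powershell"},
    {"path": r"C:\Python311\python.exe", "section": "Python Script processors"},
    {"path": r"C:\Users\Public\p.exe", "section": "Python Script processors"},  # renamed copy
    {"path": r"D:\tools\wscript.exe", "section": "VB Script processors"},
]

# Report-first rollout: only the Python section has been moved to Block.
SAMPLE_ACTIONS = {
    "Command Processor": "Report",
    "Powershell": "Report",
    "Python Script processors": "Block",
}

if __name__ == "__main__":
    for section, outcomes in summarize(SAMPLE_EVENTS, SAMPLE_ACTIONS).items():
        for outcome, paths in outcomes.items():
            print(f"{section}: {outcome}: {paths}")
```

Running the script shows the two stock cmd.exe locations and the v1.0 PowerShell path passing the default lists, the copies under C:\Users\Public and C:\Temp being reported, the renamed python.exe being blocked because its section is set to Block, and the out-of-place wscript.exe being ignored because its section has no action configured. Note that the `*\python.exe` style entries accept any directory, so what those sections catch is a processor whose file name was changed, not one merely moved; if you want location enforcement for them, narrow the entries in the Allowed list.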