Many Windows binaries that attackers abuse to make unwanted outbound network connections (living-off-the-land binaries, as catalogued by LOLBAS) do not need network connectivity for their normal functionality. With the Windows firewall we can therefore create rules that block outbound connections from these binaries as an additional layer of protection.
Note: Depending on your environment, these firewall rules may cause issues. Test them before implementing.
These rules have been in place in my personal network without issue:
New-NetFirewallRule -DisplayName "regsvr32 block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\regsvr32.exe" -Action Block
New-NetFirewallRule -DisplayName "regsvr32 block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\regsvr32.exe" -Action Block
New-NetFirewallRule -DisplayName "mshta block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\mshta.exe" -Action Block
New-NetFirewallRule -DisplayName "mshta block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\mshta.exe" -Action Block
New-NetFirewallRule -DisplayName "bitsadmin block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\bitsadmin.exe" -Action Block
New-NetFirewallRule -DisplayName "bitsadmin block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\bitsadmin.exe" -Action Block
New-NetFirewallRule -DisplayName "certutil block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\certutil.exe" -Action Block
New-NetFirewallRule -DisplayName "certutil block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\certutil.exe" -Action Block
New-NetFirewallRule -DisplayName "Msbuild block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe" -Action Block
New-NetFirewallRule -DisplayName "Msbuild block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe" -Action Block
New-NetFirewallRule -DisplayName "Msbuild block 3" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" -Action Block
New-NetFirewallRule -DisplayName "Msbuild block 4" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe" -Action Block
New-NetFirewallRule -DisplayName "Msbuild block 5" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" -Action Block
New-NetFirewallRule -DisplayName "Msbuild block 6" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe" -Action Block
New-NetFirewallRule -DisplayName "hh block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\hh.exe" -Action Block
New-NetFirewallRule -DisplayName "hh block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\hh.exe" -Action Block
New-NetFirewallRule -DisplayName "makecab block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\makecab.exe" -Action Block
New-NetFirewallRule -DisplayName "makecab block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\makecab.exe" -Action Block
New-NetFirewallRule -DisplayName "ieexec block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe" -Action Block
New-NetFirewallRule -DisplayName "ieexec block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe" -Action Block
New-NetFirewallRule -DisplayName "Expand block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\Expand.exe" -Action Block
New-NetFirewallRule -DisplayName "Expand block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\Expand.exe" -Action Block
New-NetFirewallRule -DisplayName "extrac32 block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\extrac32.exe" -Action Block
New-NetFirewallRule -DisplayName "extrac32 block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\extrac32.exe" -Action Block
These rules are untested:
New-NetFirewallRule -DisplayName "replace block 1" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\System32\replace.exe" -Action Block
New-NetFirewallRule -DisplayName "replace block 2" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\SysWOW64\replace.exe" -Action Block
New-NetFirewallRule -DisplayName "printbrm block 2" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\System32\spool\tools\PrintBrm.exe" -Action Block
New-NetFirewallRule -DisplayName "imewdbld block 1" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\System32\IME\SHARED\IMEWDBLD.exe" -Action Block
New-NetFirewallRule -DisplayName "findstr block 1" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\System32\findstr.exe" -Action Block
New-NetFirewallRule -DisplayName "findstr block 2" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\SysWOW64\findstr.exe" -Action Block
New-NetFirewallRule -DisplayName "esentutl block 1" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\System32\esentutl.exe" -Action Block
New-NetFirewallRule -DisplayName "esentutl block 2" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\SysWOW64\esentutl.exe" -Action Block
New-NetFirewallRule -DisplayName "diantz block 1" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\System32\diantz.exe" -Action Block
New-NetFirewallRule -DisplayName "diantz block 2" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\SysWOW64\diantz.exe" -Action Block
New-NetFirewallRule -DisplayName "desktopimgdownldr block 1" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\System32\desktopimgdownldr.exe" -Action Block
Finally, some more aggressive rules:
New-NetFirewallRule -DisplayName "wscript block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\wscript.exe" -Action Block
New-NetFirewallRule -DisplayName "wscript block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\wscript.exe" -Action Block
New-NetFirewallRule -DisplayName "cscript block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\cscript.exe" -Action Block
New-NetFirewallRule -DisplayName "cscript block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\cscript.exe" -Action Block
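The lists above are one New-NetFirewallRule call per path. The script below is an added example (not part of the gist) that builds the same kind of rules from a table: it expands each System32 entry to its SysWOW64 sibling, skips binaries that are not present on the host, does not create a duplicate when a rule for that path already exists in the group, and finishes by listing every rule in the group together with the path it matches so the result can be verified. The group name and the binary table are assumptions chosen for the example; extend the table with the untested or more aggressive entries as your own testing allows.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original gist.
# Creates outbound block rules for living-off-the-land binaries from a table,
# idempotently, and prints a verification listing afterwards.

$Group = "LOLBAS Block"   # assumed group name, matches the gist's convention

# Paths relative to $env:SystemRoot. System32 entries are also tried under
# SysWOW64; .NET entries are listed per framework directory explicitly.
$Binaries = @(
    "System32\regsvr32.exe",
    "System32\mshta.exe",
    "System32\bitsadmin.exe",
    "System32\certutil.exe",
    "System32\hh.exe",
    "System32\makecab.exe",
    "System32\Expand.exe",
    "System32\extrac32.exe",
    "Microsoft.NET\Framework\v4.0.30319\Msbuild.exe",
    "Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe"
)

function Get-CandidatePaths {
    param([string]$Relative)
    $win   = $env:SystemRoot
    $paths = @(Join-Path $win $Relative)
    if ($Relative -like "System32\*") {
        $paths += Join-Path $win ($Relative -replace '^System32\\', 'SysWOW64\')
    }
    # Only keep binaries that exist here; a rule for a missing path is harmless
    # but clutters the rule set and hides typos in the table.
    $paths | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }
}

function Get-RuleProgram {
    param($Rule)
    # The stored program path may use %SystemRoot%; expand it before comparing.
    $p = ($Rule | Get-NetFirewallApplicationFilter).Program
    if ($p) { [Environment]::ExpandEnvironmentVariables($p) } else { $null }
}

function Add-OutboundBlock {
    param([string]$Program)
    $existing = Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
        Where-Object { (Get-RuleProgram $_) -ieq $Program }
    if ($existing) {
        Write-Host "exists  $Program"
        return
    }
    $exe  = [IO.Path]::GetFileNameWithoutExtension($Program)
    $name = "{0} block ({1})" -f $exe, (Split-Path $Program -Parent)
    New-NetFirewallRule -DisplayName $name -Group $Group -Direction Outbound `
        -Program $Program -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "created $Program"
}

foreach ($rel in $Binaries) {
    foreach ($path in Get-CandidatePaths $rel) {
        Add-OutboundBlock -Program $path
    }
}

# Verification: every rule in the group, whether it is enabled, and the
# program path the firewall will match against.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Action  = $_.Action
        Program = Get-RuleProgram $_
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; re-running is safe because existing rules are reported rather than recreated. If a rule turns out to break something, `Remove-NetFirewallRule -Group "LOLBAS Block"` removes the whole group in one step, which is the reason the gist assigns every rule to a group. Program rules match on the image path of the process, so they cover the binaries at the listed locations only; treat them as one layer alongside application control rather than a substitute for it.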
Note: I've had this gist on my personal GitHub account for a while and I don't remember where it may have originally come from. If they look familiar to you, I'd love to provide the proper credit.