Reducing the Windows 10 attack surface
Digging In
Restricting Software Execution
As an administrator, you know the benefits of remote execution with tools like PsExec or Windows Management Instrumentation (WMI). Because malware authors use the same techniques regularly, you can restrict remote execution with the ASR rule D1E49AAC-8F56-4280-B9BA-993A6D77406C. The same applies to programs launched from external storage media such as a USB stick: the rule with GUID B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 restricts the execution rights of programs or scripts stored on external devices.
To prevent the permanent installation of malware with WMI event notifications – that is, trigger functions configured to fire on specific events – use rule E6DB77E5-3DF2-4CF1-B95A-636979351E5B. However, this rule is currently only available if you use Group Policy or PowerShell, because the graphical tools do not yet expose it by name and therefore offer no access to its configuration. Officially, it is therefore listed as unsupported in the Microsoft documentation.
Adobe Reader is the only non-Microsoft program whose functionality you can restrict in this way, with rule 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C. Particularly in targeted social engineering attacks by email, but also in classic spam, the malware is often hidden in PDF files that reach users inside compressed archives and thus get past the central firewall. It may therefore well make sense for you to restrict Adobe Reader's ability to launch child processes.
If entering the GUIDs for calling the cmdlet is too complicated, you will find useful open source tools on GitHub that help you select and enable rules [4]. You can download and execute the executable file or the PowerShell script from the repository if you have not already prevented the execution of downloaded content with ASR.
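The following PowerShell script is an added example, not code from the article or from the tool in [4]. It configures the four rules named above with the Microsoft Defender cmdlets Add-MpPreference and Get-MpPreference, using the GUIDs quoted in the text; the descriptive labels in the hashtable and the choice to start in audit mode are the example's own assumptions. The script must run in an elevated session on a system where Microsoft Defender Antivirus is the active antivirus engine.

```powershell
# Added example: enable the ASR rules discussed in the article via PowerShell.
# The GUIDs come from the article; the labels are our own (assumption).
$rules = @{
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Process creation via PsExec/WMI'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Untrusted programs from USB media'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'WMI event subscription persistence'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Adobe Reader child processes'
}

# Start with AuditMode; change this to 'Enabled' only after the audit
# events have been reviewed (see the section "Practice Without Risk").
$action = 'AuditMode'

foreach ($id in $rules.Keys) {
    # Add-MpPreference appends to the existing rule list instead of replacing it,
    # so rules configured by other means are kept.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $action
    Write-Host ("{0,-36} {1,-40} -> {2}" -f $id, $rules[$id], $action)
}

# Verify the result. Get-MpPreference returns the IDs and the actions as two
# parallel arrays; the action is numeric: 0 = Disabled, 1 = Enabled (block),
# 2 = AuditMode, 6 = Warn.
$actionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $ruleId = $pref.AttackSurfaceReductionRules_Ids[$i]
    [pscustomobject]@{
        RuleId      = $ruleId
        Description = if ($rules.ContainsKey($ruleId)) { $rules[$ruleId] } else { '(not in this list)' }
        Action      = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    }
} | Format-Table -AutoSize
```

Because the rule actions are stored as a list parallel to the rule IDs, the verification loop prints both columns side by side; a rule that shows up with action 0 after the script has run was overridden by a policy source with higher precedence, such as Group Policy or your device management, which is exactly the case the article mentions for the WMI persistence rule.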
Practice Without Risk
To check the effectiveness of the available ASR rules, you should visit the web page with examples [2] provided by Microsoft, as mentioned earlier. As a registered user, you can download a test file for each ASR rule that you should not be able to open or start on your system with the ASR ruleset in place. In this way, you will also get to know the entries in the Event Viewer and the warnings output by Microsoft Defender.
For use on production systems, you should first configure all rules in audit mode. You can then quickly determine which of your employees' activities conflict with the selected ASR rules, customize the rulesets for distribution with your device management, and distribute the rulesets to the systems that need them.
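To make the audit phase concrete, here is an added example (not code from the article) that reads the ASR events from the Microsoft Defender operational log and counts, per rule, how often each rule would have blocked something. It relies on the log name and on the two event IDs that Defender writes for ASR hits, 1122 for a rule firing in audit mode and 1121 for a rule firing in block mode; the way the rule GUID and the process name are pulled out of the event message with regular expressions is an assumption about the message layout and may need adjusting for your Windows build.

```powershell
# Added example: summarize ASR audit and block events from the Defender log.
$logName = 'Microsoft-Windows-Windows Defender/Operational'
$ruleNames = @{   # GUIDs from the article; labels are our own (assumption)
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Process creation via PsExec/WMI'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Untrusted programs from USB media'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'WMI event subscription persistence'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Adobe Reader child processes'
}
$guidPattern = '[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}'

# 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1121, 1122 } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Assumption: the rule GUID and a "Process Name:" line appear in the message text.
    $ruleId = if ($e.Message -match $guidPattern) { $Matches[0].ToUpper() } else { 'unknown' }
    $proc   = if ($e.Message -match '(?m)^\s*Process Name:\s*(.+?)\s*$') { $Matches[1] } else { '?' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 1122) { 'Audit' } else { 'Block' }
        RuleId  = $ruleId
        Rule    = if ($ruleNames.ContainsKey($ruleId)) { $ruleNames[$ruleId] } else { $ruleId }
        Process = $proc
    }
}

# One line per rule and mode, with the most frequent offending processes,
# which is the list you discuss with the affected teams before switching
# a rule from AuditMode to Enabled.
$hits | Group-Object Rule, Mode | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Count     = $_.Count
        Rule      = $_.Group[0].Rule
        Mode      = $_.Group[0].Mode
        Processes = ($_.Group | Group-Object Process | Sort-Object Count -Descending |
                     Select-Object -First 3 | ForEach-Object { "$($_.Name) ($($_.Count))" }) -join ', '
    }
} | Format-Table -AutoSize
```

Run the script after the audit period has covered a full business cycle (month-end jobs, software rollouts, backup runs), because a rule that looks harmless in one week can collide with a scheduled task in the next; a rule with zero audit hits is a safe candidate for Enabled, while a rule with many hits from one legitimate program is the case for an exclusion or a changed rollout.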
Conclusions
Over the past few years, Microsoft has repeatedly developed new malware protection approaches, and not all of them have been successful at the end of the day. You will also want to keep an eye on the attack surface of the entire corporate network beyond your Windows systems. The attack surface reduction of Windows Defender Exploit Guard investigated here covers only a small area of the potential points of attack, although the methods it addresses are very commonly used by attackers. Even so, ASR offers an easy way to get started and, once deployed, takes meaningful steps toward protecting your entire IT infrastructure.
Infos
[1] Xiao, K., D. Forte, Y. Jin, R. Karri, S. Bhunia, and M. Tehranipoor. "Hardware Trojans: Lessons Learned after One Decade of Research." ACM Transactions on Design Automation of Electronic Systems 22, no. 1 (2016). http://jin.ece.ufl.edu/papers/TODAES16.pdf
[2] Microsoft demo website: https://demo.wd.microsoft.com
[3] Mimikatz: https://github.com/gentilkiwi/mimikatz/
[4] Rule selection and activation tool: https://github.com/hemaurer/MDATP_PoSh_Scripts