This blog post is currently a WIP.

Introduction

As I was completing WithYouWithMe’s Cyber Analyst Course, I decided to do a quick write-up to summarise what I learnt.

Please reference the Australian Cyber Security Centre’s guide to hardening Windows 10 workstations as you follow through this blog post.

For the purposes of this exercise, I will be using Windows 10 Pro (due to the difficulty of finding a Windows 10 Enterprise ISO) on a VirtualBox instance. Please do not conduct any hardening exercises on your production environment.

As Murphy’s Law states, anything that has the possibility to go wrong, will go wrong.

Application Whitelisting

Application whitelisting aims to prevent unauthorised executables from running on a computer. There are multiple ways to whitelist applications; two examples include:

  • Checking hashes of potentially malicious files (DLLs, EXEs, etc.)
  • Approving certain file paths, with privileged access required to write to those file paths.
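As an added example (not code from the original post or from the ACSC guide), the PowerShell below audits both approaches: it hashes every EXE and DLL under a folder and compares each hash with an allow list, and it inspects the ACLs of the approved directories to confirm that only privileged principals can write there. The allow-list values are placeholders, C:\Tools is a constructed scan target, and the approved paths and privileged principals are assumptions you should adjust to your own policy.

```powershell
# Added example: read-only audit of hash-based and path-based whitelisting.
# Assumptions: $AllowedHashes holds placeholder values (replace with the
# SHA256 hashes of your approved binaries); C:\Tools is a constructed target.

# Constructed placeholders, not real hashes.
$AllowedHashes = @(
    'PLACEHOLDER-SHA256-OF-APPROVED-BINARY-1',
    'PLACEHOLDER-SHA256-OF-APPROVED-BINARY-2'
)

# Directories a path-based rule would approve (assumption: the usual
# Windows and Program Files locations, which standard users cannot write to).
$ApprovedPaths = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

# Principals that may legitimately hold write access on approved paths.
# CREATOR OWNER is an inheritance placeholder present on standard Windows folders.
$PrivilegedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

function Test-ExecutableHash {
    param([Parameter(Mandatory)][string]$Path)
    # Hash the file and report whether the hash is on the allow list.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path    = $Path
        SHA256  = $hash
        Allowed = ($AllowedHashes -contains $hash)
    }
}

function Get-UnprivilegedWriters {
    param([Parameter(Mandatory)][string]$Directory)
    # Return Allow ACEs that grant write-class rights to anyone outside
    # $PrivilegedPrincipals; an empty result means the path is safe to approve.
    # Read and Synchronize bits are deliberately excluded from the mask.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Directory).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band ([int]$writeMask)) -ne 0 -and
        $PrivilegedPrincipals -notcontains $_.IdentityReference.Value
    }
}

# Usage: list executables in the constructed scan target that are not on the allow list.
Get-ChildItem -Path 'C:\Tools' -Include *.exe, *.dll -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-ExecutableHash -Path $_.FullName } |
    Where-Object { -not $_.Allowed } |
    Format-Table -AutoSize

# Usage: confirm that only privileged principals can write to the approved paths.
foreach ($dir in $ApprovedPaths) {
    $writers = Get-UnprivilegedWriters -Directory $dir
    if ($writers) {
        Write-Warning "$dir is writable by unprivileged principals:"
        $writers | Select-Object IdentityReference, FileSystemRights | Format-Table -AutoSize
    } else {
        Write-Output "$dir : only privileged principals can write here."
    }
}
```

The ACL check is what makes path-based approval meaningful: a path rule is only as strong as the write restrictions on that path, so any unprivileged write ACE reported here should be removed before the path is added to a whitelist.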

Attack Surface Reduction (ASR)

ASR is an advanced feature of Windows Defender; the following information can be skipped if you are using a third-party endpoint protection system. Commercial endpoint protection systems have similar features, though you will need to refer to their documentation.

Using the Group Policy Editor snap-in in the Microsoft Management Centre (MMC), navigate to “Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction”. Double-click “Configure Attack Surface Reduction rules” and change the rule from “Not configured” to “disabled”. On the left side panel click “Show…” and add the following as necessary.

Rule name and corresponding GUID:

  • Block executable content from email client and webmail: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
  • Block all Office applications from creating child processes: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
  • Block Office applications from creating executable content: 3B576869-A4EC-4529-8536-B80A7769E899
  • Block Office applications from injecting code into other processes: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
  • Block JavaScript or VBScript from launching downloaded executable content: D3E037E1-3EB8-44C8-A917-57927947596D
  • Block execution of potentially obfuscated scripts: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
  • Block Win32 API calls from Office macro: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria: 01443614-cd74-433a-b99e-2ecdc07bfc25
  • Use advanced protection against ransomware: c1db55ab-c21a-4637-bb3f-a12568109d35
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe): 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
  • Block process creations originating from PSExec and WMI commands: d1e49aac-8f56-4280-b9ba-993a6d77406c
  • Block untrusted and unsigned processes that run from USB: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
  • Block Office communication applications from creating child processes: 26190899-1602-49e8-8b27-eb1d0a1ce869
  • Block Adobe Reader from creating child processes: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

Please refer to Microsoft’s documentation on ASR for limitations and uses of ASR rules.
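The same rules can be applied without Group Policy, using the Defender PowerShell cmdlets. The script below is an added example (not code from the original post or from Microsoft); it configures the GUIDs listed above in audit mode first, so that a rule firing is only logged rather than enforced, reports the resulting state of each rule, and pulls the audit events Defender writes so you can see what a rule would have blocked before switching it to Enabled. It assumes an elevated PowerShell session on a test machine with Windows Defender Antivirus active.

```powershell
# Added example: configure and review the ASR rules from the list above.
# Assumption: run from an elevated PowerShell session on a test VM.

# Rule GUIDs and names as listed in this post.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macro'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet prevalence, age, or trusted list criteria'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication applications from creating child processes'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
}

function Set-AsrRules {
    param(
        [Parameter(Mandatory)][hashtable]$Rules,
        [ValidateSet('Enabled', 'AuditMode', 'Disabled')][string]$Action = 'AuditMode'
    )
    # Add-MpPreference adds the rule id, or updates its action if already present.
    foreach ($id in $Rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-AsrRuleState {
    param([Parameter(Mandatory)][hashtable]$Rules)
    # Get-MpPreference exposes two parallel arrays: rule ids and numeric actions
    # (0 = Disabled, 1 = Enabled, 2 = AuditMode, 6 = Warn).
    $pref = Get-MpPreference
    $configured = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $configured[$pref.AttackSurfaceReductionRules_Ids[$i].ToLower()] = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($id in $Rules.Keys) {
        $code = $configured[$id.ToLower()]
        $state = if ($null -eq $code) { 'Not configured' } else {
            switch ([int]$code) {
                0 { 'Disabled' }
                1 { 'Enabled' }
                2 { 'AuditMode' }
                6 { 'Warn' }
                default { "Unknown ($code)" }
            }
        }
        [pscustomobject]@{ Rule = $Rules[$id]; Id = $id; State = $state }
    }
}

function Get-AsrEvents {
    param([int]$Hours = 24)
    # Defender logs ASR activity to its Operational log:
    # event 1122 = rule matched in audit mode, 1121 = rule blocked the action.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: stage the rules in audit mode, then review state and recent events.
Set-AsrRules -Rules $AsrRules -Action AuditMode
Get-AsrRuleState -Rules $AsrRules | Sort-Object Rule | Format-Table -AutoSize
Get-AsrEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

Audit mode is the practical way to find the limitations the Microsoft documentation warns about: run the workstation normally for a while, review the 1122 events for legitimate software that a rule would have blocked, and only then rerun Set-AsrRules with -Action Enabled for the rules that produced no false positives.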

