This blog post is currently a WIP.
As I was completing WithYouWithMe’s Cyber Analyst Course, I decided to do a quick write-up to summarise what I learnt.
Please reference the Australian Cyber Security Centre’s guide to hardening Windows 10 workstations as you follow through this blog post.
For the purposes of this exercise, I will be using Windows 10 Pro (due to difficulty of finding a Windows 10 Enterprise ISO) on a VirtualBox instance. Please do not conduct any hardening exercises on your production environment.
As Murphy’s Law states, anything that can go wrong will go wrong.
Application whitelisting aims to prevent unauthorised executables from running on a computer. There are multiple ways to whitelist applications; two examples include:
- Checking the hashes of executable files (DLLs, EXEs, etc.) against a list of approved hashes
- Approving certain file paths, with privileged access required to write to those paths
Attack Surface Reduction (ASR)
ASR is an advanced feature of Windows Defender, and the following information can be skipped if you are using a third-party endpoint protection system. Commercial endpoint protection systems have similar features, though you will need to refer to their documentation.
Using the Group Policy Editor snap-in in the Microsoft Management Centre (MMC), navigate to “Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction”. Double-click “Configure Attack Surface Reduction rules” and change the rule from “Not configured” to “disabled”. On the left side panel click “Show…” and add the following as necessary.
| ASR rule | Rule GUID |
|---|---|
| Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 |
| Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A |
| Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 |
| Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 |
| Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC |
| Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B |
| Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 |
| Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 |
| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 |
| Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c |
| Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 |
| Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 |
| Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c |
Please refer to Microsoft’s documentation on ASR for limitations and uses of ASR rules.