Implementing and validating MITRE D3FEND Countermeasures using Wazuh EDR. Part I: HARDEN — PLATFORM HARDENING

SOCFortress
Feb 4, 2022

D3FEND TACTIC: Harden.

Definition

The “harden” tactic is used to increase the opportunity cost of computer network exploitation. Hardening differs from Detection in that it generally is conducted before a system is online and operational.

Technique: Platform Hardening

Hardening components of a Platform with the intention of making them more difficult to exploit.

Platforms include components such as:

  • BIOS UEFI Subsystems
  • Hardware security devices such as Trusted Platform Modules
  • Boot process logic or code
  • Kernel software components

Capabilities used to assess countermeasures:

  • Wazuh Agent Inventory Collection.
  • Wazuh Security Configuration Assessment using CIS Benchmarks.
  • Wazuh Agent and Sysinternals Autoruns.
  • Wazuh Rootcheck and Anomaly detection.
  • Wazuh File Integrity Monitoring.
  • Wazuh System and Software Vulnerability Detection.

Sub-technique Bootloader Authentication

Definition

Cryptographically authenticating the bootloader software before system boot.

Synonyms: Secure Boot.

Implementing / Validating the countermeasure:

The inventory script collects disk partitions info and evaluates the boot partition type to assess if secure boot is enabled on the system.

Sub-technique Disk Encryption

Definition

Encrypting a hard disk partition to prevent cleartext access to a file system.

Implementing / Validating the countermeasure:

The inventory script collects BitLocker status and encryption method.

Sub-technique Driver Load Integrity Checking

Definition

Ensuring the integrity of drivers loaded during initialization of the operating system.

How it works

This technique can be accomplished in a number of ways:

A kernel level security agent installed on a host machine ensures that the driver associated with the agent is first in the initialization order. A dependent DLL associated with the driver is configured to be processed before other dependent DLLs and executes a number of operations to ensure the driver associated with the security agent is initialized first.

Kernel components can be signed by a certificate obtained by a third party to verify the source of the component and whether it has been modified. When signed, the component will include a signature block implemented as a hash value of the component header and can also include a certificate chain. The signature and certificate data are typically added before the kernel component is distributed to the public.

Considerations

  • Private keys used to sign certificates as reputable companies have been stolen in the past; in such cases, certificates from Adobe, Realtek, and JMicron have been used to sign malicious executables. (Source: https://resources.infosecinstitute.com/cybercrime-exploits-digital-certificates/#gref)
  • Trusted Root Certificate Authorities have been compromised, yielding the ability to use the compromised keys to generate certificates with an arbitrary company name.
  • It may not be difficult for an attacker to start an organization which can obtain a signed certificate.
  • A root certificate authority (CA) whose certificate is trusted in the verification logic could generate incorrect certificates, if they are lax or have ulterior motives.

Implementing / Validating the countermeasure:

Sysinternals Autoruns integration in Wazuh.

Autoruns evaluates all Windows registry keys loaded at boot time and checks file hashes against VirusTotal.

Autoruns outputs the registry keys grouped by categories.

Drivers and DLLs loaded at boot time are also checked against digital signatures and their validity.

Sub-technique File Encryption

Definition

Encrypting a file using a cryptographic key.

How it works

Files are encrypted using either a single key for both encryption and decryption or separate keys. Single-key encryption is symmetric encryption, and using two distinct keys is asymmetric encryption.

Symmetric Cryptography

Symmetric encryption uses the same cryptographic key for both the encryption and decryption of a file. When managing keys at scale, asymmetric key exchange protocols such as Diffie-Hellman can be used to share the symmetric cryptographic key with others.

Asymmetric Cryptography

Asymmetric encryption is typically accomplished using public and private key certificates based on the X.509 standard. Files are encrypted using the public key and decrypted using the corresponding private key. Asymmetric encryption is typically slower than symmetric encryption and not widely used for large file encryption, but is popular for key wrapping, key exchanges, and digital signatures.

Considerations

  • Continuous monitoring to ensure private keys are not compromised and the certificate authority (CA) is trusted.
  • Secure transfer of private keys between multiple devices.

Implementing / Validating the countermeasure:

Use Windows EFS with Enterprise Certification Authority and log events related to the recovery agent.

CIS Benchmarks:

17.7.5 (L1) Ensure ‘Audit Other Policy Change Events’ is set to include ‘Failure’ (Automated)

This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.

Sub-technique Local File Permissions

Definition

Restricting access to a local file by configuring operating system functionality.

CIS Benchmarks:

These are some of the controls included in the CIS Benchmarks that can be used to assess file permissions settings:

2.2.10 — Ensure ‘Back up files and directories’ is set to ‘Administrators’ (Scored)

2.2.13 — Ensure ‘Create a pagefile’ is set to ‘Administrators’ (Scored)

2.2.16 — Ensure ‘Create permanent shared objects’ is set to ‘No One’ (Scored)

2.2.17 — Ensure ‘Create symbolic links’ is set to ‘Administrators’ (DC only) (Scored)

2.2.45 — Ensure ‘Restore files and directories’ is set to ‘Administrators’ (Scored)

2.2.48 — Ensure ‘Take ownership of files or other objects’ is set to ‘Administrators’ (Scored)

2.3.17.8 — Ensure ‘User Account Control: Virtualize file and registry write failures to per-user locations’ is set to ‘Enabled’ (Scored)

17.6.1 — Ensure ‘Audit Detailed File Share’ is set to include ‘Failure’ (Scored)

17.6.2 — Ensure ‘Audit File Share’ is set to ‘Success and Failure’ (Scored)

18.9.52.1 — Ensure ‘Prevent the usage of OneDrive for file storage’ is set to ‘Enabled’ (Scored)

19.7.26.1 — Ensure ‘Prevent users from sharing files within their profile.’ is set to ‘Enabled’ (Scored)

19.7.45.2.1 — Ensure ‘Prevent Codec Download’ is set to ‘Enabled’ (Scored)

Implementing / Validating the countermeasure:

Wazuh’s Security Configuration Assessment with CIS Benchmarks

The output of the SCA for each agent is stored in a SQLite DB that can be exported (CSV, for example) for reporting purposes, if required.

Continuous evaluation of file permissions can be done using Wazuh’s rootcheck implementation. Rootcheck analyses file permissions, and the host-based anomaly detection module alerts on files owned by root that are writable by anyone:

Files owned by root with open permissions to anyone.
NTFS alternate data detected.

For Windows systems, as shown above, the anomaly detection module will alert on possible hidden content by evaluating NTFS alternate data.

Wazuh’s File Integrity Module collects file permissions for all files added or modified. Using Wazuh’s detection rules, alerts can be raised for files with file mode 777 or any other value.

Wazuh’s FIM for continuous file permissions monitoring.
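A local cross-check for the two conditions described above (root-owned files writable by anyone, and file mode 777), added here as an example; it is not Wazuh's rootcheck or FIM code. The function name `audit_permissions` and its `owner_uid` parameter are assumptions of this example, and it applies to Unix-style permissions only.

```python
import os
import stat


def audit_permissions(root, owner_uid=0):
    """Walk `root` and return (path, octal mode, reasons) for risky files.

    Flags regular files owned by `owner_uid` (root by default) that anyone
    can write, and files whose permission bits are exactly 777.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: inspect the entry, not a link target
            except OSError:
                continue  # removed or unreadable while scanning
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks (777 on Linux), sockets, devices
            mode = st.st_mode & 0o777
            reasons = []
            if st.st_uid == owner_uid and mode & stat.S_IWOTH:
                reasons.append("owner-uid-%d-world-writable" % owner_uid)
            if mode == 0o777:
                reasons.append("mode-777")
            if reasons:
                findings.append((path, "%03o" % mode, reasons))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    for path, mode, reasons in audit_permissions(target):
        print(mode, ",".join(reasons), path)
```

Findings from a run like this should line up with the rootcheck and FIM alerts for the same host; a file reported here with no matching alert points to a monitoring gap for that directory.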

Sub-technique RF Shielding

Definition

Adding physical barriers to a platform to prevent undesired radio interference.

Implementing / Validating the countermeasure:

N/A

Sub-technique Software Update

Definition

Replacing old software on a computer system component.

Implementing the countermeasure:

The inventory script collects all software, software version and HotFixes installed on the system:

It also flags systems with a pending reboot after a system update.

Wazuh’s vulnerability management module alerts on system packages and installed software with known CVEs. The vulnerability module provides the package version where the vulnerability was fixed (if available).

Pending restarts after system upgrade
Installed software, vendor and release.
Installed patches and Hotfixes.
System and Software Vulnerabilities.
Vulnerable packages status.

Sub-technique System Configuration Permissions

Definition

Restricting system configuration modifications to a specific user or group of users.

Implementing / Validating the countermeasure:

Wazuh’s Security Configuration Assessment with CIS Benchmarks

The output of the SCA for each agent is stored in a SQLite DB that can be exported (CSV, for example) for reporting purposes, if required.

CIS BENCHMARKS — WINDOWS SERVER 2019
AUDIT RESULT — LEVEL 1 + LEVEL 2 CONTROLS

Sub-technique TPM Boot Integrity

Definition

Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM).

Synonyms: Static Root of Trust Measurement, STRM.

How it works

During the boot process, the BIOS boot block (which, with this defense enabled, is the Core Root of Trust for Measurement) measures boot components (firmware, ROM). The TPM hashes those measurements and stores the hashes in Platform Configuration Registers (PCRs). Upon a subsequent boot, these hashes are provided to a verifier, which compares the stored measurements to the new boot measurements. Integrity of the boot components is assured if they match.

Attestation of the secure boot occurs when a verifying entity requests a Quote which is a concatenation of the requested PCR values, hashed and signed by the TPM’s unique RSA key. The TPM signature is trusted because the private key is stored securely in hardware and never leaves the TPM.
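The measure, quote and verify flow described above, as an added Python example (not code from the original article or from Wazuh). It simulates the PCR in software; the HMAC standing in for the TPM's RSA signature, the verifier nonce, the component names and the key are assumptions constructed for illustration.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank; the register is all zeros at reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(component)), never an overwrite."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Fold an ordered list of boot components into one PCR value."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


def quote(pcrs, selection, nonce, key):
    """Hash the selected PCR values and sign the result with the device key."""
    digest = hashlib.sha256(b"".join(pcrs[i] for i in selection)).digest()
    # ASSUMPTION: HMAC stands in for the RSA signature made inside the TPM.
    return digest, hmac.new(key, nonce + digest, hashlib.sha256).digest()


def verify(golden, selection, nonce, digest, signature, key) -> bool:
    """Verifier: check the signature, then compare with known-good PCR values."""
    expected_sig = hmac.new(key, nonce + digest, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        return False
    expected = hashlib.sha256(b"".join(golden[i] for i in selection)).digest()
    return hmac.compare_digest(digest, expected)


# Constructed sample data, not taken from a real platform.
GOOD_BOOT = [b"firmware image v1", b"option ROM", b"bootloader"]
CHANGED_BOOT = [b"firmware image v1", b"option ROM", b"bootloader (modified)"]
DEVICE_KEY = b"constructed-demo-key"
GOLDEN = {0: measure_boot(GOOD_BOOT)}


def attest(components, nonce: bytes) -> bool:
    """One attestation round: boot, quote PCR 0, let the verifier decide."""
    digest, sig = quote({0: measure_boot(components)}, [0], nonce, DEVICE_KEY)
    return verify(GOLDEN, [0], nonce, digest, sig, DEVICE_KEY)


if __name__ == "__main__":
    print("unchanged boot chain:", attest(GOOD_BOOT, b"nonce-1"))
    print("modified bootloader:", attest(CHANGED_BOOT, b"nonce-2"))
```

Because each extend hashes the previous register value, both the content and the order of the measured components determine the final PCR, and a quote bound to one nonce does not verify against another.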

Considerations

  • The TPM does not act on the PCR values itself; it only provides the stored PCR information.
  • The current version of TPM is 2.0; most existing implementations use TPM 1.2.

Implementing / Validating the countermeasure:

The inventory script evaluates if UEFI is enabled on the system.
