Monitoring Corporate Software Policies using Wazuh EDR and Sysmon.
When a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software.
Execution Prevention (M1038) is mitigation in Mitre aiming to block code execution on a system through application control and/or script blocking.
The techniques addressed by M1038 and related to application control are:
T1547 Boot or Logon Autostart Execution
T1059 Command and Scripting Interpreter
T1546 Event Triggered Execution
T1564 Hide Artifacts
T1574 Hijack Execution Flow
T1106 Native API
T1219 Remote Access Software
T1129 Shared Modules
T1553 Subvert Trust Controls
T1218 System Binary Proxy Execution
T1216 System Script Proxy Execution
T1080 Taint Shared Content
T1127 Trusted Developer Utilities Proxy Execution
T1204 User Execution
T1047 Windows Management Instrumentation
Software publishers are beginning to create more apps that can be installed by non-administrative users. This could jeopardize an organization’s written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. By creating an allowed list of approved files and apps, application control mechanisms help prevent such per-user apps from running.
In this blog entry, we’ll examine different options to implement this mitigation in a “block and report” or “monitor and alert” strategy.
M1038 Using Microsoft AppLocker
AppLocker is included with enterprise-level editions of Windows.
With AppLocker an administrator can define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. Defining rules based on the file path and hash is also supported.
Rules can be assigned to a security group or an individual user.
Finally, exceptions to rules can also be defined, so, for example, users can be allowed to run all Windows binaries except the Registry Editor (regedit.exe).
All AppLocker activity and events are recorded in the Windows Event Log, and therefore it’s possible to record events from all agents in a SIEM.
Some relevant event IDs are:
8003 Warning *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. (exe or dll files)
8004 Error *<File name> * was not allowed to run. (exe or dll)
8005 Information *<File name> * was allowed to run
8006 Warning *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Applied only when the Audit only enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled. (msi or scripts)
8007 Error *<File name> * was not allowed to run. Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run. (msi or scripts)
Using Wazuh EDR agent, these events can be easily enabled (agent) and decoded and alerted on (manager).
M1038 Using commercial Endpoint Protection Software.
Most endpoint protection solutions include an application control module where monitoring-only or blocking modes are supported.
SOCFortress partners with WithSecure (F-Secure Business), and their application control module prevents the execution and installation of applications and prevents them from running scripts.
WithSecure Application Control reduces the risks that malicious, illegal, and unauthorized software pose in the corporate environment.
Policy rules allow defining exceptions or whitelists where executable files, DLLs, MSIs packages, scripts, etc., will be granted execution permissions.
All application control activity and telemetry generated by the WithSecure EPP agent is collected and sent to the Wazuh manager for analysis and alerting. More info here.
M1038 Using Sysmon.
More details on the Wazuh integration covered in this section can be found in our Github repo.
Sysmon Event ID 1 (Process Creation) includes telemetry that identifies software vendor, product, etc.:
The agent inventory script (more info here) collects all software and services installed in all endpoints in the organization. A “trusted” list of software vendors can be built using the collected info:
Using CDB lists in Wazuh Manager and creating detection rules matching the software vendor metadata against the list of trusted vendors, alerts can be raised when untrusted processes/applications are executed and logged by Sysmon: