Monitoring Corporate Software Policies using Wazuh EDR and Sysmon.

Intro

When a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software.

Execution Prevention (M1038) is mitigation in Mitre aiming to block code execution on a system through application control and/or script blocking.

The techniques addressed by M1038 and related to application control are:

T1547 Boot or Logon Autostart Execution

T1059 Command and Scripting Interpreter

T1546 Event Triggered Execution

T1564 Hide Artifacts

T1574 Hijack Execution Flow

T1036 Masquerading

T1106 Native API

T1219 Remote Access Software

T1129 Shared Modules

T1553 Subvert Trust Controls

T1218 System Binary Proxy Execution

T1216 System Script Proxy Execution

T1080 Taint Shared Content

T1127 Trusted Developer Utilities Proxy Execution

T1204 User Execution

T1047 Windows Management Instrumentation

Software publishers are beginning to create more apps that can be installed by non-administrative users. This could jeopardize an organization’s written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. By creating an allowed list of approved files and apps, application control mechanisms help prevent such per-user apps from running.

In this blog entry, we’ll examine different options to implement this mitigation in a “block and report” or “monitor and alert” strategy.

M1038 Using Microsoft AppLocker

AppLocker is included with enterprise-level editions of Windows.

With AppLocker an administrator can define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. Defining rules based on the file path and hash is also supported.

Rules can be assigned to a security group or an individual user.

Finally, exceptions to rules can also be defined, so, for example, users can be allowed to run all Windows binaries except the Registry Editor (regedit.exe).

All AppLocker activity and events are recorded in the Windows Event Log, and therefore it’s possible to record events from all agents in a SIEM.

Some relevant event IDs are:

8003 Warning *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. (exe or dll files)

8004 Error *<File name> * was not allowed to run. (exe or dll)

8005 Information *<File name> * was allowed to run

8006 Warning *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Applied only when the Audit only enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled. (msi or scripts)

8007 Error *<File name> * was not allowed to run. Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run. (msi or scripts)

Using Wazuh EDR agent, these events can be easily enabled (agent) and decoded and alerted on (manager).

M1038 Using commercial Endpoint Protection Software.

Most endpoint protection solutions include an application control module where monitoring-only or blocking modes are supported.

SOCFortress partners with WithSecure (F-Secure Business), and their application control module prevents the execution and installation of applications and prevents them from running scripts.

WithSecure Application Control reduces the risks that malicious, illegal, and unauthorized software pose in the corporate environment.

Policy rules allow defining exceptions or whitelists where executable files, DLLs, MSIs packages, scripts, etc., will be granted execution permissions.

All application control activity and telemetry generated by the WithSecure EPP agent is collected and sent to the Wazuh manager for analysis and alerting. More info here.

M1038 Using Sysmon.

More details on the Wazuh integration covered in this section can be found in our Github repo.

Sysmon Event ID 1 (Process Creation) includes telemetry that identifies software vendor, product, etc.:

Sysmon Event ID 1 — Process Creation
Process / App Info: Vendor, Product, Version, etc.

The agent inventory script (more info here) collects all software and services installed in all endpoints in the organization. A “trusted” list of software vendors can be built using the collected info:

Agent Inventory — Installed Software by software vendor.

Using CDB lists in Wazuh Manager and creating detection rules matching the software vendor metadata against the list of trusted vendors, alerts can be raised when untrusted processes/applications are executed and logged by Sysmon:

Alerts on processes not included in trusted list

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SOCFortress

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).