Updated the rules - version 3
I am using this thread to share with you my application control rules which cover most of the malware and ATP detection and protection.
Used in a large healthcare enterprise - 5000+ endpoints with SEP14
I study how advanced attacks breach organizations and implement protections against such attacks using application control rules as another layer of defence.
That's a diagram that I have made which is the basis on which I am building my rules
******** You should use this rule as TEST (LOG ONLY) at first - it is important to make all the necessary exceptions for your organization ********
After you get rid of the false positives you have two options:
1) make it production and change all rules to CONTINUE WITH LOGGING
2) Monitor the events to make necessary false positive exclusions
3) Each rule that has 0 false positives after a week or so - start changing the rules to "block"
Hope it helps you all!!
______________________________________________________________________________________________
ATP attack incidents that would fail if they used SEP with these rules:
https://www.scmagazineuk.com/muddywater-apt-campaign-flowing-again-targets-us-near-east/article/750526/ - March 13, 2018
https://www.securityweek.com/china-linked-spies-used-new-malware-uk-government-attack - March 12, 2018
https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions - 28 Feb, 2018
______________________________________________________________________________________________
RULES:
prevent vulnerable acrobat apps from running SCRIPTS
prevent cmd/vb from launching batch files or scripts
LOG scripts that access documents
prevent cscript and wscript from launching CMD or POWERSHELL
prevent OFFICE apps from launching scripts, hta, cmd, scr, wmic
log office access to executables
prevent browsers from running scripts, cmd
log browsers access to executables
prevent winrm from launching processes or accessing files
prevent powershell from launching regsvr32.exe
prevent processes from launching powershell with arguments that download files or run in silent, unrestricted and more
prevent processes from deleting shadow copies
prevent applications from running scripts from TEMP, APPDATA and more
wannacry protection
block known unwanted applications like utorrent, dameware, lastpass and log cracks, serials and more
block launching of psexec --- (can be done also using IPS by the way to block lateral movement)
block some fileless malware from download and execution using powershell
block creation and execution of scripts and executables from common malware related locations
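As an added illustration (not part of this post and not SEP's own rule format), here is the parent/child and command-line logic behind several of the rules above, written as a small Python evaluator that follows the rollout the post recommends: every rule starts in log mode and only moves to block once it is clean. The image names, the regexes and the single block-mode rule are my assumptions for the example.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    parent: str          # regex over the parent image name
    child: str           # regex over the launched child image name
    cmdline: str = ""    # regex over the child command line, if the rule needs one
    action: str = "log"  # "log" while tuning; "block" once a rule shows no false positives

ANY = r"."
OFFICE = r"^(winword|excel|powerpnt|outlook)\.exe$"
SCRIPT_HOSTS = r"^(cscript|wscript|mshta)\.exe$"
# PowerShell arguments the post's rule describes: silent, unrestricted, or downloading.
PS_SUSPICIOUS = (r"-nop(rofile)?\b|-noni\b|-w(indowstyle)?\s+hidden"
                 r"|-e(p|xecutionpolicy)?\s+(bypass|unrestricted)"
                 r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}"
                 r"|downloadstring|downloadfile|invoke-webrequest|net\.webclient")

RULES = [
    Rule("office launches scripts/hta/cmd/wmic", OFFICE, r"^(cscript|wscript|mshta|cmd|powershell|wmic)\.exe$"),
    Rule("cscript/wscript launches cmd or powershell", SCRIPT_HOSTS, r"^(cmd|powershell)\.exe$"),
    Rule("powershell launches regsvr32", r"^powershell\.exe$", r"^regsvr32\.exe$"),
    Rule("powershell with download/silent/unrestricted args", ANY, r"^powershell\.exe$", PS_SUSPICIOUS),
    Rule("process deletes shadow copies", ANY, r"^(vssadmin|wmic|wbadmin)\.exe$",
         r"delete\s+shadows|shadowcopy\s+delete|delete\s+catalog", action="block"),
]

def evaluate(parent: str, child: str, cmdline: str = "") -> list:
    """Return (rule name, action) for every rule a process-creation event matches."""
    hits = []
    for r in RULES:
        if (re.search(r.parent, parent, re.I) and re.search(r.child, child, re.I)
                and (not r.cmdline or re.search(r.cmdline, cmdline, re.I))):
            hits.append((r.name, r.action))
    return hits

def verdict(parent: str, child: str, cmdline: str = "") -> str:
    """'block' if any matching rule blocks, 'log' if only log-mode rules match, else 'allow'."""
    hits = evaluate(parent, child, cmdline)
    if any(action == "block" for _, action in hits):
        return "block"
    return "log" if hits else "allow"

if __name__ == "__main__":
    # Constructed event (not from the post): Word spawning cmd.exe is logged, not blocked, in test mode.
    print(verdict("WINWORD.EXE", "cmd.exe", "cmd.exe /c whoami"), evaluate("WINWORD.EXE", "cmd.exe"))
```

Feed it process-creation events (parent image, child image, command line) from your own logs to see which rules would fire before switching any of them to block.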