Healthcare Online User Group


Block and detect advanced threats using Symantec application control rules 

Mar 13, 2018 11:38 AM

New version 6:

https://github.com/Gl3bGl4z/SEP_advanced_application_control/


______________________________________________

Get the most out of your standard SEP installation!

version 5 - APRIL 2019

Application control rules which cover most of the malware and ATP detection and protection.

These rules were created after an intense study of discovered advanced attacks that breached organizations.

These rules were implemented in a 5000+ host organization up until version 4.

That's a diagram I have made, which is the basis on which I am building my rules.

******** You should use this rule as TEST (LOG ONLY) at first - it is important to make all the necessary exceptions for your organization ********

After you get rid of the false positives:

1) make it "production" and change all rules to CONTINUE WITH LOGGING

2) Monitor the events to make the necessary false positive exclusions

3) Each rule that has 0 false positives after a week or so - start changing the rules to "block"

Hope it helps you all!!

______________________________________________________________________________________________

ATP attack incidents that would fail if they used SEP with these rules:

https://www.scmagazineuk.com/muddywater-apt-campaign-flowing-again-targets-us-near-east/article/750526/ - March 13, 2018

https://www.securityweek.com/china-linked-spies-used-new-malware-uk-government-attack - March 12, 2018

https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions - 28 Feb, 2018

______________________________________________________________________________________________


RULES:

Protect against misuse of user folders

detect UAC change

added more LOLBINS protection

Protect startup entries

prevent vulnerable adobe apps from running SCRIPTS

prevent cmd from launching batch files or scripts

LOG scripts that access documents

prevent cscript and wscript from launching CMD or POWERSHELL

prevent OFFICE apps from launching scripts, hta, cmd, scr, wmic

log office access to executables

prevent browsers from running scripts, cmd

log browsers access to executables

prevent winrm from launching processes or accessing files

prevent powershell from launching regsvr32.exe

prevent processes from launching powershell with arguments that download files or run in silent, unrestricted and more

prevent processes from deleting shadow copies

prevent applications from running scripts from TEMP, APPDATA and more

block known unwanted applications like utorrent, dameware, lastpass and log cracks, serials and more

block launching of psexec --- (can be done also using IPS by the way to block lateral movement)

block some fileless malware from download and execution using powershell

block creation and execution of scripts and executables from common malware related locations

block java from running generic Adwind variants
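As an added illustration (not part of the original post or its attached policy files), here is the kind of parent/child and command-line check that sits behind several of the rules above, applied in log-only mode to constructed process-creation events. The process names, argument patterns and event format are my assumptions, not SEP's own policy syntax.

```python
# Added example: evaluate a few of the listed application control rules against
# process-creation events (parent image, child image, child command line).
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
SCRIPT_CHILDREN = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "wmic.exe", "powershell.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# PowerShell arguments the post describes: download cradles and silent/unrestricted execution
PS_ARGS = re.compile(r"(downloadstring|downloadfile|invoke-webrequest|-encodedcommand|-enc\b|"
                     r"-w(indowstyle)?\s+hidden|-ep\s+bypass|-ex(ecutionpolicy)?\s+(bypass|unrestricted))", re.I)

# (rule name, predicate over lower-cased parent, lower-cased child, raw command line);
# each entry mirrors one rule from the list above
RULES = [
    ("office launching script/cmd/hta/wmic", lambda p, c, a: p in OFFICE and c in SCRIPT_CHILDREN),
    ("cscript/wscript launching cmd/powershell", lambda p, c, a: p in SCRIPT_HOSTS and c in SHELLS),
    ("browser launching script/cmd", lambda p, c, a: p in BROWSERS and c in SCRIPT_CHILDREN),
    ("powershell launching regsvr32", lambda p, c, a: p == "powershell.exe" and c == "regsvr32.exe"),
    ("powershell with download/silent/unrestricted args",
     lambda p, c, a: c == "powershell.exe" and PS_ARGS.search(a) is not None),
    ("shadow copy deletion",
     lambda p, c, a: c == "vssadmin.exe" and re.search(r"delete\s+shadows", a, re.I) is not None),
]

def evaluate(parent, child, cmdline):
    """Return the names of every rule that one process-creation event trips (log-only)."""
    p, c = parent.lower(), child.lower()
    return [name for name, pred in RULES if pred(p, c, cmdline)]

# Constructed sample events for a test-mode review; the second one is a benign admin script
SAMPLE_EVENTS = [
    ("WINWORD.EXE", "cmd.exe", "/c start notepad.exe"),
    ("explorer.exe", "powershell.exe", "-NoProfile -File C:\\scripts\\backup.ps1"),
    ("wscript.exe", "powershell.exe", "-EncodedCommand SQBFAFgA"),
    ("cmd.exe", "vssadmin.exe", "delete shadows /all /quiet"),
]

def triage(events=SAMPLE_EVENTS):
    """Pair each event's child image with the rules it would hit; [] means no hit."""
    return [(child, evaluate(parent, child, cmdline)) for parent, child, cmdline in events]

if __name__ == "__main__":
    for child, hits in triage():
        print(child, "->", hits or "no rule hit")
```

Running the events through `triage()` in this way is the "TEST (LOG ONLY)" phase the post recommends: the benign backup script produces no hit, while the three other events each map to a named rule you can review before switching it to block.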

Attachment(s):

APD_Gl3bGl4z.zip (31 KB, 1 version) - Uploaded Feb 25, 2020

glebglaz APD generic protection.zip (26 KB, 1 version) - Uploaded Feb 25, 2020


Comments

Jul 27, 2019 02:57 PM

Hi, there will always be false positives as people need to adjust to their environment and do a slow "migration" from alerting to blocking.

In this version I did a big change in order to lower the false positives rates + give an option to use less global rules.

Also, You can just take rules one by one and use anything that you will from my rules.

You can read the documentation - there I suggest going slow and starting small.

Jul 25, 2019 01:42 AM

Hello isra, is this the most recent version? Are there any false positives with this?

Jul 20, 2019 05:35 PM

I am going to release a new version soon with some major changes after feedback that I received.

There are many changes in the new version that let the user decide to go for full zero trust or a more threat hunting approach with lower false positives.

Will update as soon as possible

Apr 04, 2019 05:56 AM

Can you attach the updated version again please. Thanks

Apr 03, 2019 09:04 AM

Thanks for the warm feedback. This is enough for me ;)

Hope you like the updated version, I made some major changes to consolidate rules, hope it won't be too hard to implement.

Enjoy

Sep 11, 2018 12:22 PM

Thanks @israsource1, I have been researching and looking to develop a policy like this. This is a very clean Application and Device Control policy covering a nice array of endpoint hardening capabilities within ADC.


Symantec offer this person a job, pin this and add it or something similar to the included ADC rules in the next distro, please. Policies like this are what make SEPM one of the best EPP's on the market IMO and even why Gartner keep it in the "Magic Quadrant". The capabilities of SEP are so vast yet very scary to the average admin who comes in not truly understanding the extent of what SEP can accomplish and control.


Including rules which users (obviously QA and vet them) and the Symantec Engineers create into the releases should be a standard and can only serve to strengthen End User and Enterprise adoption.

Aug 23, 2018 05:36 PM

Hello Isra. Thanks for sharing this. Is there any updated version of this policy?
Also, do you have more policies with regards to SEP that you can share? Appreciate it. Thanks

Apr 12, 2018 01:06 PM

Thanks for sharing this


Will have a look and try in my lab

Mar 18, 2018 03:29 AM

Tested on 17.3.2018:

Blocks Emotet family

Blocks Adwind RAT family

Blocks Qrypter RAT family
