jymcheong / OpenEDRclient

Open Endpoint Defense & Response

Turning on Win10 Attack Surface Reduction Rules with PowerShell #6

Closed jymcheong closed 4 years ago

jymcheong commented 4 years ago

Why

The checks done by OpenEDR are based on file extension. It is plausible that cleverer actors may evade by writing or embedding Office macro files in such a way that gets around macro-stripping (e.g. password-encrypted), or we could be operating in an environment where certain macros are allowed. Since Microsoft offers a comprehensive set of ASR rules, we should use it to our advantage without the complexity of dealing with AD GPO & other complex configuration.

Which one & why?

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction

Block executable content from email client and webmail

BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 (<- rule ID) because OpenEDR does not monitor email & webmail.

Block all Office applications from creating child processes

D4F940AB-401B-4EFC-AADC-AD5F3C50688A because OpenEDR kills after the process is created, whereas this blocks; but there are ways to evade, as alluded to in the last link.

Skip Block Office applications from creating executable content

Because OpenEDR strips macros; even if that is evaded, exe/dll will be subjected to ACL denial, & even if that is evaded, there are ASR & OpenEDR monitoring to ensure no child process is created.

Block Office applications from injecting code into other processes

75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 because OpenEDR is not capable of monitoring that code injection from macro.

Skip Block JavaScript or VBScript from launching downloaded executable content

Because OpenEDR will set a denial ACL rule on downloaded exe/dll files.

Block execution of potentially obfuscated scripts

5BEB7EFE-FD9A-4556-801D-275E5FFC04CC because OpenEDR only detects LOL binaries & scripts but does not block them.

Block Win32 API calls from Office macros

92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B because OpenEDR cannot stop this in the event of macro-strip evasion or a macro-allowed configuration.

Skip Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Because OpenEDR rejects "foreign" EXE/DLL. As alluded to in Sevagas's paper, allowing executables will defeat these rules.

Skip Use advanced protection against ransomware

It scans executable files for similarity assessment against known ransomware. OpenEDR will stop foreign EXE/DLL unless detectOnly mode is turned on.

Block credential stealing from the Windows local security authority subsystem (lsass.exe)

9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 useful especially when remote code execution (disrupting lateral movement) has injected into another SYSTEM process & subsequently steals from lsass.exe.

Block process creations originating from PSExec and WMI commands

d1e49aac-8f56-4280-b9ba-993a6d77406c a useful disruption to common lateral-movement techniques.

Block untrusted and unsigned processes that run from USB

b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 useful even though OpenEDR will kill the process, since the file is unlikely to be owned by SYSTEM, TrustedInstaller or the Administrators group.

Block Office communication application from creating child processes

26190899-1602-49e8-8b27-eb1d0a1ce869 useful for Outlook hardening. OpenEDR will report if somehow this rule is evaded, since it will almost certainly create a new, unusual process-lineage sequence.

Block Adobe Reader from creating child processes

7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c largely related to Adobe Reader exploits. OpenEDR will report if somehow this rule is evaded, since it will almost certainly create a new, unusual process-lineage sequence.

Block persistence through WMI event subscription

e6db77e5-3df2-4cf1-b95a-636979351e5b good, since OpenEDR can only report a novel WMI command &/or sequence.

How

PowerShell cmdlet

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction#powershell

Check if the cmdlet exists: https://stackoverflow.com/a/3919904

Evasions

https://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf
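As an added example (not code from the OpenEDRclient repository), the following PowerShell script ties the two links under "How" together: it checks that the Defender cmdlet exists, enables the rule IDs selected in this issue in Block mode, and reads the configured state back from Get-MpPreference. It assumes an elevated session on a Windows 10 host where Microsoft Defender Antivirus is the active engine.

```powershell
# Added example, not code from the OpenEDRclient repo: enable the ASR rules
# chosen in this issue in Block mode and verify the result.
# Assumes an elevated PowerShell session on Windows 10 with Microsoft Defender
# Antivirus running (the Defender cmdlets are not present otherwise).

$asrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from lsass.exe'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
}

# Bail out early if the Defender module is not loaded (e.g. third-party AV has
# taken over, or this is a Windows build without the cmdlets).
if (-not (Get-Command -Name Add-MpPreference -ErrorAction SilentlyContinue)) {
    Write-Error 'Add-MpPreference is not available; cannot configure ASR rules.'
    return
}

# Add-MpPreference merges into the existing rule list, so rules configured
# elsewhere are left alone. Ids and Actions are parallel arrays; Enabled = Block.
$ids     = @($asrRules.Keys)
$actions = @($ids | ForEach-Object { 'Enabled' })
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Verify: Get-MpPreference exposes the same parallel arrays, with numeric action
# codes 0 = Off, 1 = Block, 2 = Audit, 6 = Warn. Rule IDs compare case-insensitively.
$pref    = Get-MpPreference
$applied = @($pref.AttackSurfaceReductionRules_Ids)
$codes   = @($pref.AttackSurfaceReductionRules_Actions)
$state   = @{}
for ($i = 0; $i -lt $applied.Count; $i++) {
    $state[$applied[$i].ToString().ToUpper()] = [int]$codes[$i]
}
foreach ($id in $ids) {
    $label = if (-not $state.ContainsKey($id)) { 'MISSING' }
             elseif ($state[$id] -eq 1)        { 'Block' }
             else                               { "action=$($state[$id])" }
    '{0,-9} {1}  {2}' -f $label, $id, $asrRules[$id]
}
```

Any rule reported as MISSING or with an action other than 1 was not applied as intended (a GPO-managed policy, for example, overrides the local preference), which is the check worth running before relying on OpenEDR's reduced coverage in those areas.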

jymcheong commented 4 years ago

committed @ https://github.com/jymcheong/OpenEDRclient/commit/dd07b4b53523621c1504325e299e6d7419798eb3