Careful adversaries who bother with OPSEC will check; the question is with what techniques, once foreign executable files are denied.
Outcomes
Improve Signal-to-Noise Ratio
Based on Symantec's 2019 survey, there is a 20% chance (likely higher now) that the malware will stop purely because of Fake-Sandbox.
100% denial of executable files written by non-privileged processes.
When the file-write ACL control is somehow evaded and the file runs, the process check kicks in and reboots the terminal to a clean state.
100% of non-obfuscated Office macros will be stripped.
The most commonly abused scripting extensions are associated with notepad.exe, so the files are displayed instead of executed.
Child processes from Office apps are blocked at two layers: Microsoft Attack Surface Reduction rules and the OpenEDR agent.
I pioneered a number of technical deployments of larger-scale (a few hundred K events-per-second) Security Operations Centers for my workplace. Many SOCs that are stuck with "SIEM 1.0" are still wasting time with "noise".
I have done some profiling of various MS-Office versions and applications, and have yet to see Word, Excel or PowerPoint create a child process. Only the Office setup/licensing process was seen to create child processes.
Living-off-the-Land Techniques will Stick Out
Let's say Advanced Persistent Threat actors get into the endpoint and establish C2, all without touching the disk...
OpenEDR will deny writable EXE/DLL files on file-write and on process-create.
Actors cornered into using LOL binaries or scripts will trip new sequence and command-line cluster detections.
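The controls listed under Outcomes and the EXE/DLL denial above, applied to constructed endpoint telemetry as an added example (not code from the original post or from OpenEDR; the event field names, the user-writable path prefixes and the sample events are all assumptions):

```python
from dataclasses import dataclass

# Parents that should never spawn children on a kiosk (page: Office child
# processes are blocked by ASR rules and the EDR agent).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Extensions denied on write when the writer is a non-privileged process.
DENIED_EXT = (".exe", ".dll")
# Locations a non-privileged user can write to; an execute from here means
# the file-write control was evaded (assumed prefixes, not an OpenEDR list).
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

@dataclass(frozen=True)
class Verdict:
    action: str   # allow | deny | block | restore
    reason: str

def evaluate(ev: dict) -> Verdict:
    """Apply the kiosk policy to one telemetry event (field names assumed)."""
    if ev["type"] == "file_write":
        path = ev["path"].lower()
        if path.endswith(DENIED_EXT) and not ev["elevated"]:
            return Verdict("deny", f"{ev['process']} (non-privileged) wrote {path}")
        return Verdict("allow", "file write permitted")
    if ev["type"] == "process_create":
        image = ev["image"].lower()
        if ev["parent"].lower() in OFFICE_APPS:
            return Verdict("block", f"{ev['parent']} spawned {image}")
        if image.startswith(WRITABLE_PREFIXES):
            # The write control was bypassed somehow: deny and reboot-to-restore.
            return Verdict("restore", f"execution from user-writable path {image}")
        return Verdict("allow", "process create permitted")
    raise ValueError(f"unknown event type: {ev['type']}")

# Constructed sample telemetry, not captured from a real kiosk.
SAMPLE_EVENTS = [
    {"type": "file_write", "process": "chrome.exe", "elevated": False,
     "path": r"C:\Users\kiosk\Downloads\invoice.exe"},
    {"type": "file_write", "process": "msiexec.exe", "elevated": True,
     "path": r"C:\Windows\System32\vendor.dll"},
    {"type": "process_create", "parent": "WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "parent": "explorer.exe",
     "image": r"C:\Users\kiosk\AppData\Local\Temp\update.exe"},
    {"type": "process_create", "parent": "explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

def run(events=SAMPLE_EVENTS) -> list:
    """Return the policy action for each event, in order."""
    return [evaluate(e).action for e in events]

if __name__ == "__main__":
    for v in map(evaluate, SAMPLE_EVENTS):
        print(f"{v.action:8} {v.reason}")
```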
What & Why
e.g. purpose-built terminals like info-boards/signage, hospital terminals running web apps...
e.g. checking email, browsing/using web apps, printing and so on
Let's turn the table!
How
Install OpenEDR Backend & Frontend
e.g. WWW_PC1
Install Reboot-to-Restore Tools
Turn Internet Kiosk into a "Malware Analysis Sandbox"
Sense-making is not just about products but about the methodology and tooling that give clear awareness of your assets' profiles.
What's Next
What if you really like this idea but don't operate a fleet of "kiosks"? What about a non-technical office or even a remote workforce?