fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Sysmon can Now Block Malicious EXEs from being Created

Microsoft Sysmon can Now Block Malicious EXEs from being Created

Microsoft has released Sysmon 14 with a new ‘FileBlockExecutable’ option that lets you block the creation of malicious executables, such as EXE, DLL, and SYS files, for better protection against malware.

This feature is a powerful tool for system administrators as it allows them to block the creation of executables based on various criteria, such as the file path, whether they match specific hashes, or are dropped by certain executables.

For example, if you have a list of known malware hashes, you can configure Sysmon to block the creation of executables matching those hashes. Or, if you want to prevent malicious Office attachments from dropping malware, you can stop the creation of executables from Word or Excel.

Also Read: Accountability Obligation: What every Organization should know

Blocking executable creation in Sysmon

For those not familiar with Sysmon, or System Monitor, it is a free Microsoft Sysinternals tool that can monitor systems for malicious activity and log events to the Windows Event Log.

Sysmon will monitor basic events such as process creation and file time changes by default to Event viewer. However, it is possible to create a custom configuration file containing advanced options that determines what Sysmon monitors or blocks.

Users can find the complete list of directives in the Sysmon schema, which can be viewed by running the sysmon -s command at the command line.

The current Sysmon schema is version 4.82, which now includes the ‘FileBlockExecutable’ configuration option to block the creation of executables based on their path, name, hash, and the program trying to create the files, as shown below.

New FileBlockExecutable configuration directives
New FileBlockExecutable configuration directives

For example, to prevent Microsoft Office applications from creating new executable files, you can use this rule shared by Olaf Hartong in his great writeup on the latest version of Sysmon.

Also Read: 13 phishing attack types and how to protect your business against them

This rule, shown below, will block the creation of any executable by Excel, Word, PowerPoint, Outlook, Access, or Publisher and log any events to the Event Log under the name “technique_id=T1105,technique_name=Ingress Tool Transfer.”

Rule by Olaf Hartong to prevent Office apps from creating executables
Rule by Olaf Hartong to prevent Office apps from creating executables

To start Sysmon and direct it to use the above configuration file, you would execute the sysmon -i command and pass the configuration file’s name.

In our example, the configuration file’s name is msoffice-fileblock.xml, so we would use the following command from an Administrative Command Prompt to start Sysmon:

sysmon -i msoffice-fileblock.xml

Once started, Sysmon will install its driver and begin collecting data quietly in the background.

All Sysmon events will be logged to ‘Applications and Services Logs/Microsoft/Windows/Sysmon/Operational‘ in the Event Viewer.

With the FileBlockExecutable feature enabled, when an executable is created and matches a rule, Sysmon will block the file and generate an ‘Event 27, Sysmon’ entry in Event Viewer.

For example, when testing this feature, we specified not to allow the creation of executables in the C:\ProgramData folder, which is commonly done by malware droppers.

Block the creation of executables in C:\ProgramData
Block the creation of executables in C:\ProgramData
Source: BleepingComputer

We then attempted to copy C:\Windows\notepad.exe to C:\ProgramData, triggering the following event log when the file creation was blocked.

Event 27 - File Block Executable
Event 25 – Process Tampering

The created Event Log entries will contain a lot of valuable information, explained below:

  • ProcessID: The PID of the process attempting to create the file.
  • User: The user associated with the process creating the file.
  • Image: The filename of the program creating the file.
  • TargetFilename: The file that was blocked from being created.
  • Hash: The SHA256 hash of the file that was being created.

Hartong says that Sysmon will determine if a file is an executable based on the file header. Therefore, Sysmon will also block DLL and SYS executables as they utilize the same MZ file header.

For those who want a premade Sysmon configuration file that uses this feature to block known malware and hack tools, you can use one created by security researcher Florian Roth.

Feature bypassed already

While this is a very useful feature, it should not be seen as 100% secure, as security researcher Adam Chester has already come up with a method to bypass the FileBlockExecutable directive.

Therefore, while it’s useful for monitoring and blocking malware, it should not be the only protection you rely on.

Learn more about Sysmon

For those who want to learn more about Sysmon, it is strongly recommended that you read the documentation on Sysinternals’ site and play around with the various configuration options.

Unfortunately, Sysmon is not a well-documented program, requiring users to play with the various directives to see how they work and what events are written to the event log.

It is also highly recommended to read Olaf Hartong’s blog posts about Sysmon, as he documents the new features as they are released.

Finally, admins can use or read through the premade Sysmon configuration files from Florian Roth and SwiftOnSecurity to see how directives can be used to block malware.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us