Implementing Sysmon and AppLocker

This webcast was originally published on April 21, 2019.

In this video, the speakers discuss the implementation and benefits of using AppLocker and Sysmon for enhancing security in IT environments. They demonstrate how to set up and configure both tools, and explain how they can prevent unauthorized applications from running and provide detailed logging of system activity. The video highlights the importance of these tools in preventing malware attacks and improving the overall security posture of an organization.

  • Sysmon and AppLocker are critical tools for improving security through monitoring and application whitelisting.
  • Sysmon provides detailed logging of system activities, enhancing the detection of malicious activities.
  • AppLocker helps in preventing unauthorized applications from running, significantly reducing security risks.

Transcript

John Strand

All right, everybody, welcome to our webcast on AppLocker and Sysmon. So the reason why this is awkward, other than the fact that I’ve been sitting in this chair and it’s very hard, is we’ve been talking about doing AppLocker and Sysmon in almost every single webcast. From a recommendations perspective, we’re like, well, you should use whitelisting.

Hey, you should use Sysmon because event logging sucks. And even in our last webcast that we did with Jordan, we talked about it briefly and about setting it up, and we’ve never had a webcast on that topic.

So in this webcast, we’re going to go through and talk about AppLocker, we’re going to talk about Sysmon. I’ll go through implementation of both live, and then we’ll talk about deployment strategies for AppLocker and Sysmon.

This is also key, especially for our customers at Black Hills Information Security, because these two recommendations show up all the time in our pen test reports. Also on this webcast, we have a number of people that are answering questions in the chat.

So if you have a question, a technical question, you can ask somebody who actually is competent from a technical perspective and not just somebody who’s really good at talking into a camera. So ask your questions and we will be answering them.

Jason, what is the record so far for the number of answered questions in a webcast?

Jason Blanchard

240 in 57 minutes.

John Strand

240 in 57 minutes. That’s free consulting, folks. So take advantage of it. We have a lot of testers here. We’ve got CJ here. We’ve got Jason here. So we’re all over the place, as always.

This is brought to you by Backdoors & Breaches. It’s coming up in September, so please type in Backdoors & Breaches in the questions window. And we will throw out a link whenever we’re done and we get it up someplace where we can sell it and you can order a copy.

We’re trying really hard to not make money on Backdoors & Breaches, just to be honest. We’re probably going to charge like $20 for two decks and a set of dice to go with it.

We’re looking into what that’s actually going to be, and it’ll be free at every single conference that we attend. So if you don’t want to pay for it, just come to a con, come up to our table and grab a copy, and we will hand it out.

I was playing it quite a bit at RSA, not RSA, at Black Hat, and then at DEF CON I got to play a whole bunch of games and people seemed to enjoy it. And then BB went through the entire deck and pointed out all the misspellings that were in the deck.

And he didn’t like words like... what was that word? There was a word.

Jason Blanchard

He said it was a bit asinine.

John Strand

Asinine? Yeah, he said it was a bit, bit harsh. But we’re keeping that word. But everything else he said was fantastic. Great feedback from him at Dakota that’ll be making it in, and it will be available at DerbyCon and will definitely be available at Wild West Hackin’ Fest.

So if you want a free copy, go get a ticket for Wild West Hackin’ Fest. Also, this webcast is brought to you by Black Hills Information Security. We do pen testing, red teaming, hunt teaming, webcasts, open source tools, blogs, and we also now do incident response.

And if you are in the middle of an incident, you got a problem, please contact us. We’re happy to assist any way we possibly can. It’s also brought to you by AI-Hunter.

And we added in a bunch of really cool features in AI-Hunter. We added in investigation: every single IP address, you can click on it and open up additional websites, or go into deep dive and do research on those IP addresses.

We’ve set up beacon thresholds for alerting, so you can, that’s a beacon of like less than 50%, less than 75%, less than 80%. So you can view it. Also exporting results.

We now have that set up very well. A couple of bug fixes. We got syslog. We had a couple of bugs with syslog and Slack alerting that were fixed. So we got version 3.4. If you are interested and you want to sit down and actually have an hour where I can talk about RITA, which is the open source free tool for threat hunting that we’ve created, or AI-Hunter, just type in demo and I will personally contact you and we will set up a demo at some point in the future, because I’m not traveling as much as I used to travel, so that’s just fantastic.

Also brought to you by Wild West Hackin’ Fest. The training starts the 22nd of October, and the conference begins the 23rd through the 25th. We say that this is the most hands-on hacking conference in the world.

It’s not true. It’s one of the most hands-on hacking conferences in the world. DEF CON has a lot of amazing hands-on labs. However, for the size, you can’t beat it. We have a wireless hacking village, an SDR hacking village.

We’ve got embedded device hacking. We have, I think, the only hall of doors. We have this challenge where you have to break in to multiple different door types, from using full-on shims, to lock picking, to electronic bypass.

It’s all there. And we also provide everybody with a chuckwagon steak dinner. So check it out. It’s going to be a lot of fun. And I will personally be exhausted. So let’s get in.

We’ve got a problem statement. I’m trying to get better at these webcasts and kind of setting the stage a little bit before we get started. So the problem statement is when you’re looking at something as daunting as the MITRE ATT&CK technique matrix, and this thing is getting way, way, way bigger all the time.

In fact, most vendors that you saw on the floor at Black Hat had at least some mention of the MITRE ATT&CK technique matrix, especially on the enterprise side. And we get into a problem where a bunch of vendors look at this and they’re like, hey, we should totally come up with a product that stops a lot of these attacks and charge people a bajillion dollars for stopping a lot of these attacks.

And that’s a problem because there’s a lot of free things that you can do. In fact, just good hygiene that you should be doing as part of shutting down a lot of these different attacks, or at least alerting on these attacks.

And I think this webcast will help deal with the problem of how hard it is to detect a lot of these different types of attacks, lateral movement, defensive evasion techniques, especially whenever you don’t have proper logging in place.

In fact, even with proper quote unquote event logging, you’re not going to detect a lot of these attacks. So that’s where Sysmon comes in. And when we get into AppLocker and we get into application whitelisting, it’ll actually stop a large number of these attacks, not all of them.

We’re going to talk about some bypass techniques a little bit later. But honestly, whenever you move into the application whitelisting realm, a whole bunch of different attack techniques just fall off the table immediately.

So let’s get started. So the executive problem statement. I always like to come up with questions. So when you’re dealing with executives at your organization, how can you actually frame things properly? So: are our tools currently working? What can we detect?

And we had the same slide a couple of weeks ago, and I’m going to try to use this again, for these are questions that you can bring to your executives, and questions like: are tools working? What can we detect?

What are our gaps? Why does Microsoft logging suck so bad? It’s just so horrible. What existing tools do we have? What do we have to buy? And do we actually need to purchase something expensive?

And these are great questions that executives are going to ask you. So if you’re looking to bring in a really expensive tool set, they’re going to want to say, well, what about our existing toolset? Why is the logging just horrendous in Microsoft?

It doesn’t seem like it should be that way. They’re Microsoft. Their logging should be just fine. It must be that our IT team is actually incompetent. So hopefully we can answer some of these questions. Speaking of questions, here I have a quote from the executive.

I’m going to try to put up a different quote of what this executive is actually thinking whenever I do these webcasts, and this one this week is: maybe I could take the Sequel Police’s ship to the command headquarters to get a time pod.

So the question is, whoever can tell me the name of the video game that particular executive is playing right now, type it in first.

Whenever we get the copies of Backdoors & Breaches, we will ship you out a copy of Backdoors & Breaches. So maybe I could take the Sequel Police’s ship to the command headquarters to get a time pod.

And by the way, I need the whole title. There’s a number of titles in the series. I need the actual whole title for somebody to win. And I’m sure we already have a winner.

And I don’t know why that came into my head when I was writing the slides at 04:00 a.m., that this was somehow an important thing. Let’s talk about Sysmon. Basically, Windows logging is just horrific.

If you go back to our last webcast and we talk about all the different configuration settings that you need to put in place in order to do proper Windows event logging, then even when you think you have it properly set up, well, you’re missing your IIS logs on your Exchange servers, and you can use ETW.

And is ETW actually giving you everything that you need? It just gets out of control. You may be logging a certain thing, but you may not have it configured properly to log certain things like token passing or token impersonation in Active Directory.

It’s bad, right? So Sysmon makes it better. And this is awesome because Sysmon allows us to set up and get like this amazing logging and it’s done in like five minutes.

This is like the heroine of information security, tools that we can actually leverage and we can use. So I’m going to go to demo because, hey, why not? So I also have some backup slides there.

So the way we do this is we fire up Chicken of the VNC, and I hang up my phone because my brother is calling me and he should know that I’m on a webcast.

I’m going to bring up another computer. Traditionally on our webcast one of the problems we had was zooming, or lack of zooming, because GoToWebinar isn’t very good with zooming at all.

Turning on Sysmon is actually just super duper easy. If I zoom in here and go up, you can basically run the Sysmon executable, accept the EULA, and install a configuration.

Now in this particular example I am using SwiftOnSecurity’s configuration for Sysmon. Specifically what that does is it does filtering. Sysmon is going to log a whole bunch of network connections, processes that are starting, processes that are shutting down.

There’s going to be a ton of processes. What we want to do is filter out the quote unquote white noise. We can get down specifically to what application started and when those applications actually started.

I’ll talk about how to actually implement this here in just a couple of moments and how you can implement it relatively easily on a domain environment. The other thing I want to call out is if you implement Sysmon, as you’re going to see here in a moment, it isn’t all that chatty.

It doesn’t generate a tremendous amount of noise, which makes it really cool whenever you’re trying to establish your proper logging. I’ll zoom out and I’m going to copy this specific line here, because trying to type and talk makes me nervous.

I’m going to open up a command prompt on this particular computer system as administrator, right click run as administrator, then I’m going to zoom in and I’m going to cd into the tools directory and then I’m going to run Sysmon.

That’s it. That’s all. Sysmon’s running. There we go. So what it basically did is it started up the Sysmon service. It says it’s by Mark Russinovich, who I’m pretty sure looked at the event logging in Windows and was like, no, that’s a train wreck.

We don’t, we don’t want to do that. We have Sysmon up and running on this computer system, and now we can go to our event logs on this computer. We can see what exactly it is that Sysmon gets you.

That is so absolutely awesome. Now the event logs that you normally get are Application, Security, Setup, System, Forwarded Events. That’s what we have up here in the upper left hand corner.

However, to view our Sysmon logs, we’re going to go to Applications and Services. Let me zoom in so you can see that a little bit better. I’m going to go to Applications and Services and then, oh wow, this is going to give people total fits.

We’re going to go Microsoft, Windows, and we scroll all the way down and we get to Sysmon. It’s all alphabetical.

Sysmon. There we go. We click Sysmon and then we select Operational. And these are the logs that we get from Sysmon.

So I’m going to filter, I’m just going to clear the event logs right now for Sysmon because I’ve been doing this stuff quite a bit today in preparation for this webcast. So we’re going to clear out our logs and then let’s actually get some malware on this computer system and execute it.

So to do that, I’m going to use Chrome here and we’re just going to surf to a system where I stood up just a simple little payload backdoor listener on the computer and I went to the system ADHD.

I need to get the systems team an update of ADHD. I just misspelled ADHD. What the hell? There we go. That’s better.

Jordan Drysdale

Try to pay attention, John.

John Strand

Try to pay attention. Keep up. So I have a little Meterpreter session listening here and I stood up a little cloned website, outside of the realm of what we’re talking about today.

But I just wanted to set up some malware that we could execute, so we could show you what it looks like whenever malware runs properly. I’ll put in my IP address, if I can remember my IP address, that would be fantastic.

So we’ll do this HTTP 2172 exe.

I think that’s the right IP address. We’ll go ahead and hit enter, see if it shows up, see if maybe the IP address shifted. There we go. All right, so we downloaded the malware that I created and if I run it, it says this might be dangerous.

Well yes, of course it’s dangerous, it’s called msf.exe. Then in the background if I go over to my ADHD system, I actually have a Meterpreter session open on that computer.

So if I want to interact with that Meterpreter session, I type sessions -i 3 and I am in my Meterpreter session. So now I can run ls and I can see the different files.

I’m on the computer system. Life is good. No mean trick. Getting malware on this computer didn’t do anything super fancy at all, just basically executing malware. Because the goal is to show you what Sysmon actually shows us whenever we fire off the logs.

So let’s refresh our logs here, and we have a bunch of logs because I’ve done a lot of different things. So the first thing is, if I go back here, you can see that chrome.exe was started, and that’s because I started chrome.exe.

So we actually have chrome.exe that fires up, then you’re going to see chrome.exe, chrome.exe, and then you’re going to see msf.exe. So if I take this and I pull this particular one up a little bit, you’re going to get additional information about what’s going on.

And there’s some things that I absolutely love about this. First it gives you the full path for where that particular executable was downloaded, which is great. We’ve got the time in UTC, because universal time is awesome.

Yay. It gives us the process ID, gives us the executable, the full path. Then it gives us the description. What’s interesting about this particular executable is that the executable is created using some code that is part of the Social Engineering Toolkit in ADHD.

It’s the Java web attack. What it does is it inserts Metasploit inside of the ApacheBench command line utility. The product is Apache HTTP Server, the company is Apache Software Foundation.

It gives us a lot of information about that particular file header and what Metasploit was injected into, which I think is awesome. It gives us the user that started it, and then it gives us the parent image.

What is the executable that invoked it? So this allows us to actually pull together: well, chrome.exe was used to open up msf.exe, and it was run by the user target administrator.

We’ve got the full time, we’ve got the process ID, everything you need. If you’re doing incident response this is also really useful. If you’re doing an incident response type engagement, you can say we want to look at the various executables that maybe are associated with ApacheBench, because that may be backdoored.

We also have various hashes. Whenever this file fired, it actually triggered an MD5 hash and a SHA-256 hash of the executable as well. So if you think it’s a targeted attack, by the way, if it’s a real attack, it’s almost always a targeted attack, unless it’s just your standard drive-by malware and spam that’s hitting your organization.

This is a great bit of information that you can then feed in to the rest of your threat hunting team to see if there’s any other executables or any other malware that’s triggered. As I said, whenever you’re looking at the event logs on a Windows computer system, it’s actually pretty quiet.

We generated a lot whenever we opened up chrome.exe, and if I just hit refresh a bunch of times while the system’s working, I’m not going to get too many new event IDs.

It’s just those executables that are the ones that are already running. I’m not going to trigger anything unless I open up another executable and open up another socket, which is really cool. The other thing is the network connection.

If we look at msf.exe, if we go in a little bit further, you can see in addition to all the previous information in the previous log, I can see that I have the executable. I can see the protocol as TCP.

The source IP address is one seven two dot one six dot 10. The destination IP address is one seven two dot one six and the destination port is 3000.

Again, amazing information for any incident responder who’s trying to work through an incident. This is basically what you hoped that event logs would do in your entire security career.

In fact, I would argue if you’re going to do event logging, you could probably get away on the workstations with just pretty much Sysmon event logging. And then whenever you’re working backwards from your alerts you can actually jump it into an ELK stack, which is going to be the topic of another webcast.

We’ll talk about how to use things like Beats for Elasticsearch to get the logs of Sysmon off to something like HELK. There’s a great write-up. In fact, they’ll just do the webcast live, the instructions on how to set up HELK, because it makes it super easy, especially with the indexing and the data that you’re actually receiving.

Sysmon is amazing. We’ve talked about it multiple times and we finally are getting a webcast. We did one a long time ago with Derek Banks. It was time to revisit it.

So that is Sysmon. I feel like I’m missing something about Sysmon, but maybe not.

Jason Blanchard

I think we’re going to have a question.

John Strand

Yeah, shoot.

Jason Blanchard

Is there value in running Sysmon alongside a commercial EDR? If so, which Sysmon event IDs do you think might provide additional visibility?

John Strand

So when we’re looking at the event IDs, I like this one. Actually, all the event IDs are great, for the network connections, the processes, the parentage, because you can see this one doesn’t give us the parentage.

This one’s associated with the network connection. So anytime you have event ID 3, you have a network connection. Anytime you have a new process that starts up, you have a new process, event ID 1.

So they all have value in the fact that they show different things. Processes that are starting is 1, and then events like network connections are 3. Now with your EDR solution, there’s going to be some things that you’re going to get out of your EDR solution that you wouldn’t necessarily get with Sysmon.

Let me show you an example, because that question is a fantastic question. If we watch the event IDs and I basically just do a refresh here, we’re now sitting at the event ID for the network connection.

We’ve got that one. Now let’s see what happens whenever I start interacting with Meterpreter. Whenever I’m in Meterpreter, I could try to dump password hashes.

That’s going to fail. I can do run hashdump. I could try to migrate into additional processes and do all of these different things.

I can try to get system. All right, let’s do run hashdump, see if that works now. But I’m trying a number of different things.

I’m trying to dump password hashes. I’m trying to interact. I can actually migrate into additional services. So I can do ps, find a process ID, and then migrate into another process.

4768. Let’s try that one. But the problem with all of this... all right, couldn’t do that. I must have mistyped it. The problem with all of this, though, is I’m sitting around running Meterpreter things and running things in memory.

The problem with it is a lot of what I just did isn’t going to show up in Sysmon. So if I refresh in Sysmon, you can see I’m not really getting a lot of information about trying to migrate into processes and all these different types of attacks.

That’s what you’re going to get whenever you’re running an EDR solution. An EDR solution actually brings a lot better context around what is actually going on.

When you’re running it in Metasploit you’re going to get some weird things, like we’re trying to start up services, xag xaja start. That may be interesting to you, but if you’re running something like Cylance or Carbon Black or CrowdStrike, they’re going to actually tell you this looks like somebody’s trying to inject into another process on the computer system.

So there’s absolutely a lot of value that you get. But let’s back up for a couple of seconds. Just that initial execution and that initial network connection, that network socket, is going to show up.

In most situations. There are some ways to bypass it as well, but the vast majority of the attacks are going to show up. So if you’re on a shoestring budget, right, you’re trying to lock down your environment and you don’t have hundreds of thousands of dollars to sink.

Absolutely. This is going to start giving you visibility that you normally wouldn’t have, and it’s going to be light years better than what you would have if you didn’t use Sysmon. So I hope that answered the question. Any other questions?

Jason Blanchard

Is there a Sysmon for Linux/Unix?

John Strand

No, there’s no Sysmon for Linux/Unix. What you can do is you can use strace if you really hate yourself. But yeah, that’d probably be a question for Bill Stearns, because Bill Stearns has probably written something like this about 15 years ago, and we can get him on that as well.

There are some things though. If you actually go here, let me show you real quick. So if you’re working in a Linux computer system, completely sidetracked. Let’s go here.

So we come root.

Jason Blanchard

People were talking about auditd for Linux.

John Strand

Yep. You can use auditd. If you really are feeling like a poor individual, you can also pull any information out of any processes that are interesting out of /proc as well.

You can actually go into the various process IDs, and when you go into the process IDs, you can get a lot of information about what the current directory is, what the different executable files are that are associated with it.

Then lsof is also awesome as well. lsof will show you who has open network connections, and then you can get additional information about any one of those different process IDs by doing lsof -p and then the process ID.

So whenever I’m working an incident, I will actually start with the network connections, and then I’ll start going through: what are those network connections? What are the different files that are associated with those network connections? To try to get additional information about it.

That’s probably a completely different webcast, too. All right, so any other questions? And of course, one last one. Yeah.

Jason Blanchard

What config filters do I need to set up in Sysmon in order to catch possible candidates for Mimikatz activity?

John Strand

So Mimikatz activity is one of those things that is more difficult to detect with Sysmon. Usually whenever you’re detecting Mimikatz, you’re actually detecting the PowerShell invocation or whatever utility is using Mimikatz-like functionality.

As far as Mimikatz injecting itself into the Local Security Authority Subsystem Service, you’re going to have trouble with that. You’re also going to have trouble with tools like CrackMapExec. We were talking about Marcello and how that’s somewhat difficult to detect with Sysmon as well.

Usually you’re going to start by looking at that initial code execution of the malware itself. Then once it’s actually running in memory, you’re running into a lot of problems, like I just showed with Metasploit Meterpreter.

It isn’t going to give you full visibility on everything that’s going on inside of memory at that specific time. Does that make sense? Hopefully that answered the question, too.

Jason Blanchard

All right, one more and then we’ll move on to the other part. What is the best way to upgrade Sysmon?

John Strand

I would just do it through the standard upgrade process in Microsoft. Now, let’s actually... that leads us perfectly into this. Let me go. Got too many computers here. All right, so let’s go through and present and answer that question.

Insofar as upgrades as well. I had some backup slides for the malware that was actually executed. We have that there, so you can see what it looks like. Let’s talk about implementing it.

And I think that this also works really, really, really well, where we’re discussing how to work on the upgrades and updating it. There’s a great blog post by Syspanda that goes through a tremendous amount of detail on how to actually set it up in Active Directory and push it out to all of your different computer systems.

By using scheduled tasks, you would basically create a scheduled task, and at regular intervals it’s going to go to here, where it says domain.com.

That would be your domain appsconfig XML. In my situation that would be like SwiftOnSecurity’s config XML file. Then you would copy it to the Windows folder on your computer, and then you would actually start Sysmon with it as well.

Now when you’re running it, one of the things that you can do is you can check to see if Sysmon is actually running. If it is not running, then it can actually install and execute it. If it is running, then it’s just going to move on.

It’s not going to try to restart it every single time. Now when you’re talking about updates, one of the things you can do, because all of your workstations are actually pulling down the Sysmon executable directly from the domain controller:

What you can do, if you want to update it, you can actually just replace the executable. Instead of having to push it down to every single computer system, you’re literally having those computer systems pull the Sysmon executable and run it from the domain controller and then pull the config that’s actually stored locally on that computer system as well.

This is a nice little script that you can do, and this is a nice write-up. So you’re not actually pushing the executable to every system and updating it that way. You’re having every system pull it from the domain controller.

You would update that executable. Then whenever it runs it would actually pull the updated version of Sysmon and then execute it. So check out this link. It’s a fantastic little write-up. There’s two versions of it.

One, the script is executing every time the system starts as part of Group Policy. And the other one, he basically creates a scheduled task that causes those systems, I think it’s like once an hour, to make sure that they’re executing Sysmon and they’re running properly.

So I hope that answered the question. Any other questions?

Jordan Drysdale

Yeah, John, people are asking a lot about how to cut down the chatter, the noise. Do you have a preferred configuration, or a list by event ID of what you should or shouldn’t?

John Strand

The best one is SwiftOnSecurity’s. If you go to SwiftOnSecurity’s GitHub repository.

Here you go. There’s a Sysmon config right here that reduces that noise very, very, very cleanly. So check that one out. Also, if you look inside the XML, it’s actually pretty easy to read.

You can see how it’s starting up additional executables, and what you’re filtering out and what you’re allowing to actually go through. Also, about two months ago Mark Russinovich added in DNS logging to Sysmon, which is huge, because DNS logging is an absolute complete train wreck.

And when you’re trying to do normal DNS logging, it’s almost debug level logging for your DNS service. With the new Sysmon utility that Mark Russinovich just kicked out about a month ago, it now has built-in DNS logging.

So anytime a system is resolving an IP address, it’s going to log it locally, and that’ll become more important, especially whenever you’re looking at DNS over HTTPS, to actually have that ability to have it stored locally as well.

This is the config I recommend, at least starting with. And the amount of data that it’s going to generate shouldn’t be too overwhelming. It’ll generate about four or five events every time you start something, because you’re going to see them starting up for the process ID and the network connection.

And if that process ID invokes other process IDs, each of those process IDs is also going to have Sysmon alerts associated with it. But usually when someone’s working on the computer, they’re going to open up their browser, they’re going to open up Word, they’re going to open up Excel, they’re going to get their music app, you’re going to see all these alerts, and then all of them are just going to run, because that’s what they’re going to have, their standard build and a workday, and that’s it.

But you’ll at least have that visibility into all the network connections and then also the processes that are running. Any other questions, folks?

Jason Blanchard

Yes, but we’ll wait till the end if we have time.

John Strand

All right, sounds good. All right, so the other thing that we wanted to talk about was AppLocker. I always talk about application whitelisting in a number of our webcasts, and many people are very, very intimidated by ever approaching application whitelisting. AppLocker actually comes out with some fairly good ones with the defaults.

Now I need to say anytime you’re talking to a pen tester, inevitably they’re going to say, well, the default profiles from AppLocker you can totally bypass using these following 15 techniques.

And that’s true. But if you gave me an option of running AppLocker or traditional blacklisting AV, no question, I would take AppLocker in a heartbeat. We’ll talk about what it doesn’t detect a little bit later, and hopefully BB and some of the testers can pipe in.

There are definitely ways to get around AppLocker, especially whenever you’re using the default configs due to process inheritance and allowing executables to run in the Windows directory.

But it’s an open config in the fact that it’s going to allow a lot of stuff that you would be worried about running into a problem with it executing. It’s going to allow the day to day operation of that computer to run very well.

And it also has a built-in failsafe in that administrator accounts can still run whatever they want. So it’s very, very, very easy to set up inside of Group Policy.

So let’s go ahead and jump in, starting up a demo of configuring AppLocker. Open up my Chicken of the VNC, and up here I’ve got a couple of different systems.

The system that we compromised, this particular computer, is just a standard Windows 10 system that I threw together. I use this Windows 10 VM for a lot of stuff.

So I’m going to close out some of the stuff here. I think I’m logged in as administrator, so I can do gpupdate /force. And let’s actually go into Group Policy and Active Directory Users and Computers.

All right, let me log in. All right, logged in. There we go. All right, so let’s start by actually creating an OU and then throw a computer inside of that OU.

So I’m going to go to Active Directory Users and Computers. And you can see that I have one computer system here called the boss. And I’m going to create a new organizational unit, because we want to be able to apply our Group Policy settings to this organizational unit.

So I’m going to call it SecDesk; let’s call it our SecDesk organizational unit. And if I go to my computers, I can just throw my computer into that organizational unit.

I don’t care about that warning. Good. I do want to see the warning. There we go. Oops. There we go. Now I have this small little organizational unit where I’ve added this computer.

Now, usually what you would do is you would break up your organization. So when you start rolling out AppLocker, you would roll it out to your security team first. You would roll it out to the administrators, you’d roll it out to desktop support, and you would slowly roll this policy out.

You wouldn’t roll it out to absolutely everybody. Now that we have that OU created, what we’re going to do is go into Server Manager, go to Tools, and go to Group Policy Management.

There we go. Here we go.

Jason Blanchard

Dylan, can you zoom in a little bit?

John Strand

I can, especially once I get there. Just give me a second. All right, so let’s zoom in over here. Over here. You can see I have my domain. I’ve created a target local domain.

What I have inside of this domain is the organizational unit called SecDesk. SecDesk is the one that we created that has one computer in it. What we’re going to do now is create a Group Policy that’s going to push out AppLocker with the default settings to that SecDesk organizational unit.

Now, there are two parts to it. One is actually configuring the actual AppLocker configuration. The second thing is actually creating a policy that’ll start the Application Identity service.

It will not fire if you don’t have the service that’s actually watching the applications on the computer system itself. So what I’m going to do is right-click on that, and we’re going to create a GPO for that one, and I’m going to call it applocker.

We’re going to click OK. Oops. I need to create it for SecDesk. Here we go.

I need to delete this real quick. Put it in the wrong place; it wasn’t highlighted. Here we go. So we go into SecDesk. There we go.

I’ll just call it applocker two, then. There we go. All right. So now we’ve created our little Group Policy, and we can see that that’s underneath the SecDesk group.

Now, if we actually want to configure it, we can go into it, we can right-click, and we can go Edit. I’ll come back and enforce it here in a second.

So now this is the beginning of the Group Policy settings that we have in place. So the actual policy that we want to put on this particular one is going to be under Policies, under Windows Settings, and under Security Settings.

And let me make this a little bit bigger for everybody. And I’ll show you the two main settings that we’re actually going to set for this particular computer. Here we go.

Let’s go into our Application Control Policies first. And there is AppLocker. Now, that is not the same as the AppLocker GPO that I just created.

This is where you would actually go in and configure AppLocker itself. So we’re going to start; I’m going to make this a little bit bigger so we have some more room to play with.

We’re going to start by configuring the rule enforcement. I’m going to go through and set all of these to configured and enforced. I’m going to go through some of the different settings that you can have here in just a second.

I will zoom in. There we go. Now you can see that we have executable rules, Windows Installer rules, script rules, and packaged app rules.

Now, you can set it up in two separate settings. You can set it up so it’s enforced rules, where it’ll actually block and stop those different things from executing. Or you can put it into audit only if you’re exceptionally paranoid.

You can set it to audit only. That means AppLocker is going to log what it would have blocked. So you don’t have to worry about pushing out a rule to an entire organization that’s going to blow up absolutely everything.

In fact, generally you don’t have to worry about that. It doesn’t happen all that often. The default rules work really, really, really well. And I’ll show you what the default rules look like. So those are the two different examples that we can work with.

We have executable rules, Windows Installer rules, script rules, and packaged app rules as well. Then I’m going to apply it. But as of right now, I actually don’t have any rules.

I have to scroll down over here and go into executable rules, Windows Installer rules, script rules, and packaged app rules. And I have to generate the default rules for each one of those.

Now I can select each one of those, and you can see I now have it over here: executable rules, Windows Installer rules. And I can right-click and I can do Create Default Rules.

Now, I want to talk about a couple of different things here real fast. So if we generate the default rules, it’s just going to generate three or four rules for each set. And it’s not very many rules at all.

And predominantly these rules are based on paths. It’s going to say anything that’s executing from the Program Files directory or the Windows directory is allowed to execute. And then the last rule is anybody who is an administrator can do whatever they want.

This is that failsafe to make sure that you don’t actually lock yourself out of your computer directly. If you do automatically generate rules, it’s going to generate hundreds of rules. It’s going to go through and identify all the programs that are currently installed, and it’s going to lock it down to just those programs.

I do not recommend jumping into that. I really honestly can’t think of a possible scenario where that’s ever a really good idea just to be like, yeah, let’s do the automation, see how that works out.

The default rules are great for just getting started with whitelisting. Now, if you want to create a new rule, I want to show you some things that are pretty cool with this. If you want to create a rule by hand, you can create a rule that will allow an application or deny an application.

I can go into a little bit more detail about how I want to establish a program that can execute. I can give it a path. This will be very effective if you have Program Files, the Windows directory, and then another opt directory that has these mission-critical apps; then absolutely you would want to set up some additional path rules to allow those to execute.

You can also create a file hash rule to basically say, hey, if a file has this hash, allow it to execute or block it. But I want to show you publisher rules. I think the publisher rule is really probably one of my favorites.

What you can do is you can create a reference file and you can go to any number of different files that exist on the computer system.

You can basically choose the program, any executables that you have. It’ll say, okay, I can create a rule around this specific application.

One of the things I love about this is it gives you the capability of saying how stringent you want that rule to be. You can say, do we want it to be for this publisher? And you can see that I have a rule for Microsoft which is actually already in there: product name Microsoft Windows Operating System, file name is setup winm m exe, and then the specific file version. I can even say "and above." However, you can also take this little bar and scroll it up to say I will allow anything from this specific publisher to execute.

So if you have a whole bunch of Oracle tools and Oracle is being a nightmare and installing things all over the place, or if you have specific applets that you need to run from a specific vendor and it’s going to drop it into the Temporary Internet Files folder or it’s going to run an executable (which is a bad idea, if that’s the way it runs),

you can identify that executable and you can say this publisher is allowed, and it’ll allow anything from that publisher to run. So there are the default rules for executables.

Now I’m going to go and create the default rules for Windows Installer rules. We’re going to generate the default rules for script rules and then also generate the default rules for the packaged app rules.

All right, so this is about as plain-Jane and vanilla of an AppLocker installation as you could possibly set up. So we’ve got our rules applied, and now I’m going to minimize that, and we’re going to go back to our AppLocker policy, and I’m going to set it to enforced.

All right, actually, I’m not done. I skipped a step. For somebody that’s watching this that’s like, oh my God, he completely forgot to set up the services: you would be right. So if I go into Policies, go to Windows Settings, go to Security Settings, one of the things that you can do in addition to creating the AppLocker rules is you can actually identify which services are going to start automatically.

And for this to work, we have to actually set up the Application Identity service, and I am going to set that to be automatic and automatically start up. There we go.

We’re going to apply it. There we go, set. So we now have that group policy established and we’ll make sure that it’s actually enforced. There we go.

And we’ve got it applied to SecDesk. So we went through, we created the AppLocker policy. We’ve established the service that will allow AppLocker to actually run properly. And we’ve actually applied it to our specific organizational unit that we’ve created that has our wonderful computer, the boss.

Now I’m going to go to my domain workstation and I am going to do gpupdate and I’m going to enforce it.

Jason Blanchard

Hey John, quick question. We keep getting: does AppLocker only work for the Enterprise version of Windows?

John Strand

I believe so. I haven’t tried it on Home. All right, we’re updating the Group Policy on this workstation.

I’m pretty sure it’s Professional. Oh no. Let’s see if this works. Sometimes I have to run it twice. I don’t know why.

Make sure I can ping the domain controller. Bouncing my Windows computer. Starting to get nervous.

Jason Blanchard

There’s a bunch of debate in the chat on that question, Pro and Enterprise.

John Strand

I set up this entire environment in a VM environment. One of the problems I’ve been running into is time sync. Whenever I take the VM out, the timing will be off between the two systems, and that’s a problem.

Years ago I had an incident where we had clustered domain controllers and they became unsynced from each other because of a Nessus scan, and it brought the whole system down.

That was bad. Should be the same. There you go, 12.4. All right, we’re logged in.

All right, so let’s see if this is actually working. Let me log in as a different user. There we go.

Let’s log in as whitelist. Let’s see if it worked. You can actually force the Group Policy from Active Directory, but it takes like ten minutes in some situations for it to actually work.

So let’s go ahead and see if it took. If not, I’m going to have to log in as administrator and try gpupdate /force again.

There we go. All right, so now what’s going on? Let me zoom in. Any executable that is not in the specific paths that were identified, in Program Files or in the Windows directory, is automatically going to pop up the little alert.

It’s going to say, hey, your systems administrator has blocked this program. For more information, contact your systems administrator. That’s cool. And the fact is that it’s now stopping any random executables from running.

However, if we have executables that are in that Program Files directory, they’re going to work just fine. A lot of the standard programs that a user would normally go through are going to execute without any issues.

Now if we go back to our malware example that we did a little while ago, let’s see how that changes things.

Let’s go to 172.16.12, what was it? 11. I’ve got things backwards here. And let’s go to msf.exe and download it.

Let’s try running it. Go ahead and run. Stopped it. We have a before and after. Before we actually had AppLocker, I was able to download and execute any of the programs that I wanted to.

But now that I have AppLocker in place, it’s actually stopping that execution. Once again, there’s a lot of flexibility in AppLocker for allowing publishers through code signing certificates.

You can also go through hashes if you want to go down to that level. But the big thing that I want to get across is if you’re going to implement application whitelisting with something like AppLocker, it is absolutely unnecessary to go all the way down to the individual file hashes on every single computer system.

You do not have to go to that level. To that extent, I also want to get across that with a lot of the advanced endpoint security products that are out there today, the most difficult thing to get around is not the security product itself and its automatic, amazing, artificial intelligence, whatever crap it is they’re throwing at you.

But what’s really difficult to get by on a lot of these different tools is their whitelisting capability. And whitelisting is not something that you have to buy. Whitelisting is free. You can absolutely do it on your own.

So let me go through a handful of slides and then we’ll get to questions associated with this. Here we go. Get the redneck off the screen.

All right. AppLocker bypasses. Yeah, a lot of the bypass techniques work, like rundll32 techniques, ISR-evilgrade, service exploits, SCT files.

I have a joke. Bypassing never seemed to end. It just goes on and on, my friend. Subtee started hacking it, not knowing what it was. Now we’ll just keep on hacking it forever, just because the bypasses never end and just go around and around and around.

Now this gets into a problem that we currently have in the state of security right now. One of the problems that we have in the state of security is anytime anyone talks about doing AppLocker, and I’ve been part of these conversations, I inevitably will have someone in the group say, well, you could just bypass that by doing this particular technique and that technique and this technique.

And then all the people that are listening are like, well, AppLocker must be crap with the default configurations. And that’s garbage. Honestly, if you actually implement AppLocker, just what I just showed you, you’re going to stop 95% plus of the drive-by attacks that hit your organization. A lot of the ransomware is now done. It’s not going to work. The vast majority of the attacks that your organization is going to encounter are going to fall into that category.

And seriously, if we could just shut down 95% or more of the attacks that are hitting your organization, can’t we call that a win? Why is it everything in security has to be completely 100% foolproof?

And I know this as a vendor, because I’ll have people, whenever I’m talking about RITA and AI-Hunter, say, well, I can get by RITA if I have a backdoor that beacons once per week; your tool’s not going to detect it.

Okay, you win. I don’t know how exactly we’re supposed to take that. And I think we need to get away from everything is garbage. And if we can bypass it, it’s crap.

It’s kind of like the old Saturday Night Live sketch, but it’s Scottish. It’s crap. There’s a bad accent for you. And we need to actually get down to some more realistic security expectations. And right now, all of your organizations have Sysmon.

Right now, all of your organizations have AppLocker, and it’s free, and we can push it out and we can do it effectively, and it’ll make an attacker’s life that much more difficult. So some implementation principles before we actually try to jump into it.

Start small. Start with your own security team. You could also start in audit mode. You aren’t actually locking things down completely. You’re auditing to see what it would have blocked through a normal day.

And then you can go and easily create AppLocker rules for the different publishers’ code signing certificates to allow them to run. Roll it out in stages. So start with your own security team, and then roll it out to systems administrators or help desk, and then roll it out to the rest of the techie teams, maybe even developers as well.

There’s no reason that I can think of at all where you would want to roll this out to every single computer system in one shot.

There’s nothing about that at all that is even remotely close to a good idea. And when you’re working with the techie teams, when you’re working with systems administrators, you’re working with help desk, you’re working with network administrators and the security team, you’re working with people that are technically competent.

At least I hope that they’re technically competent. People in tech know things. And if something doesn’t work and it says this executable doesn’t fire, then you can have an intelligent conversation.

Rather than talking with someone who’s saying, well, the Internet doesn’t work. What does that mean? The Internet’s not working at all. But I don’t know what it means that the Internet doesn’t work. And they have some weird streaming app that they downloaded on their desktop and they’re running it on their desktop and they’re like, that doesn’t work.

Better to work with somebody who knows technically what is actually going on. So I wanted to open it up for questions. I think we’re doing great on time. We have ten minutes.

Wow, there’s a lot of people in the room. All right, so let’s get started. What questions do we have, folks?

Jason Blanchard

All right, you’re going to go CJ?

Jordan Drysdale

Yeah, I had a couple from way back there talking about Sysmon, about how that scales and how you would incorporate multiple feeds.

John Strand

So one of the things that we’ll do a little bit later, when we’re talking about Sysmon, is logging, which we did not touch. Like, how do you actually get Sysmon to get forwarded onto an event logging service?

When you’re looking at ELK implementations like HELK, which is amazing, it has the ability for you to ingest Sysmon and automatically index those Sysmon events. So that’s probably the next webcast I’m going to do for next week, because I’m home and that’s awesome.

We’ll probably stand up a whole HELK instance and then walk through how to set it up, so Sysmon is dumping directly into a security instance that is specifically configured for event logging, or for logging of Sysmon among other things, and specifically doing it for security, because it’s just absolutely fantastic.

I think the guy that runs the HELK project is actually part of SpecterOps, which is just doing amazing work these days.

Jordan Drysdale

Nick wants you to work on your Scottish accent.

John Strand

I’ve got to work on my Scottish accent. No, I am not going to work on my Scottish accent. All right, any other questions?

Jason Blanchard

Yes. By default, will AppLocker prevent files from alternate data streams?

John Strand

It depends on where they’re executing. If you actually put the file in an alternate data stream in the Windows or the Program Files directory, that hierarchy is going to allow it to go through. But if somebody drops it into a temp folder or onto a desktop, it’s going to stop that from executing.

If you actually look at something that’s executing in an alternate data stream and you look at it in Process Explorer, it’ll show you the alternate data stream. The alternate data stream is irrelevant insofar as it relates to the path.

It’s the path that matters more than the alternate data stream. Good question.

Jordan Drysdale

A lot of questions on looking at the output of the logs for AppLocker. I saw that it goes to Event Viewer or other ways, so I’m looking at that.

John Strand

Yeah, that’s where you’re going to have to look, especially whenever you’re testing it. I got a good question from Jim on how to utilize AppLocker when there are programs like GoToMeeting and WebEx that install in the AppData folders. You can actually go through and set it up by the publisher.

That was one of the things I showed. So if you have things that you use all the time, like WebEx, you could go through and say, okay, this is a publisher that I trust. You don’t have to actually get down to the executable, you don’t have to get down to the hash, you don’t have to get down to the version.

You can just say, we trust this publisher and you allow it to execute. So I hope that answers Jim’s question.

Oh, great question. Alex just said, aside from forwarding the logs off of the system, are there any best practices for protecting Sysmon and AppLocker logs from modification? Honestly, the best thing to do is get them off the system as quickly as possible.

That is the best possible thing. Because remember, when you’re looking at Mimikatz, Mimikatz had the ability to actually allow you to clear out the event log and not have the "event log was cleared" alert show up.

I know Josh Wright has written some tools to prevent certain event logs from being written. We also saw that this was a technique and a capability and a tool that was part of the vault breach. So yes, there are ways to modify event logs; get them off the system as quickly as you can.

Jordan Drysdale

Does this old trick still work where you had the write-once, where you basically put the hashes on a CD?

John Strand

Oh, you remember we used to have to do that. Northrop Grumman. Right. And I think there are still projects that are doing that to this day. Thankfully, for most enterprise organizations that is not insane.

Wages popped up and said: publisher rules are best; hash rule if not signed; path rule. There are a lot of programs from vendors that don’t sign, but why are you buying stuff from them anyway if they’re not signing their executables?

Other good ways to protect against malicious services killing Sysmon? This basically boils down to don’t let the attacker get administrator rights on a computer, because that’s bad, right?

So I want to throw it over to BB. BB, do you have any thoughts on Sysmon and AppLocker and kind of our tests and things like that?

Jordan Drysdale

Let’s see. I’ve actually just started playing with it myself in a VM and running some of the tools that I use on a test against it. I was floored at how visible everything I normally do becomes

once you’ve got Sysmon enabled on there. To use, not really my thing, but to see how it shows up when I’m testing, it was impressive.

John Strand

I think that it’s pretty consistent. Once you get code execution and you start doing things after code execution, it loses a lot of visibility, especially whenever you’re doing things in memory.

But by and large, that initial execution and that network connection that leaves, it’s pretty much always nailed the network connections for me. You may have migrated into another process, like we talked about, the rundll32, which would be a legitimate Windows process.

That’s a way to obfuscate and hide in plain sight, but you’re still going to see that network connection as well. Oh, Bruce wanted me to mention, and I agree, that the Mac has whitelisting enabled by default.

And he’s right, it’s pretty easy to bypass. But I downloaded and ran Chicken of the VNC, and it’s just this random app; it isn’t from the App Store. So in order to execute it on a Mac, you have to right-click and then Execute or Open, and then it’ll pop up and say, hey, you didn’t download this from the App Store.

Are you sure you want to run it? And then you have to click OK. If you just double-click on it, it stops it as well. Asking again, I saw that. Hold on. Where’d it go?

How can I map out the various programs that all end users are using in different locations and paths in order to create the rules semi-automatically?

All right, let’s do that. Hey, who’s with me? Let’s answer Yarn’s question. While we’re answering that question, CJ, do you have another question?

Jordan Drysdale

Just kind of a question about a webcast presenting a matrix of expensive tools and the built-in ones that do a good job. And I think we’re always a little agnostic on that, because usually the free tools involve a lot more labor and integration; they don’t come as full-featured.

And you always talk about, because we have questions here about Carbon Black, do I do app whitelisting with that? And we always say yes, make sure with any of the advanced endpoint protections you’re using the application whitelisting features.

John Strand

Yep, absolutely.

Jordan Drysdale

I think it’s a great exercise if you’ve got some of these tools already, to compare them to what’s built in. So the answers always depend on your environment.

John Strand

Go ahead, Joe. And honestly, if you’re not ready for whitelisting with AppLocker, you’re not going to be ready for whitelisting with a commercial third-party tool. This is a great way to start out with the path exception.

So let’s answer Yarn’s question. Now that I’m at the end of the webcast, let me blow this up. So here you go. We go Automatically Generate Rules. We give it the path and then it’s going to do this and then it’s going to create them.

And there we go. Well, I only have one, but if I had a number of executables here, it would actually go through and map out all of the different executables that are there. It should have gone through and done all the ones in Program Files.

Mhm. Hash rule. There we go. Maybe this will get it, but it’s kind of insane. As I said, I don’t like doing that.

I don’t. So if you have like a normal system, you’re gonna have hundreds of files here, and you’re gonna be back to just doing it by path to start out as well. All right. Oh man, so many questions on the different things like Graylog versus HELK versus SOF-ELK versus...

Oh my God.

Jason Blanchard

John, one question that came up a few times was: any suggestions or techniques for managing Sysmon config files enterprise-wide?

John Strand

So what I would recommend if you want to run multiple different Sysmon configuration files, if we go back to the slide deck, which is here. Sorry, I have two computers and I’m on the wrong keyboard.

Let’s go here. One of the things you could do is this. For each of the different OUs that you create, you can have a different configuration file. You’d have config one, config two, config three, config four, and you’d be hosting those once on the domain.

And then all of your systems would actually pull that from the domain as well. We have an alternative. As we said, whitelisting is pretty much built into a Mac, Nick, which is nice.

Wow. The next one is going to be on logging. I’ll go ahead and set that up with HELK and SOF-ELK, and I’ll actually run both of them.

I’ll try to set it all up so my domain is sending it to HELK, and then I’ll set it up with SOF-ELK and I’ll try to do a full kind of shootout between the two. But there are people out there that are much, much, much better than I am at that as well.

So I hope that you guys enjoyed this webcast. As I said, this one was a long time coming. I think that we get caught up in new fancy tools and we don’t go back to basics. So I think that coming back to a basic kind of setup is important every once in a while to make sure that we’re getting these basics and fundamentals in place.

So I think the next one’s going to be on logging, and the next one after that I want to do is how to push out firewall rules via Group Policy. Because I’m always telling people, enable your host-based firewalls. Enable your host-based firewalls.

And I think that it’s a really, really good idea. Once again, we’ve never walked through specifically how to do that as well. So with that, let’s get out of here, everybody. Thank you so much, and I appreciate you all coming.

And tell your friends that we do these webcasts and they’re free and it’s like free training, which is pretty cool. And we’ll see you at the next one.