CTM360 Hardening Guidelines

USE CASE: POST-EXPLOITATION IMPACT OF THE LOG4SHELL VULNERABILITY

11 Jan 2022

The Log4j vulnerability (CVE-2021-44228, "Log4Shell") allows unauthenticated remote code execution. It is triggered when an attacker-controlled string containing a JNDI lookup, supplied through any input the application ends up logging (HTTP headers such as User-Agent, form fields, usernames and so on), is parsed by a vulnerable Log4j component, which resolves the lookup against an attacker-controlled server and loads the returned code. Microsoft reported that post-exploitation activity was already widespread: once an attacker has code execution on the application host they can pursue a range of objectives, including installing coin miners, deploying Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems. Below are the MITRE ATT&CK techniques most commonly observed in these intrusions, which an attacker may leverage to compromise further systems.

TECHNIQUE#1 - Exploitation for Client Execution (T1203)

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution.

CTM360 Mitigation Guidelines:

Note: Before disabling a service/configuration, please check if any endpoint requires it for a specific use case and only allow it where necessary.

Option 1:

Enable Attack Surface Reduction (ASR) rules from Group Policy. Microsoft Defender ASR rules, each identified by a GUID, block specific high-risk behaviours (such as Office applications spawning child processes or obfuscated scripts executing) on desktops and servers. ASR rules require Microsoft Defender Antivirus to be the active antivirus with real-time protection enabled.

Open the Group Policy Editor [Local/Domain] and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction.

On the right-hand side, double-click "Configure Attack surface reduction rules" and select Enabled.

Under Options, click the Show... button; the Show Contents window opens.

In Value Name enter each rule ID below and set its Value to 1 (Block), then click OK to save. A Value of 2 (Audit) logs what the rule would have blocked without enforcing it; rolling out in Audit first and reviewing the events is the safest way to find line-of-business software the rule would break before switching to 1.

Block execution of potentially obfuscated scripts
ID = 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC, Value = 1

Block JavaScript or VBScript from launching downloaded executable content
ID = D3E037E1-3EB8-44C8-A917-57927947596D, Value = 1

Block Office applications from creating child processes
ID = D4F940AB-401B-4EFC-AADC-AD5F3C50688A, Value = 1

Block Office applications from injecting code into other processes
ID = 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84, Value = 1

Block Win32 API calls from Office macros
ID = 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B, Value = 1
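The same five rules can be staged on a single host with PowerShell before the GPO is rolled out domain-wide: enable them in Audit mode, read back the effective state, review the Defender events they generate, and only then switch to Block. This is an added example, not part of the CTM360 guideline; it uses the documented Microsoft Defender cmdlets (Add-MpPreference, Get-MpPreference) and Defender Operational log event IDs 1121/1122, and assumes an elevated prompt on a host where Defender Antivirus is the active AV. Where a domain GPO already manages ASR, the GPO value wins over these local settings.

```powershell
# Added example (not CTM360's): stage the five ASR rules from the guideline
# on one host, audit first, verify, then enforce. Run from an elevated prompt.
# A domain GPO that configures ASR overrides anything set locally here.

# Rule GUIDs exactly as listed in the guideline (matching is case-insensitive).
$AsrRules = [ordered]@{
    'Block execution of potentially obfuscated scripts'                         = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block JavaScript or VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block Office applications from creating child processes'                   = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from injecting code into other processes'        = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block Win32 API calls from Office macros'                                  = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
}

function Set-AsrRules {
    param(
        [Parameter(Mandatory)][string[]]$Ids,
        # Enabled = Block (GPO value 1), AuditMode = GPO value 2, Warn = GPO value 6
        [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Action = 'AuditMode'
    )
    # Add-MpPreference merges with rules already configured; one action per rule ID.
    foreach ($id in $Ids) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-AsrRuleState {
    # Report the effective action for each guideline rule (NotConfigured if absent).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($entry in $AsrRules.GetEnumerator()) {
        $action = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ("$($ids[$i])" -ieq $entry.Value) { $action = $acts[$i]; break }
        }
        [pscustomobject]@{ Rule = $entry.Key; Id = $entry.Value; Action = $action }
    }
}

function Get-AsrEvents {
    param([int]$Days = 7)
    # Defender logs 1121 when a rule blocks and 1122 when a rule fires in audit mode.
    # Each message names the rule GUID, the process and the target, which is what
    # you review before flipping the rule from AuditMode to Enabled.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Rollout order: audit, verify, review events, then enforce.
Set-AsrRules -Ids $AsrRules.Values -Action AuditMode
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvents -Days 7 | Format-Table -Wrap -AutoSize
# Set-AsrRules -Ids $AsrRules.Values -Action Enabled   # enforce once the audit events are clean
```

Audit events that name a legitimate business application (for example a document-management add-in that launches a helper process) are the signal to exclude that path, or to leave the specific rule in Audit, before the Block policy is pushed through the GPO above.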

Option 2:

Block Office Macros from Group Policy

(The steps below are for Microsoft Office 2016/2019.) Download the Office 2016 Administrative Template files (ADMX/ADML) and Office Customization Tool from Microsoft and install them on the Active Directory domain controller, copying the ADMX/ADML files into the Group Policy Central Store (or the local PolicyDefinitions folder). Once installed, follow the steps below:

Open the Group Policy Editor [Local/Domain] and navigate to User Configuration > Policies > Administrative Templates > Microsoft Word 2016 > Word Options > Security > Trust Center.

On the right-hand side, double-click "Block macros from running in Office files from the Internet", select Enabled and click OK to save. Then double-click "VBA Macro Notification Settings" and select Enabled.

Under Options, select "Disable all without notification" from the drop-down list and click OK. Note: these settings are per application, so repeat the above steps under the corresponding Trust Center node for Excel, PowerPoint and any other Office application in use.
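After the GPO has applied (gpupdate /force and a fresh logon), the two settings above land as policy registry values that Office reads at launch, so the quickest check on an endpoint is to read them back per application. The script below is an added example, not CTM360's; it assumes Office 2016/2019 (registry version 16.0) configured through User Configuration as described, which writes HKCU\Software\Policies\Microsoft\Office\16.0\<App>\Security with the DWORD values VBAWarnings (4 = Disable all without notification) and blockcontentexecutionfrominternet (1 = Enabled).

```powershell
# Added example (not CTM360's): verify that the macro policies are in effect
# for Word, Excel and PowerPoint by reading the Office policy registry keys.
# Assumes Office 16.0 (2016/2019) and that the GPO has already applied to this user.

$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings DWORD written by "VBA Macro Notification Settings".
$VbaWarningText = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all without notification'
}

function Get-OfficeMacroPolicy {
    param([string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba = $p.VBAWarnings
        $blk = $p.blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = if ($null -ne $vba) { $VbaWarningText[[int]$vba] } else { 'Not set by policy (user-controlled)' }
            BlockInternetMacros = if ($blk -eq 1) { 'Enabled' } else { 'Not set by policy' }
            # Hardened only when both settings from the guideline are present and enforced.
            Hardened            = ($vba -eq 4) -and ($blk -eq 1)
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

An application that shows "Not set by policy" means the user can still change the Trust Center setting themselves; that is exactly the gap the note above (repeat the steps for every Office application) is meant to close.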

Option 3:

Enable Controlled Folder Access

Controlled folder access helps protect valuable data from malicious apps and threats such as ransomware by allowing only trusted applications to modify files in protected folders. Open the Group Policy Editor [Local/Domain] and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access.

On the right-hand side, double-click "Configure Controlled folder access" and select Enabled.

Under Options > "Configure the guard my folders feature", select Block from the drop-down list and click OK to save. This is the strict mode in which untrusted apps cannot make any changes to files inside protected folders. The same drop-down offers Audit Mode, which only logs the writes that Block would have prevented and is the recommended first step.

Note: Enable this with caution. In Block mode, any application that Defender does not already trust and that has not been explicitly allowed is prevented from writing to protected folders, which may affect the organization's productivity until line-of-business applications have been allow-listed.
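The Block-mode caveat above is normally handled by rolling out in Audit mode first, reading the Defender events that name the applications and folders that would have been blocked, allow-listing the legitimate ones, and only then switching to Block. The following is an added example, not CTM360's, showing that sequence with the documented Defender cmdlets (Set-MpPreference, Add-MpPreference, Get-MpPreference) and Defender Operational log event IDs 1123/1124; the folder and application paths are hypothetical placeholders. It assumes an elevated prompt, and a domain GPO that manages Controlled folder access overrides these local settings.

```powershell
# Added example (not CTM360's): stage Controlled folder access on one host.
# Audit first, review events, allow-list legitimate apps, then enforce Block.
# Run elevated. A domain GPO managing CFA overrides these local settings.

function Set-CfaMode {
    # Enabled = the GPO "Block" setting; AuditMode = logs only.
    param([Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode')][string]$Mode)
    Set-MpPreference -EnableControlledFolderAccess $Mode
}

function Add-CfaProtectedFolder {
    # Windows profile folders (Documents, Pictures, ...) are protected by default;
    # business data outside the profile has to be added explicitly.
    param([Parameter(Mandatory)][string[]]$Path)
    Add-MpPreference -ControlledFolderAccessProtectedFolders $Path
}

function Add-CfaAllowedApp {
    # Line-of-business executables that legitimately write into protected folders.
    param([Parameter(Mandatory)][string[]]$ExePath)
    Add-MpPreference -ControlledFolderAccessAllowedApplications $ExePath
}

function Get-CfaEvents {
    param([int]$Days = 7)
    # 1123 = write blocked, 1124 = audit mode (would have been blocked).
    # The message names the process and the protected folder it tried to modify.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Get-CfaState {
    # Effective configuration: Mode 0 = Disabled, 1 = Block, 2 = Audit.
    $p = Get-MpPreference
    [pscustomobject]@{
        Mode             = $p.EnableControlledFolderAccess
        ProtectedFolders = $p.ControlledFolderAccessProtectedFolders
        AllowedApps      = $p.ControlledFolderAccessAllowedApplications
    }
}

# Rollout order: audit, protect business data, review, allow-list, then block.
Set-CfaMode -Mode AuditMode
Add-CfaProtectedFolder -Path 'D:\Finance'                           # hypothetical path; replace with a real data folder
Get-CfaState
Get-CfaEvents -Days 7 | Format-Table -Wrap -AutoSize
# Add-CfaAllowedApp -ExePath 'C:\Program Files\Contoso\Ledger.exe'  # hypothetical LOB app seen in 1124 events
# Set-CfaMode -Mode Enabled                                         # equivalent to the GPO "Block" setting
```

Only applications that appear in 1124 events and are known to be legitimate should be allow-listed; an unknown process writing to many protected folders in a short window is the ransomware pattern this control exists to stop.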

  • TECHNIQUE#2 - Ingress Tool Transfer (T1105)
  • TECHNIQUE#3 - Command and Scripting Interpreter: PowerShell (T1059.001)
  • TECHNIQUE#4 - Command and Scripting Interpreter: Windows Command Shell (T1059.003)
  • TECHNIQUE#5 - OS Credential Dumping: LSASS Memory (T1003.001)
  • TECHNIQUE#6 - Windows Management Instrumentation (T1047)
  • TECHNIQUE#7 - Remote Services: Remote Desktop Protocol (T1021.001)
  • TECHNIQUE#8 - Remote Services: SMB/Windows Admin Shares (T1021.002)

Recommendations

This hardening guide is part of CTM360’s ongoing strategy to provide actionable insights and tangible recommendations for major ransomware families. Our research team will be sharing such advisories frequently to ensure organizations globally become a harder target and can prevent the impact of ransomware proactively. We invite your feedback and welcome your input for future editions of our security hardening series. Kindly reach out to monitor@ctm360.com for any communication.
