7. Application whitelisting in general
▪ Protect against malicious code by only running trusted code
▪ Whitelist contains the rules that define trust
11. Microsoft & Application whitelisting
AppLocker
▪ User targeted
▪ Exe, dll, cmd & bat
▪ Path based rules
▪ Block store apps
AppControl (Device Guard code integrity policy)
▪ Device targeted
▪ Exe & DLL
▪ Accompanied by PowerShell constrained language
▪ Runs in kernel space
▪ Can protect against administrator
Device Guard
▪ Hardware protected by HVCI
▪ Requires UEFI
▪ Requires TPM
▪ Requires VBS
13. Defining trust – core rules
• File hash per binary (Hash)
• Signing certificate (Leaf cert)
• Root cert in certificate chain (PCA cert)
• Original filename (Filename)
14. Defining trust – PCA derivates
• Verisign cert + Common name = Microsoft → Publisher
• Publisher + Minimal version number → Signed version
• Publisher + Filename → File Publisher
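The rule levels of slides 13 and 14 each bind to a different attribute of a binary. The script below is an added example, not code from the slides or from Microsoft: it pulls those attributes out of one Authenticode-signed PE (hash, OriginalFilename, leaf certificate, the issuing PCA certificate and the version) and prints what a rule at each level would be built from. The default path and the name `ConvertTo-DosPath`-free approach are assumptions; any signed PE can be substituted.

```powershell
# Added example (not from the slides): show which attributes of one signed binary
# each code-integrity rule level binds to (slides 13 and 14).
# Assumption: $Path points at an Authenticode-signed PE; the default is only a placeholder.
param([string]$Path = "$env:SystemRoot\System32\notepad.exe")

$item = Get-Item -LiteralPath $Path
$sig  = Get-AuthenticodeSignature -FilePath $Path

# Core rules that need no signature at all
$hash         = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash   # Hash: one rule per binary
$originalName = $item.VersionInfo.OriginalFilename                        # FileName rule input
$fileVersion  = $item.VersionInfo.FileVersion                             # minimal version for SignedVersion

$leaf = $null; $pca = $null; $commonName = $null
if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
    $leaf = $sig.SignerCertificate
    # Walk the chain upward to find the issuing (PCA) certificate; revocation
    # checking is skipped so the script also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($leaf)
    if ($chain.ChainElements.Count -ge 2) {
        $pca = $chain.ChainElements[1].Certificate   # element 0 is the leaf itself
    }
    $commonName = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
} else {
    # A self-signed cert (slide 15) ends up here unless its root is trusted on this machine
    Write-Warning "$Path has no valid Authenticode signature ($($sig.Status)); only Hash and FileName rules apply."
}

# Each property is the data a rule at that level would be built from
[pscustomobject]@{
    File            = $Path
    Hash            = $hash
    FileName        = $originalName
    LeafCertificate = $(if ($leaf) { $leaf.Thumbprint } else { $null })
    PcaCertificate  = $(if ($pca)  { $pca.Thumbprint }  else { $null })
    Publisher       = $(if ($pca)  { "PCA $($pca.Thumbprint) + CN '$commonName'" } else { $null })
    SignedVersion   = $(if ($pca)  { "Publisher + version >= $fileVersion" } else { $null })
    FilePublisher   = $(if ($pca)  { "Publisher + OriginalFilename '$originalName' + version >= $fileVersion" } else { $null })
}
```

Run it against a handful of binaries from the same vendor to see why Publisher is usually the right level: the leaf certificate thumbprint changes every time the vendor renews its cert, while PCA cert plus common name survives renewals.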
15. The unsurmountable challenge of code signing
Create your own cert without a PKI (placed in the machine store so the signing step below can find it)
New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'Application control signing cert' `
    -CertStoreLocation Cert:\LocalMachine\My
Sign a file using that cert
Set-AuthenticodeSignature `
    -Certificate ((gci Cert:\LocalMachine\My) | `
        ? {$_.EnhancedKeyUsageList -like '*code signing*' `
           -and $_.Subject -like 'CN=Application control signing cert'}) `
    -TimestampServer http://timestamp.digicert.com -HashAlgorithm sha256 `
    -FilePath "file"
16. Defining trust – Managed installer
▪ New since 1703
▪ Makes files written to disk by Trusted process trusted
▪ Does nothing for files already on disk
▪ Can’t be enabled during staging
17. Defining trust – intelligent security graph
▪ New in 1709
▪ Trust list of known applications generated by Microsoft
▪ Non-customizable (read: the list is as good as it is)
18. Audit mode / monitoring mode
▪ NIST and our recommendation: audit mode first (FCS/GBV)
▪ Generates events in the Code Integrity event log – client side
▪ 1 event per process/file per boot cycle
20. Implementation assumptions
• Goal: Prevent automated attacks
• Trust: If an app is trusted on one machine in the company it’s trusted everywhere
• Management: The majority of apps is installed in a managed fashion
21. OSCC’s application control project kickoff
▪ Define scope
▪ Find POC department
▪ Analyze application types/needs
▪ Define catalog creating process
▪ Build initial audit policy
22. OSCC’s application control project assessment phase
▪ Deploy audit policy
▪ Collect audit results
▪ Remediate audit results
23. OSCC’s application control project round-up
▪ Start enforcement for deployed systems
▪ Start enforcement for new deployments
▪ Expand scope to more departments
▪ Sign policy?
24. Proposed base policy
▪ Microsoft base policy
▪ Block Microsoft known bypasses
▪ Microsoft Publisher rule
▪ Define managed installers
▪ Audit mode enabled
▪ Add-SignerRule (leaf certificate)
▪ Optional: Add-SignerRule for the Store for Business cert
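The proposed base policy can be assembled end to end with the ConfigCI cmdlets that ship with Windows 10. The script below is an added example written for this page, not the OSCC project's own tooling: it takes the shipped Windows example policy as the Microsoft base, merges in a locally saved copy of Microsoft's recommended block rules (placeholder file name), adds the leaf-certificate signer rule from slide 15, turns on audit mode, managed installer (slide 16) and the intelligent security graph (slide 17), declares a managed installer through AppLocker, and compiles the policy to its binary form. The working directory, file names, the certificate export and the managed-installer path are all assumptions.

```powershell
# Added example (not from the slides): build the proposed base policy with the
# ConfigCI cmdlets. Directory, file names and certificate exports are assumptions;
# the block-rule XML is a placeholder for Microsoft's published block rules saved locally.
$Work     = 'C:\WDAC'
$Base     = Join-Path $Work 'BasePolicy.xml'
$Merged   = Join-Path $Work 'BasePolicy.merged.xml'
$Blocks   = Join-Path $Work 'MicrosoftRecommendedBlockRules.xml'   # placeholder file
$LeafCert = Join-Path $Work 'ApplicationControlSigningCert.cer'     # exported leaf cert from slide 15
$Binary   = Join-Path $Work 'SIPolicy.p7b'
$Example  = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"

New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Microsoft base policy: the shipped example that trusts Windows and its signed
# components; if it is missing, scan the Windows directory instead (slow).
if (Test-Path $Example) {
    Copy-Item -Path $Example -Destination $Base -Force
} else {
    New-CIPolicy -FilePath $Base -ScanPath $env:SystemRoot -Level Publisher -Fallback Hash -UserPEs
}

# Block Microsoft known bypasses: merge the deny rules into the base policy
if (Test-Path $Blocks) {
    Merge-CIPolicy -OutputFilePath $Merged -PolicyPaths $Base, $Blocks | Out-Null
    Move-Item -Path $Merged -Destination $Base -Force
}

# Leaf-certificate signer rule for in-house signed binaries (user mode only)
Add-SignerRule -FilePath $Base -CertificatePath $LeafCert -User
# Optional: Store for Business signing certificate (placeholder path)
# Add-SignerRule -FilePath $Base -CertificatePath (Join-Path $Work 'StoreForBusiness.cer') -User

# Rule options: 0 = UMCI, 3 = audit mode, 13 = managed installer, 14 = intelligent security graph
foreach ($opt in 0, 3, 13, 14) { Set-RuleOption -FilePath $Base -Option $opt }

# Managed installers are declared in an AppLocker policy with a ManagedInstaller
# rule collection; the path below (SCCM client directory) is a placeholder.
$installerPolicy = Join-Path $Work 'ManagedInstaller.xml'
@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-2222-3333-4444-555555555555" Name="SCCM client (placeholder)"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\CCM\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Set-Content -Path $installerPolicy -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $installerPolicy -Merge
appidtel.exe start -mionly    # start the Application Identity tracking needed by managed installer

# Name the policy and compile it; the .p7b is what gets deployed
Set-CIPolicyIdInfo -FilePath $Base -PolicyName 'OSCC base policy (audit)'
ConvertFrom-CIPolicy -XmlFilePath $Base -BinaryFilePath $Binary | Out-Null
"Compiled $Base to $Binary"
```

Keep option 3 in place until the audit results from slide 22 have been worked through; removing it is the only change between the audit policy and the enforced one, which is what makes the "start enforcement" steps of slide 23 a small, reversible change.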
25. Common challenges
▪ Unsigned applications
▪ Self-Updating applications
▪ Temporary emergencies
▪ Inhouse developed apps
27. Generate trust from audit events
▪ Script to convert Audit entries to WMI
▪ Needs access to audited binaries
▪ Collect & Consolidate with SCCM
▪ Create rules based on consolidated list
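Slides 18 and 27 together describe one pipeline: an audit-mode policy writes one Code Integrity event per file per boot cycle on each client, those entries are collected and consolidated centrally, and rules are generated from the consolidated list, which requires access to the binaries themselves. The script below is an added example, not the script the slide refers to: it reads the audit events on one client, maps the NT device paths in the events back to drive letters, consolidates by file, exports a per-host CSV for central collection, and generates Publisher rules (Hash fallback) for every audited binary that is still on disk. The working directory, the event data field names `FileNameBuffer` and `ProcessNameBuffer`, and the choice of SCCM for collection are assumptions.

```powershell
# Added example (not from the slides): read Code Integrity audit events (slide 18),
# consolidate the audited binaries and generate rules from the list (slide 27).
# Assumptions: working directory, event data field names, CSV hand-off to SCCM.
$Log   = 'Microsoft-Windows-CodeIntegrity/Operational'
$Out   = 'C:\WDAC'                                   # assumed working directory
$Csv   = Join-Path $Out "$env:COMPUTERNAME.audit.csv"
$Rules = Join-Path $Out "$env:COMPUTERNAME.AuditRules.xml"
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 3076 = would have been blocked (audit mode), 3077 = blocked (enforced mode)
$events = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 3076, 3077 } -ErrorAction SilentlyContinue

# Events carry NT device paths (\Device\HarddiskVolumeN\...); build a map back to drive letters
if (-not ('Win32.Dos' -as [type])) {
    Add-Type -Namespace Win32 -Name Dos -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@
}
$volumes = @{}
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $sb = New-Object System.Text.StringBuilder 260
    if ([Win32.Dos]::QueryDosDevice("$($drive.Name):", $sb, $sb.Capacity) -gt 0) {
        $volumes[$sb.ToString()] = "$($drive.Name):"
    }
}
function ConvertTo-DosPath([string]$NtPath) {
    foreach ($dev in $volumes.Keys) {
        if ($NtPath.StartsWith("$dev\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $volumes[$dev] + $NtPath.Substring($dev.Length)
        }
    }
    return $NtPath
}

# Pull the audited file and the loading process out of each event's data fields
$records = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        File     = ConvertTo-DosPath (($data | Where-Object Name -eq 'FileNameBuffer').'#text')
        Process  = ConvertTo-DosPath (($data | Where-Object Name -eq 'ProcessNameBuffer').'#text')
        Time     = $e.TimeCreated
        EventId  = $e.Id
    }
}

# One event per file per boot cycle means repeats across reboots: consolidate by path
$consolidated = $records | Group-Object File | ForEach-Object {
    [pscustomobject]@{
        File     = $_.Name
        Hits     = $_.Count
        LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
}
if ($consolidated) {
    $consolidated | Export-Csv -Path $Csv -NoTypeInformation   # picked up centrally (SCCM) and merged across hosts
}

# Rule generation needs the binaries themselves, so only files still on disk get rules
$present = @($consolidated.File | Where-Object { Test-Path -LiteralPath $_ })
if ($present.Count -gt 0) {
    $rules = foreach ($f in $present) { New-CIPolicyRule -Level Publisher -Fallback Hash -DriverFilePath $f }
    New-CIPolicy -FilePath $Rules -Rules $rules -UserPEs
    "Wrote $($rules.Count) rules for $($present.Count) binaries to $Rules"
} else {
    "No audited binaries found on disk; nothing to generate."
}
```

The per-host XML is meant to be merged into the base policy with Merge-CIPolicy after review; a file that shows up in the audit log is not automatically trustworthy, so the consolidated CSV is what the remediation step of slide 22 works from. For a single machine, `New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs` reads the same event log directly, but it does not give you the cross-host consolidation that the slides put into SCCM.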