Summary
This is my collection of detective and mitigating security controls as it results from personal research. The general idea is to classify these controls into categories and rank them so that they can be applied selectively in any corporative environment. As the list grows, I will develop a framework that will encapsulate everything in a table. Eventually this will also be retrievable in JSON format.
Legend
Topic: represents the short description of the threat that requires a security control in order to reduce risk of exposure in your network. Criticality: how critical (urgency/severity) the security control that mitigates the threat is for any organization. The scores are: low, medium, high, critical. IDS: Implementation Difficulty Score, a simple measure of the effort involved into implementing proper security controls for this threat. The scores hare: easy, medium, hard, very hard. TTP Cagetorization: A broad schema to classify the threat type.
Threat Protection Stack Table v0.1
Topic | Criticality | IDS | TTP Categorization | References |
---|---|---|---|---|
DDE Microsoft Office weaponization | High | Easy | Category: Defense Evation Sub-Category: Weaponized Document. MITRE: Exploitation of Vulnerability T1068 |
https://www.ghacks.net/2017/10/23/disable-office-ddeauto-to-mitigate-attacks |
Prevent lateral movement I | Critical | Very Hard | Category: Lateral Movement, Credential Access Sub-Category: Pass the Hash, Pass the Ticket, Credential Dumping. MITRE: Exploitation of Vulnerability T1068 |
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material |
Protect Against DDE Microsoft Office weaponization techniques
There are two essential controls:
Mitigative
- Disable Automated Link Update from Office apps
Detective
- Use this YARA rule
- Create a new rule using your EDR solution that draws on the patterns for the YARA rule
References
- To mitigate DDE by disabling Automated Link Updates: https://www.ghacks.net/2017/10/23/disable-office-ddeauto-to-mitigate-attacks
- DDE Protocol: https://msdn.microsoft.com/en-us/library/windows/desktop/ms648774%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
- Yara Rules: https://blog.nviso.be/2017/10/12/yara-dde-rules-dde-command-execution-observed-in-the-wild
- McAfee Advisory: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27325/en_US/McAfee_Labs_Threat_Advisory-W97MMacroLess.pdf
Prevent credential harvesting and lateral movement in AD Environment
Security Controls: Mitigative, Detective.
Mitigative
- Apply Active Directory administrative tier model on your environment.
Detective
- WIP
References
- Great article by Microsoft: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material