{
"authors" : [
"Various"
] ,
"category" : "measure" ,
"description" : "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and its security measures." ,
"name" : "Preventive Measure" ,
"source" : "MISP Project" ,
"type" : "preventive-measure" ,
"uuid" : "1a8e55eb-a0ff-425b-80e0-30df866f8f65" ,
"values" : [
{
"description" : "Make sure to have adequate backup processes in place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore)" ,
"meta" : {
"complexity" : "Medium" ,
"effectiveness" : "High" ,
"impact" : "Low" ,
"refs" : [
"http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7."
] ,
"type" : [
"Recovery"
]
} ,
"uuid" : "5f942376-ea5b-4b23-9c26-81d3aeba7fb4" ,
"value" : "Backup and Restore Process"
} ,
{
"description" : "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros" ,
"meta" : {
"complexity" : "Low" ,
"effectiveness" : "High" ,
"impact" : "Low" ,
"refs" : [
"https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US" ,
"https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter"
] ,
"type" : [
"GPO"
]
} ,
"uuid" : "79563662-8d92-4fd1-929a-9b8926a62685" ,
"value" : "Block Macros"
} ,
{
"description" : "Disable Windows Script Host" ,
"meta" : {
"complexity" : "Low" ,
"effectiveness" : "Medium" ,
"impact" : "Medium" ,
"possible_issues" : "Administrative VBS scripts on Workstations" ,
"refs" : [
"http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
] ,
"type" : [
"GPO"
]
} ,
"uuid" : "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f" ,
"value" : "Disable WSH"
} ,
{
"description" : "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub" ,
"meta" : {
"complexity" : "Low" ,
"effectiveness" : "Medium" ,
"impact" : "Low" ,
"type" : [
"Mail Gateway"
]
} ,
"uuid" : "7055b72b-b113-4f93-8387-e6f58ce5fc92" ,
"value" : "Filter Attachments Level 1"
} ,
{
"description" : "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm" ,
"meta" : {
"complexity" : "Low" ,
"effectiveness" : "High" ,
"impact" : "High" ,
"possible_issues" : "Office Communication with old versions of Microsoft Office files (.doc, .xls) " ,
"type" : [
"Mail Gateway"
]
} ,
"uuid" : "8c9bbbf5-a321-4eb1-8c03-a399a9687687" ,
"value" : "Filter Attachments Level 2"
} ,
{
"description" : "Block all program executions from the %LocalAppData% and %AppData% folders" ,
"meta" : {
"complexity" : "Medium" ,
"effectiveness" : "Medium" ,
"impact" : "Medium" ,
"possible_issues" : "Web embedded software installers" ,
"refs" : [
"http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/" ,
"http://www.thirdtier.net/ransomware-prevention-kit/"
] ,
"type" : [
"GPO"
]
} ,
"uuid" : "6a234b1d-8e86-49c4-91d6-cc3be3d04f74" ,
"value" : "Restrict program execution"
} ,
{
"description" : "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoid cloaking tricks that use double extensions (e.g. \"not_a_virus.pdf.exe\")." ,
"meta" : {
"complexity" : "Low" ,
"effectiveness" : "Low" ,
"impact" : "Low" ,
"refs" : [
"http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm"
] ,
"type" : [
"User Assistence"
]
} ,
"uuid" : "5b911d46-66c8-4180-ab97-663a0868264e" ,
"value" : "Show File Extensions"
} ,
{
"description" : "Require administrative users to confirm any action that requires elevated rights" ,
"meta" : {
"complexity" : "Low" ,
"effectiveness" : "Medium" ,
"impact" : "Low" ,
"possible_issues" : "administrator resentment" ,
"refs" : [
"https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx"
] ,
"type" : [
"GPO"
]
} ,
"uuid" : "3f8c55db-611e-4831-b624-f9cbdc3b0e11" ,
"value" : "Enforce UAC Prompt"
} ,
{
"description" : "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to." ,
"meta" : {
"complexity" : "Medium" ,
"effectiveness" : "Medium" ,
"impact" : "Medium" ,
"possible_issues" : "Higher administrative costs" ,
"type" : [
"Best Practice"
]
} ,
"uuid" : "168f94d3-4ffc-4ea6-8f2e-8ba699f0fef6" ,
"value" : "Remove Admin Privileges"
} ,
{
"description" : "Activate the Windows Firewall to restrict workstation to workstation communication" ,
"meta" : {
"complexity" : "Medium" ,
"effectiveness" : "Low" ,
"impact" : "Low" ,
"type" : [
"Best Practice"
]
} ,
"uuid" : "fb25c345-0cee-4ae7-ab31-c1c801cde1c2" ,
"value" : "Restrict Workstation Communication"
} ,
{
"description" : "Use a sandbox that opens email attachments and removes them based on behavior analysis" ,
"meta" : {
"complexity" : "Medium" ,
"effectiveness" : "High" ,
"type" : [
"Advanced Malware Protection"
]
} ,
"uuid" : "7960740f-71a5-42db-8a1a-1c7ccbf83349" ,
"value" : "Sandboxing Email Input"
} ,
{
"description" : "Software that allows control over the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor" ,
"meta" : {
"complexity" : "Medium" ,
"effectiveness" : "Medium" ,
"type" : [
"3rd Party Tools"
]
} ,
"uuid" : "bfda0c9e-1303-4861-b028-e0506dd8861c" ,
"value" : "Execution Prevention"
} ,
{
"description" : "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer" ,
"meta" : {
"complexity" : "Low" ,
"effectiveness" : "Medium" ,
"impact" : "Medium" ,
"possible_issues" : "Some extensions will have legitimate uses, e.g., .vbs for logon scripts." ,
"refs" : [
"https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/"
] ,
"type" : [
"GPO"
]
} ,
"uuid" : "3b7bc1b2-e04f-4492-b3b1-87bb6701635b" ,
"value" : "Change Default \"Open With\" to Notepad"
} ,
{
"description" : "Server-side file screening with the help of File Server Resource Manager" ,
"meta" : {
"complexity" : "Low" ,
"effectiveness" : "Medium" ,
"impact" : "Low" ,
"refs" : [
"http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm"
] ,
"type" : [
"Monitoring"
]
} ,
"uuid" : "79769940-7cd2-4aaa-80da-b90c0372b898" ,
"value" : "File Screening"
} ,
{
"description" : "Block program executions (AppLocker)" ,
"meta" : {
"complexity" : "Medium" ,
"effectiveness" : "Medium" ,
"impact" : "Medium" ,
"possible_issues" : "Configure & test extensively" ,
"refs" : [
"https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx" ,
"http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx"
] ,
"type" : [
"GPO"
]
} ,
"uuid" : "feb6cddb-4182-4515-94dc-0eadffcdc098" ,
"value" : "Restrict program execution #2"
} ,
{
"description" : "Detect and block exploitation techniques" ,
"meta" : {
"complexity" : "Medium" ,
"effectiveness" : "Medium" ,
"impact" : "Low" ,
"refs" : [
"www.microsoft.com/emet" ,
"http://windowsitpro.com/security/control-emet-group-policy"
] ,
"type" : [
"GPO"
]
} ,
"uuid" : "5f0a749f-88f2-4e6e-8fd8-46307f8439f6" ,
"value" : "EMET"
} ,
{
"description" : "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring" ,
"meta" : {
"complexity" : "Medium" ,
"effectiveness" : "Low" ,
"impact" : "Low" ,
"refs" : [
"https://twitter.com/JohnLaTwC/status/799792296883388416"
] ,
"type" : [
"3rd Party Tools"
]
} ,
"uuid" : "1b1e5664-4250-459b-adbb-f0b33f64bf7e" ,
"value" : "Sysmon"
} ,
{
"description" : "Filter the numbers at the phone routing level, including the PABX" ,
"meta" : {
"complexity" : "Low" ,
"effectiveness" : "Medium" ,
"impact" : "Medium" ,
"refs" : [
"https://wiki.freepbx.org/display/FPG/Blacklist+Module+User+Guide#BlacklistModuleUserGuide-ImportingorExportingaBlacklistinCSVFileFormat"
]
} ,
"uuid" : "123e20c5-8f44-4de5-a183-6890788e5a81" ,
"value" : "Blacklist-phone-numbers"
}
] ,
"version" : 3
}