Date: May 15, 2024, 4:23:01 AM
Date: Apr 13, 2021, 1:08:05 PM
Editor: Cedric
Name:
Name: Preventive Measure
Description:
Description: Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.
| t | 1 | {} | t | 1 | { |
| 2 | "authors": [ | ||||
| 3 | "Various" | ||||
| 4 | ], | ||||
| 5 | "label": "Preventive Measure", | ||||
| 6 | "uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65", | ||||
| 7 | "values": [ | ||||
| 8 | { | ||||
| 9 | "code": "Backup and Restore Process", | ||||
| 10 | "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.(Schrödinger's backup - it is both existent and non-existent until you've tried a restore", | ||||
| 11 | "importance": 0, | ||||
| 12 | "uuid": "5f942376-ea5b-4b23-9c26-81d3aeba7fb4" | ||||
| 13 | }, | ||||
| 14 | { | ||||
| 15 | "code": "Block Macros", | ||||
| 16 | "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:A.) Open downloaded documents in 'Protected View'B.) Open downloaded documents and block all macros", | ||||
| 17 | "importance": 0, | ||||
| 18 | "uuid": "79563662-8d92-4fd1-929a-9b8926a62685" | ||||
| 19 | }, | ||||
| 20 | { | ||||
| 21 | "code": "Disable WSH", | ||||
| 22 | "description": "Disable Windows Script Host", | ||||
| 23 | "importance": 0, | ||||
| 24 | "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f" | ||||
| 25 | }, | ||||
| 26 | { | ||||
| 27 | "code": "Filter Attachments Level 1", | ||||
| 28 | "description": "Filter the following attachments on your mail gateway:.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub", | ||||
| 29 | "importance": 0, | ||||
| 30 | "uuid": "7055b72b-b113-4f93-8387-e6f58ce5fc92" | ||||
| 31 | }, | ||||
| 32 | { | ||||
| 33 | "code": "Filter Attachments Level 2", | ||||
| 34 | "description": "Filter the following attachments on your mail gateway:(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm", | ||||
| 35 | "importance": 0, | ||||
| 36 | "uuid": "8c9bbbf5-a321-4eb1-8c03-a399a9687687" | ||||
| 37 | }, | ||||
| 38 | { | ||||
| 39 | "code": "Restrict program execution", | ||||
| 40 | "description": "Block all program executions from the %LocalAppData% and %AppData% folder", | ||||
| 41 | "importance": 0, | ||||
| 42 | "uuid": "6a234b1d-8e86-49c4-91d6-cc3be3d04f74" | ||||
| 43 | }, | ||||
| 44 | { | ||||
| 45 | "code": "Show File Extensions", | ||||
| 46 | "description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")", | ||||
| 47 | "importance": 0, | ||||
| 48 | "uuid": "5b911d46-66c8-4180-ab97-663a0868264e" | ||||
| 49 | }, | ||||
| 50 | { | ||||
| 51 | "code": "Enforce UAC Prompt", | ||||
| 52 | "description": "Enforce administrative users to confirm an action that requires elevated rights", | ||||
| 53 | "importance": 0, | ||||
| 54 | "uuid": "3f8c55db-611e-4831-b624-f9cbdc3b0e11" | ||||
| 55 | }, | ||||
| 56 | { | ||||
| 57 | "code": "Remove Admin Privileges", | ||||
| 58 | "description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.", | ||||
| 59 | "importance": 0, | ||||
| 60 | "uuid": "168f94d3-4ffc-4ea6-8f2e-8ba699f0fef6" | ||||
| 61 | }, | ||||
| 62 | { | ||||
| 63 | "code": "Restrict Workstation Communication", | ||||
| 64 | "description": "Activate the Windows Firewall to restrict workstation to workstation communication", | ||||
| 65 | "importance": 0, | ||||
| 66 | "uuid": "fb25c345-0cee-4ae7-ab31-c1c801cde1c2" | ||||
| 67 | }, | ||||
| 68 | { | ||||
| 69 | "code": "Sandboxing Email Input", | ||||
| 70 | "description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis", | ||||
| 71 | "importance": 0, | ||||
| 72 | "uuid": "7960740f-71a5-42db-8a1a-1c7ccbf83349" | ||||
| 73 | }, | ||||
| 74 | { | ||||
| 75 | "code": "Execution Prevention", | ||||
| 76 | "description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus softwareFree: AntiHook, ProcessGuard, System Safety Monitor", | ||||
| 77 | "importance": 0, | ||||
| 78 | "uuid": "bfda0c9e-1303-4861-b028-e0506dd8861c" | ||||
| 79 | }, | ||||
| 80 | { | ||||
| 81 | "code": "Change Default \"Open With\" to Notepad", | ||||
| 82 | "description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer", | ||||
| 83 | "importance": 0, | ||||
| 84 | "uuid": "3b7bc1b2-e04f-4492-b3b1-87bb6701635b" | ||||
| 85 | }, | ||||
| 86 | { | ||||
| 87 | "code": "File Screening", | ||||
| 88 | "description": "Server-side file screening with the help of File Server Resource Manager", | ||||
| 89 | "importance": 0, | ||||
| 90 | "uuid": "79769940-7cd2-4aaa-80da-b90c0372b898" | ||||
| 91 | }, | ||||
| 92 | { | ||||
| 93 | "code": "Restrict program execution #2", | ||||
| 94 | "description": "Block program executions (AppLocker)", | ||||
| 95 | "importance": 0, | ||||
| 96 | "uuid": "feb6cddb-4182-4515-94dc-0eadffcdc098" | ||||
| 97 | }, | ||||
| 98 | { | ||||
| 99 | "code": "EMET", | ||||
| 100 | "description": "Detect and block exploitation techniques", | ||||
| 101 | "importance": 0, | ||||
| 102 | "uuid": "5f0a749f-88f2-4e6e-8fd8-46307f8439f6" | ||||
| 103 | }, | ||||
| 104 | { | ||||
| 105 | "code": "Sysmon", | ||||
| 106 | "description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring", | ||||
| 107 | "importance": 0, | ||||
| 108 | "uuid": "1b1e5664-4250-459b-adbb-f0b33f64bf7e" | ||||
| 109 | }, | ||||
| 110 | { | ||||
| 111 | "code": "Blacklist-phone-numbers", | ||||
| 112 | "description": "Filter the numbers at phone routing level including PABX", | ||||
| 113 | "importance": 0, | ||||
| 114 | "uuid": "123e20c5-8f44-4de5-a183-6890788e5a81" | ||||
| 115 | }, | ||||
| 116 | { | ||||
| 117 | "code": "ACL", | ||||
| 118 | "description": "Restrict access to shares users should not be allowed to write to", | ||||
| 119 | "importance": 0, | ||||
| 120 | "uuid": "3e7a7fb5-8db2-4033-8f4f-d76721819765" | ||||
| 121 | } | ||||
| 122 | ], | ||||
| 123 | "version": 3 | ||||
| 124 | } |