Date: May 15, 2024, 4:23:01 AM
Date: Apr 13, 2021, 1:08:05 PM
Editor: Cedric
Name:
Name: Preventive Measure
Description:
Description: Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and its security measures.
t | 1 | {} | t | 1 | { |
2 | "authors": [ | ||||
3 | "Various" | ||||
4 | ], | ||||
5 | "label": "Preventive Measure", | ||||
6 | "uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65", | ||||
7 | "values": [ | ||||
8 | { | ||||
9 | "code": "Backup and Restore Process", | ||||
10 | "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.(Schrödinger's backup - it is both existent and non-existent until you've tried a restore", | ||||
11 | "importance": 0, | ||||
12 | "uuid": "5f942376-ea5b-4b23-9c26-81d3aeba7fb4" | ||||
13 | }, | ||||
14 | { | ||||
15 | "code": "Block Macros", | ||||
16 | "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:A.) Open downloaded documents in 'Protected View'B.) Open downloaded documents and block all macros", | ||||
17 | "importance": 0, | ||||
18 | "uuid": "79563662-8d92-4fd1-929a-9b8926a62685" | ||||
19 | }, | ||||
20 | { | ||||
21 | "code": "Disable WSH", | ||||
22 | "description": "Disable Windows Script Host", | ||||
23 | "importance": 0, | ||||
24 | "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f" | ||||
25 | }, | ||||
26 | { | ||||
27 | "code": "Filter Attachments Level 1", | ||||
28 | "description": "Filter the following attachments on your mail gateway:.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub", | ||||
29 | "importance": 0, | ||||
30 | "uuid": "7055b72b-b113-4f93-8387-e6f58ce5fc92" | ||||
31 | }, | ||||
32 | { | ||||
33 | "code": "Filter Attachments Level 2", | ||||
34 | "description": "Filter the following attachments on your mail gateway:(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm", | ||||
35 | "importance": 0, | ||||
36 | "uuid": "8c9bbbf5-a321-4eb1-8c03-a399a9687687" | ||||
37 | }, | ||||
38 | { | ||||
39 | "code": "Restrict program execution", | ||||
40 | "description": "Block all program executions from the %LocalAppData% and %AppData% folder", | ||||
41 | "importance": 0, | ||||
42 | "uuid": "6a234b1d-8e86-49c4-91d6-cc3be3d04f74" | ||||
43 | }, | ||||
44 | { | ||||
45 | "code": "Show File Extensions", | ||||
46 | "description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")", | ||||
47 | "importance": 0, | ||||
48 | "uuid": "5b911d46-66c8-4180-ab97-663a0868264e" | ||||
49 | }, | ||||
50 | { | ||||
51 | "code": "Enforce UAC Prompt", | ||||
52 | "description": "Enforce administrative users to confirm an action that requires elevated rights", | ||||
53 | "importance": 0, | ||||
54 | "uuid": "3f8c55db-611e-4831-b624-f9cbdc3b0e11" | ||||
55 | }, | ||||
56 | { | ||||
57 | "code": "Remove Admin Privileges", | ||||
58 | "description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.", | ||||
59 | "importance": 0, | ||||
60 | "uuid": "168f94d3-4ffc-4ea6-8f2e-8ba699f0fef6" | ||||
61 | }, | ||||
62 | { | ||||
63 | "code": "Restrict Workstation Communication", | ||||
64 | "description": "Activate the Windows Firewall to restrict workstation to workstation communication", | ||||
65 | "importance": 0, | ||||
66 | "uuid": "fb25c345-0cee-4ae7-ab31-c1c801cde1c2" | ||||
67 | }, | ||||
68 | { | ||||
69 | "code": "Sandboxing Email Input", | ||||
70 | "description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis", | ||||
71 | "importance": 0, | ||||
72 | "uuid": "7960740f-71a5-42db-8a1a-1c7ccbf83349" | ||||
73 | }, | ||||
74 | { | ||||
75 | "code": "Execution Prevention", | ||||
76 | "description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus softwareFree: AntiHook, ProcessGuard, System Safety Monitor", | ||||
77 | "importance": 0, | ||||
78 | "uuid": "bfda0c9e-1303-4861-b028-e0506dd8861c" | ||||
79 | }, | ||||
80 | { | ||||
81 | "code": "Change Default \"Open With\" to Notepad", | ||||
82 | "description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer", | ||||
83 | "importance": 0, | ||||
84 | "uuid": "3b7bc1b2-e04f-4492-b3b1-87bb6701635b" | ||||
85 | }, | ||||
86 | { | ||||
87 | "code": "File Screening", | ||||
88 | "description": "Server-side file screening with the help of File Server Resource Manager", | ||||
89 | "importance": 0, | ||||
90 | "uuid": "79769940-7cd2-4aaa-80da-b90c0372b898" | ||||
91 | }, | ||||
92 | { | ||||
93 | "code": "Restrict program execution #2", | ||||
94 | "description": "Block program executions (AppLocker)", | ||||
95 | "importance": 0, | ||||
96 | "uuid": "feb6cddb-4182-4515-94dc-0eadffcdc098" | ||||
97 | }, | ||||
98 | { | ||||
99 | "code": "EMET", | ||||
100 | "description": "Detect and block exploitation techniques", | ||||
101 | "importance": 0, | ||||
102 | "uuid": "5f0a749f-88f2-4e6e-8fd8-46307f8439f6" | ||||
103 | }, | ||||
104 | { | ||||
105 | "code": "Sysmon", | ||||
106 | "description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring", | ||||
107 | "importance": 0, | ||||
108 | "uuid": "1b1e5664-4250-459b-adbb-f0b33f64bf7e" | ||||
109 | }, | ||||
110 | { | ||||
111 | "code": "Blacklist-phone-numbers", | ||||
112 | "description": "Filter the numbers at phone routing level including PABX", | ||||
113 | "importance": 0, | ||||
114 | "uuid": "123e20c5-8f44-4de5-a183-6890788e5a81" | ||||
115 | }, | ||||
116 | { | ||||
117 | "code": "ACL", | ||||
118 | "description": "Restrict access to shares users should not be allowed to write to", | ||||
119 | "importance": 0, | ||||
120 | "uuid": "3e7a7fb5-8db2-4033-8f4f-d76721819765" | ||||
121 | } | ||||
122 | ], | ||||
123 | "version": 3 | ||||
124 | } |
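Review bot: The `Filter Attachments Level 1` description lists `.exe` twice (once near the start and again before `.pif`), so one of the two should be dropped, e.g. the tail becoming `.ws, .wsf, .wsh, .pif, .pub`. Several descriptions have lost their separators: `Backup and Restore Process` opens a parenthesis at "(Schrödinger's backup" that is never closed, `Block Macros` runs the two modes together as "modes:A.) ... 'Protected View'B.) ...", and `Execution Prevention` fuses "software" with "Free:" — inserting `\n` (or ". ") at those points, e.g. `"...two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros"`, would fix them. The `EMET` entry recommends a tool Microsoft retired in 2018 in favour of Exploit Protection in Windows Defender Exploit Guard, so its description should at least point readers to the replacement, and the "Sysmon 5" reference in the `Sysmon` entry is similarly dated. Every entry carries `"importance": 0`, which makes the field uninformative; if the source spreadsheet ranks the measures the values should reflect that, otherwise the key is better omitted. The code `Blacklist-phone-numbers` also breaks the Title Case convention every other `code` value follows.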