Buijspa
Level 7
Message 1 of 12

McAfee TP equivalent to MSFT Windows Defender rules


Hello,

Our auditors recommend activating the corresponding McAfee rules for the following Windows Defender rules:

Block Office applications from creating child processes
Block Office applications from injecting code into other processes
Block Win32 API calls from Office macro
Block Office applications from creating executable content
Block execution of potentially obfuscated scripts
Block executable content from email client and webmail
Block JavaScript or VBScript from launching downloaded executable content

Could you please tell us the rules/features to activate in the McAfee product suite to obtain the same level of protection?

Thanks for your help!

buijspa 


11 Replies
AdithyanT
McAfee Employee
Message 2 of 12

Re: McAfee TP equivalent to MSFT Windows Defender rules


Hi @Buijspa,

Thank you for your post.

While we may not have a direct translation for the specified rules, you can go through the Exploit Prevention policy of our ENS product to understand the coverage we provide for the given rules via Exploit Prevention Signatures.

Additionally, if you have any specific MITRE ATT&CK IDs, we will be able to pull out the necessary information on signatures that are designed to protect you from those attacks.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
Buijspa
Level 7
Message 3 of 12

Re: McAfee TP equivalent to MSFT Windows Defender rules


Hello Adithyan,

Thank you for your swift reply.

Actually, that is exactly why I asked this question: I cannot find the corresponding rules for these protections in the Exploit Prevention rules.

As an example, could you tell me which rules are able to :

  • Block Office applications from creating executable content
    and
  • Block JavaScript or VBScript from launching downloaded executable content

With these examples, I'm sure I will understand how to find the rules for the other protections I need.

We recently saw an HTML mail attachment containing JavaScript that tries to download a Cobalt Strike beacon, ensure persistence by modifying registry keys in the user context, and create an ISO file on the local disk from a base64 payload (JS blob to file) inside the HTML file. This ISO contains a legitimate (exploitable) signed DLL and some scripts, extracted when the user was prompted to open the file.

Thanks for your help

Buijspa

AdithyanT
McAfee Employee
Message 4 of 12

Re: McAfee TP equivalent to MSFT Windows Defender rules


Hi @Buijspa,

Thank you for your response. At this point in time, I do not have rules that directly translate into the requirement, although I can think of a couple of ways to create one using Access Protection.

I am afraid it is best to have this looked into via a Support Request so that we can have our McAfee Labs team engaged to validate these for you.


Thanks and regards,
Adithyan T

Re: McAfee TP equivalent to MSFT Windows Defender rules


I think I can help you on this a bit...

First, enable rule 6197. That should cover "Block Office applications from injecting code into other processes"

Use GPO to stop non-admin users from creating folders on the root of C. 

From there, use the following... not a 1-to-1 match, but it will give you the same or better coverage. You will need to tune it a bit where I've noted tuning options:

 

Rule {
    Process {
        Include AggregateMatch {
            Include OBJECT_NAME {
                -v "excel.exe"
                -v "winword.exe"
                -v "powerpnt.exe"
                -v "mspub.exe"
                -v "visio.exe"
                -v "eqnedt32.exe"
                -v "fltldr.exe"
            }
        }
    }

    Target {
        # Block LOLBINs spawned by the Office processes above
        Match PROCESS {
            Include AggregateMatch {
                Include OBJECT_NAME {
                    -v "AppVLP.exe"
                    -v "bash.exe"
                    -v "certutil.exe"
                    -v "cmd.exe"
                    -v "cmstp.exe"
                    -v "csc.exe"
                    -v "cscript.exe"
                    -v "curl.exe"
                    -v "forfiles.exe"
                    -v "installutil.exe"
                    -v "mavinject.exe"
                    -v "mftrace.exe"
                    -v "microsoft.workflow.compiler.exe"
                    -v "mofcomp.exe"
                    -v "MpCmdRun.exe"
                    -v "msbuild.exe"
                    -v "mshta.exe"
                    -v "msiexec.exe"
                    -v "msxsl.exe"
                    -v "Odbcconf.exe"
                    -v "Pcalua.exe"
                    -v "powershell.exe"
                    -v "regasm.exe"
                    -v "Register-cimprovider.exe"
                    -v "regsvcs.exe"
                    -v "regsvr32.exe"
                    -v "schtasks.exe"
                    -v "wmic.exe"
                    -v "wscript.exe"
                    -v "desktopimgdownldr.exe"
                    -v "reg.exe"
                    -v "finger.exe"
                    -v "ttdinject.exe"
                    -v "tttracer.exe"
                }
            }
            # rundll32.exe is blocked unless its command line is excluded here (tuning point)
            Include AggregateMatch {
                Include OBJECT_NAME { -v "rundll32.exe" }
                Exclude PROCESS_CMD_LINE {
                    -v "**Exclude False Positive Command Lines**"
                }
            }
            Include -access "CREATE"
        }

        # Block potentially dropped binaries: untrusted executables run from user-writable paths
        Match FILE {
            Include OBJECT_NAME {
                -v "c:\\users\\**"
                -v "c:\\programdata\\**"
                -v "c:\\windows\\temp\\**"
            }
            # Tuning point: exclude known-good paths (DLLs are excluded as written)
            Exclude AggregateMatch {
                Include OBJECT_NAME {
                    -v "**.dll"
                    -v "Exclude False Positives Here by path"
                }
            }
            # Tuning point: exclude known-good signers
            Exclude AggregateMatch {
                Include CERT_NAME {
                    -v "Exclude False Positives here by Cert"
                }
            }
            Include VTP_TRUST false
            Include -access "EXECUTE"
        }

        # Block WMI access
        Match FILE {
            Include OBJECT_NAME { -v "wbemdisp.tlb" }
            Include -access "READ"
        }

        # Block executions proxied through Explorer
        Match PROCESS {
            Include OBJECT_NAME { -v "explorer.exe" }
            Include PROCESS_CMD_LINE {
                -v "**c:\\users**"
                -v "**c:\\programdata**"
                -v "**c:\\windows\\**"
            }
            Include -access "CREATE"
        }
    }
}


Buijspa
Level 7
Message 6 of 12

Re: McAfee TP equivalent to MSFT Windows Defender rules

Many thanks once again, Daveb3d!

Buijspa
Buijspa
Level 7
Message 7 of 12

Re: McAfee TP equivalent to MSFT Windows Defender rules


Hi Daveb3d,

I have a question concerning these lines:

#Block WMI Access
Match FILE {
    Include OBJECT_NAME { -v "wbemdisp.tlb" }
    Include -access "READ"
}
I receive many alerts generated by wbemdisp.tlb, and I presume that the use of wbemdisp.tlb by Winword.exe is correct.
How can I check/exclude this (there is nothing relevant in the Threat Event Log Information screen to filter on)?
Is this something important to detect?

Thanks for your help!
Kind regards,
Buijspa

Re: McAfee TP equivalent to MSFT Windows Defender rules


That is tricky... I would be curious why they are doing that. This MIGHT help, but I would make this a distinct rule, because I'm not sure that if you do the whole thing like this it will cover Excel 4.0 macros (it might, I just don't know).

 

Rule {
    Process {
        Include OBJECT_NAME {
            -v "excel.exe"
            -v "winword.exe"
            -v "powerpnt.exe"
            -v "mspub.exe"
            -v "visio.exe"
        }
        # Only match once the VBA runtime has been loaded into the Office process
        Include DLL_LOADED -name "vbe" { -v 0x01 }
        Include DLL_LOADED -name "vbe6" { -v 0x01 }
        Include DLL_LOADED -name "vbe7" { -v 0x01 }
    }

    Target {
        # Block WMI access
        Match FILE {
            Include OBJECT_NAME { -v "wbemdisp.tlb" }
            Include -access "READ"
        }
    }
}

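As an added illustration (not code from the thread, from Dave, or from McAfee ENS), the Python below re-implements the decision logic of the two Expert Rules in this thread over constructed events: Dave's first rule (LOLBIN children, untrusted executables in user-writable paths, wbemdisp.tlb reads) and the second rule's DLL_LOADED refinement, switched on with require_vba. The event fields, the sample events, the subset of the LOLBIN list, the rundll32 exclusion value and the reading that any one of the three vbe DLLs satisfies the Process section are assumptions; the CERT_NAME exclusion and the explorer.exe sub-rule are left out.

```python
import fnmatch
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "mspub.exe",
                  "visio.exe", "eqnedt32.exe", "fltldr.exe"}        # the rules' Process section
VBA_DLLS = {"vbe.dll", "vbe6.dll", "vbe7.dll"}      # the DLL_LOADED names in the second rule
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "certutil.exe", "regsvr32.exe", "msiexec.exe", "wmic.exe", "schtasks.exe"}  # subset of the list
# The first rule's tuning points; the rundll32 value below is a constructed placeholder.
RUNDLL32_ALLOWED = ["*shell32.dll,control_rundll*"]   # Exclude PROCESS_CMD_LINE
PATH_EXCLUSIONS = ["*.dll"]                          # Exclude OBJECT_NAME (the rule's **.dll)
DROP_DIRS = ["c:\\users\\*", "c:\\programdata\\*", "c:\\windows\\temp\\*"]
def matches_any(value, patterns):
    """Case-insensitive glob; '*' spans path separators like the rule's '**'."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def blocked_by(event, require_vba=False):
    """Target sub-rule that would block the event, or None. require_vba=True models the
    second rule: the parent must have a vbe*.dll loaded (assumed: any of the three)."""
    if basename(event["process"]) not in OFFICE_PARENTS:
        return None                                  # Process section does not match
    if require_vba and not VBA_DLLS & {basename(d) for d in event.get("dlls", [])}:
        return None                                  # Office, but no VBA runtime loaded
    target, kind = event["target"], event["type"]
    if kind == "process_create":                     # Match PROCESS ... -access "CREATE"
        child = basename(target)
        if child in LOLBINS:
            return "lolbin"
        if child == "rundll32.exe" and not matches_any(event["cmdline"], RUNDLL32_ALLOWED):
            return "rundll32"
    elif kind == "file_execute":                     # Match FILE ... -access "EXECUTE"
        if (matches_any(target, DROP_DIRS) and not matches_any(target, PATH_EXCLUSIONS)
                and not event.get("vtp_trusted")):   # Include VTP_TRUST false
            return "dropped-binary"
    elif kind == "file_read" and basename(target) == "wbemdisp.tlb":
        return "wmi"                                 # Match FILE wbemdisp.tlb -access "READ"
    return None
def ev(process, kind, target, **extra):
    return {"process": process, "type": kind, "target": target, **extra}
SAMPLE_EVENTS = [  # constructed events as the rules would see them (parent, type, target, extras)
    ev("winword.exe", "process_create", "powershell.exe", cmdline="powershell.exe"),
    ev("excel.exe", "process_create", "rundll32.exe", cmdline="rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl"),
    ev("winword.exe", "process_create", "rundll32.exe", cmdline="rundll32.exe c:\\users\\bob\\appdata\\local\\temp\\a.dll,Start"),
    ev("winword.exe", "file_execute", "c:\\users\\bob\\appdata\\local\\temp\\update.exe", vtp_trusted=False),
    ev("winword.exe", "file_execute", "c:\\users\\bob\\appdata\\local\\temp\\helper.dll", vtp_trusted=False),
    ev("winword.exe", "file_read", "c:\\windows\\system32\\wbem\\wbemdisp.tlb", dlls=["c:\\office\\vbe7.dll"]),
    ev("winword.exe", "file_read", "c:\\windows\\system32\\wbem\\wbemdisp.tlb", dlls=[]),  # add-in, no VBA
    ev("outlook.exe", "process_create", "cmd.exe", cmdline="cmd.exe"),   # not in the rules' Process section
]
```

The outlook.exe and helper.dll events show two things the first rule as written does not cover: parents outside the listed Office binaries, and dropped files matched by the **.dll exclusion; the two wbemdisp.tlb events show how the DLL_LOADED refinement separates a VBA-driven read from one made without the VBA runtime loaded.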

Buijspa
Level 7
Message 9 of 12

Re: McAfee TP equivalent to MSFT Windows Defender rules


Hi Dave,

I still catch events with this new ER.

Same as before. If I understand correctly, this means that the Winword document uses VB script.

Is this correct?

Thanks,

Buijspa

Re: McAfee TP equivalent to MSFT Windows Defender rules


The DLL_LOADED include ensures that VB is being used. I was hoping that somehow a plugin was doing something without VB, so as to avoid a false positive. I guess not.

You might want to just engage with those who are getting the FP and see if there is another way to approach what they are trying to do. Over time, I have seen a few FPs, and in some cases security concerns overrode the business need to do that.... we made them go back to the vendor, or in one case I rewrote a macro to make it do what they needed without the FP.

Dave
