- Phishing - This technique uses spam, instant messaging, or text messages to deceive people into disclosing personal information, for example credit card numbers, bank account information, Social Security numbers, passwords, or other sensitive data. Internet scammers use email bait to "phish" for passwords and financial data from internet users. Examples: Google Doc and DocuSign phishing campaigns, spear phishing, voice and SMS phishing, and ransomware phishing campaigns.
- Spam - An unwanted electronic message, most commonly unsolicited bulk email. Typically, spam is sent to multiple recipients who don't ask to receive it. Types include email spam, instant messaging spam, web search-engine spam, spam in blogs, and mobile phone-messaging spam. Spam includes legitimate advertisements, misleading advertisements, extortion attempts, and phishing messages designed to trick recipients into giving up personal and financial information. Examples: Ransomware spam campaigns, an exploit MIME delivery mechanism, and JS\Nemucod.
- Fake/malicious links - Malicious emails that contain links to malware downloads or to a website that mimics a real company's site. The emails mainly target financial sites, to steal private information (passwords, account numbers, and Social Security numbers). Examples: Spoofed websites and downloaders.
- Malicious attachments - Malicious attachments sent electronically, generally from an unknown source. Examples: DOC, PDF, JS, EXE, and XLS exploits and downloaders.
- Spoofing - Creation of emails sent to deceive the recipient, by delivering email from a forged/fake email address. Examples: All email vectors.
Countermeasures for entry vector threats
Technical Articles ID: KB91836
Last Modified: 2023-10-19 10:03:18 Etc/GMT
Environment
Endpoint Security (ENS) 10.7, 10.6
Host Intrusion Prevention (Host IPS) 8.0
Security for Microsoft Exchange (SME) 8.x
VirusScan Enterprise (VSE) 8.8
Summary
Recent updates to this article
| Date | Update |
|---|---|
| October 19, 2023 | Updated rule names in the "ENS Adaptive Threat Protection (ATP)" section. |
Endpoint protection products offer an array of features that you can use to stop malware. The features stop malware based on behavioral characteristics rather than relying solely on DATs. Downloaders, droppers, and phishing are typically the first stage for other malware. Preventing entry vector threats, in turn, prevents second stage and beyond threats from entering your environment.
NOTE: Before you implement the recommendations below, you must test the rules thoroughly. Thorough testing ensures rule integrity. It also ensures that no legitimate application, in-house developed or otherwise, is deemed malicious and prevented from functioning in your production environment. The rules suggested can be set in report-only mode for testing purposes to check whether they cause any conflict in your environment. After you determine that the rules don't block any activity from legitimate applications, you can set the rules to block and apply these settings to all relevant systems.
Solution
ENS Threat Prevention Antimalware Scan Interface (AMSI)
Enable integration with AMSI. AMSI provides enhanced script scanning. AMSI is a generic interface standard that allows applications and services to integrate with Threat Prevention, providing better protection against malware. Microsoft provides AMSI. AMSI is supported on Windows 10 and Windows Server 2016 (and later) systems. Use AMSI to enhance scanning for threats in non-browser-based scripts, such as PowerShell, WScript, and CScript.
Back to top
ENS Exploit Prevention Expert Rules
Below is an enhanced expert-level rule for Exploit Prevention Rule ID 6107 "MS Word trying to execute unwanted programs" with added protection for threats that execute other programs. If you implement this Expert Rule, disable Exploit Prevention signature 6107.
Rule Name: "Prevent MS Office from executing unwanted programs (enhanced)"
Rule {
    Process {
        Include OBJECT_NAME { -v excel.exe }
        Include OBJECT_NAME { -v powerpnt.exe }
        Include OBJECT_NAME { -v winword.exe }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v ** }
            Exclude OBJECT_NAME { -v "excel.exe" }
            Exclude OBJECT_NAME { -v "powerpnt.exe" }
            Exclude OBJECT_NAME { -v "winword.exe" }
            Exclude OBJECT_NAME { -v "splwow64.exe" }
            Include -access "CREATE"
        }
        Match PROCESS {
            Include OBJECT_NAME { -v ** }
            Exclude OBJECT_NAME { -v "excel.exe" }
            Exclude OBJECT_NAME { -v "powerpnt.exe" }
            Exclude OBJECT_NAME { -v "winword.exe" }
            Exclude OBJECT_NAME { -v "splwow64.exe" }
            #PROCESS_VM_WRITE
            Include -nt_access "!0x0020"
        }
    }
}
Back to top
ENS Access Protection custom rules
Below are the details of four custom rules.
Custom Rule1:
  Executable1:
    Inclusion: Include
    File Name or Path: winword.exe
  Executable2:
    Inclusion: Include
    File Name or Path: excel.exe
  Executable3:
    Inclusion: Include
    File Name or Path: eqnedt32.exe
  SubRule1:
    SubRule Type: Files
    Operations: Execute
    Target1:
      Inclusion: Include
      File, folder name, or file path: cmd.exe
  SubRule2:
    SubRule Type: Files
    Operations: Execute
    Target2:
      Inclusion: Include
      File, folder name, or file path: mshta.exe
  SubRule3:
    SubRule Type: Files
    Operations: Execute
    Target3:
      Inclusion: Include
      File, folder name, or file path: powershell.exe

Custom Rule2:
  Executable1:
    Inclusion: Include
    File Name or Path: powershell.exe
  Executable2:
    Inclusion: Include
    File Name or Path: cmd.exe
  SubRule1:
    SubRule Type: Files
    Operations: Execute
    Target1:
      Inclusion: Include
      File, folder name, or file path: SchTasks.exe

Custom Rule3:
  Executable1:
    Inclusion: Include
    File Name or Path: ?script.exe
  SubRule1:
    SubRule Type: Files
    Operations: Execute
    Target1:
      Inclusion: Include
      File, folder name, or file path: powershell.exe

NOTE: You can optionally modify Custom Rule3 to add VBS, DLL, BAT, JS, PS1, SCT, and DOC. The following target locations are for a mildly aggressive approach:
  ?:\programdata\*\*.exe
  ?:\users\Public\*.exe
  ?:\users\*\appdata\local\temp\*\*.exe
  ?:\users\*\appdata\roaming\*.exe

Custom Rule4:
  Executable1:
    Inclusion: Include
    File Name or Path: winword.exe
    (A more aggressive approach is to use * as a single executable, making executables 2–4 unnecessary.)
  Executable2:
    Inclusion: Include
    File Name or Path: excel.exe
  Executable3:
    Inclusion: Include
    File Name or Path: ?script.exe
  Executable4:
    Inclusion: Include
    File Name or Path: powershell.exe
  SubRule1:
    SubRule Type: Files
    Operations: Create and Execute
    Target1:
      Inclusion: Include
      File, folder name, or file path: ?:\users\*\*.exe

NOTE: The example rule depicts the more aggressive approach.

Custom Rule 5: Prevent execution of powershell.exe by wmiprvse.exe
NOTE: This rule prevents the ePO MER from running. You need to disable this rule on the target system when trying to run the ePO MER.
  Executable1:
    Inclusion: Include
    File Name or Path: wmiprvse.exe
  SubRule1:
    SubRule Type: Files
    Operations: Execute
    Target1:
      Inclusion: Include
      File, folder name, or file path: powershell.exe
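The NOTE at the top of this article recommends running the rules in report-only mode first and checking what legitimate applications would have triggered. The following is an added example (not part of this article or of the ENS product): a small Python evaluator that encodes Custom Rules 1 to 5 above together with the enhanced Exploit Prevention expert rule from the previous section, and applies them to constructed process events the way a report-only rollout would record them. The wildcard semantics (`?` one character, `*` within a single path component, `**` across separators), the operation labels `Execute`, `Create` and `VmWrite`, and all sample paths are assumptions made for the example.

```python
"""Report-only dry run of the Access Protection custom rules (Custom Rule1 to
Custom Rule 5) and the enhanced Exploit Prevention expert rule from this article,
evaluated against constructed process events.  Added example, not KB91836 content."""
import re
from dataclasses import dataclass

# Wildcard semantics assumed here: '?' matches one character, '*' matches any run of
# characters within one path component, '**' also crosses '\' and '/'.
def ens_glob_to_regex(pattern: str) -> "re.Pattern":
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            out.append(r"[^\\/]*")
        elif ch == "?":
            out.append(r"[^\\/]")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def matches(pattern: str, value: str) -> bool:
    """A pattern without a path separator is compared against the file name only,
    like the bare 'winword.exe' entries in the article; otherwise the full path."""
    subject = value if ("\\" in pattern or "/" in pattern) else re.split(r"[\\/]", value)[-1]
    return ens_glob_to_regex(pattern).match(subject) is not None

@dataclass(frozen=True)
class Event:
    actor: str       # image path of the process performing the operation
    operation: str   # constructed labels: Execute (run a program), Create (a file), VmWrite
    target: str      # file being created or executed, or process being written to

@dataclass(frozen=True)
class Rule:
    name: str
    executables: tuple       # patterns for the acting process
    operations: tuple        # operations the rule covers
    targets: tuple           # patterns for the target
    exclude_targets: tuple = ()

    def hits(self, ev: Event) -> bool:
        return (any(matches(p, ev.actor) for p in self.executables)
                and ev.operation in self.operations
                and not any(matches(p, ev.target) for p in self.exclude_targets)
                and any(matches(p, ev.target) for p in self.targets))

OFFICE_AP = ("winword.exe", "excel.exe", "eqnedt32.exe")
EXPERT_RULE = "Prevent MS Office from executing unwanted programs (enhanced)"
RULES = (
    Rule("Custom Rule1", OFFICE_AP, ("Execute",), ("cmd.exe", "mshta.exe", "powershell.exe")),
    Rule("Custom Rule2", ("powershell.exe", "cmd.exe"), ("Execute",), ("SchTasks.exe",)),
    Rule("Custom Rule3", ("?script.exe",), ("Execute",), ("powershell.exe",)),
    Rule("Custom Rule4", ("winword.exe", "excel.exe", "?script.exe", "powershell.exe"),
         ("Create", "Execute"), (r"?:\users\*\*.exe",)),
    Rule("Custom Rule 5", ("wmiprvse.exe",), ("Execute",), ("powershell.exe",)),
    # Expert rule: process creation (-access CREATE) or PROCESS_VM_WRITE (nt_access 0x0020)
    # by an Office process against any target (**) except Office itself and splwow64.exe.
    Rule(EXPERT_RULE, ("excel.exe", "powerpnt.exe", "winword.exe"), ("Execute", "VmWrite"),
         ("**",), exclude_targets=("excel.exe", "powerpnt.exe", "winword.exe", "splwow64.exe")),
)

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events standing in for what a report-only rollout would record.
SAMPLE_EVENTS = (
    Event(WORD, "Execute", r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\System32\wscript.exe", "Execute", PS),
    Event(r"C:\Windows\System32\wbem\WmiPrvSE.exe", "Execute", PS),
    Event(PS, "Execute", r"C:\Windows\System32\schtasks.exe"),
    Event(EXCEL, "Create", r"C:\Users\alice\report.exe"),
    Event(EXCEL, "Create", r"C:\Users\alice\AppData\Local\Temp\x\report.exe"),  # '*' stops at '\'
    Event(WORD, "Execute", r"C:\Windows\splwow64.exe"),  # printing helper, excluded by design
    Event(WORD, "VmWrite", r"C:\Windows\explorer.exe"),
    Event(r"C:\Windows\explorer.exe", "Execute", r"C:\Windows\System32\cmd.exe"),
)

def evaluate(events=SAMPLE_EVENTS):
    """Map each event index to the rule names that would fire; an empty list means the
    operation would be allowed, which is what to confirm for legitimate applications."""
    return {i: [r.name for r in RULES if r.hits(ev)] for i, ev in enumerate(events)}

if __name__ == "__main__":
    for i, fired in evaluate().items():
        ev = SAMPLE_EVENTS[i]
        actor = re.split(r"[\\/]", ev.actor)[-1]
        print(f"{actor:>14} {ev.operation:<8} {ev.target}: {fired or 'allowed'}")
```

The two EXCEL events show why the mildly aggressive locations in the note above (for example ?:\users\*\appdata\local\temp\*\*.exe) have to be listed explicitly: a single `*` does not descend into subfolders, so ?:\users\*\*.exe on its own leaves deeper user-profile paths uncovered. The splwow64.exe event shows the expert rule's exclusion doing its job for printing from Office.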
Back to top
VSE Access Protection custom rules
Below are the details of six custom rules.
Rule Type: File/Folder Blocking Rule
Process to include: winword.exe, excel.exe, eqnedt32.exe
File or folder name to block: cmd.exe
File actions to prevent: Execute

Rule Type: File/Folder Blocking Rule
Process to include: winword.exe, excel.exe, eqnedt32.exe
File or folder name to block: mshta.exe
File actions to prevent: Execute

Rule Type: File/Folder Blocking Rule
Process to include: winword.exe, excel.exe, eqnedt32.exe
File or folder name to block: powershell.exe
File actions to prevent: Execute

Rule Type: File/Folder Blocking Rule
Process to include: powershell.exe, cmd.exe
File or folder name to block: SchTasks.exe
File actions to prevent: Execute
- Browser exploits - Malware code that takes advantage of a flaw or vulnerability through the victim's web browser, to carry out some form of malicious intent. Examples: Chrome Zero-day, Jailbreak in Apple's iOS, Drive-By Download, Exploit kits, and I-frame injections.
- Browser/DNS redirect - A method used to direct someone or something to a different place than what was intended. Cybercriminals can route a legitimate website's traffic to a counterfeit website. Examples: JS\Redirectors, DNS\Changer, and Browser Hijackers.
- Malware hosting websites - Malicious websites that try to install malware or other unwanted programs on your system. These websites are considered dangerous because they exploit browser vulnerabilities or send spyware and other unwanted software to users. Examples: Malvertising, botnet networks, and Blacole.
- Direct access, removable media infected devices - Malware that has effectively used removable media to eliminate the physical gap between the internet and internal networks. Examples: Stuxnet, BadUSB, and Autoruns.
- Social engineering - The act of manipulating people into performing actions or divulging confidential information. It relies on human interactions, such as trying to gain the confidence of someone through trickery or deception for information gathering, fraud, or computer system access. It can take many forms, both online and offline. Social engineering techniques commonly cross into other vectors such as phishing (email), redirects (web), and vishing (phone/other). Examples: Spear phishing, quid pro quo, and pretexting.
- Rogue hacking - A defiant person or group who uses computers to gain unauthorized access to data or networks to commit illegal acts. Rogue hacking encompasses most vectors for hacktivism, notoriety, or financial gain.
Below are the countermeasures:
- ENS Adaptive Threat Protection (ATP)
- ENS Dynamic Application Containment (DAC)
- ENS Threat Prevention Antimalware Scan Interface (AMSI)
- ENS Exploit Prevention
- ENS Exploit Prevention Expert Rules
- ENS Access Protection default rules
- ENS Access Protection custom rules
- ENS Firewall Rules
- VSE Access Protection default rules
- VSE Access Protection custom rules
- Host IPS signatures
- SME antispam and on-access scan policies
- More user recommendations
ENS Adaptive Threat Protection (ATP)
Enable or disable the settings for the rules below within the ePolicy Orchestrator (ePO) Server Settings under Adaptive Threat Protection. There are three different configurations: Productivity, Balanced, and Security. The changes made within Server Settings apply to rule group assignments in the ATP Options policy.
| Rule name | Rule ID number | Default status |
|---|---|---|
| | Rule ID 2 | Enabled by default |
| | Rule ID 4 | Enabled by default |
| | Rule ID 5 | Enabled by default |
| | Rule ID 208 | Enabled by default |
| | Rule ID 239 | Enabled by default |
| | Rule ID 251 | Observe by default |
| | Rule ID 255 | Observe by default |
| | Rule ID 256 | Observe by default |
| | Rule ID 257 | Enabled by default |
| | Rule ID 260 | Observe by default |
| | Rule ID 263 | Enabled by default |
| | Rule ID 269 | Observe by default |
| Prevent office applications from launching child processes that can execute script commands | Rule ID 300 | Enabled by default |
| Blocks common process'es like cmd.exe from being spawned by office applications in suspicious manner | Rule ID 301 | Observe by default |
| | Rule ID 304 | Observe by default |
| | Rule ID 307 | Observe by default |
| Block processes attempting to launch from office applications | Rule ID 309 | Enabled only in high security policies |
| Prevent mshta from being launched by any process for all rule group assignments | Rule ID 322 | Enabled by default |
| | Rule ID 323 | Observe by default |
| | Rule ID 325 | Enabled by default |
Back to top
ENS Dynamic Application Containment (DAC)
DAC is only triggered if the reputation for the process meets the reputation criteria defined in the ATP Options policy. When a process is contained by DAC, it's subject to post execution monitoring and any rules enabled within the DAC policy.
- Rule: Allocating memory in another process
- Rule: Creating a thread in another process
- Rule: Creating files with the .bat extension
- Rule: Creating files with the .exe extension
- Rule: Creating files with the .job extension
- Rule: Creating files with the .vbs extension
- Rule: Deleting files commonly targeted by ransomware-class malware
- Rule: Executing any child process
- Rule: Modifying portable executable files
- Rule: Modifying the hidden attribute bit
- Rule: Modifying the Services registry location
- Rule: Modifying user policies
- Rule: Modifying startup registry locations
- Rule: Reading from another process' memory
- Rule: Suspending a process
- Rule: Terminating another process
- Rule: Writing to another process' memory
- Rule: Writing to files commonly targeted by ransomware-class malware
- Rule: Modifying the Windows Firewall policy
Back to top
ENS Exploit Prevention
All signatures below are disabled by default.
- 344: New Startup Program Creation
- 2844: Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability
- 6073: Execution Policy Bypass in PowerShell
- 6075: Remote script execution by core windows utility
- 6087: PowerShell Command Restriction - EncodedCommand
- 6105: Windows Script Command Restriction - Batch Mode
- 6107: MS Word trying to execute unwanted programs
- 6108: PowerShell - Suspicious download string script execution
- 6109: PowerShell - Suspicious wmi script execution
- 6112: MS Outlook trying to execute unwanted programs
- 6113: Fileless Threat: Reflective Self Injection
- 6114: Fileless Threat: Reflective EXE Self Injection
- 6121: Fileless Threat: Shellcode Self Injection
- 6125: Java Remote Shellcode Injection
- 6131: Weaponized OLE object infection via WMI
- 6153: Malware Behavior: Ryuk Ransomware activity detected
- 6163: Suspicious Behavior: Malicious Shellcode Injection Detected
- 6207: ASR : File Download attempt by Scripts
- 6217: Execution Policy Bypass in PWSH
- 6224: PWSH Command Restriction – EncodedCommand
- 8003: Fileless Threat: Suspicious PowerShell Behavior Detected
- 8004: Fileless Threat: Malicious PowerShell Behavior Detected
ENS Access Protection default rules
All rules below are disabled by default.
- Rule: Creating new executable files in the Windows folder
- Rule: Creating new executable file in the programs files folder
- Rule: Prevent CScript.exe or WScript.exe from creating files in Windows temp directory, its subfolders, and common user folder
- Rule: Registering of programs to autorun
- Rule: Executing mimikatz malware
- Rule: Browsers launching programs from downloaded programs file folders
- Rule: Executing scripts by windows script host
Back to top
ENS Firewall Rules
Below are the details of the Firewall Rules.
- Executable1: powershell.exe
- Executable2: ?script.exe
- Executable3: winword.exe
- Executable4: excel.exe
You would also need to create appropriate allow lists based on legitimate traffic generated by these applications. For example, if you use Office 365 and restrict computers on your network from connecting to the internet, include the endpoints in your outbound allow lists. Inclusion on your outbound allow lists makes sure that your computers can successfully use Office 365. The endpoints are fully qualified domain names, ports, URLs, IPv4 address ranges, and IPv6 address ranges. They're described in this article on Office 365 URLs and IP address ranges.
Back to top
VSE Access Protection default rules
All rules below are disabled or set to report only by default.
- Rule: Anti-spyware Maximum Protection: Prevent execution of scripts from the Temp folder
- Rule: Anti-virus Maximum Protection: Prevent svchost executing non-Windows executables
- Rule: Common Maximum Protection: Prevent creation of new executable files in the Windows folder
- Rule: Common Maximum Protection: Prevent programs registering as a service