The ENS Expert Rule provided is a generic rule that covers a simple separation of group permissions:
- The groups that are allowed to run processes at the Administrator permission level (the system and high integrity levels).
- The groups that aren't allowed to run processes at the Administrator permission level (the medium and low integrity levels).
This simple model might not be sufficient to cover a more complex set of permissions in your environment.
If you find that certain users are blocked from creating junctions or other types of symbolic links, customize the Expert Rule to better fit your environment. To customize it, first determine which security groups the blocked user is a member of. Then exclude one or more of those groups from the Expert Rule. When deciding which groups need permission to create symbolic links, remember that the rule covers regular symbolic links, hard links, and junctions.
The blocked user must run the following command in a Windows command prompt to obtain the list of groups with SIDs:
whoami /groups
Examine the output of this command. Determine which group or groups are appropriate to have permission to create symbolic links, in accordance with your corporate security policies. When you have the group SIDs that you want to allow to create symbolic links, add them one at a time to the Exclude AggregateMatch block of the Expert Rule. For example, if you wanted to add the SID "S-1-5-21-12345", the rule would look like this (the added line is the third Include GROUP_SID entry):
    Rule {
        Process {
            Include OBJECT_NAME { -v cmd.exe }
            Include OBJECT_NAME { -v powershell.exe }
            Include OBJECT_NAME { -v powershell_ise.exe }
            # exclude admin groups
            Exclude AggregateMatch {
                Include GROUP_SID { -v "S-1-16-12288" }
                Include GROUP_SID { -v "S-1-16-16384" }
                Include GROUP_SID { -v "S-1-5-21-12345" }
            }
        }
        Target {
            Match FILE {
                Include -access SET_REPARSE
            }
        }
    }
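As an added example (not a Trellix tool and not part of the original article), the following Python script parses `whoami /groups /fo csv` output captured from the blocked user (`/fo csv` is whoami's CSV output format), resolves the group names an administrator has approved to their SIDs, and renders the Expert Rule above with those SIDs appended to the Exclude AggregateMatch block. The whoami sample, the group names and the SID S-1-5-21-12345 are constructed assumptions; a mistyped group name is rejected rather than silently producing a rule that still blocks the user.

```python
import csv
import re
# Constructed sample of `whoami /groups /fo csv` output for a blocked user (not from a real machine).
SAMPLE_WHOAMI_CSV = '''"Group Name","Type","SID","Attributes"
"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"CORP\\Build-Engineers","Group","S-1-5-21-12345","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\\Medium Mandatory Level","Label","S-1-16-8192",""
'''
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# SIDs the article's rule already excludes: the high and system integrity levels.
DEFAULT_EXCLUDED_SIDS = ["S-1-16-12288", "S-1-16-16384"]

def parse_whoami_groups(text):
    """Map group name -> SID, keeping only rows whose SID column parses."""
    groups = {}
    for row in csv.DictReader(text.splitlines()):
        sid = row["SID"].strip()
        if SID_RE.match(sid):
            groups[row["Group Name"]] = sid
    return groups

def select_sids(groups, allowed_group_names):
    """Resolve the groups an admin chose to SIDs; a mistyped group name
    raises instead of silently producing a rule that still blocks the user."""
    missing = [g for g in allowed_group_names if g not in groups]
    if missing:
        raise KeyError(f"groups not in whoami output: {missing}")
    return [groups[g] for g in allowed_group_names]

def render_expert_rule(extra_sids):
    """Render the article's Expert Rule with extra GROUP_SID excludes appended."""
    sid_lines = "\n".join(f'            Include GROUP_SID {{ -v "{sid}" }}'
                          for sid in DEFAULT_EXCLUDED_SIDS + list(extra_sids))
    return f"""Rule {{
    Process {{
        Include OBJECT_NAME {{ -v cmd.exe }}
        Include OBJECT_NAME {{ -v powershell.exe }}
        Include OBJECT_NAME {{ -v powershell_ise.exe }}
        # exclude admin groups and groups allowed to create links
        Exclude AggregateMatch {{
{sid_lines}
        }}
    }}
    Target {{
        Match FILE {{
            Include -access SET_REPARSE
        }}
    }}
}}"""
```

Review the rendered rule before importing it into ENS; the script only handles the text, the policy decision about which groups to exclude stays with you.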
NOTE: Signature 6165 (Malicious Behavior: Directory Junction attempt detected) was introduced in Exploit Prevention content. The Expert Rule in this article is a more generic signature and blocks symlink creation. Signature 6165 monitors specific activities by cmd for detection, not only symlink creation.