Managing Blocker Rules
Learn how to effectively manage and navigate Blocker, ensuring smooth operation with improved security.
Table of Contents
AutoElevate's Blocker feature gives you the ability to block 200+ native Windows applications, binaries, and .dll files that are typically used as Living off the Land (LOTL) attack vectors. Fileless malware, malware-free, or Living Off The Land refer to cyberattack techniques where the cybercriminal uses native, legitimate tools within the victim’s system to sustain and advance an attack.
How does AutoElevate choose which processes are included in our block list?
We rely primarily on sources like Microsoft, community projects (such as the LOLBAS project), and our own research to keep the product to date.
Blocker is narrowly focused on “malware-free” aka “Living off the Land” attacks. These tend to exploit known applications and tools that have been in Windows for a very long time - a subset of which have been deprecated and only remain there for backwards compatibility.
This feature is designed and supported for 64-bit Windows workstations, including versions 10, and 11. Your agents must be on v2.8+ for this feature to be available.
Quick Start
- From the Computers screen select the computer(s) you are wanting to enable by clicking the square next to the listed computer name.
- Click on the Actions menu at the top of the screen, and then Set to Audit under the Blocker Mode section.
- Once enabled, we recommend keeping it in Audit mode for approximately 1 month or more to allow the agent to collect and analyze data and provide recommended rules.
- Recommended block rules can be found under the Blocker Recommendations screen of the portal. You have the option to VIEW APPLICATIONS for more information and ADD BLOCK RULES to automatically add the recommended rules.
- Once sufficient times has passed and the desired block rules have been created return to the Computers screen, select the computer(s), click on the Actions menu, and then Set to Live under the Blocker Mode section.
Enable with Script Deployment
Blocker can be enabled to a specific mode at script deployment by modifying the argument below. We recommend setting to Audit mode for immediate data collection and analysis.
BLOCKER_MODE="audit" (optional) – This can be set to live, audit, or disabled so that the Agent installer can override the current mode or be set to install in the mode of your choice automatically. Disabled mode is the default if this argument is not specified. If the script is performing an upgrade on an agent already installed, not specifying this argument will maintain the agent mode that is currently set.
These mode options are case-sensitive and should be in lowercase; otherwise, this command part will fail, and the agent will default to disabled mode.
Blocker Modes Defined
-
Disabled - The Agent's filter driver is not installed or is uninstalled if previously installed. As a result no Windows process is monitored in this state and no existing Blocker Rule is applied. Since Blocker is disabled there is no change in the user experience.
-
Audit - The Agent's filter driver is installed. Windows process for binaries that are used in LOTL attacks are monitored and their usage is analyzed to generate Blocker Recommendations. The AE Agent does not apply any defined Blocker Rules and, therefore, there is no change in the user experience.
- Live - The Agent's filter driver is installed. Windows process for binaries that are used in LOTL attacks are monitored and their usage is analyzed to generate Blocker Recommendations. The AE Agent blocks or allows Windows processes based on any defined Blocker Rules.
Creating Block Rules Manually
- Select the "+" icon from the Blocker Rules screen at the top of the page.
- Select the check box next to the Process Name for which you want to add a rule. For more information, you can click on the source link next to the Process Name that contains the recommendation on why you should block that process.
- From the Actions menu at the top, select Add Rule, choose Level, Location, and Computer as necessary, and then OK to confirm.
Creating Allow Rules
- From the Blocker Events screen, please select the event you want to convert into an allow rule by checking the box next to its name.
- Click on the Actions menu at the top of the screen and select Convert To Rule.
Using Process and Parent Process Identification Criteria Combinations
Allow rules can be set up to match as many combinations of the File and/or Publisher Certificate identification criteria as you desire by selecting the checkboxes next to the elements from the Event that you would like the Rule to match. If a match is found when an event takes place, the AutoElevate Agent then carries out the defined action of Allowed. For the Rule to be applied to an event, it must match ALL of the selected identification criteria.
Process Identification Criteria
Process Identification Criteria can be selected in any combination of 4 options: File Name, File Path, Parent File Name, MD5/SHA256 Hashes. The default values of these criteria are set to what was read from the actual file from the local computer where the original Event happened. Wildcard characters can specify dynamic elements (* ? [a-z]).
-
File Name: The file name extracted from the path.
-
File Path: The full path of the file's location on the local machine, including the file's name. The agent will expand any Windows environment variables when processing the File Path. Click HERE for more information on Windows env vars.
- Currently, the agent cannot process env vars that include local user information (i.e., %LOCALAPPDATA%). This will be adjusted in a future update.
- Currently, the agent cannot process env vars that include local user information (i.e., %LOCALAPPDATA%). This will be adjusted in a future update.
-
Parent File Name: The parent file name extracted from the path.
-
MD5/SHA256 Hashes: The MD5/SHA256 hashes of the parent file.
Publisher Identification Criteria
Publisher Identification Criteria can be set to 1 of 2 options: Subject Elements or Certificate Hash.
-
Subject Elements: These are the different parts of the Subject distinguished name found in the publisher certificate. Any combination of elements can be selected. However, it's good to note that each software publisher can use many certificates. Targeting fewer subject elements will allow for a wider range of software matching the identification criteria selected.
-
Certificate Hash: This is the thumbprint of the certificate used to sign the file. It is very specific to that certificate only. Typically, publisher certificates expire after a year or 2. This means publishers need to get new certificates with new thumbprints frequently. Targeting the certificate hash may mean that you will need to create new Rules to account for these new certificates when they are issued.
Where do we get the Publisher Identification Info?
You will see an expandable section of information about the publisher certificate along with the publisher options. This data is generated from the file examined on the local machine that the Event originated from.
Whether the file is marked as Verified or not depends on whether the certificate chain on the local machine was verified. Verified certs are where the certificate and/or its issuer are in the local certificate authority (CA) on the local machine and whether the Signing Time falls between the Valid From to Valid To time stamps.
The defined rules are encrypted and stored in a secure registry area at each check-in and will continue to work with or without connectivity to the Internet and/or our services.
Note
- A rule set at the lowest level, i.e. Computers, will take precedence over the rest, where there’s a hierarchy.
- An elevation approval will have an allowed exception to a blocked rule through the parent file. Running a blocked process directly will continue to be blocked even with an elevation approval.
- Blocker is temporarily disabled while Technician Mode is in use.
- Rules can be modified from the pencil icon or deleted from the trashcan icon.
- Rules can also be moved or copied to another level as well as deleted from the Actions menu.
- The Blocker Events screen will only record events triggered by a rule. All blocked events will be logged, while only one allowed event per rule will be recorded per day. To see all events on the local machine, you will need to enable Event Logging.
Security Note
Publisher certificate verification has been built into agent v2.4+ to ensure the safety and security of making rules based on publisher certificate criteria.
The AutoElevate rules engine does this verification, like most security tools do, using information from the local certificate authority store (CA) on each machine. Microsoft updates the local certificate authority stores. Security and mitigation of threats to the local certificate store on each machine strongly depend upon users only having standard user privileges.