Expert Rules are text-based custom rules that can be created in the Exploit Prevention policy in ENS Threat Prevention 10.5.3+. Expert Rules provide additional parameters and allow much more flexibility than the custom rules that can be created in the Access Protection policy. They also allow system administrators to control and monitor an endpoint system at a very granular level. Expert Rules do not rely on User-Mode hooking, so they have minimal impact on a system's performance. This blog is a basic guide showing our customers how to create Expert Rules and which threats they can help block. Further detailed information can be found in the conclusion.
How Expert Rules work
The following sections show how to add Expert rules via EPO and ENS.
Adding an Expert Rule from EPO
1. Select System Tree | Subgroup (e.g.: ens_10.6.0) | Assigned Policies | Product (Endpoint Security Threat Prevention) | Exploit Prevention (My Default)
2. Navigate to Signatures and click on Add Expert Rule.
3. In the Rules section, complete the fields.
a. Select the severity and action for the rule. The severity is informational only; it has no effect on the rule action.
b. Select the type of rule to create. The Rule content field is populated with the template for the selected type.
c. Change the template code to specify the behavior of the rule.
When you select a new class type, the code in the Rule content field is replaced with the corresponding template code. Endpoint Security assigns the ID number automatically, starting with 20000. Endpoint Security does not limit the number of Expert Rules you can create.
4. Save the rule, then save the settings.
5. Enforce the policy to a client system.
6. Validate the new Expert Rule on the client system.
Adding an Expert Rule directly at the Endpoint:
An Expert Rule added from EPO is pushed to all endpoints in the entire EPO "WORKGROUP". There are situations where an Expert Rule needs to be applied to only one or two systems, or to ENS systems that are not managed by EPO (a non-corporate environment where ENS is installed from a standalone setup); in those cases, the Expert Rule must be added directly at the endpoint. Expert Rules can be written and applied directly on the endpoint system using the McAfee Endpoint Security UI. The steps are below:
1. Open McAfee Endpoint Security. Go to Settings.
2. Go to Threat Prevention | Show Advanced.
3. Scroll down to the Expert Rule section and click Add Expert Rule.
4. The Expert Rule compiler pops up, where the user can write and compile Expert Rules directly and, once they compile, enforce them on the system.
If the Expert Rule has no syntax errors, it can be applied to the system by clicking the Enforce button. If there is a syntax error, the details can be found in the log file %ProgramData%\McAfee\Endpoint Security\Logs\ExploitPrevention_Debug.log
Testing the Rules
When new rules are created, they should first be tested in 'Report' mode so that their detections can be observed without blocking anything. Once enough confidence in the rule has been gained, it can be switched to 'Block' mode.
Expert Rule Examples:
Basic Rule:
The following rule will detect an instance of cmd.exe creating any file under c:\temp. Note that the rule matches cmd.exe regardless of which user runs it or where on the system it is run from.
Rule {
  Process {
    Include OBJECT_NAME { -v "cmd.exe" }
  }
  Target {
    Match FILE {
      Include OBJECT_NAME { -v "c:\\temp\\**" }
      Include -access "CREATE"
    }
  }
}
Rules which target specific malicious behavior:
The following rules can be created to help block specific malicious activity performed by various malware families and attack techniques.
Expert Rule to Block Remote Process Injection [MITRE Technique Process Injection T1055]:
Rule {
  Process {
    Include OBJECT_NAME { -v "**" }
    Exclude OBJECT_NAME { -v "SYSTEM" }
    Exclude OBJECT_NAME { -v "%windir%\\System32\\WBEM\\WMIPRVSE.EXE" }
    Exclude OBJECT_NAME { -v "%windir%\\System32\\CSRSS.EXE" }
    Exclude OBJECT_NAME { -v "%windir%\\System32\\WERFAULT.EXE" }
    Exclude OBJECT_NAME { -v "%windir%\\System32\\SERVICES.EXE" }
    Exclude OBJECT_NAME { -v "*\\GOOGLE\\CHROME\\APPLICATION\\CHROME.EXE" }
  }
  Target {
    Match THREAD {
      Include OBJECT_NAME { -v "**" }
      Exclude OBJECT_NAME { -v "**\\MEMCOMPRESSION" }
      Exclude OBJECT_NAME { -v "%windir%\\System32\\WERFAULT.EXE" }
      Include -access "WRITE"
    }
  }
}
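To make the Include/Exclude logic of the Basic Rule and the process injection rule above concrete, here is a small evaluator written for this post (not McAfee code) that models how a rule's Process and Target blocks are matched against an event. The wildcard semantics, the %windir% expansion to C:\Windows, and the leaf-name matching for patterns without a path are assumptions of the model, and the events it checks are constructed.

```python
import re

# Added model, not McAfee code. Assumed semantics: '*' matches within one path
# component, '**' also crosses '\', matching is case-insensitive, and a pattern
# with no '\' is compared against the file name only. Backslashes are single
# here; the rule language itself escapes them as '\\'.
WINDIR = r"C:\Windows"  # stand-in for the %windir% variable used in the rule

def glob_to_regex(pattern):
    pattern = pattern.replace("%windir%", WINDIR)
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def matches_any(patterns, path):
    leaf = path.rsplit("\\", 1)[-1]
    return any(glob_to_regex(p).match(path if "\\" in p else leaf) for p in patterns)

def rule_fires(rule, event):
    """Process and Target must each match an Include and no Exclude, and at
    least one requested access must be listed in the Target block."""
    proc, tgt = rule["process"], rule["target"]
    if event["target_type"] != tgt["type"]:
        return False
    for side, name in ((proc, event["process"]), (tgt, event["target"])):
        if not matches_any(side["include"], name) or matches_any(side.get("exclude", []), name):
            return False
    return bool(set(event["access"]) & set(tgt["access"]))

# The remote process injection rule from this post, written as data.
PROCESS_INJECTION_RULE = {
    "process": {"include": ["**"],
                "exclude": ["SYSTEM", r"%windir%\System32\WBEM\WMIPRVSE.EXE",
                            r"%windir%\System32\CSRSS.EXE", r"%windir%\System32\WERFAULT.EXE",
                            r"%windir%\System32\SERVICES.EXE",
                            r"*\GOOGLE\CHROME\APPLICATION\CHROME.EXE"]},
    "target": {"type": "THREAD", "include": ["**"],
               "exclude": [r"**\MEMCOMPRESSION", r"%windir%\System32\WERFAULT.EXE"],
               "access": ["WRITE"]},
}

def check(process, target, access, target_type="THREAD"):
    """Constructed event: `process` requests `access` on a thread of `target`."""
    return rule_fires(PROCESS_INJECTION_RULE, {"process": process, "target": target,
                                               "target_type": target_type, "access": access})
```

Swapping PROCESS_INJECTION_RULE for the Basic Rule's data (process "cmd.exe", target type FILE, include "c:\\temp\\**", access CREATE) exercises the same evaluator on that rule.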
Expert Rule which prevents the powershell.exe and powershell_ise.exe processes from dumping credentials by accessing lsass.exe memory [MITRE Technique Credential Dumping T1003]:
Rule {
  Process {
    Include OBJECT_NAME { -v "powershell.exe" }
    Include OBJECT_NAME { -v "powershell_ise.exe" }
    Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
  }
  Target {
    Match PROCESS {
      Include OBJECT_NAME { -v "lsass.exe" }
      Include -nt_access "!0x10"
      Exclude -nt_access "!0x400"
    }
  }
}
Expert Rule which prevents creation of a suspicious task (PowerShell script or batch file) using the "SchTasks.exe" utility [MITRE Technique Scheduled Task T1053]:
Rule {
  Process {
    Include OBJECT_NAME { -v "SchTasks.exe" }
    Include PROCESS_CMD_LINE { -v "*/Create*" }
  }
  Target {
    Match PROCESS {
      Include PROCESS_CMD_LINE { -v "**.bat**" }
    }
    Match PROCESS {
      Include PROCESS_CMD_LINE { -v "**.ps1**" }
    }
  }
}
Expert Rule to prevent Start Up Entry Creation [MITRE Technique Persistence T1060]:
Adversaries can use several techniques to maintain persistence across system reboots. One of the most popular is creating entries in the Start Up folder. The following Expert Rule will prevent any process from creating files in the Start Up folder. Recently, the internet has witnessed a full-fledged exploit of a decade-old WinRAR vulnerability (CVE-2018-20251) which can be exploited by dropping files in the Start Up directory. The following Expert Rule will also block such an attempt.
Rule {
  Process {
    Include OBJECT_NAME { -v "**" }
  }
  Target {
    Match FILE {
      Include OBJECT_NAME { -v "**\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\**" }
      Include -access "CREATE WRITE"
    }
  }
}
Expert Rule which blocks JavaScript Execution within Adobe Reader:
Exploiting a client-side software vulnerability to gain an initial foothold in a network is not new [MITRE Technique T1203]. Adobe Reader is a very popular target because, like a browser, it supports JavaScript, which makes exploitation much easier. The following Expert Rule can be deployed in any network to prevent Adobe Reader from loading EScript.api, the module that executes JavaScript, and therefore from executing any kind of JavaScript.
Rule {
  Process {
    Include OBJECT_NAME { -v "AcroRd32.exe" }
  }
  Target {
    Match SECTION {
      Include OBJECT_NAME { -v "EScript.api" }
    }
  }
}
The table below shows how the above four Expert Rules line up in the MITRE ATT&CK matrix.
Conclusion
There are many more rules that can be created within Exploit Prevention (part of McAfee's ENS Threat Prevention), and they can be customized depending on the customer's environment and requirements. For example, the Expert Rule which blocks JavaScript execution within Adobe Reader is of no use if an organization does not use the "Adobe Reader" software. To fully utilize this feature, we recommend our customers read the following guide:
https://kc.mcafee.com/corporate/index?page=content&id=KB89677
Disclaimer: The Expert Rules used here as examples can cause a significant number of False Positives in some environments; hence we recommend that those rules be applied only in environments where better visibility of the above (or similar) events at a granular level is required.
Acknowledgement:
The author would like to thank the following colleagues for their help and input in authoring this blog.
- Oliver Devane
- Abhishek Karnik
- Cedric Cochin