In my last post, I mapped controls to stop a malicious doc calling out via PowerShell. I'm now going to cover how using the Windows firewall can stop the attack chain.

The Windows firewall can be used to limit an application from making connections. In the attack chain, this means that the user got the malicious document, opened it, the macro ran, and the PowerShell script failed to pull down additional malware.

Two outbound Block rules cover both copies of powershell.exe (the 32-bit SysWOW64 binary and the 64-bit system32 binary):

Rule "Powershell": Profile All, Enabled Yes, Action Block, Override No, Program %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Local Address Any, Remote Address Any, Protocol Any, Local Port Any, Remote Port Any, Authorized Users/Computers/Local Principals/Local User Owner Any

Rule "Powershell2": Profile All, Enabled Yes, Action Block, Override No, Program %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe, Local Address Any, Remote Address Any, Protocol Any, Local Port Any, Remote Port Any, Authorized Users/Computers/Local Principals/Local User Owner Any

With those rules in place, the download stage of the macro, run here from a command prompt, fails:

cmd /c PowerShell (New-Object System.Net.Webclient).DownloadFile(,%TMP%\tom.exe

Exception calling "DownloadFile" with "2" argument(s): "Unable to connect to the remote server"
+ (New-Object System.Net.Webclient).DownloadFile(
+ CategoryInfo

If you want to allow local communication for these, then you have to turn on the Default Outgoing Policy and create Allow rules.

A kind of workaround is to block specific outbound ports. So you could block 80, 443, and 8080 (see below). Or better yet, you could block everything except the couple of ports you need (135, 139, 445). If you use PowerShell just to call another application that then makes the connection, then you should be able to block everything.

Rule "Powershell2": Profile All, Enabled Yes, Action Block, Override No, Program %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe, Local Address Any, Remote Address Any, Protocol TCP, Local Port Any, Remote Port 443, 80, 8080, Authorized Users/Computers/Local Principals/Local User Owner Any

This process should work for wscript and cscript also.
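The same rules, scripted with the NetSecurity cmdlets so they can be pushed to many machines and cover wscript and cscript as well. This is an added example, not Tom's original configuration; it assumes Windows 8 / Server 2012 or later (where New-NetFirewallRule exists), and the rule display names and the $BlockedPorts switch are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original diary): outbound Block rules for the
# script interpreters a macro typically uses to fetch a second stage.
# Rule names and $BlockedPorts are this example's own choices.

$Interpreters = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\SysWOW64\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\SysWOW64\cscript.exe"
)

# $null = block every outbound connection from these binaries (the "block
# everything" case). Set to @('80','443','8080') for the port-specific workaround.
$BlockedPorts = $null

foreach ($exe in $Interpreters) {
    # 32-bit copies do not exist on x86 hosts; skip paths that are not present.
    if (-not (Test-Path -Path $exe)) { continue }

    $name = "ISC Block outbound - $exe"
    # Drop any earlier rule of the same name so the script can be re-run safely.
    Remove-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue

    $params = @{
        DisplayName = $name
        Direction   = 'Outbound'
        Action      = 'Block'
        Profile     = 'Any'        # shown as "All" in the WFAS console
        Program     = $exe
        Enabled     = 'True'
    }
    if ($BlockedPorts) {
        $params['Protocol']   = 'TCP'
        $params['RemotePort'] = $BlockedPorts
    }
    New-NetFirewallRule @params | Out-Null
}

# Verify: print action, enabled state and the program each rule applies to.
Get-NetFirewallRule -DisplayName 'ISC Block outbound*' | ForEach-Object {
    $prog = ($_ | Get-NetFirewallApplicationFilter).Program
    '{0,-6} {1,-5} {2}' -f $_.Action, $_.Enabled, $prog
}
```

After running it, the DownloadFile test from the diary should fail with the same "Unable to connect to the remote server" error from a normal user prompt.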


Tom Webb


(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

It is that time of year again. It is the holiday season, with presents under the tree. Some of those presents are bound to be electronic: PCs, Macs, cellular phones, gaming systems, or one of the new electronic gadgets like Alexa/Google devices, digital frames, security cameras, and other wireless devices. Any of these may open a security hole in your network, so each requires a little thought about how it will affect your network.

The first thing that every network, whether home or work, should have is a good, well-configured firewall. Your firewall can protect your critical network assets from unwanted advances. With a strong password and all of the updates in place, the firewall will be your first line of defense.

All of the other devices behind the firewall will get some protection. As devices are added to your network, you need to further secure it by applying the security updates from the vendors, using strong passwords, and using appropriate security software and antivirus/anti-malware software. Make sure that any applications you are using are getting updated as the manufacturer makes updates available.

You can further protect your data by backing up all of your critical data. Whether you use an offsite backup like Carbon Copy or IDrive, or an external device (hard drive or thumb drive), you need to protect your data. Backing up your machine regularly can protect you from the unexpected. Keep a few months' worth of backups and make sure the files can be retrieved if needed.

One of the most important things to remember: use safe practices while online. There are so many exploits on the Internet that try to trick you into falling into their trap. You need to protect yourself from these bad guys. Ignore unsolicited emails, and be wary of attachments, links and forms in emails that come from people you don't know, and from people you do know that seem phishy. Be careful what websites you visit. Avoid untrustworthy (often free) downloads from freeware or shareware sites. Social networking sites, as well as a lot of the news sites, have open compromises on their sites. Don't click on links or download software from these sites. Be careful when watching videos or other active content, because they too can contain hidden dangers.

I would like to hear from our readers. What tips do you have for this holiday season?

Deb Hale
