Home
Tech info
Technology
Science
Life
Application
Electric
Program
Mobile
Windows 10
Windows 11Microsoft Sysmon has added a feature to block the creation of EXE files
This feature is a powerful tool for system administrators as it allows them to block the creation of executables based on various criteria such as file path, whether it matches specific hashes or brought about by certain executables.
Example : If you have a list of the hashes of a known malicious code, you can configure Sysmon to block the creation of executables that match that hash. Or if you want to prevent malicious Office attachments from spreading malicious code, you can stop creating executables from Word or Excel.
Blocking executable file creation in Sysmon
Sysmon, or System Monitor, is a free Microsoft Sysinternals tool that can monitor the system for malicious activity and log events to the Windows Event Log.
Sysmon will monitor basic events such as file creation and time changes by default to the Event viewer. However, it is possible to create a custom configuration file containing advanced options that define what Sysmon monitors or blocks.
The full list of directives in the Sysmon schema can be found by the user, which can be viewed by running the sysmon -s command in the command prompt.
The current Sysmon Schema is version 4.82, which now includes a "FileBlockExecutable" configuration option to block the creation of executables based on their path, name, hash, and the program trying to create the file as shown below. :
Microsoft Sysmon has added a feature to block the creation of EXE files Picture 1
Example : To prevent Microsoft Office applications from creating new executables, you can refer to the rule created by Olaf Hartong. The rule that you can see in the image below will block the creation of any executable using Excel, Word, PowerPoint, Outlook, Access or Publisher and write any event to the Event Log under the name "technique_id=T1105, technique_name=Ingress Tool Transfer."
Microsoft Sysmon has added a feature to block the creation of EXE files Picture 2
To start Sysmon and direct it to use the configuration file above, you will need to execute the command sysmon -i followed by the configuration file name.
In the example we are following, the name of the configuration file is msoffice-fileblock.xml, so we will use the following command from the Command Prompt (Admin) to start Sysmon:
sysmon -i msoffice-fileblock.xmlAfter booting, Sysmon will install its driver and start collecting data quietly in the background.
All Sysmon events will be logged to 'Applications and Services Logs/Microsoft/Windows/Sysmon/Operational' in the Event Viewer.
With FileBlockExecutable enabled, when the executable is created and matches the rule, Sysmon will block the file and create an "Event 27, Sysmon" in the Event Viewer.
Example: Here is an experiment with this feature to block the creation of executable files in the C: ProgramData folder, which is often the target of malicious code.
Microsoft Sysmon has added a feature to block the creation of EXE files Picture 3
Then when we try to copy C:Windowsnotepad.exe to C:ProgramData, the following event log appears when file creation is blocked.
Microsoft Sysmon has added a feature to block the creation of EXE files Picture 4
The entries in the created Event Log contain valuable information as explained below:
- ProcessID : The ID of the process trying to create the file.
- User: The user associated with the file creation.
- Image: The name of the program that created the file.
- TargetFilename: The file has been blocked from initialization.
- Hash: The SHA256 hash of the file being generated.
According to Hartong, Sysmon will determine if a file is an executable based on the file's header. Therefore, Sysmon will also block DLL and SYS executables when they use the same MZ file header.
If you want pre-made Sysmon configuration files that block known malware and hacking tools, you can download the file created by security researcher Florian Roth via the GitHub link.
There is a way to bypass the FileBlockExecutable feature
While this is a useful feature, don't consider it a 100% secure solution. After only a short time, security researcher Adam Chester found a way to bypass FileBlockExecutable.
Therefore, while it is useful to monitor and prevent malware, you should not consider FileBlockExecutable as the only protection.
Jessica TannerYou should read it
- Microsoft brings Sysmon tools to Linux
- Microsoft released Sysmon 10 with DNS query logging feature
- Operations with blocks in Excel
- Admire the robot model can transform itself as Transformer
- Google Chrome will block unsafe downloads on HTTPS websites
- How to use StopAd blocking ads on Windows
- Select blocks of text and manipulate blocks in Word
- Group in Word, group of image blocks in Word
- Google will block its services on non-certified devices
- TOP rarest blocks in Minecraft 1.18
- How to use uBlock Origin block ads on Edge Chromium
- How to Download, Install, and Use Code::Blocks
Technology
How secure is Microsoft OneDrive?- Top 6 Systems and Tools Manufacturers Need in 2022
- Is enterprise search good for your business? Learn more!
- 'Falling' before the culprit who hacked dozens of credit cards with a super algorithm developed by himself
- Microsoft warns of RCE vulnerability in Windows diagnostic tool
- Chromebooks can now warn users when connecting to an 'inappropriate' USB Type C cable
How secure is Microsoft OneDrive?
Top 6 Systems and Tools Manufacturers Need in 2022
Is enterprise search good for your business? Learn more!
'Falling' before the culprit who hacked dozens of credit cards with a super algorithm developed by himself
Microsoft warns of RCE vulnerability in Windows diagnostic tool
Chromebooks can now warn users when connecting to an 'inappropriate' USB Type C cable