mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 13:39:40 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,43 @@
|
||||
# Standards & References - Implementing Application Whitelisting with AppLocker
|
||||
|
||||
## Primary Standards
|
||||
|
||||
### NIST SP 800-167 - Guide to Application Whitelisting
|
||||
- **Publisher**: NIST
|
||||
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-167/final
|
||||
- **Scope**: Comprehensive guidance on planning, implementing, and maintaining application whitelisting
|
||||
- **Key sections**: Technology overview, planning process, policy creation, maintenance operations
|
||||
|
||||
### ACSC Essential Eight - Application Control
|
||||
- **Publisher**: Australian Cyber Security Centre
|
||||
- **URL**: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
|
||||
- **Scope**: Application control is Mitigation Strategy #1 in the Essential Eight
|
||||
- **Maturity levels**: L1 (block executables in user profiles), L2 (block from all user-writable paths), L3 (Microsoft recommended block rules + WDAC)
|
||||
|
||||
### CIS Control 2 - Software Inventory and Control
|
||||
- **Publisher**: Center for Internet Security
|
||||
- **Relevance**: CIS Controls v8 Control 2 requires software allowlisting for authorized applications
|
||||
|
||||
## Compliance Mappings
|
||||
|
||||
| Framework | Requirement | AppLocker Coverage |
|
||||
|-----------|------------|-------------------|
|
||||
| PCI DSS 4.0 | 6.4.3 - Restrict active content | AppLocker script rules block unauthorized scripts |
|
||||
| NIST 800-53 | CM-7 - Least Functionality | AppLocker enforces minimum required software |
|
||||
| NIST 800-53 | CM-11 - User-Installed Software | AppLocker prevents unauthorized software installation |
|
||||
| NIST 800-171 | 3.4.8 - Application whitelisting | Direct requirement for application control |
|
||||
| ISO 27001 | A.12.5.1 - Installation of software on operational systems | AppLocker restricts installation capability |
|
||||
| HIPAA | 164.312(a)(1) - Access Control | Restricts executable access to authorized applications |
|
||||
|
||||
## Microsoft Documentation
|
||||
|
||||
- **AppLocker Overview**: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview
|
||||
- **AppLocker Policies Design Guide**: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide
|
||||
- **WDAC and AppLocker Feature Availability**: Comparison of capabilities between AppLocker and WDAC
|
||||
- **Microsoft Recommended Block Rules**: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol
|
||||
|
||||
## Supporting References
|
||||
|
||||
- **LOLBAS Project**: https://lolbas-project.github.io/ - Living Off The Land Binaries reference for deny rule creation
|
||||
- **AaronLocker (GitHub)**: Open-source toolkit for generating robust AppLocker policies
|
||||
- **UltimateAppLockerByPassList**: Security research on AppLocker bypass techniques for defense awareness
|
||||
@@ -0,0 +1,137 @@
|
||||
# Workflows - Implementing Application Whitelisting with AppLocker
|
||||
|
||||
## Workflow 1: Initial AppLocker Deployment
|
||||
|
||||
```
|
||||
[Application Inventory]
|
||||
│
|
||||
├── Scan reference endpoints for installed applications
|
||||
├── Catalog all approved software by publisher/path/hash
|
||||
├── Identify admin tools vs. standard user applications
|
||||
│
|
||||
▼
|
||||
[Policy Design]
|
||||
│
|
||||
├── Create default allow rules (Program Files, Windows)
|
||||
├── Create publisher rules for third-party vendors
|
||||
├── Create deny rules for LOLBins (standard users only)
|
||||
├── Create script control rules
|
||||
│
|
||||
▼
|
||||
[Audit Mode Deployment]
|
||||
│
|
||||
├── Deploy via GPO to pilot OU (Audit Only)
|
||||
├── Enable Application Identity service
|
||||
├── Monitor for 2-4 weeks
|
||||
│
|
||||
▼
|
||||
[Audit Log Analysis]
|
||||
│
|
||||
├── Export blocked events (8003, 8006)
|
||||
├── Identify legitimate applications being blocked
|
||||
│
|
||||
├── Blocked app is legitimate ──► [Create allow rule]
|
||||
│ │
|
||||
│ ▼
|
||||
│ [Re-audit 1 week]
|
||||
│
|
||||
└── All blocked apps are unauthorized ──► [Proceed to enforcement]
|
||||
│
|
||||
▼
|
||||
[Switch to Enforce mode (phased)]
|
||||
│
|
||||
├── Week 1: EXE rules
|
||||
├── Week 2: Script rules
|
||||
├── Week 3: MSI rules
|
||||
└── Week 4: DLL rules (optional)
|
||||
```
|
||||
|
||||
## Workflow 2: New Application Approval
|
||||
|
||||
```
|
||||
[User requests new application]
|
||||
│
|
||||
▼
|
||||
[Security review of application]
|
||||
│
|
||||
├── Is it signed by trusted publisher? ──► [Create publisher rule]
|
||||
│
|
||||
├── Unsigned but necessary? ──► [Create hash rule + document exception]
|
||||
│
|
||||
└── Fails security review ──► [Deny request, document reason]
|
||||
│
|
||||
▼
|
||||
[Add rule to AppLocker GPO]
|
||||
│
|
||||
▼
|
||||
[Deploy to pilot OU, verify no conflicts]
|
||||
│
|
||||
▼
|
||||
[Deploy to production OU]
|
||||
│
|
||||
▼
|
||||
[Update application inventory]
|
||||
```
|
||||
|
||||
## Workflow 3: AppLocker Bypass Incident Response
|
||||
|
||||
```
|
||||
[Detection: Unauthorized execution despite AppLocker]
|
||||
│
|
||||
▼
|
||||
[Identify bypass technique]
|
||||
│
|
||||
├── LOLBin not blocked ──► [Add deny rule for specific binary]
|
||||
│
|
||||
├── Execution from allowed path ──► [Restrict path rule scope]
|
||||
│
|
||||
├── Admin user bypass ──► [Evaluate WDAC migration for admin enforcement]
|
||||
│
|
||||
└── DLL side-loading ──► [Enable DLL rules or deploy WDAC]
|
||||
│
|
||||
▼
|
||||
[Update AppLocker policy with fix]
|
||||
│
|
||||
▼
|
||||
[Verify fix in audit mode on test endpoint]
|
||||
│
|
||||
▼
|
||||
[Deploy fix to production]
|
||||
│
|
||||
▼
|
||||
[Update threat model and rule documentation]
|
||||
```
|
||||
|
||||
## Workflow 4: AppLocker to WDAC Migration
|
||||
|
||||
```
|
||||
[Decision: Migrate from AppLocker to WDAC]
|
||||
│
|
||||
▼
|
||||
[Audit current AppLocker policy]
|
||||
│
|
||||
├── Export AppLocker rules as XML
|
||||
├── Identify rules that need WDAC equivalents
|
||||
│
|
||||
▼
|
||||
[Create WDAC policy using WDAC Wizard]
|
||||
│
|
||||
├── Convert publisher rules to WDAC signer rules
|
||||
├── Convert path rules to WDAC filepath rules
|
||||
├── Add Microsoft recommended block rules
|
||||
│
|
||||
▼
|
||||
[Deploy WDAC in Audit mode alongside AppLocker]
|
||||
│
|
||||
▼
|
||||
[Monitor WDAC audit events for 4 weeks]
|
||||
│
|
||||
▼
|
||||
[Resolve WDAC audit findings]
|
||||
│
|
||||
▼
|
||||
[Switch WDAC to Enforce mode]
|
||||
│
|
||||
▼
|
||||
[Disable AppLocker policy]
|
||||
```
|
||||
Reference in New Issue
Block a user