WNDF-AV-000048 - Microsoft Defender AV must block persistence through WMI event subscription.

800-53|SC-18(4)

CAT|II

CCI|CCI-001170

Rule-ID|SV-278652r1144042_rule

STIG-ID|WNDF-AV-000048

Vuln-ID|V-278652

Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.

undefined|

DISA Severity Level 1

Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.

DISA Severity Level 2

Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.

DISA Severity Level 3

CAT - DISA Severity Level

The organization develops an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Disseminate the organization-level; mission/business process-level; and/or system-level access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to organization-defined personnel or roles.

Review and update the current access control policy for organization-defined frequency.

The organization develops procedures to facilitate the implementation of the access control policy and associated access controls.

Disseminate procedures to facilitate the implementation of the organization-level; mission/business process-level; and/or system-level access control policy and associated access controls to the organization-defined personnel or roles.

Review and update the current access control procedures for organization-defined frequency.

The organization manages information system accounts by identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary).

The organization establishes conditions for group membership.

The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges.

Require approvals by organization-defined personnel or roles for requests to create accounts.

Create, enable, modify, disable, and remove system accounts in accordance with organization-defined procedures.

Review accounts for compliance with account management requirements per organization-defined frequency.

The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes.

The organization manages information system accounts by granting access to the system based on a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions.

Support the management of system accounts using (organization-defined automated mechanisms).

Automatically remove or disable temporary and emergency accounts after an organization-defined time-period for each type of account.

Disable accounts when the accounts have been inactive for the organization-defined time-period.

Automatically audit account creation actions.

Require that users log out in accordance with the organization-defined time-period of expected inactivity or description of when to log out.

The information system dynamically manages user privileges and associated access authorizations.

Enforce dual authorization for organization-defined privileged commands and/or other organization-defined actions.

The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.

The organization develops an organization-wide information security program plan that provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan, and a determination of the risk to be incurred if the plan is implemented as intended.

Prevent access to organization-defined security-relevant information except during secure, non-operable system states.

The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.

Use protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions.

Enforce organization-defined information flow control policies.

Prevent encrypted information from bypassing organization-defined flow control mechanisms by employing organization-defined procedures or methods.

Enforce organization-defined limitations on embedding data types within other data types.

Enforce information flow control based on organization-defined metadata.

Enforce one-way information flows using hardware-based flow control mechanisms.

Enforce information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.

The information system enforces the use of human review for organization-defined security policy filters when the system is not capable of making an information flow control decision.

Provide the capability for privileged administrators to enable and disable organization-defined security or privacy filters under organization-defined conditions.

Provide the capability for privileged administrators to configure the organization-defined security or privacy policy filters to support different security or privacy policies.

The organization separates organization-defined duties of individuals.

The organization implements separation of duties through assigned information system access authorizations.

The organization explicitly authorizes access to organization-defined security functions and security-relevant information.

Require that users of system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts or roles, when accessing nonsecurity functions.

The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.

Authorize network access to organization-defined privileged commands only for organization-defined compelling operational needs.

Document the rationale for authorized network access to organization-defined privileged commands in the security plan for the system.

Defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period.

Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.

The organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period.

The organization selects either a lock out mode for the organization-defined time period or delays the next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts.

The information system delays next login prompt according to the organization-defined delay algorithm, when the maximum number of unsuccessful attempts is exceeded, automatically locks the account/node for an organization-defined time period or locks the account/node until released by an Administrator IAW organizational policy.

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

The organization defines a system use notification message or banner displayed before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording.

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.

The organization approves the information system use notification message before its use.

Notify the user, upon successful logon (access) to the system, of the date and time of the last logon (access).

Notify the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.

Limit the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number.

Defines the maximum number of concurrent sessions to be allowed for each organization-defined account and/or account type.

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

The information system initiates a session lock after the organization-defined time period of inactivity.

The information system provides the capability for users to directly initiate session lock mechanisms.

Defines the time-period of inactivity after which the system initiates a device lock.

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

Identify organization-defined user actions that can be performed on the system without identification or authentication consistent with organizational missions/business functions.

The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.

The organization defines allowed methods of remote access to the information system.

The organization establishes usage restrictions and implementation guidance for each allowed remote access method.

Authorize remote access to the system prior to allowing such connections.

The organization enforces requirements for remote connections to the information system.

Employ automated mechanisms to monitor remote access methods.

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

Route all remote accesses through authorized and managed network access control points.

Authorize the execution of privileged commands via remote access only in a format that provides assessable evidence for organization-defined needs.

The organization monitors for unauthorized remote connections to the information system on an organization-defined frequency.

Protect information about remote access mechanisms from unauthorized use and disclosure.

Develop an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.

Develop an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.

Review and update the organization-wide information security program plan on an organization-defined frequency.

Defines the frequency with which to review and update the organization-wide information security program plan.

The organization updates the plan to address organizational changes and problems identified during plan implementation or security control assessments.

Appoint a Senior Information Security Officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ organization-defined additional security measures.

Include the resources needed to implement the information security programs in capital planning and investment requests and document all exceptions to this requirement.

The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required.

The organization establishes usage restrictions for organization-controlled mobile devices.

Establish implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas.

Authorize connection of mobile devices to organizational systems.

The organization monitors for unauthorized connections of mobile devices to organizational information systems.

The organization enforces requirements for the connection of mobile devices to organizational information systems.

The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.

The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

The organization applies organization-defined inspection and preventative measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

The organization restricts the use of writable, removable media in organizational information systems.

The organization prohibits the use of personally-owned, removable media in organizational information systems.

The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.

Establish organization-defined terms and conditions, and/or identify organization-defined controls asserted to be implemented on external systems, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from the external systems.

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process organization-controlled information using the external information systems.

The organization prohibits authorized individuals from using an external information system to access the information system except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.

The organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization has approved information system connection or processing agreements with the organizational entity hosting the external information system.

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

Enable authorized users to determine whether access authorizations assigned to the sharing partner match the information's access and use restrictions for organization-defined information sharing circumstances where user discretion is required.

Employ organization-defined automated mechanisms to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

Develop and document an organization level, mission/business process-level, or system-level awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

CCI - DISA Control Correlation Identifier

Inventory of Authorized and Unauthorized Devices

Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization's public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.

Deploy an automated asset inventory discovery tool.

If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.

Deploy dynamic host configuration protocol (DHCP) server logging.

Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.

Ensure that all equipment acquisitions automatically update the inventory system.

Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc.  The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization's network.

Maintain an asset inventory of all systems connected to the network and the network devices themselves.

Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network.  The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.

Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network.

Use client certificates to validate and authenticate systems prior to connecting to the private network.

Inventory of Authorized and Unauthorized Software

Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses.  This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.

Devise a list of authorized software and version that is required in the enterprise for each type of system.

Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.

Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist.

Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. The software inventory systems must be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

Deploy software inventory tools throughout the organization covering each of the operating system types in use.

Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but based on higher risk should not be installed within a networked environment. 

Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations.

Secure Configurations for Hardware and Software

Establish standard secure configurations of  operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.

Establish standard secure configurations of  operating systems and software applications.

Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise.  Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this image should be integrated into the organization's change management processes.  Images should be created for workstations, servers, and other system types used by the organization.

Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise.

Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network.

Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible.

Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC.

Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels.

Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. The reporting system should: have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes).

Use file integrity checking tools to ensure that critical system files have not been altered.

Implement and test an automated configuration monitoring system that verifies all remotely testable secure configuration elements, and alerts when unauthorized changes occur. This includes detecting new listening ports, new administrative users, changes to group and local policy objects (where applicable), and new services running on a system. Whenever possible use tools compliant with the Security Content Automation Protocol (SCAP) in order to streamline reporting and integration.

Deploy system configuration management tools, such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for UNIX systems that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. They should be capable of triggering redeployment of configuration settings on a scheduled, manual, or event-driven basis.

Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

Continuous Vulnerability Assessment and Remediation

Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk.  Use a SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (such as those described by Common Vulnerabilities and Exposures entries) and configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration Project).

Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis.

Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged. Second, personnel should be able to correlate attack detection events with prior vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable.

Correlate event logs with information from vulnerability scans.

Perform vulnerability scanning in authenticated mode either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested. Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.  Ensure that only authorized employees have access to the vulnerability management user interface and that roles are applied to each user.

Perform vulnerability scanning in authenticated mode.

Subscribe to vulnerability intelligence services in order to stay aware of emerging exposures, and use the information gained from this subscription to update the organization's vulnerability scanning activities on at least a monthly basis.  Alternatively, ensure that the vulnerability scanning tools you use are regularly updated with all relevant important security vulnerabilities.

Subscribe to vulnerability intelligence services.

Deploy automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe.  Patches should be applied to all systems, even systems that are properly air gapped.

Deploy automated patch management tools and software update tools.

Monitor logs associated with any scanning activity and associated administrator accounts to ensure that this activity is limited to the timeframes of legitimate scans.  

Monitor logs associated with any scanning activity.

Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed, either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk. Such acceptance of business risks for existing vulnerabilities should be periodically reviewed to determine if newer compensating controls or subsequent patches can address vulnerabilities that were previously accepted, or if conditions have changed, increasing the risk.

Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed.

Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (example, DMZ servers, internal network servers, desktops, laptops).  Apply patches for the riskiest vulnerabilities first.  A phased rollout can be used to minimize the impact to the organization. Establish expected patching timelines based on the risk rating level. 

Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability.

Controlled Use of Administrative Privileges

Minimize administrative privileges and only use administrative accounts when they are required.  Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.

Minimize administrative privileges and only use administrative accounts when they are required.

Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive.

Use automated tools to inventory all administrative accounts.

Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts.

Change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems.

Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators' group, or when a new local administrator account is added on a system.

Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account.

Use multi-factor authentication for all administrative access, including domain administrative access.  Multi-factor authentication can include a variety of techniques, to include the use of smart cards,certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods.

Use multi-factor authentication for all administrative access, including domain administrative access.

Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters). 

Administrators should be required to access a system using a fully logged and non-administrative account. Then, once logged on to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, and other similar facilities for other types of systems.

Administrators should be required to access a system using a fully logged and non-administrative account.

Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be isolated from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.

Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access.

Maintenance, Monitoring, and Analysis of Audit Logs

Include at least two synchronized time sources from which all servers and network equipment retrieve time information on a regular basis so that timestamps in logs are consistent.

Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

Validate audit log settings for each hardware device and the software installed on it.

Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals.  The logs must be archived and digitally signed on a periodic basis.

Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis.

Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings.

Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs.

Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device.

Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis.  Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts. 

Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis.

Email and Web Browser Protections

Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers provided by the vendor in order to take advantage of the latest security functions and fixes.

Ensure that only fully supported web browsers and email clients are allowed to execute in the organization.

Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications. Each plugin shall utilize application / URL whitelisting and only allow the use of the application for pre-approved domains.

Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications.

Limit the use of unnecessary scripting languages in all web browsers and email clients. This includes the use of languages such as ActiveX and JavaScript on systems where it is unnecessary to support such capabilities.

Detections

Analytics

WNDF-AV-000048 - Microsoft Defender AV must block persistence through WMI event subscription.

Information

Solution

See Also

Item Details