{"id":101181,"date":"2020-05-19T09:30:22","date_gmt":"2020-05-19T16:30:22","guid":{"rendered":"\/blogs\/?p=101181"},"modified":"2024-07-08T01:35:57","modified_gmt":"2024-07-08T08:35:57","slug":"how-to-use-mcafee-atp-to-protect-against-emotet-lemonduck-and-powerminer","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-to-use-mcafee-atp-to-protect-against-emotet-lemonduck-and-powerminer\/","title":{"rendered":"How To Use McAfee ATP to Protect Against Emotet, LemonDuck and PowerMiner"},"content":{"rendered":"<h2>Introduction<\/h2>\n<p>This blog describes how McAfee ATP (Adaptive Threat Protection) rules are used within McAfee Endpoint Security products. It will help you understand how ATP rules work and how you can use them to prevent infections from prevalent malware families such as Emotet, LemonDuck and PowerMiner. Please read through the Recommendations section to use the rules effectively in your environment.<\/p>\n<p>ATP rules are a form of attack surface reduction technology that detects suspicious use of OS features and applications. These rules target behaviors that are often abused by malware authors. Legitimate applications can sometimes exhibit the same behavior, so rules need to be configured according to the environment.<\/p>\n<p>ATP rules within McAfee Endpoint Security (ENS) 10.5.3 and above have already detected over a million pieces of malware since the start of 2020. This blog will show you how to enable ATP rules and explain why they should be enabled by highlighting some of the malware we detect with them. We\u2019ll also show you how to maximize detection capabilities by tweaking some specific settings.<\/p>\n<p>First, let\u2019s start with an overview. 
We release ATP rules in three types: <strong>Evaluate, DefaultOn and HighOn<\/strong>.<\/p>\n<p><strong>Evaluate<\/strong> rules are tested in the field by McAfee to determine whether they are robust enough to detect malicious activity without producing false positives. Once a rule has been in Evaluate mode for a period of time, McAfee researchers analyze its performance and either modify it or promote it to DefaultOn or HighOn. ENS ATP customers connected to McAfee ePolicy Orchestrator (ePO) can manually change Evaluate rules to Enabled mode.<\/p>\n<p><strong>DefaultOn<\/strong> rules are created when McAfee has high confidence that no legitimate applications will be impacted. These rules are enabled by default in all McAfee Endpoint Security rule groups.<\/p>\n<p><strong>HighOn<\/strong> rules detect behavior that is known to be malicious but may have some overlap with non-malicious applications. These rules are set to Observe mode for systems in the \u201cBalanced\u201d rule group, but act as DefaultOn for systems in the \u201cSecurity\u201d rule group. Later in this blog, we cover how to change the rule group in Endpoint Security products to enable HighOn rules.<\/p>\n<h3>How to enable ATP rules in ENS 10.5.3 and above<\/h3>\n<p>By default, many ATP rules are set to Observe mode. 
To enable these rules in an active-blocking mode, log in to the ePO console and go to Menu-&gt;Configuration-&gt;Server Settings.<\/p>\n<p>Select <strong>Adaptive Threat Protection<\/strong> and select the required rule group (<strong>Productivity<\/strong>, <strong>Balanced<\/strong>, or <strong>Security<\/strong>).<\/p>\n<p>As seen in Figure 1, Rule 329 is in Observe mode in the Balanced rule group and, in Figure 2 below, you can see it is Enabled by default in the Security rule group.<\/p>\n<p>Note: As mentioned previously, we analyze rules from time to time and make modifications, so you may have different settings in your environment, depending upon the content version.<\/p>\n<p>To enable a rule, click on Edit below the rules and select the rule you would like to change, then select the desired state: Disabled, Enabled, or Observe. Figure 3 shows how we can change the state of Rule 256, which helps in detecting Emotet and Trickbot downloaders.<\/p>\n<p>Click on Save and the rule should be enabled on the clients within a few minutes. Here you see that Rule 256 blocks the malicious file JTI\/Suspect.131328 by default.<\/p>\n<h3>Change the assigned rule group to use HighOn rules in ENS 10.5.3 and above<\/h3>\n<p>In this section, we step through how you can change the rule group to \u201cSecurity\u201d, which enables all the HighOn rules in block mode by default. We recommend you check the logs to see whether the HighOn rules have detected clean activity within your environment before changing to this rule group.<\/p>\n<p>To change the rule group, log in to the ePO console and go to Menu-&gt;Systems-&gt;System Tree.<\/p>\n<p>Select a group and go to the Assigned Policies tab. 
Select \u2018Endpoint Security Adaptive Threat Protection\u2019 from the product dropdown.<\/p>\n<p>Click on the \u2018My Default\u2019 policy under the \u2018Options\u2019 category.<\/p>\n<p>Scroll down to Rule Assignment. From the Rule Assignment drop-down list, select <strong>Security<\/strong> and click Save. This will update all the clients with the \u2018My Default\u2019 policy to the Security rule group.<\/p>\n<h3>Enable HighOn rules in MVISION Endpoint<\/h3>\n<p>To enable HighOn rules, the MVISION Endpoint policy needs to be set to \u2018High Protection\u2019 if it is not already set by default. Follow these steps:<\/p>\n<p>Log in to the ePO console and go to Menu-&gt;Systems-&gt;System Tree.<\/p>\n<p>Select a group and go to the Assigned Policies tab. Select \u2018MVISION Endpoint\u2019 from the product dropdown.<\/p>\n<p>Click on \u2018Edit Assignment\u2019 under the General category.<\/p>\n<p>Change \u2018Inherit from\u2019 to \u2018Break Inheritance and assign the policy and settings below\u2019. Also, change the \u2018Assigned policy\u2019 to \u2018High Protection\u2019 from the dropdown list and click on \u2018Save\u2019. This will enable all the HighOn rules.<\/p>\n<h3>ATP Rules in the Wild<\/h3>\n<p>This section highlights three prevalent threats which ATP rules detect. We highlight one rule for each of DefaultOn, HighOn and Evaluate to demonstrate the importance of monitoring rule updates and enabling more aggressive rules if they are suitable for your environment.<\/p>\n<h4><strong>PowerMiner (DefaultOn example)<\/strong><\/h4>\n<p>PowerMiner is a cryptocurrency-mining malware that has been prevalent since 2019. We discussed this malware in a previous blog on <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-amsi-integration-protects-against-malicious-scripts\/\" target=\"_blank\" rel=\"noopener noreferrer\">AMSI detection<\/a>. 
The purpose of PowerMiner is to infect as many machines as possible to mine Monero currency. The initial infection vector is phishing emails which contain a batch file. Once run, this batch file executes a malicious PowerShell script that then begins the infection process.<\/p>\n<p>ATP DefaultOn Rule 263 \u201cDetect processes accessing suspicious URLs\u201d and Rule 262 \u201cIdentify suspicious command parameter execution for Security rule group assignments\u201d block this threat once PowerShell is executed by Dropper.bat and attempts to download the malicious PS1 file.<\/p>\n<p>This is shown by the red cross in the flow chart above. As mentioned in the AMSI blog, this threat is also covered by our AMSI signatures but, as we do with several threats, we have different forms of detection in case the malware authors modify their code to attempt to bypass one of them.<\/p>\n<p>The IP Map below shows the detections of this threat between October 2019 and January 2020 by the ATP rules mentioned above.<\/p>\n<h4><strong>LemonDuck (HighOn example)<\/strong><\/h4>\n<p>LemonDuck, like PowerMiner, is a coin mining malware. It spreads via various methods such as the EternalBlue exploit and Mimikatz. Once a machine has been infected, LemonDuck creates several scheduled tasks to download various components which include the coin mining functionality. The flow chart below shows the LemonDuck infection process:<\/p>\n<p>ATP HighOn Rule 329 \u201cIdentify and block suspicious usage of Scheduled Tasks in high change systems\u201d blocks LemonDuck at the scheduled task creation stage. 
Again, like PowerMiner, McAfee also has an AMSI signature which detects this threat as LemonDuck!&lt;partial_hash&gt;.<\/p>\n<p>The IP Map below shows the detections of this threat between October 2019 and January 2020 by the ATP rule mentioned above.<\/p>\n<h4><strong>Emotet Downloader (Evaluate example)<\/strong><\/h4>\n<p>Emotet is a Trojan which is responsible for downloading and executing several high-profile malware families, including Trickbot, which in turn has been known to download and execute the Ryuk ransomware. Emotet is usually downloaded and executed on the victim\u2019s machine by malicious documents which are sent out via email spam. The malicious document uses PowerShell to download the Emotet executable and execute it. The flow is shown below:<\/p>\n<p>McAfee ATP Rule 256 \u2018Detect use of long -encoded command PowerShell\u2019 and Rule 264 \u2018Inspect EncodedCommand Powershell\u2019 will detect this behavior if enabled. They are not enabled by default, as this behavior can be legitimate, so we recommend checking the detections in Evaluate mode and, if no false positives occur, then turning them on. This rule will also block other malware which performs the same activity as Trickbot. The IP Map below shows the detections Rule 256 has had between October 2019 and January 2020. This includes all threats detected by this rule, not just Emotet.<\/p>\n<h3>Recommendations<\/h3>\n<p>By now you are likely asking yourself which rules you should turn on. 
Firstly, it should be noted that enabling ATP rules has no performance impact; however, as highlighted in the first section, they can sometimes cause false positives.<\/p>\n<p>From the collection of ATP rules, we recommend turning on the <em>\u2018Observe\u2019 mode<\/em> rules mentioned in this blog.<\/p>\n<p>In addition to the rules mentioned for each threat, the following rules can be turned to \u2018Enabled\u2019 mode from the ePO console as we described. As mentioned, there is continuous evaluation of these rules by McAfee researchers, which can result in rules moving to a different rule group or merging into other existing rules.<\/p>\n<ul>\n<li><em>Rule 238<\/em> &#8211; Identify abuse of common processes spawned from non-standard locations.\n<ul>\n<li>Protection from files being executed from suspicious locations which are often used by attackers.<\/li>\n<\/ul>\n<\/li>\n<li><em>Rule 309<\/em> &#8211; Block processes attempting to launch from Office applications.\n<ul>\n<li>Office documents are the main vectors used to deploy malware. This rule prevents Office applications from being abused to deliver malicious payloads.<\/li>\n<\/ul>\n<\/li>\n<li><em>Rule 312<\/em> &#8211; Prevent email applications, such as Outlook, from spawning script editors and dual-use tools.\n<ul>\n<li>Spam emails are common initial attack vectors used by malware authors. This rule helps to detect suspicious use of email applications by preventing the launch of uncommon processes.<\/li>\n<\/ul>\n<\/li>\n<li><em>Rule 323<\/em> &#8211; Prevent mshta from being launched as a child process.\n<ul>\n<li>Related to MITRE technique <a href=\"https:\/\/attack.mitre.org\/techniques\/T1170\" target=\"_blank\" rel=\"noopener noreferrer\">T1170<\/a>. Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to execute malicious .hta files and JavaScript or VBScript. This rule helps to detect the malicious use cases. You can read more about mshta <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>In general, we recommend looking through your ATP logs and checking to see whether any \u2018Observe\u2019 mode rules are causing detections. If you find any rules that are not detecting legitimate use cases, we advise changing them to \u2018Enabled\u2019 mode.<\/p>\n<p>We advise applying the change to an ePO group containing a small number of machines first and then monitoring that environment for any false positives. If there are no false positives, you can then deploy the changes to a broader group.<\/p>\n<p>KB Article <a href=\"https:\/\/kc.mcafee.com\/corporate\/index?page=content&amp;id=KB82925\" target=\"_blank\" rel=\"noopener noreferrer\">KB82925<\/a> lists all the available ATP rules. You can also refer to the ATP Rules Release Notes, which are updated when new rules are created or existing ones are modified.<\/p>\n<h3>Conclusion<\/h3>\n<p>We hope that this blog has helped highlight how ATP rules protect your environment against a variety of threats and how, by combining this technology with others like AMSI, we reinforce protection.<\/p>\n<p>This blog continues a series which helps showcase our technology, so we also recommend reading the following:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/other-blogs\/mcafee-labs\/mcafee-protects-against-suspicious-email-attachments\/\">McAfee Protects against suspicious email attachments<\/a><\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-amsi-integration-protects-against-malicious-scripts\/\">McAfee AMSI integration protects against malicious scripts<\/a><\/p>\n<p><a 
href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/using-expert-rules-in-ens-10-5-3-to-prevent-malicious-exploits\/\">Using Expert Rules in ENS to prevent malicious exploits<\/a><\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it\/\">What Is Mshta, How Can It Be Used and How to Protect Against It<\/a><\/p>\n<p><strong><em>All testing was performed with the JTI Content Version 1134 and MVISION Endpoint Version 20.1.0.114 (in High Protection)<\/em><\/strong><\/p>\n","protected":false},"author":1135,"featured_media":96564,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[442],"tags":[],"coauthors":[6154,849],"yoast_head_json":{"title":"How To Use McAfee ATP to Protect Against Emotet, LemonDuck and PowerMiner | McAfee Blog","author":"Ankit Goel, Oliver Devane","article_published_time":"2020-05-19T16:30:22+00:00","article_modified_time":"2024-07-08T08:35:57+00:00","twitter_misc":{"Written by":"Ankit Goel, Oliver Devane","Est. reading time":"9 minutes"}}}