Appendix 3:
Default Xcitium Security Policy Details
An EDR policy determines which events will generate an alert for you. Xcitium EDR ships with a default security policy containing seven event categories. The table below contains details of the default rules in each event category.
The built-in event categories are:
-
Process Events - Rules to generate alerts if an application causes an event.
-
Registry Events - Rules to alert you about changes to the Windows registry on your endpoints.
-
File Events - Rules that detect modifications to any system files and folders.
-
Upload Events - Rules to alert you about file uploads to shared folders or external drives.
-
Defense+ Events - No default rules are set for this event category.
-
Network Events - No default rules are set for this event category.
|
Event Category - Process Events |
||
|---|---|---|
|
Event Type - Create Process |
||
|
Event Name |
Score |
Description |
|
Suspicious System Process Creation |
6 |
Process verdict is not safe AND file path matches %systemroot%* |
|
Remote Powershell Execution |
5 |
File path matches *wsmprovhost.exe |
|
Suspicious Powershell Flag |
5 |
Command line matches any of the following: *powershell*-NoP* *powershell*-Win* *powershell*-w* *powershell*-Exec* *powershell*-ex* *powershell*-ep* *powershell*-command* *powershell*-NoL* *powershell*-InputFormat* *powershell*-Enc* *powershell*-NonInteractive* *powershell*-nonI* *powershell*-file* |
|
Stop Service |
5 |
Command line matches %systemroot%system32net*stop* |
|
Run Untrusted Executable |
4 |
Verdict is not safe |
|
Suspicious Process Hierarchy |
3 |
Process path does not match *explorer.exe AND path matches *powershell.exe OR patch matches *cmd.exe |
|
Start Service |
2 |
Command line matches %systemroot%system32net*start* |
|
Event Category - Registry Events |
||
|---|---|---|
|
Event Type - Set Registry Value |
||
|
Event Name |
Score |
Description |
|
Disable User Account Control |
9 |
Registry key path is equal to HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesSystem AND registry value name is equal to EnableLUA0 AND registry value data is equal to 0. |
|
Disable Task Manager |
9 |
Registry key path is equal to HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem AND registry value name is equal to DisableTaskMgr AND registry value data is equal to 1 |
|
Installation of Drivers |
8 |
Registry key path matches HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices* AND registry value name is equal to Type AND Registry value data is equal to 1 OR registry value data is equal to 2 |
|
Add Service to svchost |
7 |
Registry key path matches HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices* AND registry value name is equal to ImagePath AND registry value data matches *svchost.exe* OR Registry key path matches HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices*Parameters AND registry value name is equal to ServiceDll AND registry matches *.dll |
|
Add Active Setup Value In Registry |
7 |
Registry key path matches HKEY_LOCAL_MACHINESoftwareMicrosoftActive SetupInstalled Components* |
|
Modify Powershell Execution Policy |
7 |
Registry key path is equal to HKEY_LOCAL_MACHINESOFTWAREMicrosoftPowerShell1ShellIdsMicrosoft.PowerShell AND registry value name is equal to ExecutionPolicy |
|
Modify Firewall Settings |
6 |
Registry key path matches HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfile* |
|
Disable Registry Editing Tool |
6 |
Registry key path is equal to HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem AND registry value name is equal to DisableRegistryTools AND registry value data is equal to 1. |
|
Modify AppInit_DLLs in Registry |
6 |
Registry key path is equal to HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows AND registry value name is equal to AppInit_DLLs |
|
Add Service |
6 |
Registry key path matches HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices* AND registry value name is equal to ImagePath AND registry value data matches *.exe* AND registry value data doesn't match *svchost.exe* |
|
Layered Service Provider installation |
6 |
Registry key path matches HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWinSock2ParametersProtocol_Catalog9Catalog_Entries* |
|
Add Autorun In Registry |
5 |
Registry key path matches any of the following: HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsSystemScriptsStartup* HKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystemScriptsLogon* HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem* HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnceEx* HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce* HKEY_CURRENT_USERSoftwareMicrosoftWindowsNTCurrentVersionWindows* HKEY_CURRENT_USERSoftwareMicrosoftWindowsNTCurrentVersionWindowsRun* HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerRun* HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun* HKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystemScriptsLogoff* HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsSystemScriptsShutdown* OR Registry key path equals any of the following: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce |
|
Booting Time Execution |
5 |
Registry key path is equal to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession Manager AND registry value name is equal to BootExecute |
|
Disable Auto Update |
5 |
Registry key path is equal to HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU AND registry value name is equal to NoAutoUpdate AND registry value data is equal to 1 OR Registry key path is equal to HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsWindowsUpdate AND registry value name is equal to DisableWindowsUpdateAccess AND registry value data is equal to 1 OR Registry key path is equal to HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesWindowsUpdate AND registry value name is equal to DisableWindowsUpdateAccess AND registry value data is equal to 1 |
|
Disable Service |
5 |
Registry key path matches HKEY_LOCAL_MACHINESystemCurrentControlSetServices* AND registry value name is equal to Start AND registry value data is equal to 4 |
|
Create Explorer Entry |
5 |
Registry key path matches any of the following: HKEY_LOCAL_MACHINESOFTWAREClassesPROTOCOLSFilter* HKEY_LOCAL_MACHINESOFTWAREClassesPROTOCOLSHandler* HKEY_CURRENT_USERSOFTWAREMicrosoftInternet ExplorerDesktopComponents* HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components* HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad* HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad* HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks* HKEY_CURRENT_USERSoftwareClasses*ShellExContextMenuHandlers* HKEY_LOCAL_MACHINESoftwareClasses*ShellExContextMenuHandlers* HKEY_CURRENT_USERSoftwareClassesAllFileSystemObjectsShellExContextMenuHandlers* HKEY_LOCAL_MACHINESoftwareClassesAllFileSystemObjectsShellExContextMenuHandlers* HKEY_CURRENT_USERSoftwareClassesDirectoryShellExContextMenuHandlers* HKEY_LOCAL_MACHINESoftwareClassesDirectoryShellExContextMenuHandlers* HKEY_CURRENT_USERSoftwareClassesDirectoryShellexDragDropHandlers* HKEY_LOCAL_MACHINESoftwareClassesDirectoryShellexDragDropHandlers* HKEY_CURRENT_USERSoftwareClassesDirectoryShellexPropertySheetHandlers* HKEY_LOCAL_MACHINESoftwareClassesDirectoryShellexPropertySheetHandlers* HKEY_CURRENT_USERSoftwareClassesDirectoryShellexCopyHookHandlers* HKEY_LOCAL_MACHINESoftwareClassesDirectoryShellexCopyHookHandlers* HKEY_CURRENT_USERSoftwareClassesFolderShellexColumnHandlers* HKEY_LOCAL_MACHINESoftwareClassesFolderShellexColumnHandlers* HKEY_CURRENT_USERSoftwareClassesFolderShellExContextMenuHandlers* HKEY_LOCAL_MACHINESoftwareClassesFolderShellExContextMenuHandlers* HKEY_CURRENT_USERSoftwareClassesDirectoryBackgroundShellExContextMenuHandlers* HKEY_LOCAL_MACHINESoftwareClassesDirectoryBackgroundShellExContextMenuHandlers* HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerShellIconOverlayIdentifiers* HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionExplorerShellIconOverlayIdentifiers* HKEY_CURRENT_USERSoftwareMicrosoftCtfLangBarAddin* HKEY_LOCAL_MACHINESoftwareMicrosoftCtfLangBarAddin* HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved* HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved* OR Registry key path is equal to HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler |
|
Disable Windows Application |
5 |
Registry key path is equal to HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerDisallowRun |
|
Disable Command Prompt |
5 |
Registry key path is equal to HKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem AND registry value name is equal to DisableCMD AND registry value data is equal to 2 |
|
Disable Show Hidden Files |
4 |
Registry key path is equal to HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced AND registry value data is equal to 2 AND Registry value name is equal to Hidden OR registry value name is equal to ShowSuperHidden |
|
Share Folder |
4 |
Registry key path is equal to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanserverShares |
|
Addition of DNS Server |
3 |
Registry key path matches HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersInterfaces* AND registry value name is equal to NameServer |
|
Modify Hosts File Registry |
3 |
Registry key path is equal HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters AND registry value name equal to DataBasePath |
|
Event Category - File Events |
||
|---|---|---|
|
Event Type - Write File |
||
|
Event Name |
Score |
Description |
|
Add Scheduled Task |
6 |
File path matches %systemroot%System32Tasks* OR %systemroot%Tasks* |
|
Write Fake System File |
6 |
File path matches *svch0st.exe OR *svhost.exe |
|
Write to System Directory |
5 |
File path matches %systemroot%* |
|
Add Startup File or Folder |
5 |
File path matches any of the following: %appdata%MicrosoftWindowsStart MenuProgramsStartup* %programdata%MicrosoftWindowsStart MenuProgramsStartup* %systemroot%systemiosubsys* %systemroot%systemvmm32* %systemroot%Tasks* OR File path equals any of the following: %systemdrive%autoexec.bat %systemdrive%config.sys %systemroot%wininit.ini %systemroot%winstart.bat %systemroot%win.ini %systemroot%system.ini %systemroot%dosstart.bat |
|
Modify Host File |
4 |
File path is equal to %systemroot%system32driversetchosts |
|
Write to Executable |
4 |
File type is equal to PORTABLE_EXECUTABLE AND Process path doesn't match *explorer.exe |
|
Write to Infectible File |
4 |
Process path doesn't match *iexplorer.exe AND File path matches any of the following: *.lnk *.wsf *.hta *.mhtml *.html *.doc *.docm *.xls *.xlsm *.ppt *.pptm *.chm *.vbs *.js *.bat *.pif *.jar *.sys |
|
Modify Group Policy Settings |
1 |
File path matches %systemroot%system32grouppolicy* OR %systemroot%Sysvolsysvol*Policies* |
|
Write to Program Files Directory |
1 |
File path matches %programfiles%* |
|
Event Category - Upload Events |
||
|---|---|---|
|
Event Type - File Copy to Shared Folder |
||
|
Event Name |
Score |
Description |
|
Write Executable to Shared Folder |
5 |
File type is equal to PORTABLE_EXECUTABLE |
|
Write Infectible to Shared Folder |
5 |
File path matches any of the following: *.lnk *.wsf *.hta *.mhtml *.html *.doc *.docm *.xls *.xlsm *.ppt *.pptm *.chm *.vbs *.js *.bat *.pif *.jar *.sys |
No default rules for this event category.
No default rules for this event category.
