npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- Hardening a Windows Active Directory environment against ransomware execution and propagation
- Implementing defense-in-depth by blocking ransomware execution paths via Group Policy
- Configuring AppLocker or WDAC rules to prevent unauthorized executables from running in user-writable directories
- Enabling Controlled Folder Access to protect critical directories from unauthorized file modifications
- Restricting lateral movement vectors (RDP, SMB, WMI) that ransomware uses to spread across the domain
Do not use as a standalone ransomware defense. GPO settings complement but do not replace endpoint detection, backups, network segmentation, and user awareness training.
Prerequisites
- Windows Server 2016+ Active Directory environment with Group Policy Management Console (GPMC)
- Domain Admin or Group Policy Creator Owners privileges
- Windows 10/11 Enterprise or Education (required for AppLocker and WDAC)
- Microsoft Defender Antivirus enabled (required for Controlled Folder Access and ASR rules)
- Python 3.8+ for audit script that validates GPO compliance
- Test OU for validating GPO settings before domain-wide deployment
Workflow
Step 1: Block Ransomware Execution Paths with AppLocker
Configure AppLocker to prevent executables from running in common ransomware staging locations:
AppLocker GPO Path:
Computer Configuration → Policies → Windows Settings →
Security Settings → Application Control Policies → AppLocker
Key Rules:
━━━━━━━━━
1. DENY executable rules for user-writable paths:
- %USERPROFILE%\AppData\Local\Temp\* (email attachment extraction)
- %USERPROFILE%\AppData\Roaming\* (CryptoLocker staging)
- %USERPROFILE%\Downloads\* (web downloads)
- %TEMP%\* (temporary extraction)
- %USERPROFILE%\Desktop\* (social engineering drops)
2. ALLOW default rules:
- C:\Windows\* (signed by Microsoft)
- C:\Program Files\* and C:\Program Files (x86)\*
- Administrator group: all paths
3. Enable Application Identity service:
Computer Configuration → Policies → Windows Settings →
Security Settings → System Services →
Application Identity → AutomaticStep 2: Enable Controlled Folder Access
Protect critical directories from unauthorized modification:
Controlled Folder Access GPO Path:
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Controlled Folder Access
Settings:
━━━━━━━━━
1. Configure Controlled folder access: Enabled → Block mode
2. Configure protected folders: Add custom paths
- \\fileserver\shares\finance
- \\fileserver\shares\hr
- C:\Users\*\Documents
- C:\Users\*\Desktop
3. Configure allowed applications: Whitelist trusted apps
- C:\Program Files\Microsoft Office\*
- C:\Program Files\Adobe\*
- Line-of-business applications
Default protected folders (automatic):
Documents, Pictures, Videos, Music, Desktop, FavoritesStep 3: Configure Attack Surface Reduction (ASR) Rules
Enable ASR rules that target ransomware delivery mechanisms:
ASR Rules GPO Path:
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Attack Surface Reduction
Critical ASR Rules for Ransomware Prevention:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
GUID Rule
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block executable content from email
D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office apps from creating child processes
3B576869-A4EC-4529-8536-B80A7769E899 Block Office apps from creating executable content
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block Office apps from injecting into processes
D3E037E1-3EB8-44C8-A917-57927947596D Block JavaScript/VBScript from launching downloads
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block execution of obfuscated scripts
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Win32 API calls from Office macros
01443614-CD74-433A-B99E-2ECDC07BFC25 Block executable files unless they meet prevalence criteria
Set each rule to: Block (1) or Audit (2) for initial testingStep 4: Restrict Lateral Movement Vectors
Lock down SMB, RDP, and WMI to limit ransomware propagation:
Network Restrictions:
━━━━━━━━━━━━━━━━━━━━
1. Disable SMBv1:
Computer Configuration → Administrative Templates →
Network → Lanman Workstation → Enable insecure guest logons: Disabled
Computer Configuration → Administrative Templates →
MS Security Guide → Configure SMBv1 server: Disabled
2. Restrict Remote Desktop:
Computer Configuration → Administrative Templates →
Windows Components → Remote Desktop Services →
Remote Desktop Session Host → Connections →
Allow users to connect remotely: Disabled (or restricted to specific groups)
3. Disable remote WMI:
Windows Firewall → Inbound Rules →
Block Windows Management Instrumentation (WMI) inbound
4. Disable AutoPlay/AutoRun:
Computer Configuration → Administrative Templates →
Windows Components → AutoPlay Policies →
Turn off AutoPlay: Enabled (All drives)
5. Disable PowerShell remoting for non-admin users:
Computer Configuration → Administrative Templates →
Windows Components → Windows PowerShell →
Turn on Script Execution: Allow only signed scriptsStep 5: Audit and Validate GPO Compliance
Verify that GPO settings are applied correctly across the domain:
# Check GPO application on endpoint
gpresult /r /scope:computer
# Verify AppLocker rules
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
# Check Controlled Folder Access status
Get-MpPreference | Select-Object EnableControlledFolderAccess
# List protected folders
Get-MpPreference | Select-Object -ExpandProperty ControlledFolderAccessProtectedFolders
# Check ASR rules
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_ActionsVerification
- Run
gpresult /ron test endpoints to confirm GPO application - Attempt to run an executable from
%AppData%\Tempto verify AppLocker blocks it - Modify a file in a protected folder from an unlisted application to confirm CFA blocks it
- Test ASR rules by opening a macro-enabled document and verifying child process blocking
- Validate that legitimate applications in the allowlist still function correctly
- Check Windows Event Log for AppLocker events (Event IDs 8003, 8004) and CFA events (1123, 1124)
Key Concepts
| Term | Definition |
|---|---|
| AppLocker | Windows application control feature that restricts which executables, scripts, and DLLs users can run based on publisher, path, or hash rules |
| Controlled Folder Access | Microsoft Defender feature that prevents untrusted applications from modifying files in protected directories |
| Attack Surface Reduction (ASR) | Set of rules in Microsoft Defender Exploit Guard that block specific attack behaviors like Office macro child processes |
| Software Restriction Policies (SRP) | Legacy Windows feature (deprecated in Win 11) for restricting executables; replaced by AppLocker and WDAC |
| WDAC | Windows Defender Application Control; the successor to AppLocker with stronger enforcement using code integrity policies |
Tools & Systems
- Group Policy Management Console (GPMC): Primary tool for creating and managing GPOs in Active Directory
- AppLocker: Built-in Windows application whitelisting and blacklisting engine
- Microsoft Defender Exploit Guard: Suite including CFA, ASR rules, and Network Protection
- GPResult: Command-line tool for verifying GPO application status on endpoints
- PowerShell Get-MpPreference: Cmdlet for querying Microsoft Defender configuration including ASR and CFA status
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md3.9 KB
API Reference: Anti-Ransomware Group Policy
AppLocker PowerShell Cmdlets
Get Effective Policy
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollectionsCreate AppLocker Rule
# Deny executables from AppData paths
New-AppLockerPolicy -RuleType Path -RuleNamePrefix "DenyAppData" `
-Path "%USERPROFILE%\AppData\*" -Action Deny -User EveryoneTest AppLocker Policy
Test-AppLockerPolicy -Path "C:\Users\test\AppData\Local\Temp\malware.exe" `
-XmlPolicy (Get-AppLockerPolicy -Effective -Xml)AppLocker Event Log IDs
| Event ID | Log | Description |
|---|---|---|
| 8003 | AppLocker/EXE | Allowed executable |
| 8004 | AppLocker/EXE | Blocked executable |
| 8005 | AppLocker/Script | Allowed script |
| 8006 | AppLocker/Script | Blocked script |
| 8007 | AppLocker/MSI | Allowed installer |
| 8008 | AppLocker/MSI | Blocked installer |
Controlled Folder Access (CFA)
Enable CFA
Set-MpPreference -EnableControlledFolderAccess EnabledCFA Modes
| Value | Mode | Description |
|---|---|---|
| 0 | Disabled | No protection |
| 1 | Enabled | Block unauthorized modifications |
| 2 | Audit | Log but do not block |
| 6 | BlockDiskModificationOnly | Block disk-level changes only |
Add Protected Folders
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Finance"Add Allowed Applications
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\App\app.exe"CFA Event IDs
| Event ID | Log | Description |
|---|---|---|
| 1123 | Defender/Operational | Blocked file modification |
| 1124 | Defender/Operational | Audited file modification |
Attack Surface Reduction (ASR) Rules
Enable ASR Rule
Add-MpPreference -AttackSurfaceReductionRules_Ids <GUID> `
-AttackSurfaceReductionRules_Actions EnabledASR Rule Actions
| Value | Action |
|---|---|
| 0 | Disabled |
| 1 | Block |
| 2 | Audit |
| 6 | Warn |
Key Anti-Ransomware ASR Rule GUIDs
| GUID | Rule |
|---|---|
| BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Block executable content from email |
| D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Block Office child processes |
| 3B576869-A4EC-4529-8536-B80A7769E899 | Block Office executable content creation |
| 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Block Office code injection |
| D3E037E1-3EB8-44C8-A917-57927947596D | Block JS/VBS downloaded executables |
| 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Block obfuscated scripts |
| 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Block Win32 API from Office macros |
ASR Event IDs
| Event ID | Log | Description |
|---|---|---|
| 1121 | Defender/Operational | ASR rule fired in block mode |
| 1122 | Defender/Operational | ASR rule fired in audit mode |
GPO Paths Reference
AppLocker
Computer Configuration → Policies → Windows Settings →
Security Settings → Application Control Policies → AppLockerControlled Folder Access
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Controlled Folder AccessAttack Surface Reduction
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Attack Surface ReductionNetwork Restrictions
Computer Configuration → Administrative Templates →
Network → Lanman Workstation (SMB settings)
Windows Components → Remote Desktop Services (RDP settings)
Windows Components → AutoPlay Policies (AutoPlay/AutoRun)GPResult Verification
# Check applied GPOs
gpresult /r /scope:computer
# Generate HTML report
gpresult /h gpo_report.html
# Check specific policy RSoP
gpresult /z /scope:computerScripts 1
agent.py12.0 KB
#!/usr/bin/env python3
"""Anti-ransomware Group Policy audit and configuration agent.
Audits Windows endpoints for GPO-based ransomware defenses including AppLocker
rules, Controlled Folder Access, Attack Surface Reduction rules, and network
restriction settings. Generates compliance reports against recommended baselines.
"""
import json
import os
import subprocess
import sys
from datetime import datetime
APPLOCKER_DENY_PATHS = [
"%USERPROFILE%\\AppData\\Local\\Temp\\*",
"%USERPROFILE%\\AppData\\Roaming\\*",
"%USERPROFILE%\\Downloads\\*",
"%TEMP%\\*",
"%USERPROFILE%\\Desktop\\*",
]
ASR_RULES = {
"BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550": {
"name": "Block executable content from email client and webmail",
"recommended": "Block",
"category": "Email protection",
},
"D4F940AB-401B-4EFC-AADC-AD5F3C50688A": {
"name": "Block all Office applications from creating child processes",
"recommended": "Block",
"category": "Office protection",
},
"3B576869-A4EC-4529-8536-B80A7769E899": {
"name": "Block Office applications from creating executable content",
"recommended": "Block",
"category": "Office protection",
},
"75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84": {
"name": "Block Office applications from injecting code into other processes",
"recommended": "Block",
"category": "Office protection",
},
"D3E037E1-3EB8-44C8-A917-57927947596D": {
"name": "Block JavaScript or VBScript from launching downloaded executable content",
"recommended": "Block",
"category": "Script protection",
},
"5BEB7EFE-FD9A-4556-801D-275E5FFC04CC": {
"name": "Block execution of potentially obfuscated scripts",
"recommended": "Block",
"category": "Script protection",
},
"92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B": {
"name": "Block Win32 API calls from Office macros",
"recommended": "Block",
"category": "Macro protection",
},
"01443614-CD74-433A-B99E-2ECDC07BFC25": {
"name": "Block executable files from running unless they meet a prevalence, age, or trusted list criterion",
"recommended": "Block",
"category": "Execution protection",
},
}
CFA_RECOMMENDED_FOLDERS = [
"Documents", "Desktop", "Pictures", "Videos", "Music", "Favorites",
]
GPO_CHECKS = {
"applocker_enabled": {
"description": "AppLocker Application Control is enabled",
"check_command": ["powershell", "-Command",
"Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue | "
"ConvertTo-Json -Depth 3"],
"priority": "Critical",
},
"cfa_enabled": {
"description": "Controlled Folder Access is enabled",
"check_command": ["powershell", "-Command",
"(Get-MpPreference).EnableControlledFolderAccess"],
"priority": "Critical",
},
"asr_rules": {
"description": "Attack Surface Reduction rules are configured",
"check_command": ["powershell", "-Command",
"(Get-MpPreference).AttackSurfaceReductionRules_Ids"],
"priority": "High",
},
"asr_actions": {
"description": "ASR rule actions (0=Disabled,1=Block,2=Audit,6=Warn)",
"check_command": ["powershell", "-Command",
"(Get-MpPreference).AttackSurfaceReductionRules_Actions"],
"priority": "High",
},
"smbv1_disabled": {
"description": "SMBv1 protocol is disabled",
"check_command": ["powershell", "-Command",
"(Get-SmbServerConfiguration).EnableSMB1Protocol"],
"priority": "Critical",
},
"autoplay_disabled": {
"description": "AutoPlay is disabled",
"check_command": ["powershell", "-Command",
"Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows"
"\\CurrentVersion\\Policies\\Explorer' -Name NoDriveTypeAutoRun "
"-ErrorAction SilentlyContinue | Select-Object -ExpandProperty NoDriveTypeAutoRun"],
"priority": "Medium",
},
}
def run_check(check_name, check_info):
"""Run a single GPO compliance check."""
result = {
"check": check_name,
"description": check_info["description"],
"priority": check_info["priority"],
"status": "unknown",
"output": "",
}
try:
proc = subprocess.run(
check_info["check_command"],
capture_output=True, text=True, timeout=30,
)
output = proc.stdout.strip()
result["output"] = output
result["return_code"] = proc.returncode
if proc.returncode != 0:
result["status"] = "error"
result["error"] = proc.stderr.strip()
elif output:
result["status"] = "data_retrieved"
else:
result["status"] = "empty_response"
except FileNotFoundError:
result["status"] = "not_available"
result["error"] = "PowerShell not found or command not available"
except subprocess.TimeoutExpired:
result["status"] = "timeout"
result["error"] = "Check timed out after 30 seconds"
return result
def assess_asr_compliance(asr_ids_output, asr_actions_output):
"""Assess ASR rule compliance against recommended baseline."""
active_ids = [line.strip() for line in asr_ids_output.split("\n") if line.strip()]
active_actions = [line.strip() for line in asr_actions_output.split("\n") if line.strip()]
assessment = {"total_recommended": len(ASR_RULES), "enabled": 0,
"blocking": 0, "audit_only": 0, "missing": [], "details": []}
id_action_map = {}
for i, rule_id in enumerate(active_ids):
action = active_actions[i] if i < len(active_actions) else "0"
id_action_map[rule_id.upper()] = action
for rule_id, rule_info in ASR_RULES.items():
action = id_action_map.get(rule_id.upper(), None)
if action is None:
assessment["missing"].append({"id": rule_id, "name": rule_info["name"]})
status = "NOT CONFIGURED"
elif action == "1":
assessment["enabled"] += 1
assessment["blocking"] += 1
status = "BLOCK"
elif action == "2":
assessment["enabled"] += 1
assessment["audit_only"] += 1
status = "AUDIT"
elif action == "6":
assessment["enabled"] += 1
status = "WARN"
else:
status = "DISABLED"
assessment["details"].append({
"id": rule_id,
"name": rule_info["name"],
"category": rule_info["category"],
"status": status,
"recommended": rule_info["recommended"],
})
assessment["compliance_pct"] = round(
(assessment["blocking"] / assessment["total_recommended"]) * 100, 1
)
return assessment
def generate_gpo_report():
"""Generate a full GPO anti-ransomware compliance report."""
report = {
"title": "Anti-Ransomware Group Policy Compliance Report",
"generated": datetime.now().isoformat(),
"hostname": os.environ.get("COMPUTERNAME", "unknown"),
"checks": {},
"overall_score": 0,
}
print("[*] Running GPO compliance checks...")
for check_name, check_info in GPO_CHECKS.items():
print(f" Checking: {check_info['description']}...")
result = run_check(check_name, check_info)
report["checks"][check_name] = result
# ASR compliance assessment
asr_ids = report["checks"].get("asr_rules", {}).get("output", "")
asr_actions = report["checks"].get("asr_actions", {}).get("output", "")
if asr_ids:
report["asr_assessment"] = assess_asr_compliance(asr_ids, asr_actions)
# Calculate overall score
score = 0
total = len(GPO_CHECKS)
for check_name, result in report["checks"].items():
if result["status"] == "data_retrieved" and result.get("output"):
score += 1
report["overall_score"] = round((score / total) * 100, 1)
return report
def generate_remediation_script(report):
"""Generate PowerShell remediation commands for failed checks."""
lines = [
"# Anti-Ransomware GPO Remediation Script",
"# Generated: " + datetime.now().isoformat(),
"# Run as Administrator in elevated PowerShell",
"",
]
cfa = report.get("checks", {}).get("cfa_enabled", {})
if cfa.get("output", "").strip() != "1":
lines.append("# Enable Controlled Folder Access")
lines.append("Set-MpPreference -EnableControlledFolderAccess Enabled")
lines.append("")
smbv1 = report.get("checks", {}).get("smbv1_disabled", {})
if smbv1.get("output", "").strip().lower() == "true":
lines.append("# Disable SMBv1")
lines.append("Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force")
lines.append("")
asr = report.get("asr_assessment", {})
for rule in asr.get("details", []):
if rule["status"] in ("NOT CONFIGURED", "DISABLED", "AUDIT"):
lines.append(f"# Enable ASR rule: {rule['name']}")
lines.append(f"Add-MpPreference -AttackSurfaceReductionRules_Ids {rule['id']} "
f"-AttackSurfaceReductionRules_Actions Enabled")
lines.append("")
lines.append("# Disable AutoPlay")
lines.append('Set-ItemProperty -Path "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'
'\\Policies\\Explorer" -Name NoDriveTypeAutoRun -Value 255')
return "\n".join(lines)
if __name__ == "__main__":
print("=" * 60)
print("Anti-Ransomware Group Policy Audit Agent")
print("AppLocker, CFA, ASR rules, network restrictions")
print("=" * 60)
if len(sys.argv) < 2:
print("\nUsage:")
print(" python agent.py audit Run full GPO compliance audit")
print(" python agent.py asr Check ASR rule status only")
print(" python agent.py remediate Generate remediation script")
print(" python agent.py baseline Show recommended baseline")
sys.exit(0)
command = sys.argv[1]
if command == "audit":
report = generate_gpo_report()
print(f"\n--- GPO Compliance Report ---")
print(f" Hostname: {report['hostname']}")
print(f" Overall Score: {report['overall_score']}%")
for name, result in report["checks"].items():
status = result["status"]
icon = "[+]" if status == "data_retrieved" else "[!]"
print(f" {icon} {result['description']}: {status}")
output_file = "gpo_audit_report.json"
with open(output_file, "w") as f:
json.dump(report, f, indent=2)
print(f"\n[+] Full report saved to: {output_file}")
elif command == "asr":
print("\n--- Recommended ASR Rules for Ransomware Prevention ---")
for rule_id, rule in ASR_RULES.items():
print(f" [{rule['category']:20s}] {rule['name']}")
print(f" GUID: {rule_id}")
print(f" Recommended: {rule['recommended']}")
elif command == "remediate":
report = generate_gpo_report()
script = generate_remediation_script(report)
output_file = "remediate_ransomware_gpo.ps1"
with open(output_file, "w") as f:
f.write(script)
print(f"\n[+] Remediation script saved to: {output_file}")
print(f"\n{script}")
elif command == "baseline":
print("\n--- Recommended Anti-Ransomware GPO Baseline ---")
print("\nAppLocker Deny Paths:")
for path in APPLOCKER_DENY_PATHS:
print(f" DENY: {path}")
print(f"\nASR Rules ({len(ASR_RULES)} recommended):")
for rule_id, rule in ASR_RULES.items():
print(f" {rule_id}: {rule['name']}")
print(f"\nControlled Folder Access Protected Folders:")
for folder in CFA_RECOMMENDED_FOLDERS:
print(f" {folder}")
else:
print(f"[!] Unknown command: {command}")