Carbon Black App Control is shipped with a series of disabled sample registry rules. You can examine the rules to see whether you might want to enable them, or to consider using them as templates that you modify to accomplish exactly what you want for your own registry protection.
Example: Report Changes to Internet Explorer Trusted Zone
The example here starts with fields from the sample rule “[Sample] Report Changes to Trusted Zones,” which is included in the console but disabled by default. This rule reports changes to the sites or IP addresses in the Internet Explorer Trusted Zone on machines running the Carbon Black App Control Agent. Because you may give higher privileges to sites in the trusted zone, any changes to that zone could be a security risk.
To begin the process, go to the Registry tab and then click the View Details button next to the [Sample] Report Changes to Trusted Zones rule.
As the description says, this rule generates an Carbon Black App Control event whenever a registry change is made that will change the sites or IP addresses in the Internet Explorer Trusted Zone. The fields are:
- Write Action: Report – This indicates that the rule only reports changes matching the rule – it does not block an action or allow an action that would otherwise be blocked. If you wanted to create a more restrictive rule, you could change this to Prompt, in which case each user on a computer running the Carbon Black App Control Agent would have the opportunity to block or allow Registry changes matching the rule. Or you could Block any changes matching the rule.
-
Registry Path:
*\software\microsoft\windows\currentversion\internet settings\zonemap\domains\*
*\software\microsoft\windows\currentversion\internet settings\zonemap\ranges\*
This rule includes two paths. Because the paths starts with *\, any attempt to write to them, whether it starts with HKCU, HKLM, or another allowed prefix, will match the rule. Because the paths end with a slash and asterisk, keys and values at and below domains and ranges (respectively) will match the rule.
- Process: Any Process – Any process attempting registry writes that match the other fields activates the rule.
- User or Group: Any User – Any user attempting registry writes that match the other fields activates the rule.
- Rule applies to: All policies – All policies, and therefore all Windows computers running the Carbon Black App Control Agent, are subject to this rule.
If you enable this rule, registry write attempts matching the rule appear on the Events page. You can search for them by clicking the Show Filters button on the Events page and creating a filter for “Subtype is Report write (registry rule)”. When you find an event report matching this rule, you might respond in one of several different ways:
- If the change is undesirable, undo the change (outside of Carbon Black App Control) and create a new rule preventing that change from happening again (rather than just reporting it). Use wildcards or multiple paths to make the rule as narrow or broad as necessary.
- Allow the change if you consider it benign or desirable.
- Use the file information on the Carbon Black App Control Server to obtain information about the process that has attempted the modification.
Autostart Rules
The table of Registry Rules for this release includes an Autostart Rules rule that is actually a collection of rules. It is disabled by default. When activated, this rule set reports and optionally blocks attempts to modify registry locations that control what happens when you startup a computer.
For example, one of the many paths covered by the Autostart Rules is HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
If you want to test the impact of this set of rules before making it active, you can select Report from the Write Action drop-down menu for the rule. Then, after some time has elapsed, you can go to the Events page and filter for Rule name contains Autostart to see what events have been triggered by this rule set. If you determine that activating the rule will not interfere with your operations, you can change the Write Action value to Block (or Prompt).
On the Edit Registry Rule page for Autostart Rules, the Registry Path is shown as <AutostartRules>. This macro refers to the current list of locations controlled by this rule. The list is maintained within the Carbon Black App Control Server and not enumerated in the rule definition. It is expected to be updated and expanded with future releases. If you need more detail about specific locations affected by this rule in your version, please contact Carbon Black Support.