File Attack Whitelisting

Introduction

To simulate file-based malware attacks with Microsoft Defender, you need to configure Active Directory (AD) Group Policy Object (GPO) settings to exclude specific files from being scanned. This guide provides step-by-step instructions for whitelisting files by path using GPOs.

Important Considerations

Whitelisting Lucy IP:

• Ensure that Lucy's IP is whitelisted at the mail gateway level to guarantee email delivery.

• Refer to the following links for detailed instructions:

Additional Security Measures:

• This guide covers GPO settings for AD. If your organization uses additional antivirus software or firewall protection, equivalent whitelisting must be configured accordingly.

Macro-Related Attacks:

• For macro-related attacks, users will still need to enable editing and macros in Office documents. Design the attack scenario to prompt users to perform these actions.

Scenario Example

Scenario:

• Successful Attack = Data Submit / File Data Received

• Attack Vector: Mixed Attack (Harvest credentials via user login on a web-hosted page + download and execute payload).

Idea:

• The user receives an email from the CEO with a link to a list of top clients.

• The user logs in to a landing page, completing phase 1 (credential harvesting).

• The user downloads an Excel file, which is excluded from virus scanning.

• Upon opening the file and enabling editing and macros, the script runs, completing phase 2 (data submission).

Below is the process for adding a file to the exclusion list at the machine level:

1. Open Windows Security:

   • Go to Start -> Settings -> Update & Security -> Windows Security -> Virus & Threat Protection.

Add Exclusion:

• Under Virus & Threat Protection settings, select Manage Settings.

• Scroll down to Exclusions and select Add or Remove Exclusions.

• Click Add an Exclusion and choose File.

• Select the file to be excluded.

This workflow demonstrates the process at an individual level, but for organizational-scale implementation, the Network Administrator will perform these steps via AD GPO.

Excluding a File Path in Active Directory via GPO:

Open Group Policy Management:

• Navigate to Tools -> Group Policy Management.

Create or Edit a GPO:

• Select the domain associated with the end users.

• Right-click on the policy and select Edit.

Navigate to Windows Defender Settings:

• Go to Policies > Administrative Templates.

• Click on Windows Components.

• Scroll down to Microsoft Defender Antivirus.

• Click on Exclusions.

Define Path Exclusion:

• Select Path Exclusions.

• Click Enable and then Show.

• Enter the file path, e.g., C:\Users\local.user\Downloads\List of Top clients V2.xls.

• Set the value to 0.

• Click OK and Apply.

Enforce the Policy:

• Right-click on the policy in Group Policy Management and select Enforce.

• Run gpupdate /force to update the policy for all users.

Enabling Editing and Content in Excel:

Enable Editing:

• When the file is opened, click Enable Editing.

Enable Content:

• Click Enable Content to allow macros to run.

By following these steps, you can ensure that Defender does not block the file download and execution, allowing the simulation to proceed as intended.

References