Managing Blocker Rules
Learn how to effectively manage and navigate Blocker, ensuring smooth operation with improved security.
AutoElevate's Blocker feature gives you the ability to block 200+ native Windows applications, binaries, and .dll files that are typically used as Living off the Land (LOTL) attack vectors. Fileless malware, malware-free, or Living Off The Land refer to cyberattack techniques where the cybercriminal uses native, legitimate tools within the victim’s system to sustain and advance an attack.
How does AutoElevate choose which processes are included in our block list?
We rely primarily on sources like Microsoft, community projects (such as the LOLBAS project), and our own research to keep the product up to date.
Blocker is narrowly focused on “malware-free” aka “Living off the Land” attacks. These tend to exploit known applications and tools that have been in Windows for a very long time - a subset of which have been deprecated and only remain there for backwards compatibility.
This feature is designed and supported for 64-bit Windows workstations, including versions 10 and 11. Your agents must be on v2.8+ for this feature to be available.
Quick Start
- From the Computers screen select the computer(s) you are wanting to enable by clicking the square next to the listed computer name.
- Click on the Actions menu at the top of the screen, and then Set to Audit under the Blocker Mode section.
- Once enabled, we recommend keeping it in Audit mode for approximately 1 month or more to allow the agent to collect and analyze data and provide recommended rules.
- Real-time recommended block rules can be found under the Blocker Recommendations screen of the portal. You have the option to VIEW APPLICATIONS for more information and ADD BLOCK RULES to automatically add the recommended rules.
- Once sufficient time has passed and the desired block rules have been created, return to the Computers screen, select the computer(s), click on the Actions menu, and then Set to Live under the Blocker Mode section.
Enable with Script Deployment
Blocker can be enabled to a specific mode at script deployment by modifying the argument below. We recommend setting to Audit mode for immediate data collection and analysis.
BLOCKER_MODE="audit" (optional) – This can be set to live, audit, or disabled so that the Agent installer can override the current mode or be set to install in the mode of your choice automatically. Disabled mode is the default if this argument is not specified. If the script is performing an upgrade on an agent already installed, not specifying this argument will maintain the agent mode that is currently set.
These mode options are case-sensitive and should be in lowercase; otherwise, this command part will fail, and the agent will default to disabled mode.
Blocker Modes Defined
- Disabled - The Agent's filter driver is not installed, or is uninstalled if it was previously installed. As a result, no Windows process is monitored in this state and no existing Blocker Rule is applied. Since Blocker is disabled, there is no change in the user experience.
- Audit - The Agent's filter driver is installed. Windows processes for binaries used in LOTL attacks are monitored, and their usage is analyzed to generate Blocker Recommendations. The AE Agent does not apply any defined Blocker Rules and, therefore, there is no change in the user experience.
- Live - The Agent's filter driver is installed. Windows processes for binaries used in LOTL attacks are monitored, and their usage is analyzed to generate Blocker Recommendations. The AE Agent blocks or allows Windows processes based on any defined Blocker Rules.
Creating Block Rules Manually
- Select the "+" icon from the Blocker Rules screen at the top of the page.
- Select the check box next to the Process Name for which you want to add a rule. For more information, you can click on the source link next to the Process Name that contains the recommendation on why you should block that process.
- From the Actions menu at the top, select Add Rule, choose Level, Location, and Computer as necessary, and then OK to confirm.
Creating Allow Rules
- From the Blocker Events screen, please select the event you want to convert into an allow rule by checking the box next to its name.
- Click on the Actions menu at the top of the screen and select Convert To Rule.
Using Process and Parent Process Identification Criteria Combinations
Allow rules can be set up to match as many combinations of the File and/or Publisher Certificate identification criteria as you desire by selecting the checkboxes next to the elements from the Event that you would like the Rule to match. If a match is found when an event takes place, the AutoElevate Agent then carries out the defined action of Allowed. For the Rule to be applied to an event, it must match ALL of the selected identification criteria.
Process Identification Criteria
Process Identification Criteria can be selected in any combination of 4 options: File Name, File Path, Parent File Name, MD5/SHA256 Hashes. The default values of these criteria are set to what was read from the actual file from the local computer where the original Event happened. Wildcard characters can specify dynamic elements (* ? [a-z]).
- File Name: The file name extracted from the path.
- File Path: The full path of the file's location on the local machine, including the file's name. The agent will expand any Windows environment variables when processing the File Path. See the documentation on Windows environment variables for more information.
  - Currently, the agent cannot process env vars that include local user information (e.g., %LOCALAPPDATA%). This will be adjusted in a future update.
- Parent File Name: The parent file name extracted from the path.
- MD5/SHA256 Hashes: The MD5/SHA256 hashes of the parent file.
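To make the matching semantics above concrete (wildcards, environment-variable expansion with the %LOCALAPPDATA% caveat, and the requirement that ALL selected criteria match), here is an added illustrative matcher in Python. It is example code, not the AutoElevate agent's engine; the environment table, the Event/AllowRule fields, and the choice to treat an unexpandable path as a non-match are assumptions.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
# Constructed stand-in for a workstation's machine-wide environment (assumption: the
# agent expands these; user-scoped variables such as %LOCALAPPDATA% are not supported).
MACHINE_ENV = {"SYSTEMROOT": r"C:\Windows", "PROGRAMFILES": r"C:\Program Files"}
USER_SCOPED = {"LOCALAPPDATA", "APPDATA", "USERPROFILE", "TEMP", "TMP"}
def expand_rule_path(path: str) -> Optional[str]:
    """Replace each %VAR% with its machine-wide value; None if any token is unsupported."""
    unsupported = []
    def sub(m):
        name = m.group(1).upper()
        if name in USER_SCOPED or name not in MACHINE_ENV:
            unsupported.append(name)
            return m.group(0)
        return MACHINE_ENV[name]
    expanded = re.sub(r"%([^%]+)%", sub, path)
    return None if unsupported else expanded

@dataclass
class Event:      # values the agent read from the file that triggered the event
    file_name: str
    file_path: str
    parent_file_name: str
    sha256: str
@dataclass
class AllowRule:  # None means the operator did not tick that criterion
    file_name: Optional[str] = None
    file_path: Optional[str] = None
    parent_file_name: Optional[str] = None
    sha256: Optional[str] = None

def _glob(pattern: str, value: str) -> bool:
    # Windows names are case-insensitive; fnmatchcase handles * ? and [a-z] classes
    return fnmatchcase(value.lower(), pattern.lower())
def rule_matches(rule: AllowRule, event: Event) -> bool:
    """True only if EVERY selected criterion matches (an empty rule matches nothing)."""
    checks = []
    if rule.file_name is not None:
        checks.append(_glob(rule.file_name, event.file_name))
    if rule.file_path is not None:
        expanded = expand_rule_path(rule.file_path)  # assumption: unexpandable -> no match
        checks.append(expanded is not None and _glob(expanded, event.file_path))
    if rule.parent_file_name is not None:
        checks.append(_glob(rule.parent_file_name, event.parent_file_name))
    if rule.sha256 is not None:
        checks.append(rule.sha256.lower() == event.sha256.lower())
    return bool(checks) and all(checks)
```

A rule whose File Path uses a user-scoped variable therefore never matches here, which mirrors the caveat above: until the agent supports such variables, match on File Name, Parent File Name or hashes instead.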
Publisher Identification Criteria
Publisher Identification Criteria can be set to 1 of 2 options: Subject Elements or Certificate Hash.
- Subject Elements: These are the different parts of the Subject distinguished name found in the publisher certificate. Any combination of elements can be selected. However, it's good to note that each software publisher can use many certificates. Targeting fewer subject elements will allow for a wider range of software matching the identification criteria selected.
- Certificate Hash: This is the thumbprint of the certificate used to sign the file. It is very specific to that certificate only. Typically, publisher certificates expire after a year or two. This means publishers need to get new certificates with new thumbprints frequently. Targeting the certificate hash may mean that you will need to create new Rules to account for these new certificates when they are issued.
Where do we get the Publisher Identification Info?
You will see an expandable section of information about the publisher certificate along with the publisher options. This data is generated from the file examined on the local machine that the Event originated from.
Whether the file is marked as Verified depends on whether the certificate chain was verified on the local machine: a certificate is Verified when the certificate and/or its issuer is present in the local certificate authority (CA) store on that machine and the Signing Time falls between the Valid From and Valid To time stamps.
The defined rules are encrypted and stored in a secure registry area at each check-in and will continue to work with or without connectivity to the Internet and/or our services.
Note
- A rule set at the lowest level, i.e. Computers, will take precedence over the rest, where there’s a hierarchy.
- An elevation approval will have an allowed exception to a blocked rule through the parent file. Running a blocked process directly will continue to be blocked even with an elevation approval.
- Blocker is temporarily disabled while Technician Mode is in use.
- Rules can be modified from the pencil icon or deleted from the trashcan icon.
- Rules can also be moved or copied to another level as well as deleted from the Actions menu.
- The Blocker Events screen will only record events triggered by a rule. All blocked events will be logged, while only one allowed event per rule will be recorded per day. To see all events on the local machine, you will need to enable Event Logging.
Security Note
Publisher certificate verification has been built into agent v2.4+ to ensure the safety and security of making rules based on publisher certificate criteria.
The AutoElevate rules engine does this verification, like most security tools do, using information from the local certificate authority store (CA) on each machine. Microsoft updates the local certificate authority stores. Security and mitigation of threats to the local certificate store on each machine strongly depend upon users only having standard user privileges.