Course Book - Expert Rules

43
• A Rule defines a scenario under which an action will be denied.

· Initiator elements define the actor performing the action to be denied.

· Target elements define the intended recipient of the action to be denied.

· Match elements exist within both Initiator and Target elements.

· Match elements define what type of object the Initiator and the Target are.

· Match Type (Include/Exclude) elements exist within Match elements.

· Match Type (Include/Exclude) elements define specific attributes of the object that the Match element is for.
· Objects that do not match any of the Match Type elements will not be subject to the Match.

• Plainspeak:
· The Initiator, together with its Match and Match Type elements, answers 'who would perform the action to be denied?'
· The Target, together with its Match and Match Type elements, answers 'to what would the action have been applied?'
· Case-sensitivity matters in some fields and not in others, so these examples should be followed as written.
· Consult the Expert Rules Product Guide to determine which fields are case-sensitive.

44
• Initiator:
· Match PROCESS Controls access to a process handle.
· Match THREAD Controls access to a thread handle.

• Target:
· Match FILE Controls access to a file.
· Match KEY Controls access to both registry keys and value data.
· Match PROCESS Controls access to a process handle.*
· Match SECTION Controls access to section object creation.
· Match THREAD Controls access to a thread handle.
· Match VALUE Controls access to data in a registry value.

* In ENS 10.5.3 if the Target element access to be denied is Create, then SECTION
must be used, not PROCESS.

• Plainspeak:
· Match value PROCESS or THREAD can be used in either or both of the Initiator and Target
elements.
· Other Match values can only be used in Target elements.

45
• Plainspeak:
· Do not confuse Match (defined previously) and Match Type values. Match values are colored
DARK BLUE, Match Type values are colored GOLD.
· There are too many Match Type values (48+) to define here. They are defined in the Expert
Rules Product Guide.
· Match Type values are the criteria used for either Include or Exclude commands.
· Some Match Type values apply only to certain Match values.

46
• These are Match Type elements with their supported shorthand/shortcuts.

• Plainspeak:
· These shortcuts are used frequently in published Expert Rules examples.
· Ambiguity is the enemy because computers are unambiguous.
· Professional Services recommends using full syntax at all times.

47
• The Initiator element can be omitted entirely from the Rule syntax; omission causes the Rule to use this default Initiator element:

Initiator {
    Match PROCESS {
        Include OBJECT_NAME {-v "**"}
    }
}

· Omission is unfriendly to new Expert Rule users.
· Omission of the Initiator element causes AAC to evaluate the Rule for every process.
· Collectively, many Rules omitting the Initiator element could become 'expensive' in terms of performance.
· Omit the Initiator only when all processes should be subject to the Rule.
· Explicit use of Include OBJECT_NAME {-v "**"} within the Initiator element is functionally equivalent to omission and should likewise be used only when all processes should be subject to the Rule.

• Plainspeak:
· Ambiguity is the enemy because computers are unambiguous.
· Professional Services recommends using full syntax at all times.

48
• When the Initiator element's Match element is Match PROCESS, the full-syntax Initiator element below can be abbreviated as shown above:

Initiator {
    Match PROCESS {
        Include OBJECT_NAME {-v "cmd.exe"}
    }
}

· Abbreviation is unfriendly to new Expert Rule users.
· Abbreviation 'saves' only two lines of text.
· Abbreviation destroys the vertical alignment of the Initiator|Match|Include and Target|Match|Include elements.
· This is visually and logically unappealing.

• Plainspeak:
· Ambiguity is the enemy because computers are unambiguous.
· Professional Services recommends using full syntax at all times.

49
<Simulated Blank Line 1>: NOT OK: The Rule { statement must be the first line.
#Comment Line 2: NOT OK: The Rule { statement must be the first line.
#Comment Line 3: NOT OK: The open brace does not permit a comment after it.
;#Comment Line 4: OK: The close brace permits a comment when it is introduced by the TCL new-command indicator: ;
#Comment Line 5: OK: A comment can be its own line.
<Simulated Blank Line 6>: OK: A blank line is permitted.
;#Comment Line 7: NOT OK: A separate -v element line permits a trailing comment only without the TCL new-command indicator: ;
#Comment Line 8: OK: A separate -v element line permits a trailing comment.

• The Rule line is the only permitted opening line.
· Opening blank lines may cause the Expert Rule to fail compilation.
· Opening comment lines may cause the Expert Rule to fail compilation.
· The ePO Policy Console may accept opening blank lines or opening comment lines.
· The ENS Console may not accept opening blank lines or opening comment lines.

• Any behavior differing from these instructions is a defect targeted for remedy in a later version of Expert Rules.

50
• The Include OBJECT_NAME element data does not require double-quotes unless the object name contains one or more spaces:
· Knowing when double-quotes are required is unfriendly to new Expert Rules users.
· Omitting double-quotes when they are not required may lead to omitting them when they are required.
· Omission of double-quotes 'saves' no lines.
· Omission of double-quotes destroys the vertical alignment of multiple Include elements.
· This is visually and logically unappealing.

• Plainspeak:
· Unfortunately, some Match Type elements that accept numerals do not use -v, -l, or double-quotes (e.g. VTP_TRUST).
· This is already confusing enough for new users without omitting quotes where they can be specified.
· Ambiguity is the enemy because computers are unambiguous.
· Professional Services recommends using full syntax at all times.

51
• Within a single Match element (regardless of whether the Match element is in the Initiator or
Target), the presence of two or more Include elements applying to identical object attributes (in
this example: OBJECT_NAME) implies a logical OR.

• Plainspeak:
· Both Match Type elements refer to the same attribute of the object, in this case
OBJECT_NAME.
· An object has only one name, so a logical OR is implied and the Rule would match any
Initiator named cmd.exe or my process.exe.

52
• Within a single Match element (regardless of whether the Match element is in the Initiator or
Target), the presence of two or more Include elements applying to different object attributes (in
this example: OBJECT_NAME and -access) implies a logical AND.

• Plainspeak:
· Each Include element refers to different attributes of the object, in this case OBJECT_NAME
and -access.
· A logical AND is implied and the Rule would match any Target with the name
C:\pathname\filename.txt when the action Create is attempted against it.

53
• Within a single Match element (regardless of whether the Match element is in the Initiator or
Target), the presence of two or more Include elements applying to the same object attribute implies a
logical OR while any Include elements applying to different attributes will imply a logical AND.

• Plainspeak:
· This Rule would match any Target named either c:\pathname\filename1.txt or
c:\pathname\filename2.txt when the action Create is attempted against it.

54
• The default AAC wildcard characters are:
· ? Indicates exactly one character (not zero characters, but one) except for the folder separator (backslash): \
· * Indicates any number of characters (including zero characters) except for the folder separator (backslash): \
· ** Indicates any number of characters (including zero characters), no matter what they are, the folder separator included.

• Effectively this means that:
· Only ** can stand for a path spanning multiple subfolders.
· ? and * can stand for characters within a single filename or folder name.

55
• The AAC escape character is the pipe:
· | The escape character indicates that the next character is 'escaped'.
· <the next character> The escaped character will be interpreted literally as part of the
data.

· The | character is legal within Microsoft Windows registry key names, registry value names,
and registry data.
· This necessitates escaping any registry key name, value name, or data string containing |
characters with ||.

• Plainspeak:
· The presence of an 'escape character' in any language indicates that the immediately
subsequent character, whatever it might be, should be interpreted as part of the data string rather
than as anything else the character might mean in the language syntax.

56
• The TCL escape character is the backslash:
· \ The escape character indicates that the next character is 'escaped'.
· <the next character> The escaped character will be interpreted literally as part of the
data.

· The \ character is the folder separator in Microsoft Windows file systems.


· This necessitates escaping any folder separator characters with \\.

• Plainspeak:
· The presence of an 'escape character' in any language indicates that the immediately
subsequent character, whatever it might be, should be interpreted as part of the data string rather
than as anything else the character might mean in the language syntax.

57
• In AAC syntax within 'aacinfo.exe query' output, note that these special characters are rendered as XML entities:
· " &quot;
· & &amp;
· ' &apos;
· < &lt;
· > &gt;

• Depending upon the version of ENS it may, or may not, be necessary to escape the underscore character: _
· It is recommended to escape this character so as not to encounter anomalies across different versions of ENS enforcing the same Rule.

• Plainspeak:
· A 'special character' is a character that, if not escaped in a data string, will be interpreted as a command or function belonging to the programming language.

· The backslash character in any Match Type data string must be TCL-escaped (\) before any other TCL special characters are escaped.
· These steps lead to corruption:
· Action: TCL-escape (\) any or all special characters other than the backslash.
· Result: A backslash is prepended to those special characters.
· Action: TCL-escape (\) the original backslashes.
· Result: Every backslash is prepended with a backslash, including the escape backslashes added in the previous step, which become doubly-escaped (\\) and corrupt the string.

· These steps are correct:
· Action: TCL-escape (\) the backslash.
· Result: A backslash is prepended to every backslash.
· Action: TCL-escape (\) all other TCL special characters.
· Result: A backslash is prepended to every other TCL special character; the backslashes themselves were already escaped in the previous step and are not touched again.
· Put another way: a single pass over the string that prefixes each special character (backslash included) with exactly one backslash is equivalent to the correct order and cannot double-escape anything.

· https://en.wikipedia.org/wiki/Escape_character
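The two escape layers from slides 55 to 57, as an added Python example that is not part of the course book or of ENS itself. The set of characters TCL substitutes inside a double-quoted word (backslash, double quote, dollar sign, square brackets) is my assumption; the function names and the sample strings are constructed for the example. The wrong-order and right-order helpers reproduce the two step sequences the slide describes so the corruption can be seen side by side with the single-pass result.

```python
# Added example, not from the course book or ENS. Assumed set of characters that
# TCL substitutes inside a double-quoted word; adjust to the Product Guide if needed.
TCL_SPECIALS = frozenset('\\"$[]')
# How 'aacinfo.exe query' renders the five characters listed on slide 57.
AACINFO_ENTITIES = {'"': "&quot;", "&": "&amp;", "'": "&apos;", "<": "&lt;", ">": "&gt;"}


def aac_escape(s: str) -> str:
    """AAC layer (slide 55): the pipe is the escape character, so a literal pipe
    in a registry key, value name or data string is written as ||."""
    return s.replace("|", "||")


def tcl_escape(s: str, escape_underscore: bool = False) -> str:
    """TCL layer (slide 56), done in one pass: each special character, the backslash
    included, gets exactly one backslash prefix. escape_underscore covers the ENS
    versions that the slide says also want '_' escaped."""
    out = []
    for c in s:
        if c in TCL_SPECIALS or (escape_underscore and c == "_"):
            out.append("\\")
        out.append(c)
    return "".join(out)


def rule_literal(s: str, escape_underscore: bool = False) -> str:
    """Raw Windows path or registry string -> text safe to place in a -v value.
    AAC escaping first; the pipe is not special to TCL, so the order is harmless."""
    return tcl_escape(aac_escape(s), escape_underscore)


def tcl_escape_wrong_order(s: str) -> str:
    """The corrupting sequence from slide 57: other specials first, backslashes
    second, which doubles the backslashes added by the first step."""
    step1 = "".join(("\\" + c) if (c in TCL_SPECIALS and c != "\\") else c for c in s)
    return step1.replace("\\", "\\\\")


def tcl_escape_right_order(s: str) -> str:
    """The correct two-step sequence: backslashes first, then the other specials."""
    step1 = s.replace("\\", "\\\\")
    return "".join(("\\" + c) if (c in TCL_SPECIALS and c != "\\") else c for c in step1)


def render_as_aacinfo(s: str) -> str:
    """Entity-encode a string the way it appears in 'aacinfo.exe query' output."""
    return "".join(AACINFO_ENTITIES.get(c, c) for c in s)


if __name__ == "__main__":
    sample = 'c:\\users\\public\\my "nerf" file.txt'   # constructed sample path
    print(tcl_escape(sample))
    print(tcl_escape_wrong_order(sample))           # note the \\" sequences
    print(rule_literal(r"HKLM\Software\Vendor|Product"))
```

The single-pass `tcl_escape` is what to use in practice; the two ordered variants exist only to make the slide's point observable. Run it once on a representative path and compare the output with what `aacinfo.exe query` shows for the compiled Rule before trusting a pattern.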

58
• Both AAC and TCL have Unicode support and therefore should not require any escaping of Unicode
characters, e.g.:
· ALT+00A9: ©
· ALT+00AE: ®
· ALT+2122: ™

• http://www.fileformat.info/info/unicode/index.htm

59
• The Include/Exclude command -v switch indicates that a single value will follow.

60
• The Include/Exclude command -v switch can accept multiple values.
· These values can be carriage-return-linefeed-separated or space-separated.
· If carriage-return-linefeed-separated, a separate -v switch is required per line.
· If space-separated, only the first value receives a -v switch.

• Plainspeak:
· Per earlier examples, each -v value is logically split into its own Include/Exclude element and a logical OR applies between them.
· There is little line 'saving' using the first example's syntax, though line 'saving' exists using the second example's syntax at the expense of screen width.
· The third example is how the first and second are both logically parsed by the rule compiler.

61
• TCL includes the lappend command to append a data string to a list.
· The list itself is created by the first use of lappend.
· When the TCL code is parsed at runtime by AAC, TCL invisibly separates each list entry into its own -v value for processing.

• Plainspeak:
· When listOfFiles is created or populated using lappend, its name is written without the variable indicator: $
· When listOfFiles is referred to within subsequent TCL commands, its name is written with the variable indicator: $
· This holds for both TCL scalar variables and TCL lists.

62
• Using the -v and -l switches together is permitted.
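The value-list forms of slides 60 to 62 (space-separated after one -v, one -v per line, -l with a TCL list built by lappend, and -v and -l mixed) all reduce to the same per-value list. The normalizer below is an added Python example, not course-book or ENS code; it models only the text between the braces of an Include/Exclude, uses shlex to strip quotes and fold `\\` to `\` in the way TCL would, and represents TCL lists as Python lists in a dictionary. The list name and sample values are constructed.

```python
import shlex

# Added example, not from the course book or ENS: normalizes the -v / -l value
# syntaxes described on slides 60-62 into the per-value list the compiler builds.


def lappend(variables: dict, name: str, *items) -> list:
    """Mirror of TCL's lappend: the list is created on first use, appended to after."""
    variables.setdefault(name, []).extend(items)
    return variables[name]


def expand_switch_values(body: str, variables: dict) -> list:
    """body: the text between the braces of an Include/Exclude, for example
         '-v "cmd.exe" "my process.exe"'        (space-separated, one -v)
         '-v "cmd.exe"\n-v "my process.exe"'    (one -v per line)
         '-l $listOfFiles'                      (TCL list reference)
    variables: TCL list name -> Python list, i.e. what lappend produced.
    Returns the flat, ordered list of values; a logical OR applies between them."""
    values = []
    # POSIX-mode shlex removes the double quotes and collapses '\\' to '\' inside
    # them, which is close enough to TCL's substitution for this purpose.
    mode = None
    for tok in shlex.split(body, posix=True):
        if tok in ("-v", "-l"):
            mode = tok
            continue
        if mode is None:
            raise ValueError(f"value {tok!r} appears before any -v/-l switch")
        if mode == "-l":
            if not tok.startswith("$"):
                raise ValueError(f"-l expects a $variable reference, got {tok!r}")
            values.extend(variables[tok[1:]])   # each list entry becomes its own value
        else:
            values.append(tok)                  # trailing values inherit the last -v
    return values


if __name__ == "__main__":
    tcl_vars = {}
    lappend(tcl_vars, "listOfFiles", "nerffile1.txt", "nerffile2.txt")
    print(expand_switch_values('-v "cmd.exe" "my process.exe"', tcl_vars))
    print(expand_switch_values('-v "cmd.exe"\n-v "my process.exe"', tcl_vars))
    print(expand_switch_values('-v "cmd.exe" -l $listOfFiles', tcl_vars))
```

Feeding each syntax variant through the same function is a quick way to confirm that two differently written Includes really produce the same value set before one of them is deployed.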

63
• The AggregateMatch element allows separate sub-groups of fine-grained Include/Exclude sub-elements.
· The AggregateMatch element can be used in either or both of the Initiator and Target sections of a Rule.
· Multiple AggregateMatch elements can be used within the same Rule.
· The AggregateMatch element itself can be an Include or an Exclude.
· Each AggregateMatch element functions as a separate criteria domain against which an event is evaluated.
· Within a particular AggregateMatch element, the same logical AND/OR rules apply to the sub-elements.
· NOTE: AggregateMatch elements are ORed with each other.
· NOTE: AggregateMatch elements cannot be nested.

• Plainspeak:
· In this example, reading any target PE (Portable Executable) file named 'nerffile.exe' will be prevented anywhere in the file system, unless the target file matches all the criteria in at least one of the AggregateMatch elements.
· NOTE: In this example the sub-elements within each AggregateMatch are Include sub-elements, but the AggregateMatch elements themselves are Excludes from the main Rule logic.
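The evaluation rules of slides 51 to 54 (OR across Includes on the same attribute, AND across attributes, the ?, * and ** wildcards) and of slide 63 (Exclude AggregateMatch elements ORed with each other) can be exercised offline with the small evaluator below. It is an added Python example, not code from the course book or from ENS: objects are plain dictionaries keyed by the attribute names the slides use, the rule fragments and paths are constructed, and case-insensitive path comparison is my assumption.

```python
import re

# Added example (not from the course book or ENS): evaluator for the Include/Exclude
# logic of slides 51-54 and 63. Case-insensitive path matching is an assumption.


def aac_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Slide 54 wildcards: '?' is exactly one character other than a backslash,
    '*' any run of non-backslash characters (stays inside one file or folder name),
    '**' any characters at all, folder separators included."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def aac_glob(pattern: str, name: str) -> bool:
    return aac_glob_to_regex(pattern).fullmatch(name) is not None


def _attr_matches(attr: str, wanted: list, obj: dict) -> bool:
    """One attribute against every value given for it. An object has only one
    name, so the values are ORed (slide 51)."""
    if attr == "OBJECT_NAME":
        return any(aac_glob(v, obj.get("OBJECT_NAME", "")) for v in wanted)
    if attr == "-access":
        requested = {a.upper() for a in obj.get("-access", ())}
        return any(v.upper() in requested for v in wanted)
    return obj.get(attr) in wanted


def match_element(includes, obj, excludes=(), aggregate_excludes=()) -> bool:
    """Evaluate one Match element against one object.
    includes / excludes: lists of (attribute, [values]). Includes on the same
    attribute are ORed, includes on different attributes are ANDed (slides 51-53).
    A matching Exclude always wins (slides 90 and 94).
    aggregate_excludes: one include-list per Exclude AggregateMatch; they are ORed
    with each other, and an object meeting all criteria of any one of them is
    exempted from the Rule (slide 63)."""
    by_attr = {}
    for attr, values in includes:
        by_attr.setdefault(attr, []).extend(values)
    if not all(_attr_matches(a, v, obj) for a, v in by_attr.items()):
        return False
    if any(_attr_matches(a, v, obj) for a, v in excludes):
        return False
    return not any(match_element(agg, obj) for agg in aggregate_excludes)


# Constructed fragments that mirror the shapes on the slides (paths are made up).
INITIATOR_51 = [("OBJECT_NAME", ["cmd.exe"]), ("OBJECT_NAME", ["my process.exe"])]
TARGET_52 = [("OBJECT_NAME", [r"C:\pathname\filename.txt"]), ("-access", ["CREATE"])]
TARGET_63 = [("OBJECT_NAME", [r"**\nerffile.exe"]), ("-access", ["READ"])]
EXEMPT_63 = [[("OBJECT_NAME", [r"c:\users\public\nerffolder\*"]), ("-access", ["READ"])]]

if __name__ == "__main__":
    print(match_element(INITIATOR_51, {"OBJECT_NAME": "my process.exe"}))
    print(match_element(TARGET_52, {"OBJECT_NAME": r"c:\pathname\filename.txt",
                                    "-access": {"CREATE"}}))
    print(match_element(TARGET_63, {"OBJECT_NAME": r"c:\users\public\nerffolder\nerffile.exe",
                                    "-access": {"READ"}}, aggregate_excludes=EXEMPT_63))
```

Walking a candidate Rule's Includes through this evaluator with the paths you expect to block and the paths you expect to leave alone is a cheap pre-check before the Rule is compiled on a test node; the real enforcement semantics, including which fields are case-sensitive, remain those of the Product Guide.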

65
• Include -access "CREATE": https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-
prevention-product-guide-windows/page/GUID-3224F4C0-8967-4226-A382-759B8197A9CB.html

• Plainspeak:
· The term nerf, or any similar term seldom used in colloquial language, is useful in research and development in the following way. As work proceeds on a node, many file system folders and files, registry keys, values, data, etc. are created or altered, and it becomes increasingly difficult to remember what an investigator must revert to reach an earlier state unless each change is uniquely named.
· To allow learners to easily find such changes by searching, and then revert them when necessary, these examples use the term 'nerf' accordingly.

· Examples of utility:
· Renaming a kernel driver to prevent its loading: driver.sys to driver.nerf
· Renaming a Windows PE to prevent its execution: program.exe to program.nerf
· Renaming a registry value to nullify its applicability: value to nerfValue

67
• … lappend listOfFiles …: https://www.tcl.tk/man/tcl8.5/tutorial/Tcl15.html

• … -l $listOfFiles …:
https://kc.mcafee.com/corporate/index?page=content&id=PD27574&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US (Page 121)

68
• … -type PATH … and … -pfx "c:\\users\\public\\folder?\\" …:
· https://kc.mcafee.com/corporate/index?page=content&id=PD27574&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US (Page 121)

• Plainspeak:

• WARNING: When using the -pfx or -sfx switches, the OBJECT_NAME element must be formatted in the carriage-return+line-feed syntax. The OBJECT_NAME element cannot use the space-separated syntax. This is because the -pfx/-sfx switches and the -l switch are not identical: in space-separated syntax there can be only one switch type.

· Supported carriage-return+line-feed syntax:

Include OBJECT_NAME -type PATH {
    -pfx "c:\\users\\public\\nerffolder\\"
    -l $listOfFiles
}

· Unsupported space-separated syntax:

Include OBJECT_NAME -type PATH {-pfx "c:\\users\\public\\nerffolder\\" -l $listOfFiles}

69
• … -sfx "nerffile?.txt" …:
https://kc.mcafee.com/corporate/index?page=content&id=PD27574&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US (Page 121)


70
• … set myvariable_computername …: https://www.tcl.tk/man/tcl8.5/tutorial/Tcl2.html

71
• … iEnv …: https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-
windows/page/GUID-4F06D3F1-F8C0-438F-88F6-065D89F47C21.html

72
• … iDump …: https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-
guide-windows/page/GUID-FC59ABD4-9507-4EC7-BAB2-6143298D9372.html

• Plainspeak:
· If ENSTP Exploit Prevention debug logging is enabled, the iDump command populates the ENSTP
ExploitPrevention_Debug.log only during Rule compilation, not during Rule triggering.
· Rule compilation can occur not only because of the Rule's first authorship, but also when
policy is changed, etc.
· It is easiest to watch the ENSTP ExploitPrevention_Debug.log when the Rule is first checked
using the ENS Console.
· To research variable values it may be necessary to either resubmit the Rule for compilation
to provoke log population, alter policy, or to research the log file for the timestamp of Rule
compilation.

73
• … iSystem os_arch …: https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-
product-guide-windows/page/GUID-FE60B5DA-29C5-4B7B-A2A9-6F1435E88B00.html

• … if…else …: https://www.tcl.tk/man/tcl8.5/tutorial/Tcl7.html

74
• … iTerminate …: https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-
guide-windows/page/GUID-B96C12E3-6DB8-486D-9D5C-CFF0C477B7C1.html

• Plainspeak:
· If a Rule contains iTerminate then a counterintuitive sequence can occur.
· The Rule processor, upon receipt of the Rule syntax, evaluates the Rule against the local node.
· If an iTerminate command is present when the Rule check is conducted, and the code path of the Rule, when applied to the local node, would arrive at the iTerminate command:
· Expect the Rule to be marked as invalid by the ENS Console Check function even though the syntax is correct.
· Messaging describing the 'error' is logged.
· The Rule is dropped entirely from the node's AAC Rule list.
· aacinfo.exe query output can be observed not to contain the Rule at all.

· For this Rule, or any other Rule being checked when iTerminate is executed:
· If the Rule is created using the local ENS Console,
· And the syntax Check button is used,
· And the operating system architecture is x86,
· Then the Rule will fail compilation as described above.

· The Rule is valid.
· The Rule processor is executing the operating system architecture check, finding x86, and arriving at iTerminate.
· Check the Rule syntax using a variant of the Rule that will not arrive at iTerminate, such as:
· 'Comment out' iTerminate.
· Check the Rule.
· 'Uncomment' iTerminate.
· Enforce the Rule.

· If the Rule does not ultimately apply to the local node after the Enforce action, do not expect the Rule to exist on the local node.

· Alternatively, to avoid this 'annoyance', the Rule could be authored using ePO policy, although when parsed by the local node the result will still be the 'error' messaging and lack of Rule applicability.
· Professional Services has reported this behavior.
· This behavior is most likely as-designed due to the way the Rules are parsed.
· The likely objective is to eliminate as much unnecessary code as possible, with this outcome as an artifact of that objective.

75
• … iReg …: https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-
windows/page/GUID-9484D509-3171-47DB-9716-647D2B99AA9C.html

76
• … iUser list …: https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-
guide-windows/page/GUID-5298ABD4-D38D-4C7D-AD7F-A4D9180EE5EE.html

• Plainspeak:
· In this simplistic example Rule there is an implicit assumption that the user profile folder is named for the username that iUser returns.
· Not all user profile folders match the username, for reasons such as:
· Name changes (e.g. marriage, divorce).
· Deliberate obfuscation.
· The username, as represented by the source the Rule instructs AAC to read it from, does not match the user profile folder for that account.
· Some profiles, such as those of some built-in local accounts, are read from APIs that produce the following results:
· User 'Default': DefaultAccount
· User 'NT AUTHORITY\LOCAL SERVICE': {LOCAL SERVICE}
· User 'NT AUTHORITY\NETWORK SERVICE': {NETWORK SERVICE}
· User 'NT AUTHORITY\SYSTEM': SYSTEM
...etc.

· This Rule would place these user profile folders in the following incorrect locations (when %SYSTEMDRIVE% is 'C:\'):
· User 'Default': C:\Users\DefaultAccount
· User 'NT AUTHORITY\LOCAL SERVICE': C:\Users\{LOCAL SERVICE}
· User 'NT AUTHORITY\NETWORK SERVICE': C:\Users\{NETWORK SERVICE}
· User 'NT AUTHORITY\SYSTEM': C:\Users\SYSTEM
...etc.

· The actual locations for these user profiles are (when %SYSTEMDRIVE% is 'C:\'):
· User 'Default': C:\Users\Default
· User 'NT AUTHORITY\LOCAL SERVICE': C:\Windows\ServiceProfiles\LocalService
· User 'NT AUTHORITY\NETWORK SERVICE': C:\Windows\ServiceProfiles\NetworkService
· User 'NT AUTHORITY\SYSTEM': C:\Windows\System32\Config\SystemProfile
...etc.

· Always validate that the result of Rule code matches the intended result.
· This Rule will only properly guard folders for queried user accounts:
· Whose user profile folder is named exactly for the username.
· Whose user profile folder exists in 'C:\Users'.
· The authoritative mapping from an account to its profile folder is the ProfileImagePath value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>; a Rule that needs the real folder should read that value rather than derive the path from the username.

• WARNING: There is an anomaly with the -pfx and -sfx switches. There is currently a defect in the parser where, if the -pfx or -sfx switches are on the same line as the rest of the command, the command will not function:

Include OBJECT_NAME -type PATH {-pfx "c:\\users\\public\\nerffolder\\" -l $listOfFiles}

When the -pfx or -sfx switches are on separate lines from the rest of the command, the command functions:

Include OBJECT_NAME -type PATH {
    -pfx "c:\\users\\public\\nerffolder\\"
    -l $listOfFiles
}

This will be remedied in a future build of ENS.

77
• … for {start} {test} {next} {body} …: https://www.tcl.tk/man/tcl8.5/tutorial/Tcl10.html


78
• … [llength $var_userlist] …: https://www.tcl.tk/man/tcl8.5/tutorial/Tcl14.html


79
• … [lindex $var_userlist $x] …: https://www.tcl.tk/man/tcl8.5/tutorial/Tcl14.html

• … append var_username "\\nerffolder\\nerffile.txt" …:


https://www.tcl.tk/man/tcl8.5/TclCmd/append.htm


88
• Plainspeak:
· The registry is a database that contains three types of objects: containers, leaf nodes,
and data
· Containers are called: registry keys: e.g.: HKLM\Software\MyApplication
· Leaf Nodes are called: registry values: e.g.: REG_SZ "Installation Folder"
· Data are called: registry data: e.g.: "C:\Program Files\My Application“

· It is improper, though common, for everything in the registry to be referred to as 'keys'.


· This is categorically incorrect and clouds understanding of the registry.
· Containers may contain other containers or leaf nodes, whereas leaf nodes may only
contain data.
· Proper understanding clarifies the scope of the Match KEY element.

89
• Plainspeak:
· No switches for -type other than -type PATH are defined in documentation at this time.
· There will be several -type switches used in this Learner's Course and their purposes are
self-evident.
· Professional Services has reported this documentation omission.

90
• Plainspeak:
· Of the two 'competing' Match VALUE elements, only one will be 'chosen' to apply.
· The Exclude element will always be favored and override the Include element, even in this
seemingly counterintuitive order of two Match VALUE elements covering the 'same' material.
· Note that the value {-v 101 105} is a range from 101 to 105 including 101, 102, 103, 104,
and 105.
· It is not solely the numbers 101 and 105.

91
• Plainspeak:
· The REG_BINARY registry value type displays and accepts hexadecimal-encoded binary rather than raw binary:
· The binary behind fe340ead9 is too long for a human to handle reliably and is therefore easily corrupted: 111111100011010000001110101011011001
· Humans think and act in decimal, a base-10 number system, because most humans have ten fingers and used them to learn counting.
· Hexadecimal is a base-16 number system, and the 'letters' a-f denote the decimal quantities 10-15.
· In hexadecimal the a-f characters are not letters, they are digits.
· Binary is a base-2 number system (1 bit = 2 quantities = decimal 0-1).
· Hexadecimal encoding of binary divides the binary string into four-bit chunks, called nibbles.
· Four bits are required to construct each hexadecimal digit (2^4 = 16 quantities = decimal 0-15 = hexadecimal 0-f).
· 0xfe340ead9 (0x denotes hexadecimal) is: 1111(0xf) 1110(0xe) 0011(0x3) 0100(0x4) 0000(0x0) 1110(0xe) 1010(0xa) 1101(0xd) 1001(0x9)

93
• Plainspeak:
· The REG_EXPAND_SZ registry value type is a single string optionally containing environment
variables.
· The purpose of this registry value type is to allow an object reading the registry value to
replace (expand) the environment variable referenced in the registry value with its actual content,
and in the context of a particular user account:
· User Alara: %USERPROFILE%: C:\Users\Alara
· User Bortus: %USERPROFILE%: C:\Users\Bortus
· User Claire: %USERPROFILE%: C:\Users\Claire

· The ^ character (caret) is the escape character used by cmd.exe.
· In cmd.exe, typing the % character in a command normally causes cmd.exe to replace any text enclosed within % characters with the content of the like-named environment variable.

· The trigger commands use cmd.exe to invoke reg.exe with several % characters intended to be part of the reg.exe command's data.
· ^ characters (carets) must be placed before each % character, as in ^%USERPROFILE^% and ^%PROGRAMFILES(X86)^%, to prevent cmd.exe from treating the % characters as environment variable references that cmd.exe must expand itself before invoking reg.exe.
· The caret form applies to commands typed at the interactive cmd.exe prompt; inside a batch file a literal percent sign is written as %% instead (%%USERPROFILE%%).

94
• Plainspeak:
· The Exclude element will always be favored and override the Include element.

95
• Plainspeak:
· The USER_NAME Match Type is not defined in documentation at this time.
· Under the hood AAC first resolves the specified user name to its SID and then invokes the
USER_SID Match Type.
· Professional Services has reported this documentation omission.

100
• Plainspeak:
· The ! character (bang) in many languages means logical NOT.
· That is not the meaning of the bang character in this element.
· If it were, this particular Include command would be counterproductive, including everything except hidden files.
· Here are the characteristics of the syntax:
· (blank, no symbol): The bit is only a MATCH bit
· + (plus): The bit is only a REQUIRED bit
· ! (bang): The bit is both a REQUIRED and a MATCH bit
· !* (bang asterisk): All bits are both REQUIRED and MATCH bits

· MATCH bits are combined with a logical OR: at least one of them must be set.
· REQUIRED bits are combined with a logical AND: every one of them must be set.
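The bit-qualifier semantics above, turned into code as an added Python example that is not from the course book or from ENS. It is my reading of the slide: a specification is a list of bit names, each optionally prefixed with + or !, with a standalone !* entry meaning every listed bit is both REQUIRED and MATCH; the flag names (HIDDEN, SYSTEM, READONLY, ARCHIVE) are constructed stand-ins for whatever attribute bits the real Match Type exposes.

```python
# Added example, not from the course book or ENS: evaluator for the MATCH/REQUIRED
# bit qualifiers described on slide 100. Flag names are constructed placeholders.


def parse_bit_spec(spec) -> tuple:
    """Return (required, match) sets for a list such as ["+HIDDEN", "READONLY", "!SYSTEM"].
       no prefix -> MATCH only      '+' -> REQUIRED only
       '!'       -> both            '!*' (standalone) -> every listed bit is both"""
    required, match = set(), set()
    everything_both = "!*" in spec
    for item in spec:
        if item == "!*":
            continue
        if item.startswith("!"):
            name = item[1:]
            required.add(name)
            match.add(name)
        elif item.startswith("+"):
            name = item[1:]
            required.add(name)
        else:
            name = item
            match.add(name)
        if everything_both:
            required.add(name)
            match.add(name)
    return required, match


def bits_match(spec, object_bits) -> bool:
    """REQUIRED bits are ANDed (all must be set); MATCH bits are ORed (at least one
    must be set, when any are specified)."""
    required, match = parse_bit_spec(spec)
    present = set(object_bits)
    if not required <= present:
        return False
    if match and not (match & present):
        return False
    return True


if __name__ == "__main__":
    # "!HIDDEN": hidden files only, the reading the slide says is intended
    print(bits_match(["!HIDDEN"], {"HIDDEN", "ARCHIVE"}))
    print(bits_match(["!HIDDEN"], {"ARCHIVE"}))
    # "+HIDDEN READONLY SYSTEM": must be hidden AND (readonly OR system)
    print(bits_match(["+HIDDEN", "READONLY", "SYSTEM"], {"HIDDEN", "SYSTEM"}))
```

Before relying on a bit expression in a Rule, write down the objects it must match and the ones it must not, run them through this evaluator, and then confirm on a test node that ENS agrees; the slide's description is the only specification of these qualifiers the Product Guide is said to lack.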

102
• Plainspeak:
· Variations on this Rule could be used to almost-completely, or even completely, eliminate
network-based access of the local file system in a scenario requiring such blockage.
· There could be complications when certain local software suites deliberately use the
network redirector in order to access local file system resources (e.g. see the 'This should fail'
trigger), but this should be detectable through testing and could be excluded using fine-grained
Exclude elements within the Target element.

103
• Plainspeak:
· This Rule has the benefit of being immune to file extension subterfuge. Variations on this
Rule could be used to great effect protecting executables.

104
• Plainspeak:
· Variations on this Rule could be used to great effect confining where these scripts could
be located in the file system.

106
• Plainspeak:
· PowerShell resolves parameter names by prefix: only enough leading characters of a switch need
be supplied for PowerShell to identify the intended switch unambiguously, and PowerShell binds the rest
itself. powershell.exe's own command-line switches behave the same way, so, for example, -EncodedCommand is
also accepted as -enc or -ec.
· The simplistic example above matches only the full spelling of the switch and therefore does not
account for these abbreviated forms, but they can be accounted for with fine-grained tuning (matching the
shortest unambiguous prefix rather than the full switch name).

109
• Plainspeak:
· Normally the focus would likely be on untrusted libraries, but this example serves to
demonstrate the functionality of the Match Type VTP_TRUST.

110
• Plainspeak:
· With finer-grained Initiator and Target elements this Rule could be used to interrupt specific
stages of a malware kill chain.

112
• Plainspeak:
· The Windows Subsystem for Linux, when started with privilege elevation, lets the user modify
the Windows operating system from the Linux side, possibly without Windows-based antimalware software
observing it.
· The two SIDs included are the 'High Mandatory' (S-1-16-12288) and 'System Mandatory'
(S-1-16-16384) Integrity Level SIDs.
· The Subsystem runs at one of these Integrity Levels when it is started with privilege
elevation.
· The Subsystem processes run at Medium Integrity Level (S-1-16-8192) when the Subsystem is
started without privilege elevation.
· This Rule could be fine-grained to prevent running the Subsystem altogether, or to confine
privileged, unprivileged or disallowed use to specific users or groups.

113
• Plainspeak:
· AppInit_DLLs is a list of libraries (.dll) held in a registry value under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and, on 64-bit Windows, under the
Wow6432Node counterpart of that key for x86 processes.
· When loading is enabled, every user-mode executable that loads user32.dll (almost all of them)
also loads every library listed in AppInit_DLLs.
· AppInit_DLLs is one of the worst 'features' in Windows, and dates all the way back to
Windows NT 3.1 in 1993.
· Even Mark Russinovich publicly deplores AppInit_DLLs.
· With Windows Vista (6.0) in 2007 Microsoft officially deprecated AppInit_DLLs and disabled it by
default; on Windows 8 and later the list is not loaded at all while Secure Boot is enabled.
· Microsoft has never actually removed AppInit_DLLs, however, because many large vendors such
as Citrix continue to leverage it.
· https://helgeklein.com/blog/2015/10/citrix-xenappxendesktop-api-hooking-explained
· Two companion registry values in the same key attempt to harden it: LoadAppInit_DLLs
(introduced with Windows Vista) and RequireSignedAppInit_DLLs (introduced with Windows 7).
· These should be leveraged when possible, especially RequireSignedAppInit_DLLs.
· This Rule could be fine-grained to permit only certain actors to modify AppInit_DLLs,
while allowing all others to read it.
· https://attack.mitre.org/wiki/Technique/T1103 (now catalogued as T1546.010, Event Triggered
Execution: AppInit DLLs)
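The following PowerShell audit is added here as an example and is not code from the course book or from the ENS product. It reads the three values named above from both Software hives, warns when libraries are loaded without a signature requirement, and checks the Authenticode status of each listed library. Run it from an elevated prompt; the remediation line is left commented out so the script only reports by default.

```powershell
# Added audit example for the AppInit_DLLs hardening values. Not course book or ENS code.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    # The Wow6432Node hive does not exist on 32-bit Windows.
    if (-not (Test-Path -Path $key)) { continue }

    $props  = Get-ItemProperty -Path $key
    $dlls   = [string]$props.AppInit_DLLs            # space- or comma-separated library list
    $load   = [int]$props.LoadAppInit_DLLs           # 1 = list is loaded into every user32.dll process
    $signed = [int]$props.RequireSignedAppInit_DLLs  # 1 = unsigned entries are ignored ([int]$null is 0)

    Write-Output $key
    Write-Output ("  AppInit_DLLs              = '{0}'" -f $dlls)
    Write-Output ("  LoadAppInit_DLLs          = {0}" -f $load)
    Write-Output ("  RequireSignedAppInit_DLLs = {0}" -f $signed)

    if ($load -eq 1 -and $signed -ne 1) {
        Write-Warning "$key loads AppInit libraries without requiring signatures."
        # Hardening recommended above; uncomment to apply (elevated prompt required):
        # Set-ItemProperty -Path $key -Name RequireSignedAppInit_DLLs -Value 1 -Type DWord
    }

    if ($load -eq 1 -and $dlls.Trim().Length -gt 0) {
        foreach ($dll in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
            # Entries may be bare names resolved through the loader search path;
            # those report FileNotFound here and need to be located by hand.
            $status = if (Test-Path -Path $dll) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else {
                'FileNotFound'
            }
            Write-Output ("  {0} -> signature: {1}" -f $dll, $status)
        }
    }
}
```

A non-empty list with LoadAppInit_DLLs set to 1 and RequireSignedAppInit_DLLs absent or 0 is the configuration the Rule above is meant to protect, since any writer to that value then gets code into every GUI process on the host.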

114
• Plainspeak:
· Memory-resident malware often uses this technique to implant malicious code within peer
processes (e.g. Mimikatz).
· Allocating virtual memory in the peer process allows sections to be created and
filled with such malicious code.
· This Rule will allow such behavior only from processes that belong to Microsoft or McAfee,
and only if those Microsoft or McAfee processes have not themselves been injected with untrusted libraries.
· Microsoft and McAfee processes formerly lost VTP trust if an untrusted library had been
injected into them.
· This has been altered so that only the main process image is checked for VTP trust,
regardless of any injected modules.
· You may still configure VTP to trust additional third-party libraries as
necessary through ENS policy.
· Such libraries must be digitally signed to be VTP trusted.
· https://attack.mitre.org/wiki/Technique/T1055 (Process Injection)

115
• Plainspeak:
· Memory-resident malware often uses this technique (process hollowing) to implant malicious
code within peer processes (e.g. Duqu).
· https://attack.mitre.org/wiki/Technique/T1093 (now catalogued as T1055.012, Process Hollowing)

116
• Plainspeak:
· Products built on the widely used Electron framework could be exploited for remote code
execution through the custom protocol handlers they register (CVE-2018-1000006, affecting Windows
applications that register themselves as the default handler for a protocol).
· https://nvd.nist.gov/vuln/detail/CVE-2018-1000006
· Additional References:
· https://electronjs.org/blog/protocol-handler-fix
· https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006
· https://www.exploit-db.com/exploits/43899
· https://hackernoon.com/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374

117
• Plainspeak:
· Wise Force Deleter is a utility that breaks file locks, enabling deletion of almost any
file in the operating system.
· https://www.wisecleaner.com/wise-force-deleter.html

118
• Plainspeak:
· Process doppelgänging (used by, e.g., the SynAck ransomware) involves:
· Opening an NTFS transaction (TxF) and, within it, the image file of a legitimate PE.
· Overwriting the file's content with malicious code while the file is still inside the
uncommitted transaction.
· Creating an image section from the transacted (now malicious) file.
· Rolling back the transaction, which restores the file on disk to its original state
while the section still holds the malicious image.
· Creating a process from that section and executing it.
· Microsoft deprecated TxF but has not removed the capability from Windows, so the technique
remains available.
· https://attack.mitre.org/techniques/T1186 (now catalogued as T1055.013, Process Doppelgänging)

119
• Plainspeak:
· Windows Media Center on Windows Vista, 7 and 8 (6.x), when unpatched, is vulnerable to
maliciously crafted .mcl link files, including ones hosted on the network (CVE-2015-2509, MS15-100).
· https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2509

120
• Plainspeak:
· The first AggregateMatch contains several Match Type elements of a single kind, so a logical
OR applies between them.
· The second AggregateMatch contains two Match Types of differing kinds, so a logical AND
applies between them.
· The AggregateMatch element is not defined in documentation at this time.
· Professional Services has reported this documentation omission.
· https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs

121
• Plainspeak:
· Malware has often resorted to use of junctions, symbolic links, and hard links to disguise
its presence or to enable oblique access to targets.

123
• Plainspeak:
· This Rule, as written, causes a hash to be computed for every file access by
every process on the computer.
· Windows does not keep a 'hash cache' for the files in the file system.
· Files already resident in memory (such as on the Standby List) might hash faster
because no disk read is needed, but that does not apply to the vast majority.
· This Rule should therefore result in continuous and noticeable performance
degradation, especially on spinning disks.
· The correct use of a 'hash' Match Type is to be more specific in the Initiator
Match rather than using 'all processes', to add Match Type constraints within the
Target to minimize hashing, or both.

124
• Plainspeak:
· A construction similar to a radix tree (a compressed prefix trie) is used to sort and
match the patterns.
· Radix trees are 'just how this kind of sorting in computers is done'.
· https://en.wikipedia.org/wiki/Radix_tree
· A double-asterisk means 'anything, of any length, including folder separators such as / or \'.
· A radix tree is most efficient when a literal (non-wildcard) character is in the first
position, because every branch that does not begin with that character can be discarded at once.
· When a wildcard character, especially a multi-character wildcard, is in the first position,
no branch can be discarded and performance can noticeably degrade.
· The more underprovisioned, or the busier, the computer's CPU(s), the more noticeable.
· At the beginning of the string avoid multi-character wildcards such as * or **;
where a wildcard there is unavoidable, prefer the single-character wildcard ?.
· The best use of a radix tree-dependent Match Type is to be more specific at the
beginning of the character string, or to rethink the Rule's construction based upon the
desired outcome.

125
• Plainspeak:
· This command is blocked by the Rule: net.exe use
· This command is blocked by the Rule: net.exe use /persistent:yes
· This command is NOT blocked by the Rule: net.exe use * \\servername\sharename
· Any time a folder separator character appears in the string it can only be
accommodated by use of a double-asterisk: **
· The folder separator character is this: \
· Windows does not use the forward-slash character as a folder separator,
but rather as a switch (argument) character.
· Therefore, a single asterisk will account for the forward-slash.
· Considering: net.exe use * \\servername\sharename
· The use of this string: net.exe *
· Does NOT block, due to the single-asterisk: *
· Because the character: \
· Present in the substring: \\servername\sharename
· Is a folder separator.
· The command: Include PROCESS_CMD_LINE {-v "net.exe *"}
· Will NOT account for any backslash folder separators in
the command line.
· The use of this string: net.exe **
· Blocks, due to the double-asterisk: **
· Because the character: \
· Present in the substring: \\servername\sharename
· Is a folder separator.
· The command: Include PROCESS_CMD_LINE {-v "net.exe **"}
· Will account for any backslash folder separators in the
command line.
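As an added illustration, not code from the course book or from the Expert Rules engine, the following Python model implements the wildcard semantics described above (a single asterisk stops at a backslash, a double asterisk crosses it) and evaluates the net.exe command lines from this page against the two candidate -v strings. The treatment of ? as exactly one non-backslash character, the case-insensitive comparison and the requirement that the pattern cover the whole command line are assumptions; the command lines are constructed samples taken from the discussion above.

```python
# Added model of Expert Rules command-line wildcards. Not the product's matcher.
import re


def cmdline_pattern_to_regex(pattern):
    """Translate a PROCESS_CMD_LINE style pattern into a compiled regex.

    Semantics per the course book:
      **  any run of characters, including the backslash folder separator
      *   any run of characters that contains no backslash
      ?   one character (assumed: not a backslash)
    Every other character is literal. Case-insensitivity is an assumption.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def cmdline_matches(pattern, command_line):
    """True when the pattern (and therefore a Rule carrying it) matches the command line."""
    return cmdline_pattern_to_regex(pattern).match(command_line) is not None


# Constructed samples from the net.exe discussion above.
SAMPLE_COMMAND_LINES = [
    r"net.exe use",
    r"net.exe use /persistent:yes",
    r"net.exe use * \\servername\sharename",
]


def evaluate(pattern, command_lines=SAMPLE_COMMAND_LINES):
    """Map each command line to whether the pattern matches it."""
    return {cmd: cmdline_matches(pattern, cmd) for cmd in command_lines}


if __name__ == "__main__":
    for pattern in ("net.exe *", "net.exe **"):
        print(f"-v {pattern!r}")
        for cmd, hit in evaluate(pattern).items():
            print(f"  {'BLOCK' if hit else 'allow':5}  {cmd}")
```

The forward slash in /persistent:yes is matched by the single asterisk, while the backslashes in \\servername\sharename are not, which reproduces the three outcomes listed above; switching the pattern to net.exe ** catches all three.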

126
• Plainspeak:
· Expert Rules currently cannot validate a signature inside a PowerShell script.
· Professional Services has reported this to Development.

127
• Plainspeak:
· Expert Rules syntax does not support 8.3 (short) pathnames.
· However, an Expert Rule will still protect an object that is called using its 8.3 pathname,
provided the Expert Rule syntax uses the object's long (non-8.3) pathname.
· Beware when using AAC commands that return information which may be in 8.3 format because
the source was in 8.3 format.
· e.g.: 'iReg value' reading from a registry value that contains 8.3 format
pathnames within it.
