BT25-01

• Block Rules based on COM Object Publisher Matching: EPM-W currently supports blocking of COM objects based on publisher matching. However, only the COM objects that require elevation are supported, which means our customers can create a block rule for COM objects that require elevation based on matching/not matching publishers. It is worth noting that this mitigation would not mitigate the abuse attempts against COM objects that do not require elevation.

• Setting Process Mitigations for Elevated Processes: If EPM-elevated processes load COM objects, then system admins can enable process mitigations (e.g., Code Integrity Guard) for the applications to be elevated by EPM-W if enabling them will not break the functionality of the application. Enabling the relevant process mitigation can prevent a non-Microsoft signed DLL being loaded into the specified application, hence can mitigate the abuse attempts.

• Monitoring / Preventing Users Modifying Registry: As a mitigation, customers can also use Group Policy Objects to prevent users from editing the following registry hives:

HKEY_CURRENT_USER\Software\Classes\CLSID

HKEY_CLASSES_ROOT\CLSID

HKEY_CLASSES_ROOT\WOW6432Node\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID

In addition, customers should also monitor the mentioned registry hives for potential abuse attempts. Note that it is possible for a user to modify those registry hives via tools such as command prompt, PowerShell and PowerShell ISE, Registry Editor, SetX, Reg, and WMIC. Therefore, monitoring the creation of such processes can be useful to detect potential abuse attempts.