Deploy Microsoft Sysmon Detection Rules



Kevin Beaumont has provided guidance for creating rules to detect exploitation of this vulnerability.



Set ACLs on the C:\Windows\Tasks directory



Karsten Nilsen has provided a mitigation for this vulnerability. Caution: This mitigation has not been approved by Microsoft. However, in our testing it does block exploits for this vulnerability. It also appears to let scheduled tasks to continue to run, and users can continue to create new scheduled tasks as necessary. However, this change will reportedly break things created by the legacy task scheduler interface. This can include things like SCCM and the associated SCEP updates. Please ensure that you have tested this mitigation to ensure that it does not cause unacceptable consequences in your environment.



To apply this mitigation, run the following commands in an elevated-privilege prompt,:



icacls c:\windows\tasks /remove:g "Authenticated Users"

icacls c:\windows\tasks /deny system:(OI)(CI)(WD,WDAC)



Note that when a fix is made available for this vulnerability, these changes should be undone. This can be done by executing the following commands:



icacls c:\windows\tasks /remove:d system

icacls c:\windows\tasks /grant:r "Authenticated Users":(RX,WD)