Published on
 // 6 min read

Automating the Essential Eight Assessment Guide


A couple of weeks ago the Australian Cyber Security Centre (ACSC) released an assessment guide for the Essential Eight. If you're not familiar with the Essential Eight it's a collection of cybersecurity strategies to harden your infrastructure, and make it much harder for adversaries to compromise systems.

One of the Essential Eight strategies is Application Control, and the assessment guide includes a small test you can use to assess implementation, like this one:

To check if application control is implemented within the user profile directory, attempt to run a benign executable file inside the directory. The executables tested should cover .exe, .com, .dll, .ocx, .ps1, .bat, .vbs, .js, .msi, .mst, .msp, .chm, .hta, and .cpl. If any of the executables run within the user profile directory or operating system temporary folders, application control is ineffective.

If you're thinking - "Hang on. That sounds like the functional verification approach for application control that you automated in the last blog" - then you'd be right!

So can we take the same approach for Windows? The answer is a definitive yes!

Ansible + Windows

Ansible supports Windows automation, and has several modules that we're going to use to automate functional verification tests:

  • win_get_url This module simply downloads files. We'll use this to pull down a benign binary and run it on our Windows 10 desktop.

  • win_unzip The benign binary we pull down will be in a zip, and we'll use this module to unarchive it.

  • win_cmd Like the name says, we'll use this module to run commands on the Windows 10 desktop.

  • win_file We'll use this module to clean up the files we download to perform the test.

I've setup this Windows 10 desktop with the OpenSSH Server feature for Windows. This is still in a beta and isn't ready for production, but it's great for testing out some of this automation over SSH. If you want to run this in production, the WinRM capability is supported.

Windows 10 OpenSSH Server

Creating the Essential Eight verification playbook

We have the Essential Eight strategy we want to test identified (application control); we have our Windows 10 desktop configured; and we've identified the Ansible modules we want to use for this automated test. Here's the completed playbook, based on the previous one we created for Linux:

- name: Application control functional assessment
  hosts: win10
  gather_facts: no
  remote_user: admin

    - block:
      - name: Collect a file to execute
          dest: C:\Users\admin\

      - name: Unarchive the tar-ball
          dest: C:\Users\admin
          remote_src: yes

      - name: Execute the binary
        ansible.builtin.win_command: '"C:\Users\admin\cowsay.exe" "mooooo"'
        register: cowsay_cmd
        failed_when: cowsay_cmd.rc == 0

        - name: Catch any failures
            msg: "The verification test failed! You should definitely investigate this."  

        - name: Clean up testing files
            state: absent
            dest: "{{ item }}"
            - C:\Users\admin\
            - C:\Users\admin\cowsay.exe
            - C:\Users\admin\LICENSE
            - C:\Users\admin\doc

Similar to our Linux example, we're using the Ansible failed_when syntax to indicate that this command has successfully executed, but that indicates failure for our test.

Let's run it:

LAY [Application control functional verification] ******************************************************************************************************************************

TASK [Collect a file to execute] ************************************************************************************************************************************************
changed: []

TASK [Unarchive the tar-ball] ***************************************************************************************************************************************************
changed: []

TASK [Execute the binary] *******************************************************************************************************************************************************
fatal: []: FAILED! => {"changed": true, "cmd": "\"C:\\Users\\admin\\cowsay.exe\" \"mooooo\"", "delta": "0:00:00.219089", "end": "2022-12-07 21:22:52.653780", "failed_when_result": true, "rc": 0, "start": "2022-12-07 21:22:52.434690", "stderr": "", "stderr_lines": [], "stdout": " ________ \n< mooooo >\n -------- \n        \\   ^__^\n         \\  (oo)\\_______\n            (__)\\       )\\/\\\n                ||----w |\n                ||     ||\n", "stdout_lines": [" ________ ", "< mooooo >", " -------- ", "        \\   ^__^", "         \\  (oo)\\_______", "            (__)\\       )\\/\\", "                ||----w |", "                ||     ||"]}

TASK [Catch any failures] *******************************************************************************************************************************************************
ok: [] => {
    "msg": "The verification test failed! You should definitely investigate this."

TASK [Clean up testing files] ***************************************************************************************************************************************************
changed: [] => (item=C:\Users\admin\
changed: [] => (item=C:\Users\admin\cowsay.exe)
changed: [] => (item=C:\Users\admin\LICENSE)
changed: [] => (item=C:\Users\admin\doc)

PLAY RECAP **********************************************************************************************************************************************************************             : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=1    ignored=0

Success! The command successfully executed on our Windows 10 desktop - meaning this application control test failed, and displayed a message. We could also log tickets with ServiceNow, using the Ansible collection for ServiceNow.

Happy automating!