I am trying to make a rule which detects and mitigates specific registry changes. The rule will need to utilize wildcards as the Key, Name and Data may vary.
I can detect a static and dynamic Key and Name creation/modification without any issues, but fail when trying to utilize the Data field of the registry.
The Data field is referenced by old_data and new_data in custom HIPS signatures and must be in hex format.
Can we use wildcards in the new_data section? Please give us some examples that work.
The new_data & old_data parameters do not need to be specified. If you do not enter them in, assume that that parameter exists as a * wildcard. If you trying to prevent registry changes to a specific key, just specify which key is to be protected and any changes will be prevented.
Message was edited by: ktankink on 3/14/12 5:45:56 PM CDT
We would like to prevent registry modifications where new_data == C:\WINDOWS\system32:*.exe*
This pattern is indicative of a named pipe being run from the system folder, typically malicious.
The hex for this would be 433a5c57494e444f57535c73797374656d33323a2a2e6578652a
Does using 2a to represent an * result in wildcard behavior when evaluated by HIPS or is it just an asterisk character?
2a (or 2a00 in my testing) represent the literal * character. If you want to write up a custom signature that protects registry values from having "c:\windows\system32\<filename>.exe" from being used, you will need to write it as an Expert subrule (Standard subrules don't have the ability to input "new_data" parameters). I can PM you the code I used to prevent values from being written with this directory path. Basically, you need to find the values for the path above, but insert a ** in the TCL code so that a wildcard * is used.
I don't mean to hijack the thread but this is an answer I have been searching for, going on 4 weeks now. I have not been able to open a ticket with our McAfee support team (as we no longer control the support license agreement) which I feel will answer my question. I would also love to see the expert subrule syntax and format so we can POC and start testing changes. Is it possible you could PM me as well?
Thank you in advance
For the thread:
The HIPS IPS parameter entries (new_data, old_data, etc.) entries are converted to 4-bit hex values. See KB69120.
So the hex value for c:\windows\system32\ would be:
c:\windows\system32\ 63003a005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0 0
So in the IPS Signature, put an ** between these lines and after to create a rule that monitors any values of: c:\windows\system32\*.exe*
The * characters are wildcard characters, not literal * characters. Double ** characters are necessary for HIPS 8.0, due to how a single * and double ** function. See page 104 of PD22894 for wildcard details.
NOTE: In my example, I used a \ character after system32, not your example of the : colon character. My mistake about that, but I wanted to stay consistent with my testing, after I noticed that. With that, the last 5c00 data value would change to 3a00 instead.
I'll PM you an example Expert Subrule that I used for testing. Your custom signature will need to modified for your needs.