11 Replies. Latest reply: Mar 11, 2014 2:10 PM by Kary Tankink

    Custom Rules in HIPS 7, specifically new_data

    jpeg9999

      I am trying to make a rule which detects and mitigates specific registry changes.  The rule will need to utilize wildcards as the Key, Name and Data may vary.

       

      I can detect a static and dynamic Key and Name creation/modification without any issues, but fail when trying to utilize the Data field of the registry.

       

      The Data field is referenced by old_data and new_data in custom HIPS signatures and must be in hex format.

       

      Can we use wildcards in the new_data section?  Please give us some examples that work.

        • 1. Re: Custom Rules in HIPS 7, specifically new_data
          Kary Tankink

          The new_data & old_data parameters do not need to be specified.  If you do not enter them, assume that that parameter exists as a * wildcard.  If you are trying to prevent registry changes to a specific key, just specify which key is to be protected and any changes will be prevented.

           

          Message was edited by: ktankink on 3/14/12 5:45:56 PM CDT
          • 2. Re: Custom Rules in HIPS 7, specifically new_data
            jpeg9999

            We would like to prevent registry modifications where new_data == C:\WINDOWS\system32:*.exe*

             

            This pattern is indicative of a named pipe being run from the system folder, typically malicious.

             

            The hex for this would be 433a5c57494e444f57535c73797374656d33323a2a2e6578652a

             

            Does using 2a to represent an * result in wildcard behavior when evaluated by HIPS or is it just an asterisk character?

            • 3. Re: Custom Rules in HIPS 7, specifically new_data
              Kary Tankink

              2a (or 2a00 in my testing) represents the literal * character.  If you want to write up a custom signature that protects registry values from having "c:\windows\system32\<filename>.exe" used in them, you will need to write it as an Expert subrule (Standard subrules don't have the ability to input "new_data" parameters).  I can PM you the code I used to prevent values from being written with this directory path.  Basically, you need to find the values for the path above, but insert a ** in the TCL code so that a wildcard * is used.

              • 4. Re: Custom Rules in HIPS 7, specifically new_data
                zaloorb

                Kary,

                 

                I don't mean to hijack the thread but this is an answer I have been searching for, going on 4 weeks now. I have not been able to open a ticket with our McAfee support team (as we no longer control the support license agreement) which I feel will answer my question. I would also love to see the expert subrule syntax and format so we can POC and start testing changes. Is it possible you could PM me as well?

                 

                Thank you in advance

                • 5. Re: Custom Rules in HIPS 7, specifically new_data
                  jpeg9999

                  Kary,

                   

                  Please PM me your code.  I believe this will be the correct answer.

                  • 6. Re: Custom Rules in HIPS 7, specifically new_data
                    Kary Tankink

                    For the thread:

                     

                    The HIPS IPS parameter entries (new_data, old_data, etc.) are converted to 4-bit hex values.  See KB69120.

                     

                    String:    Hex:
                    a          6100
                    b          6200
                    c          6300

                     

                    So the hex value for c:\windows\system32\ would be:

                     

                    String:                  Hex:
                    c:\windows\system32\     63003a005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c00
                    .exe                     2e00650078006500

                     

                     

                    So in the IPS Signature, put an ** between these lines and after to create a rule that monitors any values of:  c:\windows\system32\*.exe*

                     

                         63003a005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0 0**2e00650078006500**

                     

                     

                    The * characters are wildcard characters, not literal * characters.   Double ** characters are necessary for HIPS 8.0, due to how a single * and double ** function.  See page 104 of PD22894 for wildcard details.

                     

                     

                    NOTE: In my example, I used a \ character after system32, not your example of the : colon character.  My mistake about that, but I wanted to stay consistent with my testing, after I noticed that.  With that, the last 5c00 data value would change to 3a00 instead.

                     

                    I'll PM you an example Expert Subrule that I used for testing.  Your custom signature will need to be modified for your needs.

                    • 7. Re: Custom Rules in HIPS 7, specifically new_data
                      Kary Tankink

                      Strike that.  Single * characters will work as well.  Double ** characters are not required.
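The encoding scheme laid out in replies 6 and 7 (each character of the registry data becomes two bytes, written as four hex digits, and a bare * between encoded segments acts as a wildcard rather than a literal asterisk) is easy to get wrong by hand, as the thread's own colon-versus-backslash slip shows. The following helper is an added example written for this thread, not code from McAfee or from any poster: it builds a new_data / old_data hex pattern from a readable string, uses a single * per the correction in reply 7, decodes the result back for review, and models the wildcard semantics described in the thread so a defender can check which sample values a signature would cover before deploying it. The sample values and the function names are constructed for illustration; the matcher approximates the documented wildcard behavior and is not the HIPS engine.

```python
"""Build and review McAfee HIPS new_data / old_data hex patterns.

Added example for the thread above. The byte layout (UTF-16LE, two bytes per
character, written as four hex digits) reproduces the values posted in
reply 6; the wildcard handling follows replies 6 and 7 (a bare * is kept as a
wildcard, while an encoded asterisk 2a00 is only a literal character).
"""
import re


def to_hips_hex(text: str) -> str:
    """Encode a literal string the way the HIPS data parameters expect it."""
    return text.encode("utf-16-le").hex()


def from_hips_hex(hex_str: str) -> str:
    """Decode an encoded literal segment back to text for review."""
    return bytes.fromhex(hex_str).decode("utf-16-le")


def pattern_to_hips_hex(pattern: str) -> str:
    """Encode a readable pattern containing * wildcards.

    Literal segments are hex-encoded; each * is emitted as-is so the engine
    treats it as a wildcard. Encoding the * itself would yield 2a00, which the
    thread confirms is only a literal asterisk.
    """
    return "*".join(to_hips_hex(segment) for segment in pattern.split("*"))


def describe_hips_hex(hex_pattern: str) -> str:
    """Render an encoded pattern back to readable form, keeping wildcards."""
    return "*".join(from_hips_hex(seg) if seg else "" for seg in hex_pattern.split("*"))


def hips_hex_matches(hex_pattern: str, data: str) -> bool:
    """Model whether a registry data value would match the encoded pattern.

    Each * is treated as 'any run of characters' (including none), as the
    thread describes. Matching is case-sensitive here; this is an assumption
    made to avoid overstating how the engine compares strings.
    """
    literal_segments = hex_pattern.split("*")
    regex = ".*".join(re.escape(from_hips_hex(seg)) if seg else "" for seg in literal_segments)
    return re.fullmatch(regex, data) is not None


# The pattern discussed in the thread (backslash variant from reply 6).
SYSTEM32_EXE_PATTERN = r"c:\windows\system32\*.exe*"

if __name__ == "__main__":
    encoded = pattern_to_hips_hex(SYSTEM32_EXE_PATTERN)
    print("new_data :", encoded)
    print("decodes to:", describe_hips_hex(encoded))
    # Constructed sample registry data values to check the rule's coverage.
    for sample in (r"c:\windows\system32\svchost.exe -k netsvcs",
                   r"c:\windows\system32\notepad.exe",
                   r"c:\program files\vendor\tool.exe"):
        print(f"{sample!r:55} -> {hips_hex_matches(encoded, sample)}")
```

Feeding the decoded form back to a reviewer is the cheap check that catches the kind of transcription error noted in reply 6: if `describe_hips_hex` does not print exactly the path you intended, the hex is wrong, whatever the console accepts.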

                      • 8. Re: Custom Rules in HIPS 7, specifically new_data
                        zaloorb

                        Excellent information Kary. Thank you for the prompt response.

                        • 9. Re: Custom Rules in HIPS 7, specifically new_data
                          jpeg9999

                          Yes, thank you Kary.  I have marked the correct answer.
