Dear all,
I want to set an expert rule on the ENS Exploit Prevention module through ePO. I'm looking for a rule that allows me to take some actions over some files by their hash. Searching in the manuals, I got some syntax like this:
Rule {
Process {
Include OBJECT_NAME {
-v *
}
}
Executable {
Include -hash "9f06a55ab589386c3ef4a437d9b4ac2b"
-access "CREATE READ EXECUTE"
}
}
----------------------
This hash is just of a test file that I created. The thing is that when the policy is obtained by the endpoint, it just doesn't work; when I check it locally it says that there is an error:
And when I check the error log:
08/08/2019 11:29:03.274 AM mfeesp(53096.53512) ApBl.BOPAP.Error (ApState.cpp:256): Syntax error: Unknown command
while executing
"Executable {
Include -hash "9f06a55ab589386c3ef4a437d9b4ac2b" -access "CREATE READ EXECUTE"
}"
invoked from within
"Rule -id "20000" { Reaction BLOCK Group "ExPExpertRules" Description "ExpertRuleChecker"
Process {
Include OBJECT_NAME {
-v **
}
}
Executab ..."
invoked from within
"Policy {Rule -id "20000" { Reaction BLOCK Group "ExPExpertRules" Description "ExpertRuleChecker"
Process {
Include OBJECT_NAME {
-v **
}
}
..."LastErr 0x000010dd The operation identifier is not valid.
08/08/2019 11:29:03.277 AM MFEConsole(60976.41508) MFEConsole.MFEConsole.Error (mfeux_extension.cpp:2150): BOPAP - invokeMethod ( [64537280,"CheckContent",{"RuleContent":"10.5.3.3134Policy {Rule -id \"20000\" { Reaction BLOCK Group \"ExPExpertRules\" Description \"ExpertRuleChecker\"\n\tProcess {\n\t\tInclude OBJECT_NAME {\n\t\t\t-v ** \n\t\t}\n\t}\n\tExecutable {\n\t\tInclude -hash \"9f06a55ab589386c3ef4a437d9b4ac2b\" -access \"CREATE READ EXECUTE\"\n\t\t}\n\t}\n\n\n}","ForceUpdate":true}]) : operation returned non-success: BL_ERROR_FAILED_REGISTRATION
-------------------------------------
I don't know exactly what can be bad; I tried with other different syntax, but I got the same error. The final goal is to have an easy way to build rules based on IoCs, when the list is too large to use the conventional way to make rules (actually, I don't even know if it's possible to make an expert rule with actions for a hash list when any process is executed). Hope you can help me.
Best regards.
Try this. I haven't checked it but I think that should work. I don't really do hash rules, but I think this covers it.
Rule {
Process {
Include OBJECT_NAME {
-v *
}
}
Target {
Match FILE {
Include MD5 { -v "9f06a55ab589386c3ef4a437d9b4ac2b"}
Include -access "CREATE READ EXECUTE"
}
}
If you are concerned about specific attacks, I would generally recommend focusing on the IOA rather than the IOC, as you won't have to worry about keeping up with a hash list. Just block the behavior. 🙂
Thanks! 😀 It worked well; I just needed to add 1 more close brace. Do you know if I can add more hash codes to the syntax?
Yup.. now that I look at it I see the missing one. 🙂
Try this:
Rule {
Process {
Include OBJECT_NAME {
-v *
}
}
Target {
Match FILE {
Include MD5 {
-v "9f06a55ab589386c3ef4a437d9b4ac2a"
-v "9f06a55ab589386c3ef4a437d9b4ac2b"
-v "9f06a55ab589386c3ef4a437d9b4ac2c"
-v "9f06a55ab589386c3ef4a437d9b4ac2d"
-v "9f06a55ab589386c3ef4a437d9b4ac2e"
-v "9f06a55ab589386c3ef4a437d9b4ac2f"
-v "9f06a55ab589386c3ef4a437d9b4ac2g"
}
Include -access "CREATE READ EXECUTE"
}
}
}
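For the original goal of building a rule from a long indicator list, here is an added Python helper (mine, not McAfee's and not code from this thread) that emits the Process / Target / Match FILE / Include MD5 shape from the accepted answer and checks the brace balance that tripped up the first draft. The sample hashes are constructed, and the indentation, the lowercase normalisation and the 32-hex-character validation are my own assumptions about what is useful, not part of the documented syntax.

```python
import re

# Constructed sample hashes for demonstration, not real indicators.
SAMPLE_HASHES = [
    "9f06a55ab589386c3ef4a437d9b4ac2b",  # the test-file hash from the thread
    "00112233445566778899AABBCCDDEEFF",  # constructed, mixed case on purpose
]
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Fixed part of the rule: any process, matched against the target file's MD5.
HEADER = [
    "Rule {",
    "    Process {",
    "        Include OBJECT_NAME {",
    "            -v *",
    "        }",
    "    }",
    "    Target {",
    "        Match FILE {",
    "            Include MD5 {",
]

def build_hash_rule(hashes, access="CREATE READ EXECUTE"):
    """Emit the Process/Target/Match FILE/Include MD5 rule for a hash list."""
    clean = []
    for h in hashes:
        # Normalise and validate: a typo should fail here, not yield a rule
        # that silently never matches.
        h = h.strip().lower()
        if not MD5_RE.match(h):
            raise ValueError(f"not a 32-char hex MD5: {h!r}")
        if h not in clean:
            clean.append(h)
    body = [f'                -v "{h}"' for h in clean]
    footer = [
        "            }",
        f'            Include -access "{access}"',
        "        }",
        "    }",
        "}",
    ]
    return "\n".join(HEADER + body + footer) + "\n"

def braces_balanced(rule_text):
    """Catch the missing close brace that broke the first draft in the thread."""
    depth = 0
    for ch in rule_text:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0
```

Run `braces_balanced(build_hash_rule(my_list))` before pasting the output into ePO; the generated text is only a starting point and still has to be validated by ENS itself.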
I tried in the same way and it worked fine! Now I think that I have a better understanding of the syntax when building the rule. Thanks for all!