Yasar
Level 7
Message 1 of 4

Exploit Prevention TEST

Hi,

We have McAfee ePO and have enabled the Exploit Prevention feature. Now I want to test Exploit Prevention, so I followed this article, but I am still unable to achieve it: https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e

I have performed the steps below, but with no luck. Please correct me.

1- Enabled the Exploit Prevention features under the assigned policy.

2- Under the filter, enabled all features, including buffer overflow and files, process, regedit etc., and enabled the status.

3- Added the expert rules with severity Information, action Report, rule type Process, and saved the rule.

4- Enforced the policy; afterwards I can see the recently created rules showing on the target machine under Exploit Prevention.

5- On the target machine, when I check, it shows success.

6- Downloaded the payload from the internet and ran the command below to test the exploit, but I don't get any event in ePO under Exploit Prevention events:

mavinject.exe PROCESSID /INJECTRUNNING Path\To\Payload.dll

Could you please guide me through the steps to perform, as we need to demonstrate this to a client? Your prompt reply will be highly appreciated.

3 Replies
aguevara
McAfee Employee
Message 2 of 4

Re: Exploit Prevention TEST

Let's move this to the ENS group for proper visibility; I'm doing that now.

Re: Exploit Prevention TEST

Most memory protection rules are disabled by default within ENS, so you need to go enable those.  However, I'm not so sure that there is a specific out-of-box rule that covers Mavinject in Exploit Prevention (maybe ATP? I haven't tested it).  

You could cover this a couple of ways.  

1) Protect against Mavinject writing to memory with the following rule:

Rule {
	Process {
		Include OBJECT_NAME { -v "mavinject.exe" }
	}
	Target {
		Match PROCESS { 
			Include OBJECT_NAME { -v "**" }
			Include -nt_access "!0x00020"
		}
	}
}

Or suppress the command line:

Rule {
	Process {
		Include OBJECT_NAME { -v "**" }
	}
	Target {
		Match PROCESS { 
			Include OBJECT_NAME { -v "mavinject.exe" }
			Include PROCESS_CMD_LINE { -v "**injectrunning**" }
			Include -access "CREATE"
		}
	}
}

The best way to protect against memory attacks is to enable ATP, set DAC to Contain and Unknown and block memory write access in DAC, then enable JTI rule 517 and the relevant Exploit Prevention rules.

DAVE
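To see what the second rule above (the command-line suppression rule) would and would not flag, here is an added example that is not part of the thread and not McAfee code: a small Python emulation of the rule's Target clause run over constructed sample process-creation events. It assumes, per my reading of the ENS Expert Rule wildcard conventions and to be verified against the product guide, that "**" matches any characters including path separators, "*" stops at a separator, matching is case-insensitive, OBJECT_NAME is compared against the image file name, and multiple Include lines inside one Match block must all hold. The event triples, paths and PIDs are constructed for the demonstration.

```python
import re

# Constructed sample process-creation events (not telemetry from the thread's ePO).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 4321 /INJECTRUNNING C:\Temp\payload.dll"},
    {"image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 4321"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Temp\notes.txt"},
]


def ens_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Expert Rule wildcard into a compiled regex.

    Assumption (verify against the ENS product guide): '**' matches any
    characters including '\\' and '/', '*' matches any characters except a
    path separator, and comparison is case-insensitive.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


# The Target clause of the command-line rule from the reply, expressed as data.
CMDLINE_RULE = {
    "OBJECT_NAME": "mavinject.exe",
    "PROCESS_CMD_LINE": "**injectrunning**",
}


def basename(path: str) -> str:
    """Last path component, accepting either separator."""
    return re.split(r"[\\/]", path)[-1]


def rule_matches(event: dict, rule: dict = CMDLINE_RULE) -> bool:
    """True when every Include condition of the Match block holds.

    Assumption: Include lines inside one Match block are ANDed, so the image
    name and the command line both have to match for the rule to fire.
    """
    name_ok = ens_glob_to_regex(rule["OBJECT_NAME"]).match(basename(event["image"]))
    cmd_ok = ens_glob_to_regex(rule["PROCESS_CMD_LINE"]).match(event["cmdline"])
    return bool(name_ok and cmd_ok)


def flagged_cmdlines(events) -> list:
    """Command lines of the events the rule would report or block."""
    return [e["cmdline"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for line in flagged_cmdlines(SAMPLE_EVENTS):
        print("rule would fire on:", line)
```

The useful check is the second event: mavinject.exe run without the injectrunning switch is not flagged, and the upper-case /INJECTRUNNING in the first event is still caught only because matching is treated as case-insensitive. If you see no ePO event for a command line that this emulation flags, the gap is in enforcement or reporting (rule not enabled, policy not yet enforced, event filtering), not in the pattern.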

Yasar
Level 7
Message 4 of 4

Re: Exploit Prevention TEST

Dear Support,

Thanks for the reply. I am trying to set up buffer overflow, but I don't get the check option on the client side, and I am also not getting the event...

Here is the buffer overflow rule:

Rule {
time {Include "*"}
application {Include "c:\\temp\\iexplore.exe"}
user_name {Include "*"}
attributes -no_trusted_apps -not_auditable
directives "-d" "-c" "bo:stack" "bo:heap"
}

But I don't get the check option for buffer overflow. Please advise what changes I need to make to run payload.dll with mavinject.exe.

Please advise.
