c14us
Level 7

Create custom rule from system events (in this case specific event ID 4688)

Hi

Does anyone have experience with reverse-creating HIPS expert rules from MS events?

In this scenario regedit.exe is opened with a UAC prompt. Shown below are MS event ID 4688 (TokenElevationTypeLimited (3) aka access granted) and a Process Monitor readout from the same time.

What I intend to do is log every TokenElevationTypeLimited (3) event for executables. Can anyone help?
I presume it can be done by making a HIPS custom rule for logging the (FILE LOCKED WITH ONLY READERS) seen in the Process Monitor output. It's a CreateFileMapping object (https://msdn.microsoft.com/en-us/library/aa366537(v=vs.85).aspx)

It's a bit difficult to make an alarm based on data from Process Monitor. Any help will be appreciated.
The problems with testing this scenario are: what HIPS alarms correlate to CreateFileMapping? And then, is there a parameter in the HIPS expert rules for detecting "FILE LOCKED WITH ONLY READERS"?

Event log and Process Monitor log:


MS Security Event 4688

A new process has been created.

Subject:
Security ID:  PWCDK\DKCLB
Account Name:  dkclb
Account Domain:  PWCDK
Logon ID:  0xa6192

Process Information:
New Process ID:  0x2854
New Process Name: C:\Windows\regedit.exe
Token Elevation Type: TokenElevationTypeLimited (3)
Creator Process ID: 0x156c
Process Command Line:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4688</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-30T10:44:01.423252000Z" />
    <EventRecordID>7535999</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="84" />
    <Channel>Security</Channel>
    <Computer>X240-PF00YDTX.dk.ema.ad.pwcinternal.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1779530495-94190729-1823309332-29370</Data>
    <Data Name="SubjectUserName">dkclb</Data>
    <Data Name="SubjectDomainName">PWCDK</Data>
    <Data Name="SubjectLogonId">0xa6192</Data>
    <Data Name="NewProcessId">0x2854</Data>
    <Data Name="NewProcessName">C:\Windows\regedit.exe</Data>
    <Data Name="TokenElevationType">%%1938</Data>
    <Data Name="ProcessId">0x156c</Data>
    <Data Name="CommandLine" />
  </EventData>
</Event>

Process Monitor

12:44:01,4228198 Explorer.EXE 5484 CreateFile C:\Users\DKCLB SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
12:44:01,4228856 Explorer.EXE 5484 QueryBasicInformationFile C:\Users\DKCLB SUCCESS CreationTime: 16-12-2014 13:46:35, LastAccessTime: 30-09-2015 12:18:03, LastWriteTime: 30-09-2015 12:18:03, ChangeTime: 30-09-2015 12:18:03, FileAttributes: D
12:44:01,4229107 Explorer.EXE 5484 CloseFile C:\Users\DKCLB SUCCESS
12:44:01,4230627 Explorer.EXE 5484 CreateFile C:\Windows\regedit.exe SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
12:44:01,4235105 Explorer.EXE 5484 CreateFileMapping C:\Windows\regedit.exe FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection:
12:44:01,4236246 Explorer.EXE 5484 CreateFileMapping C:\Windows\regedit.exe SUCCESS SyncType: SyncTypeOther
12:44:01,4237173 Explorer.EXE 5484 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe NAME NOT FOUND Desired Access: Query Value, Enumerate Sub Keys
12:44:01,4238006 Explorer.EXE 5484 QuerySecurityFile C:\Windows\regedit.exe SUCCESS Information: Label
12:44:01,4238538 Explorer.EXE 5484 QueryNameInformationFile C:\Windows\regedit.exe SUCCESS Name: \Windows\regedit.exe
12:44:01,4244939 Explorer.EXE 5484 RegOpenKey HKLM\SOFTWARE\Microsoft\AppV\Client\RunVirtual\ SUCCESS Desired Access: All Access
12:44:01,4245726 Explorer.EXE 5484 RegOpenKey HKLM\SOFTWARE\Microsoft\AppV\Client\RunVirtual\regedit.exe NAME NOT FOUND Desired Access: All Access
12:44:01,4246327 Explorer.EXE 5484 RegCloseKey HKLM\SOFTWARE\Microsoft\AppV\Client\RunVirtual SUCCESS
12:44:01,4247429 Explorer.EXE 5484 Process Create C:\WINDOWS\regedit.exe SUCCESS PID: 10324, Command line: "C:\WINDOWS\regedit.exe"

0 Kudos
1 Reply
shakira
Level 10

Re: Create custom rule from system events (in this case specific event ID 4688)

The quick answer to your question is no, you cannot make HIPS look for the specific things you want to look at. HIPS is limited to the directives/check boxes (run, create, delete, etc.), and a parameter which is usually the name of a file/directory/process/reg key or value. That said, a "file - create" rule might catch "CreateFileMapping", but there will be no way to determine if it was "FILE LOCKED WITH ONLY READERS".

The longer answer is that yes you can use procmon to determine what rules you can write for HIPS. You can start by filtering on everything that is a Create, Delete, Open, Write, Read access type. Those can be the basis for the directives and parameters you use to write a HIPS rule with.

Good examples of rules you can make from your procmon data:


12:44:01,4228198 Explorer.EXE 5484 CreateFile C:\Users\DKCLB SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened


12:44:01,4230627 Explorer.EXE 5484 CreateFile C:\Windows\regedit.exe SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened


12:44:01,4244939 Explorer.EXE 5484 RegOpenKey HKLM\SOFTWARE\Microsoft\AppV\Client\RunVirtual\ SUCCESS Desired Access: All Access


12:44:01,4245726 Explorer.EXE 5484 RegOpenKey HKLM\SOFTWARE\Microsoft\AppV\Client\RunVirtual\regedit.exe NAME NOT FOUND Desired Access: All Access


12:44:01,4247429 Explorer.EXE 5484 Process Create C:\WINDOWS\regedit.exe SUCCESS PID: 10324, Command line: "C:\WINDOWS\regedit.exe"


Sometimes you can even get lucky and a certain directive will catch on something that doesn't totally make sense at first. For instance, the file create directive will trigger on any DLL load event. The process needs to create a handle to the DLL to do that after all, doesn't it?

Practically speaking, you're going to need to find a unique event HIPS can trigger on in your procmon logs. Else you'll be reduced to watching explorer.exe running regedit as an alert. This said, you probably won't find something that is 100% true positive/high fidelity with this product.

0 Kudos