MA 4.0, Windows
HIPs 7.0 patch 6.0.1
I want to create a signature in HIPs that will generate an event whenever sc.exe is run on a system in my environment.
Under IPS rules, I tried creating a new signature under both the 'new signature' button and with the 'add signature wizard' process. I tried various settings for severity level and tried it with and without allowing client rule creation. On a test box I would run sc.exe, and used wakeups for testing. I did wait for the IPS property translator to run, and in 2 cases let the settings run overnight. It won't work.
Logging is set during testing to correspond with the severity level in the signature created.
I've been able to test multiple other signatures that I've created, and they've all worked. One example is a registry DWORD value change. If it goes from 1 to 0, I created a signature to log and generate an event, and it worked just fine.
I can't get an event to generate for sc.exe in particular. Any tips would be appreciated.
In your custom signature Subrule, try:
Rule type: Files
Operations: ALL (specifically create).
Parameters: Include Files sc.exe (or *\sc.exe)
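Added example, not part of the original reply: a PowerShell harness that runs sc.exe in several forms (by name, by full path, via cmd.exe, as a copy with the same name outside System32, and as a renamed copy) and records a timestamp for each trial, so the tester can line each invocation up against what the Files-rule signature above actually reports. The log file location under $env:TEMP and the use of the "query" subcommand are assumptions for the test; the HIPS events themselves still have to be read from the ePO console or the HIPS logs, which this script does not touch.

```powershell
# Added test harness (not from the original thread). Each trial records when
# and how sc.exe was launched so the time can be matched against HIPS events.
# Assumptions: log file under $env:TEMP, "sc query" as the harmless action.

$log    = Join-Path $env:TEMP 'sc-signature-test.log'
$scPath = Join-Path $env:SystemRoot 'System32\sc.exe'

function Invoke-Trial {
    param([string]$Label, [scriptblock]$Action)
    $start = Get-Date
    try {
        & $Action | Out-Null
        $status = "exit=$LASTEXITCODE"
    } catch {
        $status = "error: $($_.Exception.Message)"
    }
    $line = '{0:o}  {1,-24} {2}' -f $start, $Label, $status
    Add-Content -Path $log -Value $line
    Write-Output $line
}

# 1. Plain invocation by name, resolved through PATH.
Invoke-Trial 'sc.exe by name'      { sc.exe query eventlog }

# 2. Full path, the form an Include Files pattern such as *\sc.exe describes.
Invoke-Trial 'sc.exe full path'    { & $scPath query eventlog }

# 3. Launched from cmd.exe, so the parent process differs.
Invoke-Trial 'sc.exe via cmd'      { cmd.exe /c 'sc query eventlog' }

# 4. Same file name, different directory: does the rule match on name alone?
$copySameName = Join-Path $env:TEMP 'sc.exe'
Copy-Item $scPath $copySameName -Force
Invoke-Trial 'sc.exe copy in TEMP' { & $copySameName query eventlog }
Remove-Item $copySameName -Force

# 5. Renamed copy: a name-based Files rule should NOT fire here, which tells
#    you the rule keys on the file name rather than on the binary itself.
$copyRenamed = Join-Path $env:TEMP 'svcctl.exe'
Copy-Item $scPath $copyRenamed -Force
Invoke-Trial 'renamed copy'        { & $copyRenamed query eventlog }
Remove-Item $copyRenamed -Force

Write-Output "Trial timestamps written to $log; compare them with the HIPS event times."
```

Run it once with the custom signature deployed and the translator already run, then compare the per-trial timestamps with the events HIPS reports. A rule that fires for trials 1, 2 and 3 but not 4 or 5 is matching on the full System32 path; one that fires for 4 but not 5 is matching on the file name; no events at all on any trial points at the signature itself rather than at how sc.exe was invoked.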
I have tried what you have suggested, but it still didn't work. Also, we have found that when we run sc.exe to test the signature, we get an event consistently that reports a *different* event. The event we get states that a 'tool that enables the remote creation of services has run'. Weird.