I've been working on a FireWire Attack POC using Inception (possibly dangerous link removed by Moderator) and it looks like the attack is being thwarted by McAfee HIPS, although all I can see are generic intrusion events in the HIPS log.
Can anybody confirm that McAfee HIPS is capable of doing this?
Thanks a lot
You can see the full HIPS event in the log file on the endpoint it happened on. It should be under Appdata\roaming\McAfee something something.... \hipsshield.log
Quick and dirty way of seeing if HIPS is successfully defending = disable HIPS and rerun the test - confirm that the attack actually works first, before enabling HIPS protection. I will add the standard caveats of ensuring you are in a controlled, segregated environment. If the attack works, restore victim and rerun test to see if it fails. If you are getting a large number of events that appear to be related, you will need to do some tuning first (i.e. leave the victim running for a while, look at 'standard' events and try to tune out the noise), then rerun the attack test. Path to HipShield.log here. Ok, hyperlinks still not working! Link here: https://kc.mcafee.com/corporate/index?page=content&id=KB51517
It could be the case that the protection against this attack is offered via one of the generic signatures - would be grand if you could follow up with results if possible?