shakira
Level 10

How to use Signer without knowing the entire string


Say you have a piece of a known bad signer. How do you use stars (*) or other ways to only match on a piece of it? I'm having trouble with this and am starting to think it's not possible.

Testing example:

Internet Explorer's signer is -

CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US

But how do I match on just -

OU=MOPR

OU=MOPR* does not work, and you aren't allowed to put a * at the front of the string in the GUI. Maybe an expert rule is the only way if at all?

1 Solution

Accepted Solutions
shakira
Level 10

Re: How to use Signer without knowing the entire string


Good news. An expert subrule with stars in the front and back does work! The GUI however does not allow you to put a star at the front of the signer string.

The working rule (also firing on many other Microsoft .exe's, as is to be expected because they share the same cert):

Rule {
     tag "ie by signer sub 1"
     Class Program
     Id 5809
     level 3
     Executable { Include { -sdn "*OU=MOPR*" }
     }
     directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
}

Event:

------------------------------

04-24 08:44:35 [00408] VIOLATION: [3] ------- Violation ---- Size 1523 ----

<Event> <!-- Level=Med, Reaction=Log -->
  <EventData
  SignatureID="5809"
  SignatureName="ie by piece of signer"
  SeverityLevel="3"
  Reaction="2"
  ProcessUserName="NT AUTHORITY\SYSTEM"
  Process="C:\WINDOWS\SYSTEM32\SVCHOST.EXE"
  IncidentTime="2014-04-24 08:44:33"
  AllowEx="True"
  SigRuleClass="Program"
  ProcessId="956"
  Session="0"
  SigRuleDirective="open_with_any"/>
  <Params>
    <Param name="Workstation Name" allowex="True">xxx</Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">HOST PROCESS FOR WINDOWS SERVICES</Param>
    <Param name="Executable Fingerprint" allowex="False">54a47f6b5e09a77e61649109c6a08866</Param>
    <Param name="Target File Name" allowex="False">IEXPLORE.EXE</Param>
    <Param name="Target Path" allowex="False">C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE</Param>
    <Param name="Target Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Target Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Target Description" allowex="False">INTERNET EXPLORER</Param>
    <Param name="Target Fingerprint" allowex="False">c613e69c3b191bb02c7a191741a1d024</Param>
  </Params>
</Event>

Message was edited by: shakira on 4/24/14 7:49:12 AM CDT

Message was edited by: shakira on 4/24/14 7:50:32 AM CDT
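An added illustration (not from the thread, and not McAfee's own matching code) of why the signer pattern needs a star on both ends, and of the blast radius the accepted answer mentions. It assumes the expert rule's `-sdn` operand uses glob-style `*` semantics, which is approximated here with Python's `fnmatch`; the two distinguished names from the event above are used as constructed sample input, and the `parse_dn` / `rdn_matches` helpers are hypothetical, showing what an attribute-level match would look like if the engine offered one:

```python
"""Wildcard matching of a code-signing Subject Distinguished Name (SDN).

Added example: approximates the glob-style '*' of the HIPS expert-rule
`-sdn` operand with fnmatch to show why "OU=MOPR*" misses the full DN
while "*OU=MOPR*" hits, and how wide the latter fires.
"""
from fnmatch import fnmatchcase

# Constructed sample input, copied from the DNs quoted in the violation event.
IEXPLORE_SDN = ("CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, "
                "L=REDMOND, S=WASHINGTON, C=US")
SVCHOST_SDN = ("CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, "
               "L=REDMOND, S=WASHINGTON, C=US")


def sdn_matches(pattern: str, sdn: str) -> bool:
    """Glob-match (* and ?) the whole SDN string, case-insensitively.

    Without a leading '*', the pattern is anchored at the start of the
    string, so "OU=MOPR*" can never match a DN that begins with "CN=".
    """
    return fnmatchcase(sdn.upper(), pattern.upper())


def parse_dn(sdn: str) -> dict:
    """Split 'CN=x, OU=y, ...' into {'CN': 'x', 'OU': 'y', ...}.

    Hypothetical helper: a naive split on ', ' is enough for the DNs in the
    thread, but real DNs may contain escaped commas (RFC 4514) and would
    need a proper parser.
    """
    parts = {}
    for rdn in sdn.split(", "):
        key, _, value = rdn.partition("=")
        parts[key.strip().upper()] = value.strip()
    return parts


def rdn_matches(pattern: str, attr: str, sdn: str) -> bool:
    """Match a single RDN attribute (e.g. OU) rather than the whole string.

    This is the precise form of what the question asks for; the engine's
    whole-string glob can only approximate it.
    """
    value = parse_dn(sdn).get(attr.upper(), "")
    return fnmatchcase(value.upper(), pattern.upper())


def evaluate(pattern: str, sdns) -> list:
    """Return every SDN a pattern would fire on: the rule's blast radius."""
    return [s for s in sdns if sdn_matches(pattern, s)]


if __name__ == "__main__":
    samples = [IEXPLORE_SDN, SVCHOST_SDN]
    for pat in ("OU=MOPR*", "*OU=MOPR*", "CN=MICROSOFT CORPORATION, OU=MOPR*"):
        print(f"{pat!r:45} -> {len(evaluate(pat, samples))} of {len(samples)} hit")
```

Running it shows `OU=MOPR*` hitting nothing, `*OU=MOPR*` hitting both the IE and the svchost certificate subjects (which is exactly why the rule above fired with SVCHOST.EXE as the process), and the longer `CN=MICROSOFT CORPORATION, OU=MOPR*` narrowing the hit to the one subject the poster wanted. Leading with the most specific RDN you know, and only then a trailing star, keeps a signer-based rule from matching every binary that shares the organisation's certificate.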
3 Replies
McAfee Employee

Re: How to use Signer without knowing the entire string


But how do I match on just -

OU=MOPR

I do not believe this is possible.

shakira
Level 10

Re: How to use Signer without knowing the entire string


Darn

Any idea why it doesn't work with wildcards like the rest of the pieces in a rule do? I'm going to double check today with an expert rule.
