shakira
Level 10

Understanding the Hook class for custom rules

Anyone have any information on writing rules for the hook class? I'm trying to understand exactly what it does and the documentation is incredibly brief for it. A thorough explanation would help!

What is the easiest way to get it to fire? What kernel call/s is it looking for? Is it user and kernel hooking? What is an example rule and scenario? Any info would help!

3 Replies
shakira
Level 10

Re: Understanding the Hook class for custom rules

Hmm no one has an answer?

0 Kudos
shakira
Level 10

Re: Understanding the Hook class for custom rules

Is there anything more that can be done for the hook class than "on/off" as seen below?

Rule {
        Class Hook
        Id xxx
        level x
        application { Include "*" }
        directives -c -d hook:set_windows_hook
}

I guess I'm wondering if there are more directives to leverage, and what -c and -d mean? Anything more that can be done with hooks?

0 Kudos
shakira
Level 10

Re: Understanding the Hook class for custom rules

After some testing it looks as though the Hook rule is nothing but the directive "program:open_with_create_thread" for the Program class. It is also extremely loud as it's basically using stars for app and target. No wonder McAfee didn't do anything with it yet:

02-18 16:48:45 [00368] VIOLATION: [1] ------- Violation  Logged ---- Size 1512 ----
<Event> <!-- Level=Med, Reaction=Log -->
  <EventData
  SignatureID="6010"
  SignatureName="Generic Application Hooking Protection"
  SeverityLevel="3"
  Reaction="2"
  ProcessUserName="NT AUTHORITY\SYSTEM"
  Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE"
  IncidentTime=""
  AllowEx="True"
  SigRuleClass="Program"
  ProcessId="2892"
  Session="0"
  SigRuleDirective="open_with_create_thread"/>
  <Params>
    <Param name="Workstation Name" allowex="True"></Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">CONSOLE WINDOW HOST</Param>
    <Param name="Executable Fingerprint" allowex="False">156f20e7a89573c2fd7cbc305dfc181f</Param>
    <Param name="Target File Name" allowex="False">PING.EXE</Param>
    <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\PING.EXE</Param>
    <Param name="Target Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Target Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Target Description" allowex="False">TCP/IP PING COMMAND</Param>
    <Param name="Target Fingerprint" allowex="False">6242e3d67787ccbf4e06ad2982853144</Param>
  </Params>
</Event>

Message was edited by: shakira on 2/18/14 3:56:45 PM CST
0 Kudos
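The way the poster established what the Hook rule really does was to read the SigRuleClass/SigRuleDirective the violation log attributes each event to. The parser below is an added example, not code from the thread or from McAfee: it splits a HIPS violation log on the VIOLATION header lines, flattens each <Event> into a dict, and counts which class/directive pairs fired and which process/target pairs keep recurring (the noise an "Include *" application match produces). The log records are constructed in the layout quoted above; only the first record's values come from the thread.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

def _event(proc, pid, target, target_path):
    # Constructed record in the layout of the violation quoted in the thread;
    # only the first record built below reuses the thread's values.
    return f'''02-18 16:48:45 [00368] VIOLATION: [1] ------- Violation  Logged ---- Size 1512 ----
<Event> <!-- Level=Med, Reaction=Log -->
  <EventData SignatureID="6010" SignatureName="Generic Application Hooking Protection"
  SeverityLevel="3" Reaction="2" ProcessUserName="NT AUTHORITY\\SYSTEM"
  Process="{proc}" ProcessId="{pid}" SigRuleClass="Program"
  SigRuleDirective="open_with_create_thread"/>
  <Params>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Target File Name" allowex="False">{target}</Param>
    <Param name="Target Path" allowex="False">{target_path}</Param>
    <Param name="Target Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
  </Params>
</Event>
'''

SAMPLE_LOG = (
    _event(r"C:\WINDOWS\SYSTEM32\CONHOST.EXE", "2892", "PING.EXE", r"C:\WINDOWS\SYSTEM32\PING.EXE")
    + _event(r"C:\WINDOWS\SYSTEM32\CONHOST.EXE", "3104", "IPCONFIG.EXE", r"C:\WINDOWS\SYSTEM32\IPCONFIG.EXE")
    + _event(r"C:\WINDOWS\SYSTEM32\CONHOST.EXE", "2892", "PING.EXE", r"C:\WINDOWS\SYSTEM32\PING.EXE")
)

# "MM-DD HH:MM:SS [nnnnn] VIOLATION: ..." header that precedes every <Event> block
HEADER = re.compile(r"^\d{2}-\d{2} [\d:]+ \[\d+\] VIOLATION:.*$", re.M)

def parse_violations(log_text):
    """Split on VIOLATION headers; flatten each <Event> into EventData attributes
    plus its <Param> name/value pairs."""
    events = []
    for block in HEADER.split(log_text):
        block = block.strip()
        if not block:
            continue
        root = ET.fromstring(block)  # the XML comment after <Event> is skipped by the parser
        rec = dict(root.find("EventData").attrib)
        rec.update({p.get("name"): (p.text or "") for p in root.iter("Param")})
        events.append(rec)
    return events

def directives_fired(events):
    """Count (SigRuleClass, SigRuleDirective) per violation: shows the Hook rule
    surfacing as Program/open_with_create_thread, as observed in the thread."""
    return Counter((e["SigRuleClass"], e["SigRuleDirective"]) for e in events)

def process_target_pairs(events):
    """Count process -> target pairs: recurring signed pairs are the exception candidates."""
    return Counter((e["Process"], e["Target Path"]) for e in events)
```

Running `directives_fired(parse_violations(open("HipShield.log").read()))` on a real log shows at a glance whether a "Hook" rule ever fires under its own class or only as the Program directive.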