
6010 (Generic Application Hooking Protection) example using CMD and NETSTAT

Hi,

This post is for information only, although comments and feedback are welcome.  I will be cross referencing this post in future posts that relate to the operational aspect of HIPS. With signature 6010 enabled (default = disabled) and mapped to a severity whose action is at least Log, the events below are seen in the HipShield.log file on the protected endpoint.  Following these events, the same events as shown in ePO are also displayed. To create the events, the following actions were taken:

11:55 - cmd.exe opened (Windows menu, cmd, then enter)

11:56 - netstat -aon ran from command prompt

11:57 - command prompt closed using exit command

From each event, an exception was created using the menu option available in ePO (Actions | New Exception (Host IPS 8.0)).

HIPSHIELD.LOG:


k10-21 11:55:04.135 Alert: 0x4,4dc Log event matching sig 6010

10-21 11:55:07 [02504] VIOLATION: [1] ------- Violation  Logged ---- Size 1502 ----

<Event> <!-- Level=Med, Reaction=Log -->

  <EventData

  SignatureID="6010"

  SignatureName="Generic Application Hooking Protection"

  SeverityLevel="3"

  Reaction="2"

  ProcessUserName="Win7host\Win7"

  Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE"

  IncidentTime="2014-10-21 11:55:04"

  AllowEx="True"

  SigRuleClass="Program"

  ProcessId="904"

  Session="1"

  SigRuleDirective="open_with_create_thread"/>

  <Params>

    <Param name="Workstation Name" allowex="True">WIN7HOST</Param>

    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>

    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>

    <Param name="Executable Description" allowex="False">CONSOLE WINDOW HOST</Param>

    <Param name="Executable Fingerprint" allowex="False">156f20e7a89573c2fd7cbc305dfc181f</Param>

    <Param name="Target File Name" allowex="False">CMD.EXE</Param>

    <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\CMD.EXE</Param>

    <Param name="Target Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>

    <Param name="Target Organization Name" allowex="False">MICROSOFT CORPORATION</Param>

    <Param name="Target Description" allowex="False">WINDOWS COMMAND PROCESSOR</Param>

    <Param name="Target Fingerprint" allowex="False">ad7b9c14083b52bc532fba5948342b98</Param>

  </Params>

</Event>

k10-21 11:56:16.026 Alert: 0x4,4dc Log event matching sig 6010

10-21 11:56:17 [02504] VIOLATION: [1] ------- Violation  Logged ---- Size 1507 ----

<Event> <!-- Level=Med, Reaction=Log -->

  <EventData

  SignatureID="6010"

  SignatureName="Generic Application Hooking Protection"

  SeverityLevel="3"

  Reaction="2"

  ProcessUserName="Win7host\Win7"

  Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE"

  IncidentTime="2014-10-21 11:56:16"

  AllowEx="True"

  SigRuleClass="Program"

  ProcessId="904"

  Session="1"

  SigRuleDirective="open_with_create_thread"/>

  <Params>

    <Param name="Workstation Name" allowex="True">WIN7HOST</Param>

    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>

    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>

    <Param name="Executable Description" allowex="False">CONSOLE WINDOW HOST</Param>

    <Param name="Executable Fingerprint" allowex="False">156f20e7a89573c2fd7cbc305dfc181f</Param>

    <Param name="Target File Name" allowex="False">NETSTAT.EXE</Param>

    <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\NETSTAT.EXE</Param>

    <Param name="Target Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>

    <Param name="Target Organization Name" allowex="False">MICROSOFT CORPORATION</Param>

    <Param name="Target Description" allowex="False">TCP/IP NETSTAT COMMAND</Param>

    <Param name="Target Fingerprint" allowex="False">32297bb17e6ec700d0fc869f9acaf561</Param>

  </Params>

</Event>

EVENTS IN EPO:


01 - Events.JPG

02 - ePO event 1a.JPG

02 - ePO event 1b.JPG

03 - event 2a.JPG

03 - event 2b.JPG

EXCEPTIONS CREATED USING ACTIONS | NEW EXCEPTION:


04 - exceptions summary.JPG

05 - exception 1.JPG

06 - exception 2.JPG
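The two HipShield.log records above have the same shape, and on a busy endpoint there will be hundreds of them, so it helps to pull out the fields that matter before deciding on exceptions. The script below is an added example (not from the original post and not McAfee's tooling): it reads the `<Event>` records out of HipShield.log text, prints one line per event with the hooking process, the directive and the target, lists which Param entries the event marks `allowex="True"`, and collapses the events to (signature, process, target) to show how many distinct exceptions the log actually calls for. The embedded sample log is constructed from the two events in the post with the Param list trimmed to the fields the script uses; in practice pass it the real file contents.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the HipShield.log violation-record shape shown in the
# post; the Param list is trimmed to the fields this script uses.
SAMPLE_LOG = r"""
10-21 11:55:07 [02504] VIOLATION: [1] ------- Violation  Logged ---- Size 1502 ----
<Event> <!-- Level=Med, Reaction=Log -->
  <EventData
  SignatureID="6010"
  SignatureName="Generic Application Hooking Protection"
  SeverityLevel="3"
  Reaction="2"
  ProcessUserName="Win7host\Win7"
  Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE"
  IncidentTime="2014-10-21 11:55:04"
  AllowEx="True"
  SigRuleClass="Program"
  ProcessId="904"
  Session="1"
  SigRuleDirective="open_with_create_thread"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WIN7HOST</Param>
    <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\CMD.EXE</Param>
    <Param name="Target Fingerprint" allowex="False">ad7b9c14083b52bc532fba5948342b98</Param>
  </Params>
</Event>
10-21 11:56:17 [02504] VIOLATION: [1] ------- Violation  Logged ---- Size 1507 ----
<Event> <!-- Level=Med, Reaction=Log -->
  <EventData
  SignatureID="6010"
  SignatureName="Generic Application Hooking Protection"
  SeverityLevel="3"
  Reaction="2"
  ProcessUserName="Win7host\Win7"
  Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE"
  IncidentTime="2014-10-21 11:56:16"
  AllowEx="True"
  SigRuleClass="Program"
  ProcessId="904"
  Session="1"
  SigRuleDirective="open_with_create_thread"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WIN7HOST</Param>
    <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\NETSTAT.EXE</Param>
    <Param name="Target Fingerprint" allowex="False">32297bb17e6ec700d0fc869f9acaf561</Param>
  </Params>
</Event>
"""

# Each violation record is a complete <Event>...</Event> XML fragment; the
# timestamped VIOLATION header line before it is plain text and is skipped.
EVENT_RE = re.compile(r"<Event>.*?</Event>", re.DOTALL)


def parse_events(log_text):
    """Extract every <Event> record from HipShield.log text.

    Returns a list of dicts: "data" holds the EventData attributes, "params"
    maps each Param name to (value, allowex) where allowex is the boolean
    the agent attached to that parameter.
    """
    events = []
    for match in EVENT_RE.finditer(log_text):
        root = ET.fromstring(match.group(0))   # the <!-- --> comment is ignored
        data = dict(root.find("EventData").attrib)
        params = {}
        for p in root.iter("Param"):
            params[p.get("name")] = ((p.text or "").strip(),
                                     p.get("allowex", "False") == "True")
        events.append({"data": data, "params": params})
    return events


def summary_line(ev):
    """One line per event: when, which signature, which process hooked which target."""
    d, p = ev["data"], ev["params"]
    target = p.get("Target Path", ("<none>", False))[0]
    return "{} sig {} sev {} reaction {} {} (pid {}) {} -> {}".format(
        d["IncidentTime"], d["SignatureID"], d["SeverityLevel"], d["Reaction"],
        d["Process"].rsplit("\\", 1)[-1], d["ProcessId"],
        d["SigRuleDirective"], target)


def exception_scope(ev):
    """Param names the event flags allowex="True", i.e. the parameters the
    event itself offers for an exception. In the post's events only
    Workstation Name is flagged; Target Path is not."""
    return sorted(name for name, (_, ok) in ev["params"].items() if ok)


def count_by_process_target(events):
    """Collapse events to (signature, hooking process, target) so repeated
    hits on the same pair show up as one candidate exception with a count."""
    return Counter(
        (e["data"]["SignatureID"], e["data"]["Process"],
         e["params"].get("Target Path", ("", False))[0])
        for e in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in evs:
        print(summary_line(ev))
        print("  allowex params:", exception_scope(ev))
    for key, n in count_by_process_target(evs).items():
        print(n, key)
```

Two things the output makes visible that are easy to miss in the raw log: the hooking process in both events is CONHOST.EXE (the same instance, pid 904), not the cmd.exe or netstat.exe the user launched, and the only parameter either event marks `allowex="True"` is Workstation Name. So check the parameters of the exceptions the ePO wizard actually produces (as in the exception screenshots) rather than assuming they are scoped to the target executable.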