2 Replies Latest reply on Mar 7, 2011 6:33 PM by rphillips

    Help with HIPS Event Please

    rphillips

      Over the last couple of weeks I have been monitoring a rapidly growing number of events starting to compile in one of my dashboards. We are seeing an increasingly large number of the following, and I have been chasing my tail for a few days now trying to figure out a similarity between machines, and there isn't one that I can tell. Both of the below are just 2 of the several thousand events that keep hitting up.

      There are no similarities in the machines, as some are Windows 7 and some are XP SP3, some are running IE8 and some are running IE7, some are running Outlook 2003 and some are running Outlook 2007.

      MACHINE A is one event for Outlook

      Threat Source Process Name:C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
      Threat Source URL:file:///C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
      Threat Target Host Name:2RFWY91-D620
      Threat Target IPv4 Address:xxx.xxx.xxx.xxx
      Threat Target IP Address:0:0:0:0:0:ffff:a0d:13b
      Threat Target MAC Address:0015c545b5e6
      Threat Target User Name:
      Threat Target Port Number:
      Threat Target Network Protocol:
      Threat Target Process Name:
      Threat Target File Path:
      Event Category:Host intrusion (hip.Illegal_API_Use)
      Event ID:18000
      Threat Severity:Critical
      Threat Name:3776
      Threat Type:bad_parameter
      Action Taken:Permitted
      Threat Handled:false
      Analyzer Detection Method:

      Threat Event Descriptions

      Event Description:Host intrusion detected and handled

      Endpoint Encryption

      No addition information available.

      Host IPS Event Information

      API Name CompatFlagsFromClsid
      Detailed Event Info 10072CEC-8CC1-11D1-986E-00A0C955B42E
      Vulnerability Name Vulnerable ActiveX Control Loading A
      Workstation Name 2RFWY91-D620

      Host IPS Event Information

      View Host IPS Event Description

      Event Description

      Malicious use of the API CompatFlagsFromClsid by C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE running with the privileges of user MAIN\_MStefan was detected on the system with Agent 2RFWY91-D620. The parameter(s) passed to the API are 10072CEC-8CC1-11D1-986E-00A0C955B42E.

      General Signature Description

      (Refer to KB article 51504 for details about supported platforms.) This event indicates that Internet Explorer attempted to create an ActiveX control using a CLSID which is found in publicly known exploits. These exploits attack a vulnerability in Internet Explorer Vector Markup Language that could allow remote attackers to execute arbitrary commands on the local system.

      References: CVE-2006-4868 CVE-2007-1749 

      Possible Signature Triggers

      If you observe signature triggers or false positives that should be mentioned in this section, please refer to KB67561 in the McAfee Knowledge Base. https://kc.mcafee.com/corporate/index?page=content&id=KB67561

      MACHINE B is stating IE

      Threat Source Process Name:C:\Program Files\Internet Explorer\iexplore.exe
      Threat Source URL:file:///C:\Program Files\Internet Explorer\iexplore.exe
      Threat Target Host Name:
      Threat Target IPv4 Address:xxx.xxx.xxx.xxx
      Threat Target IP Address:0:0:0:0:0:ffff:c0a8:144
      Threat Target MAC Address:00255651052f
      Threat Target User Name:
      Threat Target Port Number:
      Threat Target Network Protocol:
      Threat Target Process Name:
      Threat Target File Path:
      Event Category:Host intrusion (hip.Illegal_API_Use)
      Event ID:18000
      Threat Severity:Critical
      Threat Name:3776
      Threat Type:bad_parameter
      Action Taken:Permitted
      Threat Handled:false
      Analyzer Detection Method:

      Threat Event Descriptions

      Event Description:Host intrusion detected and handled

      Endpoint Encryption

      No addition information available.

      Host IPS Event Information

      View Host IPS Event Description
      API Name CompatFlagsFromClsid
      Detailed Event Info 10072CEC-8CC1-11D1-986E-00A0C955B42E
      Vulnerability Name Vulnerable ActiveX Control Loading A
      Workstation Name 25JXBK1-E6400
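As a triage aid added here (not code from the post or from McAfee), the Python below parses event dumps in the layout pasted above and pivots on the signature fields (Threat Name, API Name, Detailed Event Info, Vulnerability Name) instead of the host fields, so that a few thousand events collapse to the handful of things the signature actually fired on. The two sample dumps are constructed from the post's events; the host names in them are placeholders.

```python
from collections import Counter

# Fields in the "Host IPS Event Information" block are "Key Value", not "Key:Value".
SPACE_KEYS = ("API Name", "Detailed Event Info", "Vulnerability Name", "Workstation Name")

def parse_event(text):
    """Turn one ePO event dump (the layout pasted in the post) into a dict."""
    fields = {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key = next((k for k in SPACE_KEYS if line.startswith(k + " ")), None)
        if key:
            fields[key] = line[len(key):].strip()
        elif ":" in line:
            key, _, value = line.partition(":")  # first colon only, so
            fields[key.strip()] = value.strip()  # "file:///C:\..." survives
    return fields

def pivot(events):
    """Count events per signature tuple, plus distinct source processes and hosts:
    one tuple spanning many processes/hosts means the parameter is the common factor."""
    sig_keys = ("Threat Name", "API Name", "Detailed Event Info", "Vulnerability Name")
    signatures = Counter(tuple(e.get(k, "") for k in sig_keys) for e in events)
    processes = Counter(e.get("Threat Source Process Name", "") for e in events)
    hosts = {e.get("Workstation Name") or e.get("Threat Target Host Name") for e in events}
    return signatures, processes, hosts

# Constructed sample dumps modelled on the two events in the post; host names
# are placeholders, the signature fields are the ones the post shows.
SAMPLE_EVENTS = [r"""
Threat Source Process Name:C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
Threat Source URL:file:///C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
Threat Target Host Name:HOST-A
Threat Name:3776
API Name CompatFlagsFromClsid
Detailed Event Info 10072CEC-8CC1-11D1-986E-00A0C955B42E
Vulnerability Name Vulnerable ActiveX Control Loading A
Workstation Name HOST-A
""", r"""
Threat Source Process Name:C:\Program Files\Internet Explorer\iexplore.exe
Threat Target Host Name:
Threat Name:3776
API Name CompatFlagsFromClsid
Detailed Event Info 10072CEC-8CC1-11D1-986E-00A0C955B42E
Vulnerability Name Vulnerable ActiveX Control Loading A
Workstation Name HOST-B
"""]

def summarize(dumps=SAMPLE_EVENTS):
    """Parse every dump and return (signature counts, process counts, host set)."""
    return pivot([parse_event(d) for d in dumps])
```

Pasting all of the dashboard's exported events into the list and calling summarize() shows whether they all share signature 3776, CompatFlagsFromClsid and the same CLSID regardless of OS, browser or Outlook version, which is the question the post is asking.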