Those of you who are aware of Open Indicators of Compromise (OpenIOC) might be able to answer this.
I was wondering if you have done any experiments replicating the IOC framework within custom HIPS signatures, or whether it's even possible to get the same level of detail that the OpenIOC provides.
I've included an example screenshot of how you configure it within OpenIOC to spot a Zeus infection. Any suggestions on writing rules like this in HIPS would be most welcome.
I also added one from STUXNET (top one).
Message was edited by: mrwh1t3 on 10/3/12 8:57:33 PM CDT
I believe I found the answer to my question (sort of). I don't believe it can be fully duplicated within HBSS, but I think using Policy Auditor and creating custom checks will give you an 80% - 90% solution.
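To make the comparison in this thread concrete, below is an added example (not part of the original post, and not McAfee, HBSS or Mandiant code) that parses an OpenIOC 1.0 definition and evaluates its nested AND/OR indicator logic against a set of host observations. The indicator values, ids and the host observations are constructed placeholders, not real Zeus or Stuxnet indicators; the schema namespace, element names and `condition`/`search` attributes are the real OpenIOC 1.0 ones. The `flatten_checks` function shows the part that maps easily onto individual HIPS or Policy Auditor custom checks (each atomic item), while `matches_host` shows the part a flat list of checks loses: the Boolean tree that ties them together.

```python
import xml.etree.ElementTree as ET

# OpenIOC 1.0 namespace (real schema URI).
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample OpenIOC document. File, registry and process values are
# placeholders chosen for illustration; they are not real malware indicators.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-0000-0000-000000000001" last-modified="2012-10-01T00:00:00">
  <short_description>Constructed example: banking-trojan style indicator</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">example_dropper.exe</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="item-2" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">CurrentVersion\\Run</Content>
        </IndicatorItem>
        <IndicatorItem id="item-3" condition="is">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">example_injected.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def load_ioc(xml_text):
    """Return the top-level <Indicator> element of an OpenIOC document."""
    root = ET.fromstring(xml_text)
    definition = root.find("ioc:definition", NS)
    return definition.find("ioc:Indicator", NS)


def _local(tag):
    """Strip the namespace from an element tag ('{ns}Indicator' -> 'Indicator')."""
    return tag.split("}")[-1]


def _item_matches(item, observations):
    """Evaluate one <IndicatorItem> against observed host values.

    observations maps an OpenIOC search term (e.g. 'FileItem/FileName') to the
    list of values actually seen on the host. Comparisons are case-insensitive,
    which is the usual expectation for Windows paths and names.
    """
    search = item.find("ioc:Context", NS).get("search")
    want = (item.find("ioc:Content", NS).text or "").lower()
    cond = item.get("condition")
    observed = [v.lower() for v in observations.get(search, [])]
    if cond == "is":
        return any(v == want for v in observed)
    if cond == "contains":
        return any(want in v for v in observed)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(indicator, observations):
    """Recursively evaluate an <Indicator> node with its AND/OR operator."""
    results = []
    for child in indicator:
        tag = _local(child.tag)
        if tag == "IndicatorItem":
            results.append(_item_matches(child, observations))
        elif tag == "Indicator":
            results.append(evaluate(child, observations))
    if indicator.get("operator", "OR").upper() == "AND":
        return bool(results) and all(results)
    return any(results)


def matches_host(xml_text, observations):
    """True if the whole OpenIOC definition matches the given host observations."""
    return evaluate(load_ioc(xml_text), observations)


def flatten_checks(xml_text):
    """List every atomic (search, condition, content) check in the definition.

    This is roughly what becomes one custom HIPS signature or Policy Auditor
    check each; the Boolean nesting that evaluate() honours is what is lost.
    """
    checks = []

    def walk(node):
        for child in node:
            tag = _local(child.tag)
            if tag == "IndicatorItem":
                checks.append((child.find("ioc:Context", NS).get("search"),
                               child.get("condition"),
                               child.find("ioc:Content", NS).text))
            elif tag == "Indicator":
                walk(child)

    walk(load_ioc(xml_text))
    return checks


if __name__ == "__main__":
    # Constructed host observations: only the registry key is present, so the
    # AND branch is incomplete and the definition does not match.
    partial = {"RegistryItem/Path": [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\x"]}
    print("partial host matches:", matches_host(SAMPLE_IOC, partial))
    print("atomic checks:", flatten_checks(SAMPLE_IOC))
```

The design point for the question in this thread: each tuple returned by `flatten_checks` is straightforward to express as a standalone check, but alerting only when the registry item and the process name occur together (the inner AND) requires the evaluator, which is why a flat set of per-item checks approximates rather than duplicates the OpenIOC logic.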