15 Replies. Latest reply on Jun 3, 2013 11:33 AM by inthehills

    Custom Sig - Registry Protection

      Kary,

      I have configured the registry to manage USB devices per company policy and now I am trying to develop a HIP7 Custom Sig to protect those keys.

      I have built a Custom Sig with the following:

      Type - Host IPS
      Severity - High
      Type - Registry
      Operation (checked) - Create / Delete / Modify / Change Permissions
      Include - Registry Key - \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\*

      But this didn't work so I have tried adding:

      Include - Registry Key - \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowedDeviceIDs\
      Include - Registry Key - \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy\

      I can still navigate right to and modify or delete these Registry Keys.

      What am I missing???

      John

        • 1. Re: Custom Sig - Registry Protection
          greatscott

          Are you positive you are blocking highs? Perhaps you could try it as an expert subrule versus the checked options. It would look like this:

          Rule {
          tag indicator 1
          Class Registry
          Id 9999
          level 4
          keys { Include "\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowedDeviceIDs\" "\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy\" }
          directives registry:delete registry:modify registry:create
          }

          Message was edited by: greatscott on 5/30/13 8:54:57 AM CDT
          • 2. Re: Custom Sig - Registry Protection

            GreatScott,

            I am 100% sure that I am blocking highs because I have had a few other (unrelated) events triggered while working on this.

            This is what the Preview looks like with what I currently have configured.

            Rule {
            tag "Registry Protection"
            Class Registry
            Id 9999
            level 4
            keys { Include "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions\*" }
            directives -c -d registry:permissions registry:delete registry:modify registry:create
            }

            But since I posted this an interesting thing happened. An event was actually triggered!!! I think it was GPO cleaning up the registry that it did not think belonged. But the crazy part is that it kept the two Keys (AllowedDeviceIDs & DeniedPolicy) but wiped out the values and data. The event claimed to have blocked the attempted deletion, but it sure does not seem that way to me.

            I know I must be missing something somewhere but I sure can't figure it out. I am going to take the test system offline until I can get the Signature blocking everything so that GPO does not wipe everything out again.

            Any help is GREATLY appreciated.

            • 3. Re: Custom Sig - Registry Protection
              greatscott

              When testing signatures, I sometimes have issues getting the registry class of signatures to fire when working within the registry editor GUI. Meaning, if I create or modify a registry key that I have a signature set to trigger on, it won't trigger. One thing I have learned is that if you use the command line to do your registry edits, you will get the signature to fire. Next time you are testing, use an elevated command prompt and say "reg add hklm_classes_root\the rest of the key here\etc"; it should fire when you do it this way.
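Two practical checks come out of posts 2 and 3 above: a way to notice when the DeviceInstall\Restrictions keys have been emptied behind the signature's back (the GPO wipe John describes), and a repeatable way to confirm the signature fires through reg.exe rather than trusting what regedit shows. The PowerShell below is an added example for those two checks; it is not code from this thread or from McAfee. It uses the HKLM policy path and the AllowedDeviceIDs / DeniedPolicy subkeys exactly as named in the thread; the baseline file location and the probe value name are assumptions. Run it in an elevated PowerShell session on the test system.

```powershell
# Added example (not from this thread or from McAfee): snapshot the
# DeviceInstall\Restrictions policy keys, report drift such as the GPO wipe
# described in post 2, and probe the HIPS signature through reg.exe as
# suggested in post 3. $BaselineFile and the probe value name are assumptions.
$Base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$RegExePath   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$BaselineFile = Join-Path $env:ProgramData 'DeviceInstallRestrictions.baseline.json'

function Get-RestrictionSnapshot {
    # Flatten every value under the base key and its subkeys (AllowedDeviceIDs,
    # DeniedPolicy, ...) into "key::valuename" => data, so a key whose values
    # were cleared shows up as missing entries rather than as an intact key name.
    $keys = [System.Collections.Generic.List[object]]::new()
    $keys.Add((Get-Item -Path $Base -ErrorAction Stop))
    Get-ChildItem -Path $Base -Recurse | ForEach-Object { $keys.Add($_) }
    $snap = @{}
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $snap["$($key.Name)::$name"] = ($key.GetValue($name) -join ';')
        }
    }
    return $snap
}

function Save-RestrictionBaseline {
    # Record the known-good state right after the policy has been applied.
    Get-RestrictionSnapshot | ConvertTo-Json | Set-Content -Path $BaselineFile
}

function Compare-RestrictionBaseline {
    # Return one line per removed, changed or added value; an empty result
    # means the keys still match the baseline.
    $baseline = @{}
    $json = Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json
    foreach ($p in $json.PSObject.Properties) { $baseline[$p.Name] = [string]$p.Value }
    $now   = Get-RestrictionSnapshot
    $drift = @()
    foreach ($k in $baseline.Keys) {
        if (-not $now.ContainsKey($k)) { $drift += "REMOVED $k" }
        elseif ($now[$k] -ne $baseline[$k]) { $drift += "CHANGED $k : '$($baseline[$k])' -> '$($now[$k])'" }
    }
    foreach ($k in $now.Keys) {
        if (-not $baseline.ContainsKey($k)) { $drift += "ADDED   $k" }
    }
    return $drift
}

function Test-RegistrySignature {
    # Try to create a throwaway value with reg.exe, the path post 3 says does
    # reliably hit a Registry class signature. If the signature blocks the
    # write the value never appears; otherwise remove it again and report.
    $probe = 'HipsSigProbe'   # constructed test value name (assumption)
    & reg.exe add $RegExePath /v $probe /t REG_SZ /d 'probe' /f 2>&1 | Out-Null
    $exists = $null -ne (Get-ItemProperty -Path $Base -Name $probe -ErrorAction SilentlyContinue)
    if ($exists) {
        & reg.exe delete $RegExePath /v $probe /f 2>&1 | Out-Null
        return "NOT BLOCKED: reg.exe created $probe under Restrictions; check the signature and the High reaction"
    }
    return "BLOCKED: reg.exe could not create $probe under Restrictions"
}

# Usage: the first run stores the baseline; later runs report drift.
# Re-run Test-RegistrySignature whenever the signature or HIPS version changes.
Test-RegistrySignature
if (Test-Path $BaselineFile) { Compare-RestrictionBaseline } else { Save-RestrictionBaseline }
```

The drift check deliberately compares values rather than key names, because post 2 reports that the two subkeys survived while their values and data were wiped; a check that only confirms the keys exist would have reported everything as fine.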

              • 4. Re: Custom Sig - Registry Protection

                I really need it to fire if a user tries to make changes via regedit or cmd line.

                 

                Do you know what the "-c -d" mean?

                 

                Should the a\b\c\d\Restrictions\* also include protection for the two keys under it?

                • 5. Re: Custom Sig - Registry Protection

                  GreatScott,

                   

                  You are indeed correct it does trigger using the cmd line. What else can I do to protect the Reg Keys from modification or deletion via RegEdit?

                  • 6. Re: Custom Sig - Registry Protection
                    greatscott

                    you may just want to create a signature to prevent users from using regedit.

                    • 7. Re: Custom Sig - Registry Protection

                      It also seems to trigger and block mmc.exe when I try to edit GPO.

                       

                      Kary - Any ideas?

                      • 8. Re: Custom Sig - Registry Protection
                        Kary Tankink
                        "I have configured the registry to manage USB devices per company policy and now I am trying to develop a HIP7 Custom Sig to protect those keys."

                        Per the KB article below, I would not use HIPS for managing USB devices (applies to HIPS 7.0 as well); McAfee DLP is recommended.

                        KB73399 - FAQs for Host Intrusion Prevention 8.0

                        Can I use Host IPS 8.0 to block access to USB devices?
                        Not effectively. It is possible to block access to USB devices utilizing a custom IPS signature with Host IPS 8.x. However, there are current security limitations when using an IPS signature. To efficiently block USB devices, use McAfee Data Loss Prevention.

                        • 9. Re: Custom Sig - Registry Protection
                          Kary Tankink

                          I tested it in HIPS 7.0 and couldn't get it to trigger on regedit.exe (not sure why). I tried it in HIPS 8.0 and it works perfectly.

                          [attachments: _2013-05-31_16-31-36.jpg, reg.jpg]