5 Replies Latest reply: Jan 17, 2014 9:13 AM by shakira

    Custom HIPS rule to deny creation of Reg Key

    c14us

      I’m aiming to deny creation of a registry key [HKCU\Software\CryptoLocker]

      But I can only get it to respond to registry deletion of the key, with the below code. It will not deny the creation of the key.

      I've tried dozens of variations, but have not succeeded in getting the correct setup.

      Hope someone can help me.

      Regards

      Claus

      Rule {
          tag "CryptoLocker Registry Protection 3 test"
          Class Registry
          Id 4005
          level 4
          keys { Include "\\REGISTRY\\CURRENT_USER\\*\\CryptoLocker" }
          directives registry:permissions registry:delete registry:modify registry:create
      }