3 Replies Latest reply on Feb 18, 2014 3:56 PM by shakira

    Understanding the Hook class for custom rules

    shakira

      Anyone have any information on writing rules for the hook class? I'm trying to understand exactly what it does and the documentation is incredibly brief for it. A thorough explanation would help!


      What is the easiest way to get it to fire? What kernel call/s is it looking for? Is it user and kernel hooking? What is an example rule and scenario? Any info would help!

        • 1. Re: Understanding the Hook class for custom rules
          shakira

          Hmm no one has an answer?

          • 2. Re: Understanding the Hook class for custom rules
            shakira

            Is there anything more that can be done for the hook class than "on/off" as seen below?

            Rule {
                Class Hook
                Id xxx
                level x
                application { Include "*" }
                directives -c -d hook:set_windows_hook
            }


            I guess I'm wondering if there are more directives to leverage, and what -c and -d mean? Anything more that can be done with hooks?

            • 3. Re: Understanding the Hook class for custom rules
              shakira

              After some testing it looks as though the Hook rule is nothing but the directive "program:open_with_create_thread" for the Program class. It is also extremely loud as it's basically using stars for app and target. No wonder McAfee didn't do anything with it yet:


              02-18 16:48:45 [00368] VIOLATION: [1] ------- Violation  Logged ---- Size 1512 ----
              <Event> <!-- Level=Med, Reaction=Log -->
                <EventData
                SignatureID="6010"
                SignatureName="Generic Application Hooking Protection"
                SeverityLevel="3"
                Reaction="2"
                ProcessUserName="NT AUTHORITY\SYSTEM"
                Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE"
                IncidentTime=""
                AllowEx="True"
                SigRuleClass="Program"
                ProcessId="2892"
                Session="0"
                SigRuleDirective="open_with_create_thread"/>
                <Params>
                  <Param name="Workstation Name" allowex="True"></Param>
                  <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
                  <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
                  <Param name="Executable Description" allowex="False">CONSOLE WINDOW HOST</Param>
                  <Param name="Executable Fingerprint" allowex="False">156f20e7a89573c2fd7cbc305dfc181f</Param>
                  <Param name="Target File Name" allowex="False">PING.EXE</Param>
                  <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\PING.EXE</Param>
                  <Param name="Target Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
                  <Param name="Target Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
                  <Param name="Target Description" allowex="False">TCP/IP PING COMMAND</Param>
                  <Param name="Target Fingerprint" allowex="False">6242e3d67787ccbf4e06ad2982853144</Param>
                </Params>
              </Event>


              Message was edited by: shakira on 2/18/14 3:56:45 PM CST
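As an added example (not from the thread or from McAfee), a small Python script that pulls violation records like the one above out of a HIPS activity log and tallies which process/target pairs tripped signature 6010 with the open_with_create_thread directive; that tally is what you need before replacing the "*" wildcards in the application and target sections with specific executables. The log sample is constructed: record [1] is the event above trimmed to the attributes used here, record [2] is a made-up variant.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of a HIPS activity log. Record [1] is the event from the post
# above, trimmed to the attributes used here; record [2] is a made-up variant.
SAMPLE_LOG = r"""
02-18 16:48:45 [00368] VIOLATION: [1] ------- Violation  Logged ---- Size 1512 ----
<Event> <!-- Level=Med, Reaction=Log -->
  <EventData SignatureID="6010" SignatureName="Generic Application Hooking Protection"
   Reaction="2" Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE" SigRuleClass="Program"
   ProcessId="2892" SigRuleDirective="open_with_create_thread"/>
  <Params><Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\PING.EXE</Param></Params>
</Event>
02-18 16:49:02 [00368] VIOLATION: [2] ------- Violation  Logged ---- Size 1490 ----
<Event> <!-- Level=Med, Reaction=Log -->
  <EventData SignatureID="6010" SignatureName="Generic Application Hooking Protection"
   Reaction="2" Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE" SigRuleClass="Program"
   ProcessId="3104" SigRuleDirective="open_with_create_thread"/>
  <Params><Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\IPCONFIG.EXE</Param></Params>
</Event>
"""

EVENT_RE = re.compile(r"<Event>.*?</Event>", re.S)  # one record per <Event> element

def parse_violations(log_text):
    """Pull each <Event> out of the log (skipping the VIOLATION header lines)."""
    events = []
    for block in EVENT_RE.findall(log_text):
        root = ET.fromstring(block)
        data = root.find("EventData").attrib
        params = {p.get("name"): (p.text or "") for p in root.iter("Param")}
        events.append({
            "signature": data.get("SignatureID"),
            "directive": data.get("SigRuleDirective"),
            "process": data.get("Process", "").upper(),
            "target": params.get("Target Path", "").upper(),
        })
    return events

def hook_pairs(events, signature="6010"):
    """Count (process, target) pairs that tripped the hooking signature."""
    return Counter((e["process"], e["target"]) for e in events
                   if e["signature"] == signature
                   and e["directive"] == "open_with_create_thread")

if __name__ == "__main__":
    for (proc, target), n in hook_pairs(parse_violations(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {proc} -> {target}")
```

Point it at a real activity log instead of SAMPLE_LOG and the most_common() output is the list of pairs to either exclude individually or to use when narrowing the rule's application and target sections.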