3 Replies. Latest reply: Apr 24, 2014 7:50 AM by shakira

    How to use Signer without knowing the entire string

    shakira

      Say you have a piece of a known bad signer. How do you use stars (*) or other ways to only match on a piece of it? I'm having trouble with this and am starting to think it's not possible.

      Testing example:

      Internet Explorer's signer is -

      CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US

      But how do I match on just -

      OU=MOPR


      OU=MOPR* does not work, and you aren't allowed to put a * at the front of the string in the GUI. Maybe an expert rule is the only way if at all?

        • 1. Re: How to use Signer without knowing the entire string
          Kary Tankink

          But how do I match on just -

          OU=MOPR

          I do not believe this is possible.

          • 2. Re: How to use Signer without knowing the entire string
            shakira

            Darn


            Any idea why it doesn't work with wildcards like the rest of the pieces in a rule do? I'm going to double check today with an expert rule.

            • 3. Re: How to use Signer without knowing the entire string
              shakira

              Good news. An expert subrule with stars in the front and back does work! The GUI, however, does not allow you to put a star at the front of the signer string.

              The working rule (also firing on many other Microsoft .exe's, as is to be expected because they share the same cert):

              Rule {
                   tag "ie by signer sub 1"
                   Class Program
                   Id 5809
                   level 3
                   Executable { Include { -sdn "*OU=MOPR*" } }
                   directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
              }

              Event:

              ------------------------------
              04-24 08:44:35 [00408] VIOLATION: [3] ------- Violation ---- Size 1523 ----
              <Event> <!-- Level=Med, Reaction=Log -->
                <EventData
                SignatureID="5809"
                SignatureName="ie by piece of signer"
                SeverityLevel="3"
                Reaction="2"
                ProcessUserName="NT AUTHORITY\SYSTEM"
                Process="C:\WINDOWS\SYSTEM32\SVCHOST.EXE"
                IncidentTime="2014-04-24 08:44:33"
                AllowEx="True"
                SigRuleClass="Program"
                ProcessId="956"
                Session="0"
                SigRuleDirective="open_with_any"/>
                <Params>
                  <Param name="Workstation Name" allowex="True">xxx</Param>
                  <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
                  <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
                  <Param name="Executable Description" allowex="False">HOST PROCESS FOR WINDOWS SERVICES</Param>
                  <Param name="Executable Fingerprint" allowex="False">54a47f6b5e09a77e61649109c6a08866</Param>
                  <Param name="Target File Name" allowex="False">IEXPLORE.EXE</Param>
                  <Param name="Target Path" allowex="False">C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE</Param>
                  <Param name="Target Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
                  <Param name="Target Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
                  <Param name="Target Description" allowex="False">INTERNET EXPLORER</Param>
                  <Param name="Target Fingerprint" allowex="False">c613e69c3b191bb02c7a191741a1d024</Param>
                </Params>
              </Event>

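As an added illustration (not code from the thread or from the product's expert-rule engine), this Python sketch evaluates candidate signer patterns against the distinguished-name parameters of the event posted above. It assumes the rule's `*` behaves like a glob that must cover the whole DN (so a pattern without a leading `*` is anchored at the start) and that comparison is case-insensitive; the narrower `CN=...` pattern is an assumption I add to show how to tighten the match, not something the thread tested.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed inline copy of the <Event> from the thread, trimmed to the
# attributes and Params that matter for signer matching.
EVENT_XML = r"""<Event>
  <EventData SignatureID="5809" SignatureName="ie by piece of signer"
    Process="C:\WINDOWS\SYSTEM32\SVCHOST.EXE" SigRuleClass="Program"
    SigRuleDirective="open_with_any"/>
  <Params>
    <Param name="Subject Distinguished Name">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Target Path">C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE</Param>
    <Param name="Target Distinguished Name">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
  </Params>
</Event>"""


def dn_params(event_xml):
    """Return {param name: value} for every '... Distinguished Name' Param in one event."""
    root = ET.fromstring(event_xml)
    return {p.get("name"): p.text for p in root.iter("Param")
            if p.get("name", "").endswith("Distinguished Name")}


def sdn_matches(pattern, sdn):
    """Assumed semantics of the rule's '*': glob over the whole DN, case-insensitive.
    A pattern with no leading '*' therefore only matches a DN that begins with it."""
    return fnmatchcase(sdn.upper(), pattern.upper())


def evaluate(pattern, event_xml=EVENT_XML):
    """Map each DN parameter of the event to whether the pattern would match it."""
    return {name: sdn_matches(pattern, dn) for name, dn in dn_params(event_xml).items()}


if __name__ == "__main__":
    # "OU=MOPR*" is anchored at the start and matches nothing; "*OU=MOPR*" matches
    # both the process (svchost, CN=MICROSOFT WINDOWS) and the target (iexplore),
    # which is why the rule fires broadly. Anchoring on the CN narrows it to IE's cert.
    for pat in ("OU=MOPR*", "*OU=MOPR*", "CN=MICROSOFT CORPORATION, OU=MOPR*"):
        print(pat, evaluate(pat))
```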