0 Replies Latest reply on Oct 21, 2014 8:23 AM by dmease729

    6010 (Generic Application Hooking Protection) example using CMD and NETSTAT

    dmease729

      Hi,

       

      This post is for information only, although comments and feedback are welcome. I will be cross-referencing this post in future posts that relate to the operational aspect of HIPS. With signature 6010 enabled (default = disabled) and mapped to a severity with an action of at least Log, the events below are seen in the HipShield.log file on the protected endpoint. Following these events, the event as shown in ePO is also displayed. To create the events, the following actions were taken:

       

      11:55 - cmd.exe opened (Windows menu, cmd, then enter)

      11:56 - netstat -aon ran from command prompt

      11:57 - command prompt closed using exit command

       

      From the events, an exception was created using the menu options available (Actions | New Exception (Host IPS 8.0)).

       

      HIPSHIELD.LOG:


      k10-21 11:55:04.135 Alert: 0x4,4dc Log event matching sig 6010
      10-21 11:55:07 [02504] VIOLATION: [1] ------- Violation  Logged ---- Size 1502 ----
      <Event> <!-- Level=Med, Reaction=Log -->
        <EventData
        SignatureID="6010"
        SignatureName="Generic Application Hooking Protection"
        SeverityLevel="3"
        Reaction="2"
        ProcessUserName="Win7host\Win7"
        Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE"
        IncidentTime="2014-10-21 11:55:04"
        AllowEx="True"
        SigRuleClass="Program"
        ProcessId="904"
        Session="1"
        SigRuleDirective="open_with_create_thread"/>
        <Params>
          <Param name="Workstation Name" allowex="True">WIN7HOST</Param>
          <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
          <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
          <Param name="Executable Description" allowex="False">CONSOLE WINDOW HOST</Param>
          <Param name="Executable Fingerprint" allowex="False">156f20e7a89573c2fd7cbc305dfc181f</Param>
          <Param name="Target File Name" allowex="False">CMD.EXE</Param>
          <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\CMD.EXE</Param>
          <Param name="Target Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
          <Param name="Target Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
          <Param name="Target Description" allowex="False">WINDOWS COMMAND PROCESSOR</Param>
          <Param name="Target Fingerprint" allowex="False">ad7b9c14083b52bc532fba5948342b98</Param>
        </Params>
      </Event>

       

      k10-21 11:56:16.026 Alert: 0x4,4dc Log event matching sig 6010
      10-21 11:56:17 [02504] VIOLATION: [1] ------- Violation  Logged ---- Size 1507 ----
      <Event> <!-- Level=Med, Reaction=Log -->
        <EventData
        SignatureID="6010"
        SignatureName="Generic Application Hooking Protection"
        SeverityLevel="3"
        Reaction="2"
        ProcessUserName="Win7host\Win7"
        Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE"
        IncidentTime="2014-10-21 11:56:16"
        AllowEx="True"
        SigRuleClass="Program"
        ProcessId="904"
        Session="1"
        SigRuleDirective="open_with_create_thread"/>
        <Params>
          <Param name="Workstation Name" allowex="True">WIN7HOST</Param>
          <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
          <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
          <Param name="Executable Description" allowex="False">CONSOLE WINDOW HOST</Param>
          <Param name="Executable Fingerprint" allowex="False">156f20e7a89573c2fd7cbc305dfc181f</Param>
          <Param name="Target File Name" allowex="False">NETSTAT.EXE</Param>
          <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\NETSTAT.EXE</Param>
          <Param name="Target Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
          <Param name="Target Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
          <Param name="Target Description" allowex="False">TCP/IP NETSTAT COMMAND</Param>
          <Param name="Target Fingerprint" allowex="False">32297bb17e6ec700d0fc869f9acaf561</Param>
        </Params>
      </Event>

       

       

      EVENTS IN EPO (attached screenshots):
      01 - Events.JPG
      02 - ePO event 1a.JPG
      02 - ePO event 1b.JPG
      03 - event 2a.JPG
      03 - event 2b.JPG

       

      EXCEPTIONS CREATED USING ACTIONS | NEW EXCEPTION (attached screenshots):
      04 - exceptions summary.JPG
      05 - exception 1.JPG
      06 - exception 2.JPG
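As an added example (not part of the original post, and not McAfee code): a small Python parser for HipShield.log violation records of the shape shown above. It pulls the EventData attributes and the Params out of each <Event> block and lists the process/target pairs that an Actions | New Exception would be keyed on. The sample record is constructed from the first (CONHOST -> CMD) event above, and the choice of Process plus Target Path as the exception key is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: one HipShield.log violation record, values copied from the first
# event in the post. The two log lines before <Event> are kept to show they must be skipped.
SAMPLE_LOG = r"""k10-21 11:55:04.135 Alert: 0x4,4dc Log event matching sig 6010
10-21 11:55:07 [02504] VIOLATION: [1] ------- Violation  Logged ---- Size 1502 ----
<Event> <!-- Level=Med, Reaction=Log -->
  <EventData
  SignatureID="6010"
  SignatureName="Generic Application Hooking Protection"
  SeverityLevel="3"
  Reaction="2"
  ProcessUserName="Win7host\Win7"
  Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE"
  IncidentTime="2014-10-21 11:55:04"
  AllowEx="True"
  SigRuleClass="Program"
  ProcessId="904"
  Session="1"
  SigRuleDirective="open_with_create_thread"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WIN7HOST</Param>
    <Param name="Executable Fingerprint" allowex="False">156f20e7a89573c2fd7cbc305dfc181f</Param>
    <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\CMD.EXE</Param>
    <Param name="Target Fingerprint" allowex="False">ad7b9c14083b52bc532fba5948342b98</Param>
  </Params>
</Event>
"""

# Each violation record is one <Event>...</Event> block; the Alert/VIOLATION lines
# before it are plain text, so only the XML span is handed to the parser.
EVENT_RE = re.compile(r"<Event>.*?</Event>", re.DOTALL)

def parse_hipshield_events(text):
    """Return one dict per <Event>: the EventData attributes plus a 'params' mapping."""
    events = []
    for m in EVENT_RE.finditer(text):
        root = ET.fromstring(m.group(0))          # the XML comment inside <Event> is ignored
        data = dict(root.find("EventData").attrib)
        data["params"] = {p.get("name"): p.text.strip() for p in root.iter("Param")}
        events.append(data)
    return events

def exception_candidates(events):
    """Distinct (hooking process, target path) pairs for sig 6010 events that HIPS marks
    as exceptionable (AllowEx="True"); assumed key for an Actions | New Exception."""
    return sorted({(e["Process"], e["params"]["Target Path"])
                   for e in events
                   if e["SignatureID"] == "6010" and e["AllowEx"] == "True"})
```

Pointing the parser at a full HipShield.log yields one dict per violation, so the same two functions can be used to confirm that an exception created in ePO actually stops further 6010 events for that process/target pair.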