0 Replies Latest reply on Oct 21, 2014 9:11 AM by dmease729

6010 (Generic Application Hooking Protection) example - svchost.exe and dllhost.exe

dmease729

Hi,

This post is for information only, although comments and feedback are welcome.  I will be cross-referencing this post in future posts that relate to the operational aspect of HIPS.

With signature 6010 enabled and mapped to a severity with an action of at least log, the events below are seen in the HipShield.log file on the protected endpoint.  There is no explicit action carried out to create these events, so they look to be 'happening in the background', and there doesn't appear to be any pattern to them.  An example event is listed, followed by a list of recent times the event has been seen in the HipShield.log file on the protected endpoint.

From the events, an exception was created using the menu options available (Actions | New Exception (Host IPS 8.0)).

HIPSHIELD.LOG:

10-21 13:44:07.941 Alert: 0x4,700 Log event matching sig 6010
10-21 13:44:10 [02504] VIOLATION: [1] ------- Violation  Logged ---- Size 1512 ----
<Event> <!-- Level=Med, Reaction=Log -->
  <EventData
  SignatureID="6010"
  SignatureName="Generic Application Hooking Protection"
  SeverityLevel="3"
  Reaction="2"
  ProcessUserName="Win7host\Win7"
  Process="C:\WINDOWS\SYSTEM32\SVCHOST.EXE"
  IncidentTime="2014-10-21 13:44:08"
  AllowEx="True"
  SigRuleClass="Program"
  ProcessId="708"
  Session="1"
  SigRuleDirective="open_with_create_thread"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WIN7HOST</Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">HOST PROCESS FOR WINDOWS SERVICES</Param>
    <Param name="Executable Fingerprint" allowex="False">54a47f6b5e09a77e61649109c6a08866</Param>
    <Param name="Target File Name" allowex="False">DLLHOST.EXE</Param>
    <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\DLLHOST.EXE</Param>
    <Param name="Target Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Target Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Target Description" allowex="False">COM SURROGATE</Param>
    <Param name="Target Fingerprint" allowex="False">a63dc5c2ea944e6657203e0c8edeaf61</Param>
  </Params>
</Event>

Similar events also seen at:

13:40:24, 13:32:31, 13:30:00, 13:29:26, 12:32:37, 11:59:49, 11:53:31, 11:52:59,
11:51:37, 11:51:19, 11:31:53, 11:31:00, 11:28:37, 11:28:21, 11:27:48, 11:27:11,
11:27:06, 11:26:33, 11:25:26, 11:25:14, 11:16:40, 11:01:18, 11:00:58, 10:59:35,
10:59:15, 10:58:53, 10:49:07, 10:43:12, 10:22:15
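As an added example (not part of the original post, and not McAfee's own tooling): a small Python script that pulls the <Event> XML blocks out of HipShield.log text in the layout shown above, flattens each one to a dict, and tallies process/directive/target triples so a recurring pairing such as svchost.exe -> dllhost.exe can be reviewed once before an exception is written. The sample log is constructed from the event above with its field list shortened; reading allowex="True" as "usable in an exception" is an assumption, not something the post states.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the HipShield.log layout quoted in the post; attribute and Param lists shortened.
SAMPLE_LOG = r"""
10-21 13:44:10 [02504] VIOLATION: [1] ------- Violation  Logged ---- Size 1512 ----
<Event> <!-- Level=Med, Reaction=Log -->
  <EventData
  SignatureID="6010"
  Process="C:\WINDOWS\SYSTEM32\SVCHOST.EXE"
  AllowEx="True"
  SigRuleDirective="open_with_create_thread"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WIN7HOST</Param>
    <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\DLLHOST.EXE</Param>
    <Param name="Target Fingerprint" allowex="False">a63dc5c2ea944e6657203e0c8edeaf61</Param>
  </Params>
</Event>
"""

EVENT_RE = re.compile(r"<Event>.*?</Event>", re.S)

def parse_events(log_text):
    """Pull every <Event> XML block out of the log and flatten it to one dict:
    EventData attributes plus one key per <Param name="...">."""
    events = []
    for match in EVENT_RE.finditer(log_text):
        root = ET.fromstring(match.group(0))
        record = dict(root.find("EventData").attrib)
        record["_allowex"] = []  # Param names the log marks allowex="True"
        for param in root.iter("Param"):
            record[param.get("name")] = param.text
            if param.get("allowex") == "True":
                record["_allowex"].append(param.get("name"))
        events.append(record)
    return events

def exception_fields(event):
    # allowex="True" is assumed (not confirmed by the post) to mean the field
    # may be used in a HIPS exception; in the sample only Workstation Name qualifies.
    return event["_allowex"]

def summarize(events):
    """Count (process, directive, target) triples so a recurring pairing such as
    svchost.exe -> dllhost.exe is reviewed once rather than event by event."""
    counts = {}
    for e in events:
        key = (e["Process"].lower(), e["SigRuleDirective"], e.get("Target Path", "").lower())
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Feed the whole HipShield.log file to parse_events() and the summary shows how many of the background 6010 hits share the same source and target; the Target Fingerprint values are what let you confirm the target is the expected binary rather than something else using its name.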

EXAMPLE EVENT IN EPO:

[Screenshot: 01 - ePO event 1a.JPG]
[Screenshot: 01 - ePO event 1b.JPG]

EXCEPTIONS CREATED USING ACTIONS | NEW EXCEPTION:

[Screenshot: 02 - exception.JPG]