0 Replies Latest reply on Oct 21, 2014 10:01 AM by dmease729

    6010 (Generic Application Hooking Protection) example - multiple processes

    dmease729

      Hi,

      This post is for information only, although comments and feedback are welcome.  I will be cross referencing this post in future posts that relate to the operational aspect of HIPS.  This post is related to posts 74385 and 74382.

      With signature 6010 enabled and mapped to a severity with an action of at least log, the events below are seen in the HipShield.log file on the protected endpoint.  There was no explicit action (at least to my knowledge) carried out to create these events, so they look to be 'happening in the background'.  Only specific fields are listed, and will be noted in a future post looking at the operational aspects.

       

      Elements that were the same across all events:

        SignatureID="6010"
        SignatureName="Generic Application Hooking Protection"
        SigRuleDirective="open_with_create_thread"/>

      Further event details:

        Process="C:\WINDOWS\SYSTEM32\SDIAGNHOST.EXE"
        IncidentTime="2014-10-21 13:29:39"
          <Param name="Executable Description" allowex="False">SCRIPTED DIAGNOSTICS NATIVE HOST</Param>
          <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\PING.EXE</Param>
          <Param name="Target Description" allowex="False">TCP/IP PING COMMAND</Param>

        Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE"
        IncidentTime="2014-10-21 13:29:39"
          <Param name="Executable Description" allowex="False">CONSOLE WINDOW HOST</Param>
          <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\PING.EXE</Param>
          <Param name="Target Description" allowex="False">TCP/IP PING COMMAND</Param>

        Process="C:\WINDOWS\SYSTEM32\SDIAGNHOST.EXE"
        IncidentTime="2014-10-21 13:29:39"
          <Param name="Executable Description" allowex="False">SCRIPTED DIAGNOSTICS NATIVE HOST</Param>
          <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\PING.EXE</Param>
          <Param name="Target Description" allowex="False">TCP/IP PING COMMAND</Param>

        Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE"
        IncidentTime="2014-10-21 13:29:39"
          <Param name="Executable Description" allowex="False">CONSOLE WINDOW HOST</Param>
          <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\W32TM.EXE</Param>
          <Param name="Target Description" allowex="False">WINDOWS TIME SERVICE DIAGNOSTIC TOOL</Param>

        Process="C:\WINDOWS\SYSTEM32\SDIAGNHOST.EXE"
        IncidentTime="2014-10-21 13:29:38"
          <Param name="Executable Description" allowex="False">SCRIPTED DIAGNOSTICS NATIVE HOST</Param>
          <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\W32TM.EXE</Param>
          <Param name="Target Description" allowex="False">WINDOWS TIME SERVICE DIAGNOSTIC TOOL</Param>

        Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE"
        IncidentTime="2014-10-21 13:29:33"
          <Param name="Executable Description" allowex="False">CONSOLE WINDOW HOST</Param>
          <Param name="Target Path" allowex="False">C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CVTRES.EXE</Param>
          <Param name="Target Description" allowex="False">MICROSOFT® RESOURCE FILE TO COFF OBJECT CONVERSION UTILITY</Param>

        Process="C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CSC.EXE"
        IncidentTime="2014-10-21 13:29:33"
          <Param name="Executable Description" allowex="False">VISUAL C# COMMAND LINE COMPILER</Param>
          <Param name="Target Path" allowex="False">C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CVTRES.EXE</Param>
          <Param name="Target Description" allowex="False">MICROSOFT® RESOURCE FILE TO COFF OBJECT CONVERSION UTILITY</Param>

        Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE"
        IncidentTime="2014-10-21 13:29:33"
          <Param name="Executable Description" allowex="False">CONSOLE WINDOW HOST</Param>
          <Param name="Target Path" allowex="False">C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CSC.EXE</Param>
          <Param name="Target Description" allowex="False">VISUAL C# COMMAND LINE COMPILER</Param>

        Process="C:\WINDOWS\SYSTEM32\SDIAGNHOST.EXE"
        IncidentTime="2014-10-21 13:29:33"
          <Param name="Executable Description" allowex="False">SCRIPTED DIAGNOSTICS NATIVE HOST</Param>
          <Param name="Target Path" allowex="False">C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CSC.EXE</Param>
          <Param name="Target Description" allowex="False">VISUAL C# COMMAND LINE COMPILER</Param>

      13:29:33, CONHOST.EXE, CVTRES.EXE
      13:29:33, CSC.EXE, CVTRES.EXE
      13:29:32, CONHOST.EXE, CSC.EXE
      13:29:32, SDIAGNHOST.EXE, CSC.EXE
      13:29:30, CONHOST.EXE, CVTRES.EXE
      13:29:30, CSC.EXE, CVTRES.EXE
      13:29:30, CONHOST.EXE, CSC.EXE
      13:29:30, SDIAGNHOST.EXE, CSC.EXE

      Seemed to start with:

      12:36:46, SVCHOST.EXE, RUNDLL32.EXE
      13:28:54, SVCHOST.EXE, MOBSYNC.EXE

      and finished shortly after 13:29.
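Reducing a run of 6010 events to the "time, process, target" summary lines the post ends with is the kind of thing worth scripting before looking at the operational side. The Python below is an added example, not code from dmease729's post or from the HIPS product. It assumes each record is wrapped in an `<Event ...>` element carrying the `SignatureID`, `SigRuleDirective`, `Process` and `IncidentTime` attributes and containing the `<Param>` children quoted above; that wrapper, the sample records (constructed from the post's fragments, including one record with a placeholder signature ID so the filter has something to drop), and the function names `parse_events`, `summarize`, `pair_counts` and `time_window` are all mine.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample records modelled on the fragments quoted in the post.
# The <Event> wrapper is an assumption; attribute and <Param> names are the
# ones the post shows. The stray "</Param >" mirrors what the post pasted.
# The last record uses a placeholder SignatureID ("0000") purely so the
# 6010 filter has a record to exclude.
SAMPLE_LOG = r'''
<Event SignatureID="6010" SignatureName="Generic Application Hooking Protection" SigRuleDirective="open_with_create_thread" Process="C:\WINDOWS\SYSTEM32\SDIAGNHOST.EXE" IncidentTime="2014-10-21 13:29:39">
  <Param name="Executable Description" allowex="False">SCRIPTED DIAGNOSTICS NATIVE HOST</Param>
  <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\PING.EXE</Param>
  <Param name="Target Description" allowex="False">TCP/IP PING COMMAND</Param>
</Event>
<Event SignatureID="6010" SignatureName="Generic Application Hooking Protection" SigRuleDirective="open_with_create_thread" Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE" IncidentTime="2014-10-21 13:29:39">
  <Param name="Executable Description" allowex="False">CONSOLE WINDOW HOST</Param>
  <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\PING.EXE</Param>
</Event>
<Event SignatureID="6010" SignatureName="Generic Application Hooking Protection" SigRuleDirective="open_with_create_thread" Process="C:\WINDOWS\SYSTEM32\CONHOST.EXE" IncidentTime="2014-10-21 13:29:33">
  <Param name="Target Path" allowex="False">C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CVTRES.EXE</Param >
</Event>
<Event SignatureID="6010" SignatureName="Generic Application Hooking Protection" SigRuleDirective="open_with_create_thread" Process="C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CSC.EXE" IncidentTime="2014-10-21 13:29:33">
  <Param name="Target Path" allowex="False">C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CVTRES.EXE</Param>
</Event>
<Event SignatureID="6010" SignatureName="Generic Application Hooking Protection" SigRuleDirective="open_with_create_thread" Process="C:\WINDOWS\SYSTEM32\SDIAGNHOST.EXE" IncidentTime="2014-10-21 13:29:33">
  <Param name="Target Path" allowex="False">C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CSC.EXE</Param>
</Event>
<Event SignatureID="0000" SignatureName="PLACEHOLDER OTHER SIGNATURE" Process="C:\WINDOWS\SYSTEM32\SVCHOST.EXE" IncidentTime="2014-10-21 13:28:54">
  <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\MOBSYNC.EXE</Param>
</Event>
'''

EVENT_RE = re.compile(r"<Event\b(?P<attrs>[^>]*)>(?P<body>.*?)</Event>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# "\s*" before ">" tolerates the "</Param >" variant seen in the pasted log.
PARAM_RE = re.compile(r'<Param name="([^"]+)"[^>]*>(.*?)</Param\s*>', re.DOTALL)


def basename(win_path: str) -> str:
    """Last component of a Windows path (the post's summary uses image names only)."""
    return win_path.rsplit("\\", 1)[-1]


def parse_events(text: str) -> List[Dict[str, str]]:
    """Pull the fields the post cares about out of every <Event> record."""
    events = []
    for m in EVENT_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        params = {name: value.strip() for name, value in PARAM_RE.findall(m.group("body"))}
        events.append({
            "signature_id": attrs.get("SignatureID", ""),
            "directive": attrs.get("SigRuleDirective", ""),
            "time": attrs.get("IncidentTime", ""),
            "process": attrs.get("Process", ""),
            "target": params.get("Target Path", ""),
            "target_desc": params.get("Target Description", ""),
        })
    return events


def summarize(events: List[Dict[str, str]], signature_id: str = "6010") -> List[Tuple[str, str, str]]:
    """(HH:MM:SS, process image, target image) rows, newest first, like the post's summary."""
    rows = [(e["time"].split(" ")[-1], basename(e["process"]), basename(e["target"]))
            for e in events if e["signature_id"] == signature_id]
    return sorted(rows, reverse=True)


def pair_counts(events: List[Dict[str, str]], signature_id: str = "6010") -> Counter:
    """How often each (process -> target) pair fired; useful for spotting the background noise."""
    return Counter((basename(e["process"]), basename(e["target"]))
                   for e in events if e["signature_id"] == signature_id)


def time_window(events: List[Dict[str, str]], signature_id: str = "6010") -> Optional[Tuple[str, str]]:
    """Earliest and latest IncidentTime for the signature, or None if it never fired."""
    times = sorted(e["time"] for e in events if e["signature_id"] == signature_id)
    return (times[0], times[-1]) if times else None


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for t, proc, tgt in summarize(evs):
        print(f"{t}, {proc}, {tgt}")
    print("window:", time_window(evs))
    for (proc, tgt), n in pair_counts(evs).most_common():
        print(f"{n}x {proc} -> {tgt}")
```

On a real HipShield.log the same functions work on the file contents read as text; `pair_counts` is the quick way to separate pairs that recur every few seconds (the diagnostics host driving csc/cvtres/ping here) from a one-off pair that deserves a closer look.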