5 Replies Latest reply on May 12, 2015 12:06 PM by c14us

    How to return data from a RegKey? Hips Custom signature

    c14us

      Hi

      I've made some simple rules to log who makes some specific Run and RunOnce RegKeys, and they are very handy (when exceptions are in place).

      But I would really also like to log what the content is in the newly created Key.

      Does anyone have an idea how this data is returned?

      Rule {
        tag "RunOnce"
        Class Registry
        Id -1
        level 3
        values { Include "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\&" "\\REGISTRY\\CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\&" }
        directives registry:create
      }

        • 1. Re: How to return data from a RegKey? Hips Custom signature
          NMaurMcAfee

          Doesn't this already work, the value is "New Data"

          • 2. Re: How to return data from a RegKey? Hips Custom signature
            c14us

            Ahhh, forgot the New Data was in the unformatted, unfriendly and report-wise frustratingly unusable hexadecimal.

            Presume there is no way to configure a HIPS alarm that can convert the hex value to human-friendly text.

            • 3. Re: How to return data from a RegKey? Hips Custom signature
              NMaurMcAfee

              Yup, not sure why they don't convert it automatically rather than displaying the non translated version. BTW doesn't look like you can create hips alarms at the moment anyway (KB77567)

              • 4. Re: How to return data from a RegKey? Hips Custom signature
                shakira

                We came to the conclusion that the data inside reg keys is UTF16. Sometimes it translates out to ASCII well, and sometimes it doesn't. It just depends on what the value is using the data inside it for.

                Here is the logic we use in a python script to auto translate the utf16:

                # Python 2: str.decode('hex') turns the hex text into raw bytes
                def decode_hips_hex(hipshex):
                    if len(hipshex) % 2:          # odd number of hex digits: data was cut off
                        hipshex = hipshex[:-1]    # drop the dangling nibble so decoding works
                    return hipshex.decode('hex').replace('\x00', '')

                The steps are:

                1. Check if the data is even/not cut off early

                2. If it is uneven, throw out the last byte (this avoids errors when decoding takes place)

                3. Replace null bytes with a blank ASCII symbol (remove padding so it doesn't end up translating to something like "H e l l o  w o r l d").

                4. Finally, decode any other bytes left over into ASCII, assuming the base data was hex.

                 

                Looking it over now, a decode('utf16') might have done the job easier.

                If you just want a quick way to see what the HIPS New Data translates to in ASCII, use this page: https://www.branah.com/ascii-converter

                If you want to create a rule that can alert based off of the data inside a registry value, you can use a rule like this:

                Rule {
                  tag "Javascript found in registry value's data"
                  Class Registry
                  Id 4139
                  level 3
                  values { Include "*" }
                  new_data { Include "*6a00610076006100730063007200690070007400*" }
                  directives registry:modify registry:create
                }

                Translate "6a00610076006100730063007200690070007400" via https://www.branah.com/ascii-converter and you'll see that it equals "j a v a s c r i p t". It's very important to leave the null bytes in the rule, as that's what HIPS is looking for. The easier way to determine what the value should be is to make a rule watching you creating or modifying a specific registry value and notice the HIPS New Data that is reported in the event.

                Only modify and create, and possibly delete, work with new_data.

                Lastly, you can specify specific values to look at in the values field. Just replace the star with something like "*\Run\*".

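A Python 3 version of the decoding logic from the post above, together with the reverse step (text to UTF-16LE hex) that produces the value used in the new_data rule, added here as an example and not code from the thread or from McAfee. It decodes the hex as UTF-16LE (the decode('utf16') the poster mentions) instead of stripping every NUL byte, which keeps REG_MULTI_SZ separators visible, and it tolerates the truncated odd-length data the original script guards against. rule_matches assumes that HIPS treats `*` in an Include pattern as a glob wildcard on the hex text; the event data in the demo is constructed.

```python
"""Decode and build McAfee HIPS registry "New Data" hex (Python 3)."""
import fnmatch

# Constructed sample: the hex HIPS reports as New Data when the string
# "javascript" is written to a REG_SZ value (the same hex as the rule above).
SAMPLE_NEW_DATA = "6a00610076006100730063007200690070007400"


def decode_hips_new_data(hipshex: str) -> str:
    """Turn the hex New Data field into readable text.

    Registry strings are UTF-16LE, so each character arrives as two bytes.
    A truncated event can leave an odd number of hex digits or bytes; the
    dangling nibble / half code unit is dropped (as the original script does)
    instead of raising. Trailing NUL terminators and padding are stripped;
    embedded NULs (REG_MULTI_SZ entry separators) are shown as newlines.
    """
    hipshex = "".join(hipshex.split())      # tolerate spaces/line breaks in copied text
    if len(hipshex) % 2:                    # odd hex digit count: data was cut off early
        hipshex = hipshex[:-1]
    raw = bytes.fromhex(hipshex)            # raises ValueError on non-hex input
    if len(raw) % 2:                        # odd byte count: half a UTF-16 code unit
        raw = raw[:-1]
    text = raw.decode("utf-16-le", errors="replace")
    return text.rstrip("\x00").replace("\x00", "\n")


def new_data_hex(text: str) -> str:
    """Hex exactly as HIPS sees it: UTF-16LE with the NUL bytes kept in.

    This is the value to paste between the stars of a new_data Include.
    The match is byte-exact, so "JavaScript" and "javascript" need separate
    patterns; lowercasing the hex does not make the text case-insensitive.
    """
    return text.encode("utf-16-le").hex()


def rule_matches(event_new_data: str, include_pattern: str) -> bool:
    """Emulate a `new_data { Include "<pattern>" }` test against one event.

    Assumption (not stated on the page): `*` is a glob wildcard and the hex
    digits themselves are compared case-insensitively.
    """
    return fnmatch.fnmatchcase(event_new_data.lower(), include_pattern.lower())


if __name__ == "__main__":
    # Constructed events: what a Run value's New Data could look like.
    events = {
        "benign": new_data_hex("C:\\Program Files\\App\\app.exe") + "0000",
        "matches": new_data_hex("javascript:void(0)"),
        "mixed_case": new_data_hex("JavaScript:void(0)"),   # not caught by the rule
        "truncated": SAMPLE_NEW_DATA[:-1],                     # odd nibble count
    }
    pattern = "*" + new_data_hex("javascript") + "*"
    print("rule pattern:", pattern)
    for name, hexdata in events.items():
        hit = rule_matches(hexdata, pattern)
        print(f"{name:10} match={hit!s:5} text={decode_hips_new_data(hexdata)!r}")
```

Run it as a script to see the four constructed events decoded and tested against the rule's pattern; the mixed_case entry is there to show that a new_data pattern only catches the exact byte sequence, so a rule meant to cover case variants needs one Include per variant.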
                • 5. Re: How to return data from a RegKey? Hips Custom signature
                  c14us

                  Thank you for the python script. I was using PowerShell.

                  Much appreciated