1 Reply Latest reply on Oct 15, 2015 1:27 PM by shakira

    Create custom rule from system events (in this case specific event ID 4688)

    c14us

      Hi


      Has anyone experience with reverse-creating HIPS expert rules from MS Events?


      In this scenario regedit.exe is opened with a UAC prompt, showing MS event ID 4688 (TokenElevationTypeLimited (3), aka access granted) and a Process Monitor read-out at the same time.


      What I intend to do is log every TokenElevationTypeLimited (3) event for executables. Can anyone help?
      I presume it can be done by making a HIPS custom rule for logging the (FILE LOCKED WITH ONLY READERS) seen in the Process Monitor. It's a CreateFileMapping object (https://msdn.microsoft.com/en-us/library/aa366537(v=vs.85).aspx).


      It's a bit difficult to make an alarm based on data from Process Monitor. Any help will be appreciated.
      The problems testing this scenario are: what HIPS alarms correlate to CreateFileMapping? And then, is there a parameter in the HIPS expert rules for detecting "FILE LOCKED WITH ONLY READERS"?


      Event log and Process Monitor log:


      MS Security Event 4688

      A new process has been created.

      Subject:
      Security ID:  PWCDK\DKCLB
      Account Name:  dkclb
      Account Domain:  PWCDK
      Logon ID:  0xa6192

      Process Information:
      New Process ID:  0x2854
      New Process Name: C:\Windows\regedit.exe
      Token Elevation Type: TokenElevationTypeLimited (3)
      Creator Process ID: 0x156c
      Process Command Line:


      <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
        <System>
          <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
          <EventID>4688</EventID>
          <Version>1</Version>
          <Level>0</Level>
          <Task>13312</Task>
          <Opcode>0</Opcode>
          <Keywords>0x8020000000000000</Keywords>
          <TimeCreated SystemTime="2015-09-30T10:44:01.423252000Z" />
          <EventRecordID>7535999</EventRecordID>
          <Correlation />
          <Execution ProcessID="4" ThreadID="84" />
          <Channel>Security</Channel>
          <Computer>X240-PF00YDTX.dk.ema.ad.pwcinternal.com</Computer>
          <Security />
        </System>
        <EventData>
          <Data Name="SubjectUserSid">S-1-5-21-1779530495-94190729-1823309332-29370</Data>
          <Data Name="SubjectUserName">dkclb</Data>
          <Data Name="SubjectDomainName">PWCDK</Data>
          <Data Name="SubjectLogonId">0xa6192</Data>
          <Data Name="NewProcessId">0x2854</Data>
          <Data Name="NewProcessName">C:\Windows\regedit.exe</Data>
          <Data Name="TokenElevationType">%%1938</Data>
          <Data Name="ProcessId">0x156c</Data>
          <Data Name="CommandLine" />
        </EventData>
      </Event>


      Process Monitor

      12:44:01,4228198 Explorer.EXE 5484 CreateFile C:\Users\DKCLB SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
      12:44:01,4228856 Explorer.EXE 5484 QueryBasicInformationFile C:\Users\DKCLB SUCCESS CreationTime: 16-12-2014 13:46:35, LastAccessTime: 30-09-2015 12:18:03, LastWriteTime: 30-09-2015 12:18:03, ChangeTime: 30-09-2015 12:18:03, FileAttributes: D
      12:44:01,4229107 Explorer.EXE 5484 CloseFile C:\Users\DKCLB SUCCESS
      12:44:01,4230627 Explorer.EXE 5484 CreateFile C:\Windows\regedit.exe SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
      12:44:01,4235105 Explorer.EXE 5484 CreateFileMapping C:\Windows\regedit.exe FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection:
      12:44:01,4236246 Explorer.EXE 5484 CreateFileMapping C:\Windows\regedit.exe SUCCESS SyncType: SyncTypeOther
      12:44:01,4237173 Explorer.EXE 5484 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe NAME NOT FOUND Desired Access: Query Value, Enumerate Sub Keys
      12:44:01,4238006 Explorer.EXE 5484 QuerySecurityFile C:\Windows\regedit.exe SUCCESS Information: Label
      12:44:01,4238538 Explorer.EXE 5484 QueryNameInformationFile C:\Windows\regedit.exe SUCCESS Name: \Windows\regedit.exe
      12:44:01,4244939 Explorer.EXE 5484 RegOpenKey HKLM\SOFTWARE\Microsoft\AppV\Client\RunVirtual\ SUCCESS Desired Access: All Access
      12:44:01,4245726 Explorer.EXE 5484 RegOpenKey HKLM\SOFTWARE\Microsoft\AppV\Client\RunVirtual\regedit.exe NAME NOT FOUND Desired Access: All Access
      12:44:01,4246327 Explorer.EXE 5484 RegCloseKey HKLM\SOFTWARE\Microsoft\AppV\Client\RunVirtual SUCCESS
      12:44:01,4247429 Explorer.EXE 5484 Process Create C:\WINDOWS\regedit.exe SUCCESS PID: 10324, Command line: "C:\WINDOWS\regedit.exe"
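Since the stated goal is to log every TokenElevationTypeLimited (3) process creation for executables, here is an added example (not from the original post and not a HIPS rule) that parses the 4688 event XML shown above, maps the %%19xx resource IDs to the elevation-type names Event Viewer renders, and flags limited-token .exe launches. The sample event is a trimmed copy of the one in the post; the %%1936/%%1937 mappings are the standard Windows values.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Resource-string IDs Windows writes into the TokenElevationType field of
# event 4688, and the names Event Viewer renders them as.
TOKEN_ELEVATION_TYPES = {
    "%%1936": "TokenElevationTypeDefault (1)",
    "%%1937": "TokenElevationTypeFull (2)",
    "%%1938": "TokenElevationTypeLimited (3)",
}

# Constructed sample: a trimmed copy of the 4688 event quoted in the post.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4688</EventID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserName">dkclb</Data>
    <Data Name="SubjectDomainName">PWCDK</Data>
    <Data Name="NewProcessId">0x2854</Data>
    <Data Name="NewProcessName">C:\\Windows\\regedit.exe</Data>
    <Data Name="TokenElevationType">%%1938</Data>
    <Data Name="ProcessId">0x156c</Data>
    <Data Name="CommandLine" />
  </EventData>
</Event>"""


def parse_4688(xml_text):
    """Return the fields a detection cares about, or None if this is not a 4688."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    raw = data.get("TokenElevationType", "")
    return {
        "user": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "new_process": data.get("NewProcessName", ""),
        "new_pid": int(data.get("NewProcessId", "0"), 16),      # 0x2854 -> 10324, the procmon PID
        "creator_pid": int(data.get("ProcessId", "0"), 16),
        "elevation": TOKEN_ELEVATION_TYPES.get(raw, raw),
    }


def is_limited_exe_launch(event):
    """True when an .exe was started with a limited (UAC-filtered) token, i.e. %%1938."""
    return (event is not None
            and event["elevation"].startswith("TokenElevationTypeLimited")
            and event["new_process"].lower().endswith(".exe"))
```

The hex NewProcessId decodes to 10324, the same PID the Process Monitor "Process Create" line reports, which is the join key between the two logs.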

        • 1. Re: Create custom rule from system events (in this case specific event ID 4688)
          shakira

          The quick answer to your question is no, you cannot make HIPS look for the specific things you want to look at. HIPS is limited to the directives/check boxes (run, create, delete, etc.), and a parameter which is usually the name of a file/directory/process/reg key or value. That said, a "file - create" rule might catch "CreateFileMapping", but there will be no way to determine if it was "FILE LOCKED WITH ONLY READERS".


          The longer answer is that yes you can use procmon to determine what rules you can write for HIPS. You can start by filtering on everything that is a Create, Delete, Open, Write, Read access type. Those can be the basis for the directives and parameters you use to write a HIPS rule with.


          Good examples of rules you can make from your procmon data:

          12:44:01,4228198 Explorer.EXE 5484 CreateFile C:\Users\DKCLB SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened

          12:44:01,4230627 Explorer.EXE 5484 CreateFile C:\Windows\regedit.exe SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened

          12:44:01,4244939 Explorer.EXE 5484 RegOpenKey HKLM\SOFTWARE\Microsoft\AppV\Client\RunVirtual\ SUCCESS Desired Access: All Access

          12:44:01,4245726 Explorer.EXE 5484 RegOpenKey HKLM\SOFTWARE\Microsoft\AppV\Client\RunVirtual\regedit.exe NAME NOT FOUND Desired Access: All Access

          12:44:01,4247429 Explorer.EXE 5484 Process Create C:\WINDOWS\regedit.exe SUCCESS PID: 10324, Command line: "C:\WINDOWS\regedit.exe"

          Sometimes you can even get lucky and a certain directive will catch on something that doesn't totally make sense at first. For instance, the file create directive will trigger on any DLL load event. The process needs to create a handle to the DLL to do that after all, doesn't it?


          Practically speaking, you're going to need to find a unique event HIPS can trigger on in your procmon logs. Else you'll be reduced to watching explorer.exe running regedit as an alert. This said, you probably won't find something that is 100% true positive/high fidelity with this product.