Forgot How To Do This


Recommended Posts

  • Administrators

Do you mean a key under HKCU or under some other hive? If HKCU, you must use a path pointing to the appropriate key under HKU.


13 hours ago, Marcos said:

Do you mean a key under HKCU or under some other hive? If HKCU, you must use a path pointing to the appropriate key under HKU.

I am attempting to create a rule to block modification of RunAsPPL per the below screenshot. I have tried every option, e.g. \*\RunAsPPL, etc., and nothing seems to work:

[screenshot: ESET HIPS rule editor, image not available]


I should also add my PC has a BIOS and not a UEFI.

On UEFI based systems, Win 8.1+ stores a copy of Lsa RunAsPPL setting in the UEFI and blocks any modification of corresponding registry setting. Such is not the case for BIOS based systems.

Quote

On x86-based or x64-based devices using Secure Boot and UEFI or not

On x86-based or x64-based devices that use Secure Boot or UEFI, a UEFI variable is set in the UEFI firmware when LSA protection is enabled by using the registry key. When the setting is stored in the firmware, the UEFI variable cannot be deleted or changed in the registry key. The UEFI variable must be reset.

x86-based or x64-based devices that do not support UEFI, or on which Secure Boot is disabled, cannot store the configuration for LSA protection in the firmware, and rely solely on the presence of the registry key. In this scenario, it is possible to disable LSA protection by using remote access to the device.

https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

I am wondering if the HIPS has some internal rules in regards to this setting and is, in effect, ignoring any user-created rule for it?

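The distinction drawn above (firmware-backed LSA protection on UEFI/Secure Boot machines versus registry-only protection on BIOS machines) is easy to check from the defender's side. The following PowerShell script is an added example; it is not from this thread and is not ESET code. It reads RunAsPPL from both CurrentControlSet and the ControlSet001 alias mentioned later in the thread, reports the firmware type, and cross-checks the registry setting against the Wininit startup event that records whether LSASS actually launched as a protected process. The value meanings follow Microsoft's LSA protection documentation; the script assumes it is run elevated on Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example (not from the forum thread or ESET): audit the RunAsPPL setting
# and tell whether it is firmware-backed or registry-only.
# Assumes an elevated PowerShell session on Windows 8.1+ / Server 2012 R2+.

function Get-RunAsPPLState {
    [CmdletBinding()]
    param()

    # The thread reports HIPS detections on both of these paths; on a live system
    # CurrentControlSet is normally a link to ControlSet00N, so both are read.
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        'HKLM:\SYSTEM\ControlSet001\Control\Lsa'
    )

    $registry = foreach ($key in $keys) {
        $value = $null
        if (Test-Path -Path $key) {
            # -ErrorAction SilentlyContinue: a missing value name returns nothing instead of an error
            $item = Get-ItemProperty -Path $key -Name 'RunAsPPL' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [int]$item.RunAsPPL }
        }
        # Meanings per Microsoft's LSA protection documentation:
        # 1 = enabled with UEFI variable, 2 = enabled without UEFI variable (Windows 11 22H2+)
        $state = switch ($value) {
            $null   { 'not set (LSA protection off)' }
            0       { 'disabled' }
            1       { 'enabled, UEFI-locked where firmware supports it' }
            2       { 'enabled, no UEFI lock' }
            default { "unexpected value $value" }
        }
        [pscustomobject]@{ Key = $key; RunAsPPL = $value; State = $state }
    }

    # Firmware type: Windows sets this environment variable to 'UEFI' or 'Legacy'.
    $firmware = if ($env:firmware_type) { $env:firmware_type } else { 'unknown' }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat an exception as "not UEFI".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }

    # Runtime confirmation: Wininit logs event 12 in the System log when LSASS starts protected.
    $wininit = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $lsassProtected = ($null -ne $wininit) -and ($wininit.Message -match 'protected process')

    # As the Microsoft text quoted in the thread says: only UEFI + Secure Boot machines
    # carry the setting in firmware; BIOS machines rely on the registry value alone.
    $firmwareBacked = ($firmware -eq 'UEFI') -and $secureBoot -and
                      ($registry | Where-Object { $_.RunAsPPL -eq 1 })

    [pscustomobject]@{
        FirmwareType        = $firmware
        SecureBoot          = $secureBoot
        Registry            = $registry
        LsassStartedAsPPL   = $lsassProtected
        FirmwareBacked      = [bool]$firmwareBacked
        RegistryOnlyExposure = (-not [bool]$firmwareBacked) -and
                               [bool]($registry | Where-Object { $_.RunAsPPL -ge 1 })
    }
}

# Usage: run once and inspect the report. RegistryOnlyExposure = $true is the
# BIOS-machine case discussed in the thread, where a HIPS rule on the value is
# the only thing standing between an attacker and a silent RunAsPPL change.
$report = Get-RunAsPPLState
$report | Format-List
$report.Registry | Format-Table -AutoSize
```

A system that reports `LsassStartedAsPPL = $false` while the registry says enabled has a mismatch worth investigating: either the machine has not rebooted since the value was set, or something altered the value after boot, which is exactly the modification the HIPS rule in this thread is meant to surface.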

Ok. Got it to work using ControlSet001. Thanks for the reply.

What was strange is that this didn't work initially. But by "playing with" subsequent modification attempts, the rule finally "kicked in" and is now detecting either ControlSet001 or CurrentControlSet RunAsPPL modification attempts. Could HIPS Smart mode be the reason for this strange initial detection behavior?

44 minutes ago, Marcos said:

Smart mode just asks when certain registry values are modified. It doesn't affect other custom HIPS rules.

I found out what the issue is in regards to reg. key value settings. It's flaky to say the least.

You have to use the registry editor option presented in the HIPS rule creation process to copy the key name and paste it into the HIPS rule. Then strip off the leading "Computer\" prefix from the key name. Finally, append to the key name the value name you wish to monitor. Copying the key name any other way and pasting it into the rule doesn't work; the rule won't detect any value-name modification activities.

I just verified the above with another ControlSet001 value that I had previously created and wasn't detecting any modification activities.