Forgot How To Do This

[itman 1,659]

@Marcos what is the format to protect a reg. key value via a HIPS rule; e.g. xxxx\Test where Test is a value setting for reg. key xxxx?

[Marcos 5,071]

Do you mean a key under HKCU or under some other hive? If HKCU, you must use a path pointing to the appropriate key under HKU.

[itman 1,659]

13 hours ago, Marcos said:

Do you mean a key under HKCU or under some other hive? If HKCU, you must use a path pointing to the appropriate key under HKU.

I am attempting to create a rule to block modification of RunAsPPL per the below screen shot. I have tried every option; e.g. \*\RunAsPPL ,etc. and nothing seems to work:

 

[itman 1,659]

I should also add my PC has a BIOS and not a UEFI.

On UEFI based systems, Win 8.1+ stores a copy of Lsa RunAsPPL setting in the UEFI and blocks any modification of corresponding registry setting. Such is not the case for BIOS based systems.

Quote

On x86-based or x64-based devices using Secure Boot and UEFI or not

On x86-based or x64-based devices that use Secure Boot or UEFI, a UEFI variable is set in the UEFI firmware when LSA protection is enabled by using the registry key. When the setting is stored in the firmware, the UEFI variable cannot be deleted or changed in the registry key. The UEFI variable must be reset.

x86-based or x64-based devices that do not support UEFI or Secure Boot are disabled, cannot store the configuration for LSA protection in the firmware, and rely solely on the presence of the registry key. In this scenario, it is possible to disable LSA protection by using remote access to the device.

https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

I am wondering if the HIPS has some internal rules in regards to this setting and is in effect, ignoring any user based created rule for it?

[Marcos 5,071]

The path "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\RunAsPPL\" worked for me:

 

[itman 1,659]

Ok. Got it to work using ControlSet001. Thanks for the reply.

What was strange is that this didn't work initially. But by "playing with" subsequent modification attempts, the rule finally "kicked in" and is now detecting either ControlSet001 or ControlSet section RunAsPPL modification attempts. Could HIPS Smart mode be the reason for this strange initial detection behavior?

Edited August 20, 2020 by itman

[Marcos 5,071]

Smart mode just asks when certain registry values are modified. It doesn't affect other custom HIPS rules.

[itman 1,659]

44 minutes ago, Marcos said:

Smart mode just asks when certain registry values are modified. It doesn't affect other custom HIPS rules.

I found out what the issue is in regards to reg. key value settings. It's flaky to say the least.

You have to use the registry editor option presented in the HIPS rule creation process to copy the key name and paste it into the HIPS rule. Then strip off the leading "Computer\" prefix from the key name. Finally add to the key name the value name you wish to monitor. Copying the key name any other way and pasting it into the rule doesn't work; the rule won't detect any value name modification activities.

I just verified the above with another ControlSet001 value that I had previously created and wasn't detecting any modification activities.