Eset in its online HIPS documentation states it can monitor registry key additions. Problem is I have tried repeatedly to create a rule to do so and it does work.

For example, a HIPS rule monitoring all registry changes for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\* doesn't stop a new registry key from being created there.

2 hours ago, Marcos said:

Creation of a registry key does not pose any risk.

You're kidding here I hope.

Here's a nasty one - Snatch ransomware:

Quoted from the linked Sophos article:

The ransomware installs itself as a Windows service called SuperBackupMan. The service description text, “This service make backup copy every day,” might help camouflage this entry in the Services list, but there’s no time to look. This registry key is set immediately before the machine starts rebooting itself.

The SuperBackupMan service has properties that prevent it from being stopped or paused by the user while it’s running.

The malware then adds this key to the Windows registry so it will start up during a Safe Mode boot.

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service

https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
20 minutes ago, Marcos said:

It's not a problem, you can block writing there by creating a block rule for

HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\*

I believe what you are stating is Eset HIPS has preset internal rules/whitelist/etc. that allow for monitoring write activity in select registry keys only. That is not acceptable. I should be able to monitor write activity in any registry area I desire.
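An added example to go with the SafeBoot discussion above; it is not ESET's code and not from the linked article. It snapshots the entries under SafeBoot\Minimal once and later reports anything added since, which is the change a HIPS "new key" rule is meant to surface. It also prints which ControlSet00N the CurrentControlSet link currently points to (recorded in HKLM\SYSTEM\Select\Current), because a rule written against ControlSet001 only covers the live control set while that number is 1. Assumptions: an elevated Windows PowerShell 5.1 or later session, and the baseline file location, which is a placeholder you choose.

```powershell
# Added example for this thread (not ESET's code). Assumes an elevated session;
# $BaselinePath is an assumed location, change it to suit.
$BaselinePath = Join-Path $env:ProgramData 'safeboot-minimal-baseline.json'

function Get-CurrentControlSetName {
    # CurrentControlSet is a link; HKLM\SYSTEM\Select\Current holds the number of the
    # ControlSet00N key it resolves to right now.
    $n = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name 'Current').Current
    return ('ControlSet{0:D3}' -f $n)
}

function Get-SafeBootMinimalEntries {
    # Each subkey name is a service name or driver-group GUID; the default value
    # is "Service" or "Driver" (the article's entry reads ...\SuperBackupMan:Default:Service).
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
    Get-ChildItem -Path $base | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.PSChildName
            Default = [string](Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

function Save-SafeBootBaseline {
    # -InputObject with @() keeps the JSON a list even when there is one entry.
    ConvertTo-Json -InputObject @(Get-SafeBootMinimalEntries) |
        Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath (live control set: $(Get-CurrentControlSetName))"
}

function Compare-SafeBootBaseline {
    if (-not (Test-Path $BaselinePath)) {
        throw "No baseline at $BaselinePath; run Save-SafeBootBaseline first."
    }
    $known = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json) | ForEach-Object { $_.Name }
    $added = Get-SafeBootMinimalEntries | Where-Object { $_.Name -notin $known }
    if (-not $added) {
        Write-Host 'No new SafeBoot\Minimal entries since baseline.'
        return
    }
    Write-Warning 'New SafeBoot\Minimal entries since baseline:'
    $added | ForEach-Object {
        # Pull the matching service definition so the description and binary path are visible.
        $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" `
                                -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name        = $_.Name
            Type        = $_.Default
            Description = $svc.Description
            ImagePath   = $svc.ImagePath
        }
    } | Format-Table -AutoSize
}

# Usage: run Save-SafeBootBaseline once on a known-good machine, then schedule
# Compare-SafeBootBaseline (for example as a daily task) and review any additions.
```

The comparison keys only on subkey names, so an entry whose default value is changed in place is not reported; that case is what the HIPS write rule on the same path is for, and the two checks complement each other.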

1 minute ago, itman said:

I believe what you are stating is Eset HIPS has preset internal rules/whitelist/etc. that allow for monitoring write activity in select registry keys only. That is not acceptable. I should be able to monitor write activity in any registry area I desire.

No, quite the contrary. I created a custom HIPS rule in the registry path that you referred to by the linked article.

2 minutes ago, Marcos said:

No, quite the contrary. I created a custom HIPS rule in the registry path that you were referring to by the linked article.

Then why doesn't write activity detection in this registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\*, work?

35 minutes ago, Marcos said:

I was unable to create / import values to that key:

Correct, and I do apologize. It works, for example, using import, i.e. regedit.exe opening a .reg file.

Where I screwed up, and I can see others doing the same, is that I added a key named "Test" via regedit interactively, and Eset HIPS allowed it. Of course, if you try to rename the key, Eset will detect that. Since I allowed the rename, any other subsequent activity that uses regedit, such as opening a .reg file against that key, will be allowed for the current session.


@Marcos what I would like to see added to the HIPS rule options is an add/write registry option. As it now stands, the only way this activity can be monitored is to select "All registry operations." There are instances where I want to just monitor registry add/write activity.
