Jump to content

Recommended Posts

For a very long time, I have been trying to create a registry HIPS rule to monitor creation of new services. I originally created this rule for example:

 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\*\

 

However, the HIPS would ignore the "\" following the "*" and alert at all levels subordinate to services. After much experimenting, I found that the following will accomplish alerting for only the first level subordinate to services: 

 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\*\\

 

So Eset should update there documentation to include this fact.

 

Next through testing, I found that the HIPS will not block any new key creation but any new value keys subordinate to the new key. I verified this by running in interactive mode. For example, the HIPS allows the following key to be created:

 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xyzservice

 

but will alert on the creation of;

 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xyzservice\some dword field value; and only for xyzservice. If I create a new key subordinate to xyzservice, the HIPS will not alert for any new field values created for that key!

 

So I am still at wits end on how to block key creation with this HIPS immediately subordinate to services?

 

-EDIT-

 

I did one last test. This coding:

 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\\

 

will alert on renaming or deletion of HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xyzservice key. However, it will not alert on its creation. So as far as I am concerned, this is a bug.

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...