Former Member
Message 1 of 5

Exploit Prevention Expert Rule AAC Examples


Does anyone have AAC rule examples of *_TYPEs other than the ones listed in the official documentation (https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-epolicy-orch...)?

I really appreciate how powerful these rules are but I cannot quite understand how some *_TYPEs are meant to be used and what values/flags they expect. For example, it's unclear how we're expected to use DLL_LOADED.

 

Thanks!

Accepted Solutions

Re: Exploit Prevention Expert Rule AAC Examples


So I was pretty far off in my rule use, as I expected.

DLL_LOADED is actually looking at what modules are or aren't loaded in a parent process.

    Include OBJECT_NAME { -v "Process.exe" }
    Include DLL_LOADED -name "LoadedModuleName(without .DLL on it)" { -v 0x1 }

It would then look for the process executing content either with or without this module loaded.

Hopefully this helps. I can see some good use cases around loading PowerShell related DLLs and then performing certain activity.

Dave
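
As an added example (mine, not from the thread or the product guide), here is the shape of a complete rule built around Dave's Process-block pattern: the actor is any process that currently has the PowerShell engine module loaded, and the action is that process creating a script file under a user profile. Only the two Include lines come from the thread; the surrounding Rule/Process/Target/Match layout and the -access keyword are my assumption of the Expert Rule format, and the module name is a constructed choice.

```tcl
# Added illustration, not code from the thread or from McAfee.
# Assumed: Rule/Process/Target/Match layout and -access keyword follow the
# ENS Expert Rule format. Only the two Include lines in Process come from
# the thread; the module name is a constructed choice.
Rule {
    # Actor: any process, regardless of its image name, that has the
    # PowerShell engine module loaded (covers renamed or unmanaged hosts).
    Process {
        Include OBJECT_NAME { -v "**" }
        # Module name without the .dll extension; 0x1 = module is loaded
        Include DLL_LOADED -name "System.Management.Automation" { -v 0x1 }
    }
    # Action: that actor writing a new .ps1 file into a user profile.
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "C:\\Users\\**\\*.ps1" }
            Include -access "CREATE WRITE"
        }
    }
}
```

Before relying on the DLL_LOADED line, confirm the exact module name the product reports for the process (the native image of a .NET assembly may be listed under a different name than the assembly itself).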

 


4 Replies

Re: Exploit Prevention Expert Rule AAC Examples


I've not done anything with DLL_LOADED, but I've used various other ones, like NT_ACCESS_MASK, DESCRIPTION, PROCESS_CMD_LINE, VTP_TRUST and others.

For example, Include NT_ACCESS_MASK { -v "0x0020" } would block the call PROCESS_VM_WRITE on the target process, which would protect against shellcode injections and most reflective injections.

My first guess at this was something like:

    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "DLLName" }
            Include DLL_LOADED { -v "1" }
        }
    }

So this would identify not the DLL being accessed, but the module itself loaded. But I don't think this will work either. The docs call it a "name-value bitmask." I reached out to somebody to find out. I'll post the answer as soon as I find out.

Dave

Former Member
Message 4 of 5

Re: Exploit Prevention Expert Rule AAC Examples

Thanks David, I ended up using the SECTION type instead as I believe loading a library would also require loading a file-backed memory object.

It would be great if there was some kind of cheat sheet with Tcl snippets and how to use them. It'd also be great if we could understand the underlying kernel APIs that each type is abstracting (although perhaps this is asking for too much).

Re: Exploit Prevention Expert Rule AAC Examples


Yes, for that purpose section will work as well.

I agree with your assessment. I'll mention it to the PM.

Dave
