rdasso
Level 9
Message 1 of 12

Undocumented AAC Expert Rule Options


There's another post that found an undocumented MATCH_type... if you find other undocumented MATCH_types, please post them so everyone can benefit. 

EXP_USER_NAME - Matches the user name... doesn't seem to check the domain. Works for PROCESS Object_Type_Values. Example: Match PROCESS { Include EXP_USER_NAME { -v "admin" } }

Syntax for FILE_PROPERTIES does not require -v... it's simply Target { Match FILE { Include FILE_PROPERTIES 0x2 } }

11 Replies
Former Member
Message 2 of 12

Re: Undocumented AAC Expert Rule Options


Hi @rdasso

Just to add, some of the options including FILE_PROPERTIES are documented here:

https://kc.mcafee.com/corporate/index?page=content&id=PD27227 

- or in the latest product guide (Chapter 9): 

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27574/en_US/...

rdasso
Level 9
Message 3 of 12

Re: Undocumented AAC Expert Rule Options


Yes, the various Match_types are listed there... but there's no example on how to actually use them in a rule. The syntax for FILE_PROPERTIES is not the same as examples given for other Match_types (like OBJECT_NAME). This is a major problem with the documentation. 

jess_arman
Employee
Message 4 of 12

Re: Undocumented AAC Expert Rule Options


@rdasso We do have internal teams working on an "Expert Rule Cookbook" so to speak, that will have more detailed examples for each Match_type, different complexity levels, and examples. However, this endeavor does take time to complete, and is targeted for sometime early next year.

Considering what you're asking for in this instance, here's an example that contains OBJECT_NAME and FILE_PROPERTIES Match_types. The rule will block CMD from creating files in a network path:

Rule {
    Process {
        Include OBJECT_NAME { -v cmd.exe }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v ** }
            Include -file_properties "FILE_NETWORK"
            Include -access "CREATE"
        }
    }
}

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

rdasso
Level 9
Message 5 of 12

Re: Undocumented AAC Expert Rule Options


That's good to hear! FWIW, I'm not asking for help with any particular rule in this thread... the goal is to note undocumented options.... to get them into one place. 

In the example, you gave us a good new undocumented option: Include -file_properties "FILE_NETWORK"

Do you have other file properties we can use with this? Is this different from the (half) documented FILE_PROPERTIES match type (Include FILE_PROPERTIES 0x1)? If not, what are the equivalent names (i.e. NETWORK (0x1) = "FILE_NETWORK"... what does REMOVABLE (0x2) map to?)

Your example also uses the 'shortcut' syntax that is otherwise only noted for use with processor_mode, vtp_trust and access_types... do you know of any other Match_type shortcuts? For example, can we do this: Include -file_attributes "Archive"

 

 

rdasso
Level 9
Message 6 of 12

Re: Undocumented AAC Expert Rule Options


I found another undocumented feature...

Include/Exclude AggregateMatch { } appears to be a way to group multiple Include/Exclude's. 

As an example, you could exclude notepad.exe when it is running in user mode. 

Exclude AggregateMatch {
    Include OBJECT_NAME { -v "notepad.exe" }
    Include -processor_mode user
}
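The two slips that show up in rule text pasted around this thread (an unterminated "..." value, and a closing brace fused onto or hidden in the wrong line) are easy to catch before a rule goes into ePO. The check below is an added example in Python, my own code rather than anything from McAfee or the ENS product. It assumes only what the excerpts here show: blocks delimited by braces, values in double quotes, Match_types as upper-case words after Include/Exclude, and shortcut options written as -name. The sample rule is constructed for this example and deliberately keeps the missing closing quote on "notepad.exe" from the AggregateMatch post so the check has something to find; the option lister is a small aid for the thread's goal of collecting Match_types and shortcuts in one place.

```python
"""Syntax pre-check for ENS Expert Rule text (added example, not McAfee code).

The grammar assumed here is inferred from the rule excerpts in this thread,
not from a published specification.
"""
import re

# Constructed sample: cmd.exe blocked from creating files on a network path,
# with a notepad.exe-in-user-mode exclusion grouped by AggregateMatch.
# The closing quote after notepad.exe is missing on purpose.
BROKEN_RULE = '''Rule {
    Process {
        Include OBJECT_NAME { -v ** }
        Exclude AggregateMatch {
            Include OBJECT_NAME { -v "notepad.exe }
            Include -processor_mode user
        }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v ** }
            Include -file_properties "FILE_NETWORK"
            Include -access "CREATE"
        }
    }
}'''

# Same rule with the quote restored.
GOOD_RULE = BROKEN_RULE.replace('"notepad.exe }', '"notepad.exe" }')

# Upper-case word after Include/Exclude, e.g. OBJECT_NAME, FILE_PROPERTIES.
MATCH_TYPE = re.compile(r'\b(?:Include|Exclude)\s+([A-Z][A-Z_]+)\b')
# Shortcut form after Include/Exclude, e.g. -file_properties, -access.
SHORTCUT = re.compile(r'\b(?:Include|Exclude)\s+-([a-z_]+)\b')


def check_rule(text):
    """Return a list of (line_number, message) for syntax slips in rule text.

    Braces are only counted outside double quotes, so an unterminated quote
    hides the rest of its line; that is exactly why one missing quote also
    leaves a block unclosed, and the report shows both consequences.
    """
    problems = []
    depth = 0
    lines = text.splitlines()
    for lineno, line in enumerate(lines, start=1):
        in_quote = False
        for ch in line:
            if ch == '"':
                in_quote = not in_quote
            elif not in_quote:
                if ch == '{':
                    depth += 1
                elif ch == '}':
                    depth -= 1
                    if depth < 0:
                        problems.append((lineno, "unexpected '}' with no open block"))
                        depth = 0
        if in_quote:
            problems.append((lineno, 'unterminated double-quoted value'))
    if depth > 0:
        problems.append((len(lines), f'{depth} block(s) never closed'))
    return problems


def list_options(text):
    """Return (sorted Match_types, sorted -shortcut options) used in the rule."""
    return sorted(set(MATCH_TYPE.findall(text))), sorted(set(SHORTCUT.findall(text)))


if __name__ == '__main__':
    for name, rule in (('broken', BROKEN_RULE), ('fixed', GOOD_RULE)):
        print(name, check_rule(rule) or 'OK')
    print(list_options(GOOD_RULE))
```

Run against the broken sample it reports the unterminated quote on line 5 and, as a knock-on effect, one block left open at the end; the fixed sample passes, and the option lister reports OBJECT_NAME plus the access, file_properties and processor_mode shortcuts.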

 

 

 

bertels
Level 9
Message 7 of 12

Re: Undocumented AAC Expert Rule Options


Valid file properties values are:

FILE_NETWORK

FILE_REMOVABLE

FILE_FLOPPY

FILE_CD

FILE_DFS

FILE_REDIRECTOR

cn
Level 7
Message 8 of 12

Re: Undocumented AAC Expert Rule Options


Does EXP_USER_NAME still work? I tried using it in an AAC Expert Process rule and it did not seem to work for me at all. I tried it as the initiator and under the target, but whenever I use the account that should trigger it, nothing shows up. I take it out and it works fine. Did this get removed in 10.6, or am I simply not using it correctly? The admin user is something like someadmin1, but when I launch any of the browser processes with the account, an event never gets generated unless I remove EXP_USER_NAME from the rule. Please help. We are currently on ENS 10.6.0.542 and Threat Prevention 10.6.0.672.

Rule {
    Process {
        Include OBJECT_NAME { -v ** }
        Include EXP_USER_NAME { -v "*admin*" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v iexplore.exe }
            Include OBJECT_NAME { -v chrome.exe }
            Include OBJECT_NAME { -v firefox.exe }
            Include OBJECT_NAME { -v MicrosoftEdge.exe }
            Include -access "CREATE"
        }
    }
}

OR

Rule {
    Process {
        Include OBJECT_NAME { -v ** }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v iexplore.exe }
            Include OBJECT_NAME { -v chrome.exe }
            Include OBJECT_NAME { -v firefox.exe }
            Include OBJECT_NAME { -v MicrosoftEdge.exe }
            Include EXP_USER_NAME { -v "*admin*" }
            Include -access "CREATE"
        }
    }
}
jess_arman
Employee
Message 9 of 12

Re: Undocumented AAC Expert Rule Options


@cn Try changing the variable syntax to just USER_NAME and see how it goes. 

Here's an excerpt from a previous syntax guide (PD27574) which shows the variable written that way, without the EXP_ prefix:

Rule {
    service { Include "Alerter" }
    application { Include "*" }
    user_name { Include "*" }
    directives service:stop
}

 

user_name { Include "*" }
Indicates that this rule is valid for all users (or more precisely, the security context in which a process runs). To limit the rule to specific user contexts, list them using the form Local/user or Domain/user.

 

Also, when in the expert rule creation screen, if you have "use Expert Rule template" checked and select "Illegal API use" as the type, you can see in the example template that the variable is just user_name { Include "*" }

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Daniel_S
Reliable Contributor
Message 10 of 12

Re: Undocumented AAC Expert Rule Options


Is there any news on the cookbook so far?

Best regards
Dan