Ask Questions Here - ReHIPS Features & Unexpected Behaviors

Started by HJLBX, April 11, 2016, 01:56:50 AM

Ozone

Is it possible to add the number of matches when searching files, similar to browsers (2 of 4, 1 of 1, ...)?

fixer



crasher

Quote from: Ozone on June 18, 2017, 12:16:57 AM
Is it possible to add the number of matches when searching files, similar to browsers (2 of 4, 1 of 1, ...)?

Thanks for your suggestion. We'll add this in one of the following releases.

Ozone

Is it possible to add an option to create temporary rules for apps with existing rules (so I don't have to revert to/change existing rules), or an option to create several rule sets (profiles) for apps with an option to choose which one would be active?

Also, I've noticed that you can't change settings duration; would you add an option to change them?

fixer

It's possible to have several RDB files for RulesManager, but it isn't currently possible to have multiple rules for the same program in ReHIPS itself. As a workaround you can allow it and create a shortcut to execute it in isolation. It's also possible to set Ask in execution options, and you'll get an Alert each time the program is executed; you can set Only Once not to save your choice in the database, so that it asks every time.

I don't think multiple rules for the same program are a good idea: you have to prioritize them somehow, and it may lead to undesired effects, like you set it to block and think it's OK, but there is an allow rule with higher priority.
Adding profiles is possible, but I'm not sure if it's worth the effort. You see, we already have 3 levels in the programs tree, and a 4th will be added soon. Adding a 5th profile level may be overkill, as I don't see an often-used use case that would be covered by this change.

Settings duration - do you mean for Working Mode? Like set Learning Mode for 30 mins?

shmu26

C:\WINDOWS\system32\igfxTray.exe
This process comes from Intel integrated graphics.
It needs permission to execute programs, so the user can open the Intel graphics control panel from the system tray icon.

fixer

Thanks for your report, but that one is already set. I guess you updated from some older version, so existing rules weren't overwritten; that's why you have the old value.

shmu26

That's funny -- I reinstalled Windows and then installed ReHIPS from the release version, 2.2.0.0.

fixer

Yeah, release ReHIPS 2.2.0 allows C:\Windows\system32\igfxTray.exe to execute processes. So I guess either the rules are from some older version or something was manually changed.

aDVll


HJLBX

Quote from: aDVll on July 15, 2017, 10:44:44 AM
@fixer

I assume if NotPetya runs isolated it doesn't have access to other processes to do the access level elevation it requires. Am I correct?

https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/

https://www.youtube.com/watch?v=hZKLEw-Our4

NotPetya\PetWrap uses a trusted computing base bypass of UAC with cross over to the Admin account. If run in a SUA, it will simply encrypt files, but if the user signs out of the SUA and signs into the Admin account, then rundll32 runs with the elevated privileges needed to execute the malicious dll\PsExec and encrypt the MBR.

fixer

We haven't checked Petya and the second one (NotPetya, Netya, whatever it's called) ourselves yet.
But according to research articles I don't think it'll bypass ReHIPS.
If it's executed directly in isolation, it may encrypt just the files it has write access to, which by default is basically the isolated user profile folder, which is completely harmless.
If it spreads as a result of an exploit, this case is more dangerous, as the exploit itself is quite interesting and remotely subverts a privileged Windows process. But it spawns several processes like rundll32 or other interpreters that should be flagged by ReHIPS and alerted on.

HJLBX

Quote from: fixer on July 15, 2017, 01:20:47 PM

If it spreads as a result of an exploit, this case is more dangerous, as the exploit itself is quite interesting and remotely subverts a privileged Windows process.

It is a trusted computing base bypass of UAC and therefore is able to attain "run as operating system."

If you watch the video (unless I am missing something), you will see that launching the malware in the SUA crosses over to the Admin account; the video author signs out of the SUA and then logs back into the Admin account, where rundll32, launched in the SUA, runs the malicious dll with elevated privileges and encrypts the MBR.

The ability to cross over from the SUA to the Admin account surprised me. However, I've read some discussions of trusted computing base vulnerabilities to accomplish unexpected things on Windows.

Just a FYI on the NotPetya samples...

There are samples on hybrid-analysis.com. Some are listed\labeled as .exe, but are actually .dll (check the file description notes). I tested "PetWrap.exe", but it is actually PetWrap.dll and is launched using the argument rundll32 c:\<directory>\PetWrap.dll#1 1. There are better .exe samples for testing.

I did not test it in ReHIPS isolated environment, so apologies fixer that I have nothing helpful with regards to ReHIPS that I can report here.

fixer

UAC bypasses are possible, as UAC was never designed to be a security boundary, more like a simple and usable feature for admin-account users. So a UAC bypass is possible, but it looks like it's not a LUA account (an admin account stripped to user by UAC) but a real SUA account (a simple non-admin user account). In this case my guess is it either brute-forced the admin password somehow or exploited the PC locally to gain additional privileges, as this EternalBlue exploit targets a privileged Windows process. So I don't think any magic or super-secret bypass is used.

Anyway, ReHIPS should alert about these new processes, thus preventing it.
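Two points in this thread describe the same defensive check: fixer's note that rundll32 and other interpreters spawned by the malware should be flagged and alerted on, and HJLBX's observation that the PetWrap sample is launched as `rundll32 c:\<directory>\PetWrap.dll#1 1`. The Python below is an added example, not ReHIPS code and not anything posted by the thread's participants: it parses rundll32 command lines out of constructed process-creation events and scores each on where the DLL lives (system directory, user-writable path, or a relative name resolved by search order) and on whether the export is referenced by ordinal rather than by name. The sample command lines, paths, severity thresholds and the `assess_rundll32`/`scan_events` names are all constructed for illustration.

```python
import re

# Matches "<rundll32 image> <dll>[,|space|#]<entry> [args]". The DLL may be quoted
# (paths with spaces) or bare; the entry point may be a name or an "#ordinal", and
# the ordinal form may follow the DLL with no separator, as in "PetWrap.dll#1 1".
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?P<dll>"[^"]+"|\S+?\.(?:dll|cpl|ocx))'
    r'(?:\s*[,\s]\s*|(?=#))(?P<entry>#\d+|[A-Za-z_][\w@]*)'
    r'(?:\s+(?P<args>.*))?\s*$',
    re.IGNORECASE,
)

# Locations a DLL is expected to come from versus hints that a path is user-writable.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\",
                       "\\programdata\\", "\\public\\")
SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2}

# Constructed process-creation events (not real telemetry): parent image and command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'rundll32 c:\users\alice\downloads\PetWrap.dll#1 1'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"parent": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Start /quiet'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'rundll32.exe helper.dll,Run'},
    {"parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": r'C:\Windows\explorer.exe'},
]


def assess_rundll32(cmdline):
    """Return None if cmdline is not a rundll32 invocation, else a dict with the
    parsed DLL, entry point, arguments, the reasons it looks suspicious, and a severity."""
    m = RUNDLL_RE.match(cmdline)
    if m is None:
        return None
    dll = m.group("dll").strip('"')
    entry = m.group("entry")
    low = dll.lower()
    reasons = []
    if not re.match(r"[a-z]:\\", low):
        # No drive letter: the loader resolves it by search order, so the file that
        # actually runs depends on the working directory and PATH.
        reasons.append("relative DLL path (resolved by search order)")
    elif not low.startswith(SYSTEM_DIRS):
        reasons.append("DLL outside Windows system directories")
    if any(h in low for h in USER_WRITABLE_HINTS):
        reasons.append("DLL in a user-writable location")
    if entry.startswith("#"):
        # Legitimate rundll32 use almost always names its export; ordinal-only
        # entry points are the pattern HJLBX describes for the PetWrap sample.
        reasons.append("entry point referenced by ordinal, not name")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
    return {"dll": dll, "entry": entry, "args": m.group("args"),
            "reasons": reasons, "severity": severity}


def scan_events(events, minimum="medium"):
    """Run assess_rundll32 over each event and keep findings at or above `minimum`."""
    findings = []
    for ev in events:
        result = assess_rundll32(ev["cmdline"])
        if result and SEVERITY_ORDER[result["severity"]] >= SEVERITY_ORDER[minimum]:
            findings.append({"parent": ev["parent"], **result})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] parent={f['parent']} dll={f['dll']} "
              f"entry={f['entry']} args={f['args']!r}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The scoring is deliberately simple: a DLL in a user-writable folder loaded by ordinal is the combination worth alerting on immediately, while a vendor DLL under Program Files called by name is only worth a medium finding, and a system DLL with a named export (the shell32 Control_RunDLL form) is normal. A real deployment would add the parent process to the score the way ReHIPS uses its program tree, but the parsing and the path and entry-point checks are the part that generalises.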