I used Comodo's proactive configuration as a base and added a few things to it; I will try to keep it updated in the future.
Executables:
*.exe
*.dll
*.sys
*.ocx
*.bat
*.pif
*.scr
*.cpl
*.com
*.cmd
Important files/folders:
%windir%\*
?:\boot.ini
?:\autorun.inf
?:\bootmgr
?:\boot\*
?:\ntdetect.com
?:\ntldr
?:\autoexec.bat
Windows update applications:
%windir%\system32\msiexec.exe (Windows Installer)
%windir%\system32\wuauclt.exe (Microsoft Windows Update)
System applications:
System
%windir%\system32\svchost.exe
%windir%\system32\services.exe
%windir%\system32\smss.exe
%windir%\system32\csrss.exe
%windir%\system32\winlogon.exe
%windir%\system32\spoolsv.exe
%windir%\system32\lsass.exe
%windir%\system32\wbem\WMIAdap.exe
%windir%\system32\wbem\WMIPrvSE.exe
%windir%\system32\VSSVC.exe (Windows Vista or 7 only)
%windir%\system32\consent.exe (Windows Vista or 7 only)
%windir%\system32\SearchIndexer.exe (Windows Vista or 7 only)
%windir%\system32\SearchProtocolHost.exe (Windows Vista or 7 only)
%windir%\system32\dwm.exe (Windows Vista or 7 only)
Temporary files:
%temp%\*
?:\$Recycle.Bin\* (Windows Vista or 7 only)
%HOMEPATH%\AppData\Local\Microsoft\Windows\Temporary Internet Files\*
Startup folders:
C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*
Drivers / devices to protect:
\Device\KsecDD (Random / Cryptographic bytes generator)
\Device\NamedPipe\atsvc (Task Scheduler related) (http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_scheduler.html)
\Device\Harddisk
\Device\PhysicalMemory (PhysicalMemory access)
\Device\NamedPipe\ntsvcs
\Device\NamedPipe\ROUTER (Routing serv. / Remote access related)
\Device\NamedPipe\Win32Pipes (??)
\Device\NamedPipe\jp (??)
Third-party protocol drivers:
\Device\NPF_* (Winpcap related)
\Device\Ndisuio (NDIS network-card related)
\Device\NdisTapi (NDIS network driver)
\Device\Global\Ndisuio (Same as before)
\Device\Global\NdisTapi (Same as before)
\Device\Global\NPF_* (Same as before)
\Device\NamedPipe\Adobe LM Service (Adobe service to verify pirated copies)
\Device\NamedPipe\pgpserv (PGP disk encryption service)
Windows Sockets interface:
\Device\Afd\Endpoint (Internet access *through print spooler service*)
\Device\Nsi (Internet access *through print spooler service*)
Autostart (registry):
*\Software\Policies\Microsoft\Windows\System\Scripts\*
*\Software\Microsoft\Windows CE Services\AutoStart*
*\Software\Microsoft\Rpc\*
*\Software\Microsoft\netsh\*
*\Software\Microsoft\SideShow\Gadgets\*
*\Software\Microsoft\SystemCertificates\*
*\Software\Microsoft\Windows\CurrentVersion\Run*
*\Software\Microsoft\Windows\CurrentVersion\Load
*\Software\Microsoft\Windows\CurrentVersion\BITS\*
*\Software\Microsoft\Windows\CurrentVersion\DriverSearching\Plugin\*
*\Software\Microsoft\Windows NT\CurrentVersion\Authentication*
*\Software\Microsoft\Windows NT\CurrentVersion\Windows*
*\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Debugger
*\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\*
*\Software\Microsoft\Windows NT\CurrentVersion\WOW\boot\*
*\Software\Microsoft\Windows NT\CurrentVersion\WOW\NonWindowsApp\*
*\Software\Microsoft\Windows NT\CurrentVersion\WOW\standard\*
*\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\*
*\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\*
*\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\*
*\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\*
*\Software\Microsoft\Command Processor\AutoRun
*\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
*\Software\Microsoft\Windows NT\CurrentVersion\Accessibility*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\*\Shell\*\command\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*Startup
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\*Startup
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*Start Menu
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\*Start Menu
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.???\*
*\Software\Microsoft\Windows NT\CurrentVersion\Drivers\*
*\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\*
*\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\*
*\SOFTWARE\Microsoft\VBA\Monitors\*\CLSID
*\Software\Microsoft\Active Setup\Installed Components\*\StubPath
*\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\*
*\SOFTWARE\Microsoft\Internet Explorer\Help_Menu_URLs\*
Internet Explorer (registry):
*\SOFTWARE\Clients\StartMenuInternet\*
*\SOFTWARE\Microsoft\Internet Domains\*
*\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\*
*\SOFTWARE\Microsoft\Internet Explorer\Extensions\*
*\SOFTWARE\Microsoft\Internet Explorer\Styles\Stylesheet
*\SOFTWARE\Microsoft\Internet Explorer\Styles\Use My Stylesheet
*\SOFTWARE\Microsoft\Internet Explorer\Styles\User Stylesheet
*\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\*
*\SOFTWARE\Microsoft\Internet Explorer\SearchURL\*
*\SOFTWARE\Microsoft\Internet Explorer\Control Panel\*
*\SOFTWARE\Microsoft\Internet Explorer\Download\*
*\SOFTWARE\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions
*\SOFTWARE\Microsoft\Internet Explorer\ShellBrowser\*
*\SOFTWARE\Microsoft\Internet Explorer\WebBrowser\*
*\SOFTWARE\Microsoft\Internet Explorer\MenuExt\*
*\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{*}
*\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\Wallpaper
*\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\*
*\SOFTWARE\Microsoft\Internet Explorer\PLUGINS\EXTENSION\*\location
*\SOFTWARE\Microsoft\Internet Explorer\Main\*Start Page*
*\SOFTWARE\Microsoft\Internet Explorer\Main\Search*
*\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL
*\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
*\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page
*\SOFTWARE\Microsoft\Internet Explorer\Main\HOMEOldSP
*\SOFTWARE\Microsoft\Internet Explorer\Main\Use Custom Search URL
*\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
*\Software\Microsoft\Internet Explorer\Search\SearchAssistant
*\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MinLevel
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Safety Warning Level
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Trust Warning Level
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Security_RunActiveXControls
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Security_RunScripts
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Special Paths\Cookies\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\User Agent\*
Important keys (registry):
HKLM\SYSTEM\ControlSet???\Services\*
HKLM\SYSTEM\ControlSet???\Control\*
HKLM\SYSTEM\ControlSet???\Class\*
*\SYSTEM\ControlSet???\Enum\ROOT\LEGACY_*\CSConfigFlags
*\SOFTWARE\Microsoft\Driver Signing\Policy
*\SOFTWARE\Classes\Filter*
*\SOFTWARE\Classes\*\shell*
*\SOFTWARE\Classes\*\DefaultIcon*
*\SOFTWARE\Classes\.*\*
*\SOFTWARE\Classes\AutoProxyTypes*
*\SOFTWARE\Classes\PROTOCOLS\Filter\*
*\SOFTWARE\Classes\PROTOCOLS\Handler\*
*\SOFTWARE\Classes\CLSID*
*\SOFTWARE\Classes\AppID*
*\SOFTWARE\Classes\LocalSettings\*
*\SOFTWARE\Microsoft\Security Center\*
*\SOFTWARE\Microsoft\Code Store Database\Distribution Units\*
*\SOFTWARE\Microsoft\Ctf\LangBarAddin\*
HKUS\*\Environment*
HKUS\*\Control Panel*
*\Software\Microsoft\Windows\CurrentVersion\Control Panel\Don't Load\*
*\SOFTWARE\Policies\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths*
*\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore*
Temporary registry keys:
*\SOFTWARE\Classes\*\shell
*\SOFTWARE\Classes\*\shell\BagMRU*
*\SOFTWARE\Classes\*\shell\Bags*
*\SOFTWARE\Classes\*\shell\MuiCache*
Internet Explorer / Windows shell:
Shell.Explorer.*
InternetExplorer.Application.*
Outlook.Application.*
Microsoft.XMLHTTP
Pseudo COM interfaces - Privileges:
LocalSecurityAuthority.Backup
LocalSecurityAuthority.Restore
LocalSecurityAuthority.Debug
LocalSecurityAuthority.Shutdown
LocalSecurityAuthority.SystemEnvironment
LocalSecurityAuthority.SystemTime
LocalSecurityAuthority.Tcb
Pseudo COM interfaces - Important ports:
*\RPC Control
*\RPC Control\wzcsvc
*\RPC Control\spoolss
*\KnownDlls\*
These rules are written using wildcards.
The asterisk (*) is a wildcard character: aba* returns every value that starts with aba (aba itself included) and ends in any way.
The question mark (?): abac? returns every value that starts with abac and ends with exactly one more character (or more than one, depending on how many question marks are used), e.g. abaco, abac3.
P.S.: I slightly modified the syntax of some rules to increase compatibility with more products.
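To make the wildcard semantics described above concrete, here is an added example (not part of the original post and not Comodo's own matching code) that turns a handful of the rules from the list into anchored regular expressions and checks sample file paths and registry keys against them. The environment-variable values, the group names, the target paths and the assumption that matching is case-insensitive are all constructed for the example.

```python
import re

# Constructed sample values for the environment variables the rules use
# (assumption: a real HIPS expands them from the running system instead).
ENV = {
    "windir": r"C:\Windows",
    "temp": r"C:\Users\alice\AppData\Local\Temp",
}

# A small subset of the protected-object rules from the list above, grouped
# under headings chosen for the example.
RULES = {
    "Important files/folders": [r"%windir%\*", r"?:\boot.ini", r"?:\autorun.inf"],
    "Autostart (registry)": [
        r"*\Software\Microsoft\Windows\CurrentVersion\Run*",
        r"*\Software\Microsoft\Command Processor\AutoRun",
        r"*\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*",
    ],
    "Executables": [r"*.exe", r"*.scr"],
}


def expand_env(rule):
    """Replace %name% tokens with their sample values; unknown ones are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1), m.group(0)), rule)


def rule_to_regex(rule):
    """Translate a wildcard rule into an anchored regular expression.

    '*' matches any run of characters, backslashes included (so '*\\...\\Run*'
    also covers RunOnce and every value below Run); '?' matches exactly one
    character (so '?:\\boot.ini' covers any single-letter drive). Everything
    else is matched literally and case-insensitively, as Windows paths and
    registry keys are (assumption: the HIPS compares case-insensitively too).
    """
    parts = []
    for ch in expand_env(rule):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def matching_rules(target):
    """Return every (group, rule) pair whose pattern covers the given path or key."""
    hits = []
    for group, patterns in RULES.items():
        for pattern in patterns:
            if rule_to_regex(pattern).match(target):
                hits.append((group, pattern))
    return hits


if __name__ == "__main__":
    # Constructed sample targets: file paths and registry keys an access attempt might name.
    samples = [
        r"D:\boot.ini",
        r"AB:\boot.ini",  # two-character "drive": a single '?' does not match it
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        r"C:\Windows\System32\drivers\etc\hosts",
        r"C:\Users\alice\Downloads\setup.exe",
    ]
    for s in samples:
        print(s, "->", matching_rules(s) or "no rule")
```

Running the script shows why the leading `*` in the registry rules is what lets one line cover both hives and both `Run` and `RunOnce`, and why `?:\boot.ini` only matches a single-letter drive.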