Custom, Memory, and Registry rules each have an expert version with its own set of Operations choices. The tables below list the operations for each.

Operations available in expert Custom rules:

Operation Group | Attempted Operation | Description
---|---|---
Execute Operations | Execute | Execution of a file
Execute Operations | Image Load | Loading of a file (dll, ocx, etc.) into memory
Execute Operations | Process Create | Creation of a new process
Execute Operations | Process Terminate | Termination of a process
Execute Operations | Script Execute | Execution of a script. For App Control agents to see a script execute, the appropriate script rules must be defined in the console.
Modifying Operations | Delete On Close | Someone opened or created a file with the FILE_FLAG_DELETE_ON_CLOSE flag set, meaning they intend the file to be deleted when the last handle closes. Typically used for short-lived files, but malware can also use it as an alternative way of deleting files.
Modifying Operations | Create New | Creation of a new file or directory
Modifying Operations | Delete | Deletion of a file
Modifying Operations | Mmap Write | Write to a memory mapped file
Modifying Operations | Owner Change | Change the owner of a file or directory
Modifying Operations | Permission Change | Change the permissions on a file or directory
Modifying Operations | Rename | Rename a file or directory
Modifying Operations | Write | Write the contents of a file. Unlike "write" in non-expert rules, Write in the Expert Rules interface does not mean any modification at all; it means writing file content, which also includes operations that change the length of a file. If you specify a rule that allows creation of new files but blocks writes to existing files, the agent allows the process that created a new file to modify that same file for a short period of time. Without this, the creating process could not write the initial content and you would be left with a zero-byte file.
Modifying Operations | Write Delayed | Memory mapped writes, in which an application "maps" a file into memory (RAM) and writes to that memory. The content is later flushed to disk by the operating system's paging mechanism.
Modifying Operations | Write Intent | This option is no longer functional in expert rules. It is scheduled to be removed from the interface in a future release.
Basic Operations | Cleanup | Cleanup is the file system's report that a process is done using a file; it means the file has been "closed". This corresponds to IRP_MJ_CLEANUP; see https://msdn.microsoft.com/en-us/library/windows/hardware/ff548608(v=vs.85).aspx. In App Control, cleanup signals that a file is ready to be analyzed, and it also triggers the file deletion in a "delete on close" operation. NOTE: Cleanup cannot be blocked, since doing so would result in a handle leak. You can choose a reporting action, however.
Basic Operations | Lock File | Lock the file that matches the rule.
Basic Operations | Mmap Read | Read a memory mapped file.
Basic Operations | Open | File open action.
Basic Operations | Open Execute Intent | A file handle was acquired with the intent to execute, but execution has not happened yet.
Basic Operations | Read | Read the contents of a file.
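The following PowerShell script is an added example, not part of the App Control documentation. It walks a scratch file through the file operations listed above (Create New and the initial Write inside the grace window, a later Write from a fresh handle, Mmap Write and the deferred Write Delayed flush, Lock File, Rename, Permission Change, Owner Change, Delete On Close, Delete, and Process Create) so that you can run it under a test rule and match each line to the operation the agent reports. The scratch directory, file names and the `$NewOwner` account are assumptions; change them to values valid on your host.

```powershell
# Added example for exercising expert Custom rule operations; not App Control code.
# Assumptions: $Root is a directory you may create and delete, and $NewOwner is an
# account you are allowed to assign ownership to (defaults to the current user).
param(
    [string]$Root     = 'C:\Temp\AppControlProbe',
    [string]$NewOwner = "$env:USERDOMAIN\$env:USERNAME"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Root -Force | Out-Null        # Create New (directory)

# 1. Create New followed immediately by Write from the same handle. The creating
#    process gets a short grace window, so a rule that blocks Write but allows
#    Create New still lets this initial content land instead of leaving a 0-byte file.
$f  = Join-Path $Root 'probe.txt'
$fs = [System.IO.File]::Open($f, 'CreateNew', 'ReadWrite', 'None')  # Create New + Open
$bytes = [System.Text.Encoding]::ASCII.GetBytes("initial content`n")
$fs.Write($bytes, 0, $bytes.Length)                                  # Write
$fs.Lock(0, 4)                                                       # Lock File
$fs.Unlock(0, 4)
$fs.SetLength(4)                                                     # length change counts as Write
$fs.Dispose()                                                        # Cleanup (IRP_MJ_CLEANUP)

# 2. Write to the existing file from a new handle, outside the grace window.
[System.IO.File]::AppendAllText($f, "appended`n")                   # Open + Write

# 3. Mmap Write: the bytes go into a mapped view; the OS flushes them later,
#    which the agent reports separately as Write Delayed.
$mmf  = [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateFromFile($f, 'Open', 'probemap', 4096)
$view = $mmf.CreateViewAccessor()
$view.Write(0, [byte]0x41)                                           # Mmap Write
$view.Dispose(); $mmf.Dispose()                                      # flush -> Write Delayed

# 4. Rename
Rename-Item -Path $f -NewName 'probe-renamed.txt'                    # Rename
$renamed = Join-Path $Root 'probe-renamed.txt'

# 5. Permission Change (edit the DACL), then Owner Change (edit the owner).
$acl  = Get-Acl $renamed
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $renamed -AclObject $acl                                # Permission Change
$acl = Get-Acl $renamed
$acl.SetOwner([System.Security.Principal.NTAccount]$NewOwner)
Set-Acl -Path $renamed -AclObject $acl                                # Owner Change

# 6. Delete On Close: the delete is requested at open time and performed at Cleanup.
$doc = New-Object System.IO.FileStream($renamed, [IO.FileMode]::Open, [IO.FileAccess]::ReadWrite,
                                       [IO.FileShare]::None, 4096, [IO.FileOptions]::DeleteOnClose)
$doc.Dispose()                                                        # Cleanup triggers the delete

# 7. Plain Delete, for contrast with step 6.
$g = Join-Path $Root 'victim.txt'
Set-Content -Path $g -Value 'x'                                       # Create New + Write
Remove-Item -Path $g                                                  # Delete

# 8. Process Create / Execute / Image Load: launching any executable does all three.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c exit 0' -Wait -WindowStyle Hidden

"Remaining files in ${Root}: $((Get-ChildItem $Root | Measure-Object).Count)"   # expect 0
```

Run it once with the candidate rule set to a reporting action only, then compare the agent's event stream with the numbered steps; each step is separated by a fresh handle so that the grace-window behaviour in step 1 is not confused with the independent Write in step 2.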
Operations available in expert Memory rules:

Operation Group | Attempted Operation | Description
---|---|---
Basic Operations | Access Kernel Memory | Rules can use this operation to close a bypass on XP and 2003 systems, which allow user-mode processes to open \Device\PhysicalMemory and thereby read kernel memory. Windows versions from Vista forward prevent this action on their own.
Basic Operations | Allocate Memory | Corresponds to the VirtualAlloc system call, which is invoked when an application wants to obtain a block of memory with specific permissions.
Basic Operations | Debug Process | Corresponds to OB_OPERATION_PROCESS_PTRACE, which is invoked on an attempt to attach to another process as a debugger (ptrace).
Basic Operations | Kill Process | Corresponds to OB_OPERATION_PROCESS_KILL, which signifies that someone opened a handle to another process/thread and attempted to terminate it.
Process/Thread Operations | Create Handle | This operation occurs on an attempt to open a new handle to a process/thread. Rules can strip or report the permissions on the handle to limit what the source process can do on the target object. The permissions available here are the same as those documented for non-expert memory rules in Table: Permissions Menu Options.
Process/Thread Operations | Duplicate Handle | This operation occurs on an attempt to duplicate a handle that is already open. Rules can strip or report the permissions on the new handle to limit what the process can do with the duplicate.
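The following PowerShell script is an added example, not part of the App Control documentation. It exercises the handle-based Memory rule operations (Create Handle with two different access masks, Duplicate Handle, and Kill Process) against a throw-away notepad.exe, so that you can see whether a rule strips PROCESS_TERMINATE from the handle at open time or only acts when the terminate is attempted. The target program and the Win32 access-mask constants used are assumptions about your test host; the P/Invoke declarations are the documented kernel32 signatures.

```powershell
# Added example for exercising expert Memory rule handle operations; not App Control code.
# Assumption: notepad.exe exists and you may terminate it. Run elevated if your rule
# targets protected processes.
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DuplicateHandle(IntPtr hSourceProcessHandle, IntPtr hSourceHandle,
    IntPtr hTargetProcessHandle, out IntPtr lpTargetHandle, uint dwDesiredAccess,
    bool bInheritHandle, uint dwOptions);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool TerminateProcess(IntPtr hProcess, uint uExitCode);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
'@

# Standard Win32 process access rights (values from winnt.h).
$PROCESS_TERMINATE                 = 0x0001
$PROCESS_VM_READ                   = 0x0010
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$DUPLICATE_SAME_ACCESS             = 0x0002
function LastErr { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

$target = Start-Process -FilePath 'notepad.exe' -PassThru
Start-Sleep -Seconds 1

# 1. Create Handle with query rights only. A rule that strips PROCESS_TERMINATE
#    should leave this handle untouched.
$hQuery = [Probe.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $target.Id)
"query-only handle: $hQuery (Win32 error $(LastErr))"

# 2. Create Handle asking for terminate and read rights. This is the point at
#    which a Create Handle rule decides whether to strip permissions or report.
$hFull = [Probe.Native]::OpenProcess($PROCESS_TERMINATE -bor $PROCESS_VM_READ, $false, $target.Id)
"terminate+read handle: $hFull (Win32 error $(LastErr))"

# 3. Duplicate Handle: derive a new handle from the query-only one with the
#    same access. A Duplicate Handle rule can strip or report rights on the copy.
$hDup = [IntPtr]::Zero
$dupOk = [Probe.Native]::DuplicateHandle([Probe.Native]::GetCurrentProcess(), $hQuery,
            [Probe.Native]::GetCurrentProcess(), [ref]$hDup, 0, $false, $DUPLICATE_SAME_ACCESS)
"duplicate ok: $dupOk -> $hDup (Win32 error $(LastErr))"

# 4. Kill Process: the terminate attempt itself is what OB_OPERATION_PROCESS_KILL
#    covers. If step 2's handle had PROCESS_TERMINATE stripped, OpenProcess still
#    succeeded but this call fails with ERROR_ACCESS_DENIED (5).
$killed = [Probe.Native]::TerminateProcess($hFull, 0)
"terminate ok: $killed (Win32 error $(LastErr))"

foreach ($h in @($hQuery, $hFull, $hDup)) {
    if ($h -ne [IntPtr]::Zero) { [Probe.Native]::CloseHandle($h) | Out-Null }
}
if (-not $killed) { Stop-Process -Id $target.Id -Force }      # clean up via a separate handle
```

The distinction the script makes visible is the one the table draws: Create Handle and Duplicate Handle are evaluated when the handle is obtained (and the access mask may be reduced silently), whereas Kill Process is evaluated when the terminate is attempted, so a stripped handle shows up as a successful open followed by a failed TerminateProcess.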
Operations available in expert Registry rules:

Operation Group | Attempted Operation | Description
---|---|---
Key Operations | Create Key | Creation of a registry key
Key Operations | Rename Key | Not implemented. Do not use. A rename is a delete operation plus a create operation; if you want to block or report renaming of keys, take the action on either of those operations.
Key Operations | Delete Key | Deletion of a registry key
Key Operations | Set Security | SetSecurity is invoked when someone tries to change the permissions on a given registry key/value.
Key Operations | Open Key with Write Access | Open a registry key with write access.
Value Operations | Change Value | Change value is invoked when there is an attempt to modify a registry value. The target name of the operation is the full path to the registry value (e.g. HKLM\key\value).
Value Operations | Delete Value | Delete value is invoked when there is an attempt to delete a registry value. The target name of the operation is the full path to the registry value (e.g. HKLM\key\value).
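The following PowerShell script is an added example, not part of the App Control documentation. It walks a scratch key under HKCU through each Registry rule operation in the table (Create Key, Change Value, Open Key with Write Access, Set Security, a rename that the agent sees as Delete Key plus Create Key, Delete Value and Delete Key), so that the target name the agent reports for a value operation (the full path HKCU\Software\...\ProbeValue rather than the key) can be checked against the rule you are writing. The key and value names are assumptions; HKCU was chosen so the script runs without elevation.

```powershell
# Added example for exercising expert Registry rule operations; not App Control code.
# Assumption: you may create and delete keys under HKCU:\Software on the test host.
$ErrorActionPreference = 'Stop'
$keyPath = 'HKCU:\Software\AppControlProbe'
$valName = 'ProbeValue'

# 1. Create Key
New-Item -Path $keyPath -Force | Out-Null

# 2. Change Value, twice: creating the value and then modifying it are both reported
#    with the target name HKCU\Software\AppControlProbe\ProbeValue (the value, not the key).
New-ItemProperty -Path $keyPath -Name $valName -Value 'v1' -PropertyType String | Out-Null
Set-ItemProperty -Path $keyPath -Name $valName -Value 'v2'

# 3. Open Key with Write Access: a writable open with no change made is its own operation.
$hk = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\AppControlProbe', $true)
$hk.Close()

# 4. Set Security: add an explicit ACE for the current user to the key's DACL.
$acl  = Get-Acl -Path $keyPath
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($me, 'ReadKey', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 5. Rename. Rename Key is not implemented as an operation; expect the agent to report
#    this as Delete Key on the old path plus Create Key on the new one, so a rule that
#    needs to catch renames targets one of those two operations.
Rename-Item -Path $keyPath -NewName 'AppControlProbeRenamed'
$keyPath = 'HKCU:\Software\AppControlProbeRenamed'

# 6. Delete Value (target name is again the full value path), then Delete Key.
Remove-ItemProperty -Path $keyPath -Name $valName
Remove-Item -Path $keyPath -Recurse

"Key still present: $(Test-Path $keyPath)"   # expect False
```

When reading the resulting events, compare the reported target name for steps 2 and 6 with the one for steps 1, 3 and 5: value operations carry the value path, key operations the key path, and a rule written against the wrong one will match nothing.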