
Exploit Prevention Events Action

Hello Good Day to All.

I have a query regarding Exploit Prevention Events: where can I see what actions were taken on the detected exploit in my Exploit Prevention Events Viewer?



  • Hello vmacuanajr,

    details can be found using View Computer Details (right-click on a computer); some detections also result in an entry in Resolve Alerts and Errors ... (which can be used with multiple computers selected).

    Christian

  • Hello Christian,

    I viewed one computer's details and noticed that an exploit was detected on wmplayer.exe. What actions were taken by Sophos on this type of threat?

    Thanks,

    vsmacuanajr

  • Hello vsmacuanajr,

    sorry, apparently there isn't more information in the console (I don't yet have an additional EXP license so it was merely a guess and I should have said so).
    Seems it just logs to the Windows Event Log, dunno if the action is recorded though. I assume it terminated the process.

    Christian

  • No, an action isn't being logged in the Windows event log.

    Here is an example from the event log of a ROP mitigation event.

    Mitigation   ROP

    Platform     10.0.14393/x64 v583 06_4e
    PID          13840
    Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Description  Internet Explorer 11

    Callee Type  AllocateVirtualMemory
                 0x1653C000 (4096 bytes)

    Branch Trace                      Opcode  To                              
    -------------------------------- -------- --------------------------------
    0x57981802 mscorwks.dll              RET  0x57982511 mscorwks.dll ^008B   

    0x57982479 mscorwks.dll              RET  0x57982579 mscorwks.dll ^00ED   

    0x57990126 mscorwks.dll              RET  0x579901D9 mscorwks.dll ^0003   

    0x579901A9 mscorwks.dll              RET  0x579901CC mscorwks.dll ^0006   

    0x57990113 mscorwks.dll              RET  0x579901BD mscorwks.dll ^000A   

    0x57990074 mscorwks.dll              RET  0x57990159 mscorwks.dll ^0001   

    0x579900A7 mscorwks.dll              RET  0x57990073 mscorwks.dll ^0001   

    0x57990083 mscorwks.dll              RET  0x579900A6 mscorwks.dll ^0001   

    0x57984BAF mscorwks.dll              RET  0x57990082 mscorwks.dll ^0001   

    0x579817CF mscorwks.dll              RET  0x57984BAF mscorwks.dll ^0004   

    0x57984C21 mscorwks.dll              RET  0x57984C0E mscorwks.dll ^0004   

    0x04FD05AE (anonymous; mscoreei.dll)     RET  0x57984C08 mscorwks.dll ^0002   

    0x04FD05AE (anonymous; mscoreei.dll)     RET  0x57984BFB mscorwks.dll ^0002   

    RtlTryEnterCriticalSection +0x2c     RET  0x57984BED mscorwks.dll ^0033   
    0x77ABC8DC ntdll.dll                                                      

    0x57984C34 mscorwks.dll              RET  0x57984C3A mscorwks.dll ^0001   

    0x579843D7 mscorwks.dll              RET  0x57984C34 mscorwks.dll ^0001   

    0x579817CF mscorwks.dll              RET  0x579843D7 mscorwks.dll ^0009   

    0x5798438E mscorwks.dll              RET  0x579843D2 mscorwks.dll ^0338   

    MsgWaitForMultipleObjects +0x77    ~ RET* 0x0010B7ED iexplore.exe ^0002   
    0x74678EE7 user32.dll                                                     

    GetOpenClipboardWindow +0x5f         RET  MsgWaitForMultipleObjects +0x74 ^0057
    0x7468D3B7 user32.dll                     0x74678EE4 user32.dll           

    MsgWaitForMultipleObjects +0x1fc   ~ RET  MsgWaitForMultipleObjects +0x68 ^0002
    0x7467906C user32.dll                     0x74678ED8 user32.dll           

    GetOpenClipboardWindow +0x5f         RET  MsgWaitForMultipleObjects +0x1f9 ^014C
    0x7468D3B7 user32.dll                     0x74679069 user32.dll           

    NtUserCallNoParam +0xc             ~ RET  MsgWaitForMultipleObjects +0x1d5 ^00E9
    0x745824DC win32u.dll                     0x74679045 user32.dll           

    Wow64SystemServiceEx +0x257        ~ RET  TurboDispatchJumpAddressEnd +0xb ^0003
    0x68946FA7 wow64.dll                      0x68931CF7 wow64cpu.dll         

    0x68957A54 wow64.dll                 RET  Wow64SystemServiceEx +0x244 ^01C7
                                              0x68946F94 wow64.dll            

    0x689A84E0 wow64win.dll            ~ RET  Wow64SystemServiceEx +0x155 ^00F9
                                              0x68946EA5 wow64.dll            

    0x689AF674 wow64win.dll            ~ RET  0x689A84DB wow64win.dll ^0152   

    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  772D3791 KernelBase.dll           VirtualAlloc +0x41

    2  57982533 mscorwks.dll            
                8bf0                     MOV          ESI, EAX
                85f6                     TEST         ESI, ESI
                7416                     JZ           0x5798254f
                66f745100010             TEST         WORD [EBP+0x10], 0x1000
                740e                     JZ           0x5798254f
                8b0d7022ee57             MOV          ECX, [0x57ee2270]
                85c9                     TEST         ECX, ECX
                0f85e0162700             JNZ          0x57bf3c2f
                8bc6                     MOV          EAX, ESI
                e866f2ffff               CALL         0x579817bc
                c21000                   RET          0x10

    3  5798256D mscorwks.dll            
    4  5798258B mscorwks.dll            
    5  57999145 mscorwks.dll            
    6  5799953E mscorwks.dll            
    7  57990214 mscorwks.dll            
    8  5799016A mscorwks.dll            
    9  579B5648 mscorwks.dll            
    10 579B5736 mscorwks.dll            

    Process Trace
    1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [13840]
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9968 CREDAT:83190 /prefetch:2
    2  C:\Program Files\Internet Explorer\iexplore.exe [9968]
    3  C:\Windows\explorer.exe [7276]
    4  C:\Windows\System32\userinit.exe [6188]
    5  C:\Windows\System32\winlogon.exe [932]
    winlogon.exe

    Thumbprint
    284753c71db5bdcdacca607629ccecf0a5c5b6dd1a4bd62d2a537229486e6908
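Since the console records no action, the event text above is usually what a SOC ends up working with. The following is an added example, not Sophos code and not from any poster in this thread: a small Python parser for the event layout quoted above that turns the header, branch trace, stack trace, process trace and thumbprint into a record a SIEM can key on. The field names are chosen here, the `~` and `^NNNN` annotations are kept raw because the post does not explain them, and the embedded sample is abridged from the event in the post.

```python
"""Parse an Exploit Prevention event (the text layout quoted above) into structured fields.
Added example, not Sophos code: field names are assumptions, and the ~ / ^NNNN
annotations on branch rows are kept as-is because the post does not explain them."""
import re

# Constructed sample: abridged from the ROP event in the post (branch and stack
# traces shortened); every value is taken from that event.
SAMPLE_EVENT = r"""
Mitigation   ROP
Platform     10.0.14393/x64 v583 06_4e
PID          13840
Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
Callee Type  AllocateVirtualMemory
             0x1653C000 (4096 bytes)

Branch Trace                      Opcode  To
-------------------------------- -------- --------------------------------
0x57981802 mscorwks.dll              RET  0x57982511 mscorwks.dll ^008B
RtlTryEnterCriticalSection +0x2c     RET  0x57984BED mscorwks.dll ^0033
0x77ABC8DC ntdll.dll
MsgWaitForMultipleObjects +0x77    ~ RET* 0x0010B7ED iexplore.exe ^0002
0x74678EE7 user32.dll

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  772D3791 KernelBase.dll           VirtualAlloc +0x41
2  57982533 mscorwks.dll
            8bf0                     MOV          ESI, EAX

Process Trace
1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [13840]
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9968 CREDAT:83190 /prefetch:2
2  C:\Program Files\Internet Explorer\iexplore.exe [9968]
3  C:\Windows\explorer.exe [7276]
4  C:\Windows\System32\userinit.exe [6188]
5  C:\Windows\System32\winlogon.exe [932]

Thumbprint
284753c71db5bdcdacca607629ccecf0a5c5b6dd1a4bd62d2a537229486e6908
"""

SECTIONS = ("Branch Trace", "Stack Trace", "Process Trace", "Thumbprint")
HEADER_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description|Callee Type)\s{2,}(\S.*?)\s*$")
# The post shows only RET rows; other opcodes would need this pattern extended.
BRANCH_RE = re.compile(r"^(?P<src>\S.*?)\s+(?P<flag>~\s+)?(?P<op>RET\*?)\s+(?P<dst>\S.*?)\s+\^(?P<tag>[0-9A-Fa-f]{4})\s*$")
STACK_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s*(.*?)\s*$")
PROC_RE = re.compile(r"^(\d+)\s+(\S.*?)\s+\[(\d+)\]\s*$")


def parse_event(text):
    ev = {"header": {}, "branch_trace": [], "stack_trace": [], "process_trace": [], "thumbprint": None}
    section, key = "header", None
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip() or set(line.strip()) <= {"-", " "}:
            continue  # skip blank lines and table rules
        hit = [s for s in SECTIONS if line.strip().startswith(s)]
        if hit:
            section = hit[0]
            continue
        if section == "header":
            m = HEADER_RE.match(line)
            if m:
                key = m.group(1)
                ev["header"][key] = m.group(2)
            elif line.startswith(" ") and key:  # continuation line, e.g. the Callee Type arguments
                ev["header"][key] += " " + line.strip()
        elif section == "Branch Trace":
            m = BRANCH_RE.match(line)
            if m:
                ev["branch_trace"].append({"from": m["src"], "opcode": m["op"], "to": m["dst"],
                                           "tilde": m["flag"] is not None, "tag": m["tag"]})
            elif ev["branch_trace"]:  # second line of a row carries the resolved addresses
                ev["branch_trace"][-1].setdefault("addresses", []).append(line.strip())
        elif section == "Stack Trace":
            m = STACK_RE.match(line)
            if m:
                ev["stack_trace"].append({"n": int(m.group(1)), "address": m.group(2),
                                          "module": m.group(3), "location": m.group(4)})
            elif line.startswith(" ") and ev["stack_trace"]:  # disassembly shown under a frame
                ev["stack_trace"][-1].setdefault("disasm", []).append(line.strip())
        elif section == "Process Trace":
            m = PROC_RE.match(line)
            if m:
                ev["process_trace"].append({"depth": int(m.group(1)), "path": m.group(2), "pid": int(m.group(3))})
            elif line.startswith('"') and ev["process_trace"]:  # command line of the process above
                ev["process_trace"][-1]["cmdline"] = line
        elif section == "Thumbprint" and ev["thumbprint"] is None:
            ev["thumbprint"] = line.strip()
    return ev


def summarize(ev):
    """Flatten the parts a SIEM rule would key on (record layout chosen here)."""
    h = ev["header"]
    chain = " <- ".join(p["path"].rsplit("\\", 1)[-1] for p in ev["process_trace"])
    return {"mitigation": h.get("Mitigation"), "pid": int(h["PID"]), "image": h.get("Application"),
            "callee": (h.get("Callee Type", "").split() or [None])[0],
            "process_chain": chain, "branch_rows": len(ev["branch_trace"]), "thumbprint": ev["thumbprint"]}
```

`summarize(parse_event(SAMPLE_EVENT))` returns the flattened record; the `process_chain` field is the one an analyst reads first during triage, because it shows whether the mitigated process was started by the parent you would expect.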
