Hello Good Day to All.
I have query regarding Exploit Prevention Events, where can i see or what actions done on the detected exploit in my Exploit Prevention Events Viewer?
This thread was automatically locked due to age.
Hello Good Day to All.
I have query regarding Exploit Prevention Events, where can i see or what actions done on the detected exploit in my Exploit Prevention Events Viewer?
Hello vsmacuanajr,
sorry, apparently there isn't more information in the console (I don't yet have an additional EXP license so it was merely a guess and I should have said so).
Seems it just logs to the Windows Event Log, dunno if the action is recorded though. I assume it terminated the process.
Christian
No, an action isn't being logged in Windows event log.
Here is example from event log of a ROP mitigation event.
Mitigation ROP
Platform 10.0.14393/x64 v583 06_4e
PID 13840
Application C:\Program Files (x86)\Internet Explorer\iexplore.exe
Description Internet Explorer 11
Callee Type AllocateVirtualMemory
0x1653C000 (4096 bytes)
Branch Trace Opcode To
-------------------------------- -------- --------------------------------
0x57981802 mscorwks.dll RET 0x57982511 mscorwks.dll ^008B
0x57982479 mscorwks.dll RET 0x57982579 mscorwks.dll ^00ED
0x57990126 mscorwks.dll RET 0x579901D9 mscorwks.dll ^0003
0x579901A9 mscorwks.dll RET 0x579901CC mscorwks.dll ^0006
0x57990113 mscorwks.dll RET 0x579901BD mscorwks.dll ^000A
0x57990074 mscorwks.dll RET 0x57990159 mscorwks.dll ^0001
0x579900A7 mscorwks.dll RET 0x57990073 mscorwks.dll ^0001
0x57990083 mscorwks.dll RET 0x579900A6 mscorwks.dll ^0001
0x57984BAF mscorwks.dll RET 0x57990082 mscorwks.dll ^0001
0x579817CF mscorwks.dll RET 0x57984BAF mscorwks.dll ^0004
0x57984C21 mscorwks.dll RET 0x57984C0E mscorwks.dll ^0004
0x04FD05AE (anonymous; mscoreei.dll) RET 0x57984C08 mscorwks.dll ^0002
0x04FD05AE (anonymous; mscoreei.dll) RET 0x57984BFB mscorwks.dll ^0002
RtlTryEnterCriticalSection +0x2c RET 0x57984BED mscorwks.dll ^0033
0x77ABC8DC ntdll.dll
0x57984C34 mscorwks.dll RET 0x57984C3A mscorwks.dll ^0001
0x579843D7 mscorwks.dll RET 0x57984C34 mscorwks.dll ^0001
0x579817CF mscorwks.dll RET 0x579843D7 mscorwks.dll ^0009
0x5798438E mscorwks.dll RET 0x579843D2 mscorwks.dll ^0338
MsgWaitForMultipleObjects +0x77 ~ RET* 0x0010B7ED iexplore.exe ^0002
0x74678EE7 user32.dll
GetOpenClipboardWindow +0x5f RET MsgWaitForMultipleObjects +0x74 ^0057
0x7468D3B7 user32.dll 0x74678EE4 user32.dll
MsgWaitForMultipleObjects +0x1fc ~ RET MsgWaitForMultipleObjects +0x68 ^0002
0x7467906C user32.dll 0x74678ED8 user32.dll
GetOpenClipboardWindow +0x5f RET MsgWaitForMultipleObjects +0x1f9 ^014C
0x7468D3B7 user32.dll 0x74679069 user32.dll
NtUserCallNoParam +0xc ~ RET MsgWaitForMultipleObjects +0x1d5 ^00E9
0x745824DC win32u.dll 0x74679045 user32.dll
Wow64SystemServiceEx +0x257 ~ RET TurboDispatchJumpAddressEnd +0xb ^0003
0x68946FA7 wow64.dll 0x68931CF7 wow64cpu.dll
0x68957A54 wow64.dll RET Wow64SystemServiceEx +0x244 ^01C7
0x68946F94 wow64.dll
0x689A84E0 wow64win.dll ~ RET Wow64SystemServiceEx +0x155 ^00F9
0x68946EA5 wow64.dll
0x689AF674 wow64win.dll ~ RET 0x689A84DB wow64win.dll ^0152
Stack Trace
# Address Module Location
-- -------- ------------------------ ----------------------------------------
1 772D3791 KernelBase.dll VirtualAlloc +0x41
2 57982533 mscorwks.dll
8bf0 MOV ESI, EAX
85f6 TEST ESI, ESI
7416 JZ 0x5798254f
66f745100010 TEST WORD [EBP+0x10], 0x1000
740e JZ 0x5798254f
8b0d7022ee57 MOV ECX, [0x57ee2270]
85c9 TEST ECX, ECX
0f85e0162700 JNZ 0x57bf3c2f
8bc6 MOV EAX, ESI
e866f2ffff CALL 0x579817bc
c21000 RET 0x10
3 5798256D mscorwks.dll
4 5798258B mscorwks.dll
5 57999145 mscorwks.dll
6 5799953E mscorwks.dll
7 57990214 mscorwks.dll
8 5799016A mscorwks.dll
9 579B5648 mscorwks.dll
10 579B5736 mscorwks.dll
Process Trace
1 C:\Program Files (x86)\Internet Explorer\iexplore.exe [13840]
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9968 CREDAT:83190 /prefetch:2
2 C:\Program Files\Internet Explorer\iexplore.exe [9968]
3 C:\Windows\explorer.exe [7276]
4 C:\Windows\System32\userinit.exe [6188]
5 C:\Windows\System32\winlogon.exe [932]
winlogon.exe
Thumbprint
284753c71db5bdcdacca607629ccecf0a5c5b6dd1a4bd62d2a537229486e6908
No, an action isn't being logged in Windows event log.
Here is example from event log of a ROP mitigation event.
Mitigation ROP
Platform 10.0.14393/x64 v583 06_4e
PID 13840
Application C:\Program Files (x86)\Internet Explorer\iexplore.exe
Description Internet Explorer 11
Callee Type AllocateVirtualMemory
0x1653C000 (4096 bytes)
Branch Trace Opcode To
-------------------------------- -------- --------------------------------
0x57981802 mscorwks.dll RET 0x57982511 mscorwks.dll ^008B
0x57982479 mscorwks.dll RET 0x57982579 mscorwks.dll ^00ED
0x57990126 mscorwks.dll RET 0x579901D9 mscorwks.dll ^0003
0x579901A9 mscorwks.dll RET 0x579901CC mscorwks.dll ^0006
0x57990113 mscorwks.dll RET 0x579901BD mscorwks.dll ^000A
0x57990074 mscorwks.dll RET 0x57990159 mscorwks.dll ^0001
0x579900A7 mscorwks.dll RET 0x57990073 mscorwks.dll ^0001
0x57990083 mscorwks.dll RET 0x579900A6 mscorwks.dll ^0001
0x57984BAF mscorwks.dll RET 0x57990082 mscorwks.dll ^0001
0x579817CF mscorwks.dll RET 0x57984BAF mscorwks.dll ^0004
0x57984C21 mscorwks.dll RET 0x57984C0E mscorwks.dll ^0004
0x04FD05AE (anonymous; mscoreei.dll) RET 0x57984C08 mscorwks.dll ^0002
0x04FD05AE (anonymous; mscoreei.dll) RET 0x57984BFB mscorwks.dll ^0002
RtlTryEnterCriticalSection +0x2c RET 0x57984BED mscorwks.dll ^0033
0x77ABC8DC ntdll.dll
0x57984C34 mscorwks.dll RET 0x57984C3A mscorwks.dll ^0001
0x579843D7 mscorwks.dll RET 0x57984C34 mscorwks.dll ^0001
0x579817CF mscorwks.dll RET 0x579843D7 mscorwks.dll ^0009
0x5798438E mscorwks.dll RET 0x579843D2 mscorwks.dll ^0338
MsgWaitForMultipleObjects +0x77 ~ RET* 0x0010B7ED iexplore.exe ^0002
0x74678EE7 user32.dll
GetOpenClipboardWindow +0x5f RET MsgWaitForMultipleObjects +0x74 ^0057
0x7468D3B7 user32.dll 0x74678EE4 user32.dll
MsgWaitForMultipleObjects +0x1fc ~ RET MsgWaitForMultipleObjects +0x68 ^0002
0x7467906C user32.dll 0x74678ED8 user32.dll
GetOpenClipboardWindow +0x5f RET MsgWaitForMultipleObjects +0x1f9 ^014C
0x7468D3B7 user32.dll 0x74679069 user32.dll
NtUserCallNoParam +0xc ~ RET MsgWaitForMultipleObjects +0x1d5 ^00E9
0x745824DC win32u.dll 0x74679045 user32.dll
Wow64SystemServiceEx +0x257 ~ RET TurboDispatchJumpAddressEnd +0xb ^0003
0x68946FA7 wow64.dll 0x68931CF7 wow64cpu.dll
0x68957A54 wow64.dll RET Wow64SystemServiceEx +0x244 ^01C7
0x68946F94 wow64.dll
0x689A84E0 wow64win.dll ~ RET Wow64SystemServiceEx +0x155 ^00F9
0x68946EA5 wow64.dll
0x689AF674 wow64win.dll ~ RET 0x689A84DB wow64win.dll ^0152
Stack Trace
# Address Module Location
-- -------- ------------------------ ----------------------------------------
1 772D3791 KernelBase.dll VirtualAlloc +0x41
2 57982533 mscorwks.dll
8bf0 MOV ESI, EAX
85f6 TEST ESI, ESI
7416 JZ 0x5798254f
66f745100010 TEST WORD [EBP+0x10], 0x1000
740e JZ 0x5798254f
8b0d7022ee57 MOV ECX, [0x57ee2270]
85c9 TEST ECX, ECX
0f85e0162700 JNZ 0x57bf3c2f
8bc6 MOV EAX, ESI
e866f2ffff CALL 0x579817bc
c21000 RET 0x10
3 5798256D mscorwks.dll
4 5798258B mscorwks.dll
5 57999145 mscorwks.dll
6 5799953E mscorwks.dll
7 57990214 mscorwks.dll
8 5799016A mscorwks.dll
9 579B5648 mscorwks.dll
10 579B5736 mscorwks.dll
Process Trace
1 C:\Program Files (x86)\Internet Explorer\iexplore.exe [13840]
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9968 CREDAT:83190 /prefetch:2
2 C:\Program Files\Internet Explorer\iexplore.exe [9968]
3 C:\Windows\explorer.exe [7276]
4 C:\Windows\System32\userinit.exe [6188]
5 C:\Windows\System32\winlogon.exe [932]
winlogon.exe
Thumbprint
284753c71db5bdcdacca607629ccecf0a5c5b6dd1a4bd62d2a537229486e6908
Hi Sophos,
Any update to this thread?
As raised initially by poster, Exploit event was captured by EXP.
This is flagged in SEC under the Exploit tab, shown in Exploit Count
Further details are shown in the Computer Details log, under "Latest Exploit Prevention Events".
Now how do I find out what action was done to this exploit. No RCA feature for this EXP variant.
Thanks.
Regards,
Roy
Hello Roy et al.,
what action was done
usually the process will be terminated and subsequently blocked until reboot. AFAIK unlike Central SEC does not perform any actions - neither does it start a Sophos Clean scan nor conduct an RCA.
Christian
Hi Roy,
I believe the below thread will provide you more information this. One of our GES Engineers (handling virus and exploits) would have explained on the this.
Regards,
Gowtham Mani
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
