Autogenerating OpenIOC
293 views
Skip to first unread message
tk_lane
Feb 5, 2013, 10:40:59 PM2/5/13
to ope...@googlegroups.com
Just posted a script and workflow for auto-generating OpenIOCs from unstructured data. Tools is here:
and walkthrough is here:
It would be nice to have feedback.
Cheers,
Kelcey
Tom U. @c_APT_ure
Feb 6, 2013, 4:25:06 AM2/6/13
to ope...@googlegroups.com
Kelcey,
I think this is a really great idea and thanks for the effort to initiate this!
Just as an idea, there are more than one potentially interesting locations (artifacts) to search for different indicators.
E.g. for domain names, also in DNS cache, Download-URLs, Cookies, even memory strings. See IOC attached.
document="UrlHistoryItem" search="UrlHistoryItem/URL"
document="DnsEntryItem" search="DnsEntryItem/Host"
document="CookieHistoryItem" search="CookieHistoryItem/HostName"
document="ProcessItem" search="ProcessItem/StringList/string"
document="Network" search="Network/DNS"
The same for other indicators like MD5.
- DriverItem/Md5sum
- FileItem/Md5sum
- FileItem/StreamList/Stream/Md5sum
- ProcessItem/SectionList/MemorySection/Md5sum
- ServiceItem/pathmd5sum
- ServiceItem/serviceDLLmd5sum
- TaskItem/ActionList/Action/ExecProgramMd5sum
- TaskItem/md5sum
But this is a really great start to build upon.
Once the IOC is autogenerated a more complex logic is easier to create with IOCe, since each indicator can be dragged & dropped under AND / OR logic tree.
I will definitely look into this great tool soon and hopefully start using it as well.
Thanks again for the initiative!
Cheers,
Tom
https://twitter.com/c_APT_ure
http://c-apt-ure.blogspot.com/
I think this is a really great idea and thanks for the effort to initiate this!
Just as an idea, there are more than one potentially interesting locations (artifacts) to search for different indicators.
E.g. for domain names, also in DNS cache, Download-URLs, Cookies, even memory strings. See IOC attached.
document="UrlHistoryItem" search="UrlHistoryItem/URL"
document="DnsEntryItem" search="DnsEntryItem/Host"
document="CookieHistoryItem" search="CookieHistoryItem/HostName"
document="ProcessItem" search="ProcessItem/StringList/string"
document="Network" search="Network/DNS"
The same for other indicators like MD5.
- DriverItem/Md5sum
- FileItem/Md5sum
- FileItem/StreamList/Stream/Md5sum
- ProcessItem/SectionList/MemorySection/Md5sum
- ServiceItem/pathmd5sum
- ServiceItem/serviceDLLmd5sum
- TaskItem/ActionList/Action/ExecProgramMd5sum
- TaskItem/md5sum
But this is a really great start to build upon.
Once the IOC is autogenerated a more complex logic is easier to create with IOCe, since each indicator can be dragged & dropped under AND / OR logic tree.
I will definitely look into this great tool soon and hopefully start using it as well.
Thanks again for the initiative!
Cheers,
Tom
https://twitter.com/c_APT_ure
http://c-apt-ure.blogspot.com/
--
You received this message because you are subscribed to the Google Groups "OpenIOC" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openioc+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Devon Kerr
Feb 6, 2013, 8:08:58 AM2/6/13
to ope...@googlegroups.com
It's never a bad idea to look in process memory - ProcessItem ProcessPort RemoteIP can be surprisingly valuable if you happen to have something chatty on a box.
Reply all
Reply to author
Forward
0 new messages