Skip to content

Instantly share code, notes, and snippets.

@adricnet

adricnet/IocEditorFeatures.md

Last active June 9, 2016 21:37
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save adricnet/cb46d182200a40deb6d62c3906da59c9 to your computer and use it in GitHub Desktop.
Save adricnet/cb46d182200a40deb6d62c3906da59c9 to your computer and use it in GitHub Desktop.
Download ZIP
Some things IOC editor can't do today
Raw
IocEditorFeatures.md

In which I detail some things that the pretty nifty free[1] IOC Editor (or potentially the OpenIOC format, or MIR ?) just won't do for me. Some of these are explained in the very nice User Guide (UG). Maybe some of the other openioc tools can do more, like ioc_writer[2] ...

  1. Compare numbers, like file.size >= or <=
  2. Process trees, in the manner of other products
  3. Combine types in an boolean expression (UG)
  4. Any fancy hashing, like ssdeep or imphash

This is cramping my style and preventing me from even trying to implement some simple (...) use cases from past and present casework, such as

  1. IExplore.exe launches thing ... which launch things ... which launch vssadmin.exe (early Cryptowall)
  • ParentProcess ID is insufficient
  1. FlashPlayer binaries from a campaign that vary slightly in size but have other similarities (like signing , imphash)
  • Can't do the executable size range
  • MD5s change each sample, but ssdeep and imphash are similar for the clusters

It's also tricky is find out what the possible field values are. I'm experimenting with SUSPENDED now, like this ... though this does not work:

<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="f018d92b-7680-4ac7-8175-ffc5d480ef92" last-modified="2016-06-09T19:22:55" xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>Suspended Process</short_description>
  <description>Test rule looking for Suspended processes, part of process hollowing and injection techniques --adricnet</description>
  <authored_by>adricnet</authored_by>
  <authored_date>2016-06-09T18:17:59</authored_date>
  <links />
  <definition>
    <Indicator operator="OR" id="fa23da32-73cd-4440-8bd4-c37a5e456b03">
      <IndicatorItem id="5745e3a6-712e-4593-a868-f4af7adcfff7" condition="contains">
        <Context document="ProcessItem" search="ProcessItem/PortList/PortItem/state" type="mir" />
        <Content type="string">SUSPENDED</Content>
      </IndicatorItem>
      <IndicatorItem id="f092c7db-1ebf-4a27-8f9f-720405027328" condition="contains">
        <Context document="ProcessItem" search="ProcessItem/SectionList/MemorySection/RawFlags" type="mir" />
        <Content type="string">SUSPENDED</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>

1: https://www.fireeye.com/services/freeware/ioc-editor.html

2: https://github.com/mandiant/ioc_writer

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment