In “Open Threat Exchange” post we mentioned that shared IoCs by other parties on Open Threat Exchange. Open IoCs are nice since they are manufacturer independent and can be used in a lot of different technologies for detecting threats.
Viewing Existing IoCs
In this post, we will mention on Mandiant IOC Editor. First of all, Mandiant IOCe could be used to view open IoCs which you downloaded from different sources. Here, we will show a simple example to view an existing IoC. So, as example, we download an IoC from Open Threat Exchange. This is the IoCs of malicious files found on Pulse Connect Secure devices. This is an xml file downloaded and has 108 IoCs containing 36 MD5, 36 SHA1, and 36 SHA256 hash values. You know, IoCs are not only hashes. They can contain a lot of different attributes about the attack, but in this example, we only have hash values. Later in this post, we will create IoC with different attributes also.
After we download the IoCs as xml file, from File > New > Indicator From File menu and choose the xml file. Here, we can see all the IoCs we downloaded and if we want we can change, delete or add IoCs in that file.
Create an IoC
It is also so easy to create IoC with Mandiant IOCe. We start from File > New > Indicator menu. Firstly, IOCe provides us to give a name and description for the IoC. As the example, we will create IoC for detecting WinSCP file. Let’s check hash values of WinSCP.exe file first. MD5 and SHA256 is enough for us now.
From Item > File Item menu, we choose File MD5 and paste the MD5 value of the file. Let’s do the same for File sha256 menu. Additionally, we add File Name in OR logic.
Then, we can add more attributes from hundreds of items in IOCe. We tried to show some of them in the screenshot below.
Do not forget that attributes you choose should be unique to the file, so it can be detectable and less false positives occur. Description is important while creating an IoC, since open IoC is developed to be used by everyone, and if you create an IoC, it is better to write enough description to understand by others.