Tuesday, February 5, 2013

Auto-Generating OpenIOCs

Wow, it has been two years since last post, and this post will not be mind blowing. For cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 past couple of years I have been busy building an incident response team and SOC so I have not had a lot of time write much worth posting. I finally got some free time this last week and created a quick and dirty script to create OpenIOC format IOCs from unstructured data. This was a pain point in my teams day to day operations since we use OpenIOC format IOCs for just about every part of our automation to look for known indicators, be in in Splunk or MIR. The script is not complicated but saves a ton of time when you have to import a long list of IOCs (MD5’s, IP’s or domain names). To execute cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 script all you need is a basic install of python, no ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r libraries. I’ll walk through an example of its use below. First step is to find a source for IOCs. In a perfect world all IOCs would be in a structured format already but most of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 time cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are not. In this example I will be creating IOC’s from a a FireEye blog post. If you want to play along here is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 site: http://blog.fireeye.com/research/2013/02/operation-beebus.html Just copy cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 contents cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 blog post to a file. Once you have cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 contents copied over execute cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 script as below, “blobofIOCs” is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 copied content:



This will create an OpenIOC format IOC in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same directory:


From here you aren’t done it does most of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 work but you have to edit some of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 property files and check for BAD IOCs. You can load cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 IOC up in Mandiant IOC editor located here:


When parsed it will look similar to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 figure below:

“ioc_creator.py” will generate domain, IP, MD5 hash, registry and file path IOCs. Be sure to change cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 name, add groups, and change cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 description as it defaults to BulkImport . The IOC will still load into MIR if you don’t change this but you want to change this data for context if it ever hits. The IOC also has some bad auto-generated IOCs. The “File Full Path contains “\Windows,” which is a bad IOC, as well as cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 single registry path contains.  Delete cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se BAD IOCs out. “ioc_creator.py” defaults IOC term logic to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following for each IOC term type:
  • FileItem/FullPath – contains
  •  RegistryPath – contains
  • Network/DNS – contains
  • PortItem/remoteIP – is
  • FileItem/Md5sum - is
The auto-generation will catch some very high false positive IOCs so make sure to use IOC lint and double check what has been auto-generated for you.  In cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 end my IOC was cleaned up to look like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following figure:


Please let me know of any bugs or features needed. The script can be found here:



3 comments:

Chara said...

This is cool!

ItsReallyNick said...

Was wondering how to bulkimport and assign indicator IDs. Cool regex searching for context and assigning uuid. Noice noice!

Thanks for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 work.

Unknown said...

Great, however apart from indentation errors it gives "SyntaxError: unexpected EOF while parsing" error.