YARA and IOCs - caitlinmallen/TechWiki GitHub Wiki

IOCs

What is it?

  • Indicators of compromise
  • Specific criteria that can be used to distinguish whether a machine is compromised or not
    • Registry keys
    • Malware characteristics
      • File name
      • Size
      • Location
      • Hash
      • PE info
    • Process/Service info
    • DNS queries
    • Files dropped
  • Types of IOCs
    • OpenIOC
      • Mandiant
    • Yara
    • Threat intelligence
      • Structured Threat Information Expression (STIX)
      • Trusted Automated Exchange of Intelligence Information (TAXII)
  • OpenIOC
    • XML based
    • Tool to create called IOC Editor
    • Tools to scan are IOC Finder and Redline
    • Windows-based tools only
  • YARA
    • Scanner and rules
    • Platforms: Windows, Linux, and Mac
    • Extensible via Python
    • Running YARA
      • yara [options] RULES_FILE TARGET
      • TARGET can be a file, a folder, or a running process (by PID)
  • YARA rules
    • Simple rule (the condition is always true, so this rule matches every file scanned):

        rule demo1 : tag
        {
            condition:
                true
        }

  • nocase: the string matches regardless of upper or lower case
  • ascii wide
    • ascii matches the 1-byte ASCII encoding of the string
    • wide matches the 2-byte (UTF-16LE) representation
    • Used for Unicode strings, e.g. non-English characters
  • filesize == N (or <, >) compares the size of the scanned file in the condition
  • File type can also be checked
  • Rules about YARA rules
    • C-style syntax is followed
    • Comments are C-style
      • /*comment*/
      • //comment line
    • Conditional operators
    • Boolean/Arithmetic operators
  • For lab get YARA rule to catch everything
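The rule below is an added example, not from the original wiki page, that puts the features listed above (tags, nocase, ascii wide, filesize, C-style comments, boolean and comparison operators, and a hash check) into one rule. All strings, the mutex name and the MD5 value are constructed placeholders; the hash module is assumed to be available in the YARA build used.

```yara
/*
 * demo_ioc.yar (added example; strings and hash are constructed placeholders)
 * Scan with:  yara -r demo_ioc.yar /path/to/scan
 */
import "hash"   // assumption: YARA built with the hash module

rule demo_dropper : example dropper
{
    meta:
        description = "Illustrates the rule features from the notes above"
        author      = "constructed example"

    strings:
        // nocase: matches "Global\ExampleMutex", "GLOBAL\EXAMPLEMUTEX", ...
        $mutex = "Global\\ExampleMutex" nocase

        // ascii wide: matches the 1-byte ASCII and the 2-byte UTF-16LE form
        $cmd   = "cmd.exe /c" ascii wide

        // hex pattern with a wildcard byte (?? matches any single byte)
        $hdr   = { 4D 5A 90 00 ?? 00 00 00 }

    condition:
        // file-type check: PE files start with "MZ" (0x5A4D little-endian)
        uint16(0) == 0x5A4D and
        // filesize comparison keeps the rule from firing on large installers
        filesize < 2MB and
        (
            // boolean operators combine string matches; #cmd counts occurrences
            ($mutex and #cmd >= 1) or
            // "at" anchors the hex pattern to a specific offset
            $hdr at 0 or
            // hash-based IOC: placeholder MD5, replace with a real indicator
            hash.md5(0, filesize) == "00000000000000000000000000000000"
        )
}

// "catch everything" rule for a lab baseline, as in the demo1 rule above
rule catch_all : lab
{
    condition:
        true
}
```

Because the MD5 is a placeholder, the hash clause never matches on real input; the rule still fires on a small PE that carries the mutex and command strings, or whose header matches the hex pattern. Running `yara -r demo_ioc.yar DIR` prints one line per rule hit, with `catch_all` listed for every file, which is the expected baseline when checking that the scanner is actually reading the target.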