IOC Grabbin Like a Boss

May 13, 2016

A very simple, yet effective way of detecting malware activity is by the use of IOCs (Indicators of Compromise). IOCs may consist of IP addresses, domain names, file hashes, URL strings, hexadecimal values in a payload, and so on. Many different places on the internet publish IOCs in the form of blacklists or set files. Here I will show you how to use simple methods to combine and centralize all of your favorite IOCs into one large, custom, mission-driven IOC list.

Start by crafting a list of your favorite security vendor blacklists and, for simplicity's sake, separate them by domains, IPs, and MD5 hashes. I have chosen the following blacklists for my Excel workbook.

IPs:

  • https://www.openbl.org/lists/base_30days.txt
  • http://rules.emergingthreats.net/blockrules/compromised-ips.txt
  • https://zeustracker.abuse.ch/blocklist.php?download=badips

Domains:

  • http://www.malwaredomainlist.com/hostslist/delisted.txt
  • https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt

MD5s:

  • https://virusshare.com/hashes/VirusShare_00229.md5

 

Open a Microsoft Excel workbook. Create six different sheets and label them with names that correspond to the blacklists to keep everything organized.


After the tabs have been created it is time to import the IOCs from the blacklist locations on the internet. Select the first tab, ET_Comped_IP, and select cell A1. Select the Excel Data tab and click From Web in the Get External Data group.


A Web Query pop-up box will appear and it is there that you will insert the web address of the IOC web resource. Select the yellow arrow for the area you want to import into your document and click Import.


That process creates a data connection for the Excel sheet and imports the desired web-based IOCs into your workbook. Rinse, wash, and repeat for the other IOC web resources in separate tabs. In the end you will have six Excel tabs that can be refreshed on demand with the latest and greatest IOCs.


Now you have an Excel workbook containing thousands of IOCs that your company's security administrators can add to your IDS/IPS systems. Be careful, security admins! Depending on the source, an IOC could be a false positive, or, even worse, too many IOCs could overload your IDS/IPS appliances and cause more complex issues on the network. Deduplicate the combined list, strip out entries for your own infrastructure, and keep an eye on the total count before pushing it to a blocking device.
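The consolidation that the Excel tabs above do by hand, as an added Python example that is not part of the original post: it parses downloaded feed text (comment lines, one entry per line, hosts-file style lines), classifies each entry as an IP, domain or MD5, drops loopback/sinkhole addresses and anything on an allowlist, de-duplicates across feeds, and records which feeds contributed each IOC so a single-feed hit can be reviewed before it is blocked. The feed contents, feed names and the ALLOWLIST entry are constructed for the example; they are not data from the real feeds listed above.

```python
"""Consolidate several text IOC feeds into one de-duplicated, typed IOC list.

Added example: runs offline on constructed sample text standing in for the
downloaded blacklist files.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample feed bodies (not real feed data). The formats mimic what
# such feeds look like: '#' comments, one entry per line, a hosts-file style
# list, mixed case, a trailing dot, and some noise lines.
SAMPLE_FEEDS = {
    "ET_Comped_IP": "# compromised hosts\n192.0.2.10\n192.0.2.11\n198.51.100.7\n",
    "ZeuS_badips": "# C2 IPs\n192.0.2.10\n203.0.113.5\n0.0.0.0\nnot-an-ioc\n",
    "RW_DOMBL": "# ransomware domains\nbad.example.net\nC2.EXAMPLE.ORG.\n",
    "MDL_hosts": "127.0.0.1  evil.example.com  # hosts-file format\n127.0.0.1  bad.example.net\n",
    "VirusShare_md5": "# md5 list\n0123456789abcdef0123456789abcdef\n"
                      "0123456789ABCDEF0123456789ABCDEF\nzzzz\n",
}

# Entries that must never reach a blocking device (e.g. your own domains).
# Hypothetical value chosen for the example.
ALLOWLIST = {"c2.example.org"}

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^{LABEL}(\.{LABEL})+$")


def classify(token):
    """Return (ioc_type, normalized_value), or None if the token is not a usable IOC."""
    t = token.strip().lower().rstrip(".")
    if MD5_RE.match(t):
        return "md5", t
    try:
        ip = ip_address(t)
    except ValueError:
        ip = None
    if ip is not None:
        # Loopback, 0.0.0.0, multicast and link-local entries are feed noise
        # (hosts-file sinkhole addresses and the like) and would only cause
        # trouble if pushed to an IDS/IPS.
        if ip.is_loopback or ip.is_unspecified or ip.is_multicast or ip.is_link_local:
            return None
        return "ip", str(ip)
    # Checked after IPs because a dotted-quad also matches the domain pattern.
    if len(t) <= 253 and DOMAIN_RE.match(t):
        return "domain", t
    return None


def parse_feed(text):
    """Yield candidate IOC tokens from one feed body, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including inline ones
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        # hosts-file style "127.0.0.1 evil.example.com": the domain is the IOC
        if len(parts) >= 2 and classify(parts[0]) is None:
            yield parts[1]
        else:
            yield parts[0]


def consolidate(feeds, allowlist=frozenset()):
    """Merge feeds into {ioc_type: {ioc_value: sorted list of source feed names}}."""
    merged = defaultdict(lambda: defaultdict(set))
    for name, text in feeds.items():
        for token in parse_feed(text):
            hit = classify(token)
            if hit is None:
                continue
            kind, value = hit
            if value in allowlist:
                continue
            merged[kind][value].add(name)
    return {k: {v: sorted(s) for v, s in vals.items()} for k, vals in merged.items()}


def summarize(merged):
    """Per-type counts, so the size of what you push to the IDS/IPS stays visible."""
    return {kind: len(vals) for kind, vals in merged.items()}


if __name__ == "__main__":
    result = consolidate(SAMPLE_FEEDS, ALLOWLIST)
    for kind, vals in sorted(result.items()):
        for ioc, sources in sorted(vals.items()):
            print(f"{kind}\t{ioc}\t{','.join(sources)}")
    print(summarize(result))
```

The source list attached to each IOC is the useful part for the false-positive problem: an address seen in two independent feeds is a stronger candidate for a blocking rule than one seen in a single feed, which you may prefer to alert on rather than block.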

 

– Steven R.

Advanced Threat Cyber Security Analyst

 

The latest with QOS Networks
