In this and previous modules we learned about different cybersecurity information sharing formats. In this assignment we are going to review two very popular formats: the Indicators of Compromise format (often referred to as OpenIOC or just IOC) and the Structured Threat Information Expression language (STIX). Both are used widely in the industry, and each has its benefits and drawbacks.
The first cyber information format we will look at is IOC, defined by Mandiant. Mandiant is an American cybersecurity firm which rose to prominence in February 2013 when it released a report directly implicating China in cyber espionage. Mandiant has since been acquired by FireEye, but much of the information and tools provided by Mandiant are still available, specifically APT1, the set of indicators used to implicate China. Mandiant/FireEye provides a wide range of tools:
Analysis Tools: Memoryze, Highlighter
Research Tools: ApateDNS, PdbXtract, Heap Inspector
Indicator of Compromise (IOC) Tools: IOC Editor, IOC Finder
Open Source Tools: OpenIOC 1.1, ShimCacheParse, Reversing, Rproxy, Audit Parser
For this assignment, we are going to use the IOC Editor (IOCe) to both gain knowledge of Mandiant/FireEye and the tool set(s) provided by them, as well as the transformation process used to convert a specific format (in this case IOC) to STIX.
Mandiant/FireEye provides many useful tools, free of charge. If you go to the Mandiant/FireEye download site, you will find that they offer a wide range of tools for analysis and incident reporting. One of the more useful tools is the Mandiant IOC Editor for Indicators of Compromise (IOCs). IOCs are XML documents that help incident responders capture diverse information about threats, including attributes of malicious files, characteristics of registry changes, and artifacts in memory. IOCe provides an interface for managing the data within these IOCs, including: manipulating the logical structures that define the IOC, applying meta-information to IOCs such as detailed descriptions or arbitrary labels, converting IOCs into XPath filters, and managing the lists of “Terms” that are used within IOCs. To obtain this tool, you can go to the Mandiant/FireEye download site and locate the IOC Editor. I have included Mandiant IOCe version 2.2.0.0 in the file sdl-ioc-editor.zip, which is known to work with this assignment. You will also need the Microsoft .NET 3.5 Framework, which is provided for download as well.
Note that there is an MD5 and SHA-1 hash for the file you downloaded and also for the file you extract from the download. To verify that you received the correct tool and that it has not been modified, perform the following operations.
Download the Microsoft tool File Checksum Integrity Verifier (FCIV) and invoke the file you downloaded, generally from the download directory. The file name at the time of this writing is Windows-KB41290-x86-ENU.exe. In the example below, I’ve downloaded the FCIV tool and it resides in my download directory.
Download the Mandiant IOCe tool. The zip file is named sdl-ioc-editor.zip. Before you decompress it, check the hash.
Perform a hash calculation on the sdl-ioc-editor.zip file: use the command fciv with the “-sha1” or “-both” switch on the file sdl-ioc-editor.zip.
Ensure the result matches the integrity hash displayed on the Mandiant download page, or in our case for the ZIP file downloaded, as displayed in the Command Prompt demonstrated below (SHA-1 = aff95f0fa83c7b07cbe4130bbef92bd11a82b9a0).
Figure: Using FCIV to Perform Integrity Checking (note your FireEye page content may be different)
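The same integrity check FCIV performs can be scripted, which is handy when you verify several downloads or want to compare against a published digest without reading hex by eye. The following Python is an added example (not a Mandiant/FireEye tool and not part of the assignment files): it computes MD5 and SHA-1 of a file in chunks, as "fciv -both" does, and compares the result to the expected digest in constant time. The sample bytes and expected digests used in the demo are constructed for illustration; substitute the real file and the SHA-1 shown on the download page.

```python
"""Scripted equivalent of "fciv -both <file>" plus a comparison step.
Added example, not part of the assignment's tooling. The demo data (the
bytes b"abc" and their well-known digests) is constructed for illustration."""
import hashlib
import hmac
import os
import tempfile


def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests of a file, hashing in chunks so a large zip never has to fit in memory."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def digests_of_bytes(data):
    """Same two digests for an in-memory byte string (used by the demo)."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def verify(actual_hex, expected_hex):
    """Case-insensitive, constant-time comparison of two hex digests.
    hmac.compare_digest avoids leaking how many leading characters matched."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def check_download(path, expected_sha1, expected_md5=None):
    """Hash the file and check it against the published SHA-1 (and MD5, if given).
    Returns (ok, md5, sha1) so the caller can print what FCIV would have printed."""
    md5, sha1 = file_digests(path)
    ok = verify(sha1, expected_sha1)
    if expected_md5 is not None:
        ok = ok and verify(md5, expected_md5)
    return ok, md5, sha1


def demo():
    """Write a constructed file containing b"abc" and verify it against the known SHA-1 of "abc"."""
    expected_sha1 = "a9993e364706816aba3e25717850c26c9cd0d89d"  # SHA-1("abc")
    fd, path = tempfile.mkstemp(suffix=".zip")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"abc")
        return check_download(path, expected_sha1)
    finally:
        os.remove(path)


if __name__ == "__main__":
    ok, md5, sha1 = demo()
    print("MD5 :", md5)
    print("SHA1:", sha1)
    print("integrity check:", "PASS" if ok else "FAIL -- do not extract this archive")
```

Run it as "python verify_download.py"; to check the real archive, call check_download("sdl-ioc-editor.zip", "<sha1 from the download page>") instead of demo(). A failed check means the archive should not be extracted or installed.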
PHASE 1 – Using Mandiant Tools to View Indicators
Now that you have verified that you have the correct tool, it’s time to practice using it. IOCe is documented in the user manual provided with this assignment; you should read it before continuing. To get an idea of how the tool works, perform the following:
Download APT1
Decompress the APT1 file
Download IOCe
Verify the image using FCIV (you should have already done this above)
Decompress the IOCe file
Install the tool by invoking the “Mandiant IOCe.msi”
Locate the newly installed application (search for it under “new” applications) and run it.
Once opened, select the directory where your APT1 files are located:
Figure: Locating APT1 Files (system dependent)
Once you select the working IOC directory, you should see the following content:
Figure: IOCe and Working Content
The first entry is an index of all the entries within the directory.
Select AURIGA, notice the description of the malware and also the Portable Executable (PE) information provided.
Look at the tools section, and observe the types of operations you can perform.
Locate the IOC Terms Editor and select it.
Locate the ARP IPv4 Address.
Determine what type of data is used to represent this term by scrolling to the right:
Data Type: IP
XML Data Type: xs:string
Use the search feature and find the following: d9c4ebd61c1aee52b3597aae048a592f
Ignore the first result, “Appendix E – APT1 File Hashes”; this contains a list of all hashes.
Select search again and “Continue Last Search”.
What is the result?
Name: WARP (FAMILY)
Description: The WARP malware family is an HTTP based backdoor written in C++, and the majority of its code base is borrowed from source code available in the public domain. Network communications are implemented using the same WWW client library (w3c.cpp) available from www.dankrusi.com/file_69653F3336383837.html. The malware has system survey functionality (collects hostname, current user, system uptime, CPU speed, etc.) taken directly from the BO2K backdoor available from www.bo2k.com. It also contains the hard disk identification code found at www.winsim.com/diskid32/diskid32.cpp. When WARP is executing remote commands, the malware creates a copy of the ‘%SYSTEMROOT%\system32\cmd.exe’ file as ‘%USERPROFILE%\Temp\~ISUN32.EXE’. The version signature information of the duplicate executable is zeroed out. Some WARP variants maintain persistence through the use of DLL search order hijacking.
Category: Backdoor
Files with detected anomalies: update.exe, ntshrui.dll, netui0.dll
These are very basic operations, but as you can see the ability to receive, compare and share these indicators would be very useful when trying to determine what a suspicious file might be.
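The search you just ran by hand (hash in, family name, category and related file names out) is exactly what a responder automates when an IOC feed is consumed by a script rather than an editor. The Python below is an added example, not Mandiant's code: it parses OpenIOC 1.0 documents, the format the APT1 files use, and answers "which IOC mentions this MD5, and what else does that IOC define?". The IOC document embedded in it is constructed to mimic the APT1 layout (short_description, a link with rel="category", and FileItem/Md5sum and FileItem/FileName indicator items); the hashes and file names in it are sample values, not real indicators.

```python
"""Search OpenIOC 1.0 documents for an MD5 and report name, category and file names.
Added example, not Mandiant/FireEye code. SAMPLE_IOC is a constructed document
that mimics the APT1 layout; its hashes and names are sample values."""
import glob
import os
import xml.etree.ElementTree as ET

# Default namespace used by OpenIOC 1.0 documents such as the APT1 set.
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

SAMPLE_IOC = """<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001" last-modified="2013-02-18T00:00:00">
  <short_description>EXAMPLEFAM (FAMILY)</short_description>
  <description>Constructed sample family used only to demonstrate the parser.</description>
  <authored_by>example</authored_by>
  <links>
    <link rel="category">Backdoor</link>
  </links>
  <definition>
    <Indicator operator="OR" id="00000000-0000-0000-0000-000000000002">
      <IndicatorItem id="00000000-0000-0000-0000-000000000003" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="00000000-0000-0000-0000-000000000004">
        <IndicatorItem id="00000000-0000-0000-0000-000000000005" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">update.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="00000000-0000-0000-0000-000000000006" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">netui0.dll</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def parse_ioc(xml_text):
    """Reduce one OpenIOC document to the fields IOCe shows in its search results.
    IOC feeds are third-party input; when parsing files from an untrusted feed,
    use defusedxml instead of the stdlib parser to avoid entity-expansion attacks."""
    root = ET.fromstring(xml_text)
    name = root.findtext("ioc:short_description", default="", namespaces=NS).strip()
    description = root.findtext("ioc:description", default="", namespaces=NS).strip()
    category = ""
    for link in root.iterfind("ioc:links/ioc:link", NS):
        if link.get("rel") == "category":
            category = (link.text or "").strip()
    md5s, filenames = set(), set()
    # IndicatorItems may be nested arbitrarily deep inside Indicator elements.
    for item in root.iterfind(".//ioc:IndicatorItem", NS):
        ctx = item.find("ioc:Context", NS)
        content = item.findtext("ioc:Content", default="", namespaces=NS).strip()
        if ctx is None or not content:
            continue
        if ctx.get("search") == "FileItem/Md5sum":
            md5s.add(content.lower())
        elif ctx.get("search") == "FileItem/FileName":
            filenames.add(content)
    return {"name": name, "category": category, "description": description,
            "md5s": md5s, "filenames": filenames}


def search_hash(iocs, md5):
    """Return every parsed IOC that lists the given MD5 (case-insensitive)."""
    wanted = md5.strip().lower()
    return [ioc for ioc in iocs if wanted in ioc["md5s"]]


def load_directory(path):
    """Parse every .ioc file in a directory, e.g. the extracted APT1 folder."""
    iocs = []
    for fn in sorted(glob.glob(os.path.join(path, "*.ioc"))):
        with open(fn, "rb") as fh:
            iocs.append(parse_ioc(fh.read()))
    return iocs


if __name__ == "__main__":
    hits = search_hash([parse_ioc(SAMPLE_IOC)], "D41D8CD98F00B204E9800998ECF8427E")
    for hit in hits:
        print("Name:", hit["name"])
        print("Category:", hit["category"])
        print("Files:", ", ".join(sorted(hit["filenames"])))
```

Pointing load_directory at the extracted APT1 folder and calling search_hash with the hash from the exercise reproduces the editor's "Continue Last Search" walk in one step; the appendix file that lists every hash will show up as a hit too, just as it does in IOCe.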
PHASE 2 – Using STIX Tools to View Indicators
Now that we have seen how the Mandiant tools work for viewing indicators, let’s look at how this might be done using STIX and the tools provided by the Department of Homeland Security (DHS) STIX initiative. We want to compare apples to apples, but APT1 doesn’t have an incident report in our desired STIX format. Because of this, we’ll have to convert the files, which are currently in the IOC format, to STIX. To perform the conversion, we are going to download the STIX tools from the STIXProject website. If you already have Python installed, you may want to uninstall it or ensure you are using the correct version when performing this exercise. The STIX format we are using is the older version, 1.1, which requires either Python 2.7 (which is really old) or Python 3.6 (which is the version we’ll use in the lab).
NOTE: PYTHON VERSION 3.6 HAS BEEN TESTED AND IS KNOWN TO WORK WITH WINDOWS 11 AND BELOW. MAKE SURE PIP IS INCLUDED WHEN INSTALLING PYTHON AND THAT YOU ARE REFERENCING IT WITH THE ABSOLUTE PATH IF YOU HAVE ANOTHER VERSION OF PYTHON INSTALLED.
Python Module Installation:
It is suggested that you remove the current version of Python you have, specifically if it is newer than Python 3.6. Download Python 3.6, which is the version of Python the developers recommend for use with the STIX Python conversion tool, and use the Python default path during the 3.6 installation. Navigate to the https://github.com/STIXProject/openioc-to-stix website and download the latest openioc-to-stix project (the version provided with this assignment has been tested and is known to work). Make sure you have downloaded the following required files:
Python 3.6
The latest openioc-to-stix project
Your download directory should look like the following:
Figure: Required Downloads
In the figure above, the openioc-to-stix-master-update and python-3.6.8-amd64 files have been downloaded. Also note the APT1 file and directory, which were downloaded and extracted in the previous steps of this lab. Double click the python-3.6.8 file to install Python and extract the openioc-to-stix-master-update file.
Next, you will install the required STIX Python modules using PIP. PIP is a built-in installation program for Python modules, and is supplied in the 3.6 version of the Python installation provided for this exercise. PIP is generally located in the
Python – Users
An example of this operation is demonstrated below:
Figure: Using pip to install openioc-to-stix on Windows
Conversion Tool Installation:
Locate the OpenIOC to STIX utility. For your convenience I have included it with this assignment (you should use this version since it’s been tested with this lab). This is a Python based tool. Make sure you have already installed the required STIX Python modules described in the section “Python Module Installation”. To use the tool, you’ll need to decompress the downloaded file, openioc-to-stix-master-update.zip.
After you decompress the conversion utility, you should read the README.rst file. What you’ll find, however, is that this file uses the Linux/Unix
Figure: Notepad README.rst
To eliminate this problem, you can use a tool called unix2dos.exe (a Windows Command Prompt utility), which will convert the file from the Linux format received to the DOS format required to read it in Notepad. Download this tool and perform the following command:
unix2dos README.rst
The file should now be in the correct format for you to read and find out more information about the utility you are using. Note that you do not have to perform the pip installation steps documented in the README.rst file; you used the newer procedure documented in “Python Module Installation”. Once you have the files in place, you should navigate to the openioc-to-stix Python files located in the created subdirectories and test that everything is working correctly using the command:
C:Users
Figure: Testing openioc-to-stix Using Help
You should receive the results demonstrated in the figure above. Also note the APT1 directory; this directory contains the OpenIOC files used in the Mandiant exercise above. You will move/copy this directory in the next step of this exercise to make the conversion operation easier.
Running the Conversion Tool
You will now perform the conversion operation, which converts the OpenIOC files to their STIX representation. We will be using the Python program openioc-to-stix.py. The program takes two inputs; the format of the command is the following:
openioc-to-stix.py -i <input.ioc> -o <output.stix>
where -i is used to define the input file parameter (or switch) and -o the output file parameter (or switch).
To make the operation easier for this portion of the assignment, move/copy the APT1 directory you used previously to a subdirectory of the openioc-to-stix-master-update directory. This operation is demonstrated below:
Figure: Move/Copy the APT1 Directory
Once the APT1 files are in place, you can issue the command given in the example below to convert your files from OpenIOC (.ioc) to STIX (.stix). The following displays how to issue the commands from the openioc-to-stix-master directory to the APT directory, both extracted from the Downloads folder.
Figure: Issuing the Command to Convert OpenIOC to STIX
You should use the same naming convention that the IOC file uses, with an extension of “stix” for the STIX conversion file. An example of this process is demonstrated above, note that the APT1 directory contains both the original IOC file and the resultant STIX converted file.
The following walk-through video shows you the processes used to install and convert an IOC to STIX file:
For your convenience, a Windows batch file is provided “AS-IS” that helps in the conversion of all IOC files to the STIX format. You can use this script file, but you are responsible for any modifications that might need to be made within your environment for its proper operation. Make sure you can convert one IOC file to STIX before attempting to use the batch file.
If you get the following error:
Figure: No APT1 Directory
The above error indicates that you did not extract or copy the APT1 directory into the working openioc-to-stix-master directory as a subdirectory. To validate that you have the correct directory in place, issue the command below while in the openioc-to-stix-master working directory (where all the STIX Python files are located):
dir APT1
If this command results in no files found, you did not move/copy the APT1 directory and files that reside in it as required.
If you are a Linux/MacOS user, you can create a script file by copying and pasting the following (run it from the APT1 directory and adjust the path to openioc-to-stix.py for your system):
#!/bin/bash
# Convert every .ioc file in the current directory to a .stix file with the same base name.
for i in *.ioc ; do
    python ./openioc-to-stix.py -i "$i" -o "${i%.ioc}.stix"
done
Again, the above is also provided “AS-IS” and the same rules apply as above.
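For students who would rather drive the conversion from Python than from a batch or shell script, the following is an added example (it is not the batch file provided with the assignment and not part of the openioc-to-stix project). It keeps the assignment's naming convention (same base name, .stix extension), skips files that were already converted, invokes openioc-to-stix.py with the -i/-o switches described above, and reports per-file success or failure instead of stopping at the first error. It assumes openioc-to-stix.py is reachable at the path you pass in, and it sticks to Python 3.6 syntax so it runs under the interpreter the lab uses.

```python
"""Batch driver for openioc-to-stix.py. Added example, not part of the
openioc-to-stix project or of this assignment's files. Assumes the tool
accepts "-i <input> -o <output>" as documented above. Python 3.6 compatible."""
import subprocess
import sys
from pathlib import Path


def stix_path_for(ioc_path):
    """AURIGA.ioc -> AURIGA.stix, keeping the directory and base name."""
    return Path(ioc_path).with_suffix(".stix")


def plan_conversions(ioc_files, skip_existing=True):
    """Pair each .ioc file with its .stix target; ignore non-.ioc files and,
    by default, files whose .stix output already exists."""
    plan = []
    for f in ioc_files:
        src = Path(f)
        if src.suffix.lower() != ".ioc":
            continue
        dst = stix_path_for(src)
        if skip_existing and dst.exists():
            continue
        plan.append((src, dst))
    return plan


def build_command(tool, src, dst, python_exe=sys.executable):
    """Command line for one conversion, using the same interpreter that runs this script
    unless told otherwise (important when several Pythons are installed)."""
    return [python_exe, str(tool), "-i", str(src), "-o", str(dst)]


def convert_all(ioc_dir, tool="openioc-to-stix.py", python_exe=sys.executable, dry_run=False):
    """Convert every .ioc file in ioc_dir. Returns {file name: status string}.
    With dry_run=True nothing is executed; the plan is reported instead."""
    files = sorted(Path(ioc_dir).glob("*.ioc"))
    results = {}
    for src, dst in plan_conversions(files):
        cmd = build_command(tool, src, dst, python_exe)
        if dry_run:
            results[src.name] = "planned: " + " ".join(cmd)
            continue
        # Python 3.6 has no capture_output=; use explicit pipes.
        proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              universal_newlines=True)
        if proc.returncode == 0 and dst.exists():
            results[src.name] = "ok -> " + dst.name
        else:
            results[src.name] = "failed (exit %d): %s" % (proc.returncode, proc.stderr.strip())
    return results


if __name__ == "__main__":
    # Usage: python convert_apt1.py <ioc directory> [path to openioc-to-stix.py]
    directory = sys.argv[1] if len(sys.argv) > 1 else "APT1"
    tool_path = sys.argv[2] if len(sys.argv) > 2 else "openioc-to-stix.py"
    for name, status in convert_all(directory, tool_path).items():
        print(name, ":", status)
```

Run it from the openioc-to-stix-master working directory as "python convert_apt1.py APT1"; a dry run (convert_all(..., dry_run=True)) prints the exact commands so you can check the paths before anything is written.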
STIX Visual Representation
Now that we have converted the XML from IOC to STIX, let’s install a STIX viewer and see how the STIX tool works. To begin, we need to make sure Java is installed on our system and, more importantly, that we set up our Windows Command Prompt so that it can find Java. First start by determining if Java is available by running the following command in a Windows Command Prompt:
java --version
You should see the following results:
Figure: Java Version
Notice that I’m running a version of Java newer than 1.8, and that some Java implementations use a single “dash” for the version command, i.e. “java -version”. Originally, the tool was built for version 1.7 or 1.8 of Java, but newer versions of Java have been known to run the 1.8 version of StixViz. If you do not get the results above, for example an invalid command, you will need to locate your java.exe file and then add its path as an environment variable. To perform this operation, first go to the root directory and issue the command:
dir /s java.exe
Once you’ve located the java.exe file, use the control panel and navigate to the System settings by selecting “All Control Panel Items” as demonstrated in the figure below:
Figure: Control Panel All
Once all items of the Control Panel are being displayed, locate the System setting as demonstrated in the figure below:
Figure: Control Panel System Setting
Select System and you will receive the following setting dialog box:
Figure: System Advanced Settings
Select “Advanced System Settings” and another dialog box will take focus; within that dialog box, select the “Environment Variables” button to receive the dialog box below.
Figure: Modify Path Adding Java Location
Select the “Path” variable and the “Edit” button. This will allow you to add the path to the java.exe file. You specify only the path and not the file. In the example below, I had a previous entry for Nmap, so I used the separator “;” to indicate a new path and then provided the java.exe path. NOTE: YOUR SYSTEM MAY INSTALL IN A DIFFERENT DIRECTORY OR HAVE A DIFFERENT VERSION, SO DON’T JUST COPY MY ENTRY.
C:\Program Files (x86)\Nmap;C:\Program Files (x86)\Java\jre1.8.0_77\bin
Save your changes and start a new Command Prompt window; the changes won’t take effect for any windows already open. Verify your settings by running the java version command again.
We will now use a new tool called STIXviz, which is supplied as Python code but also has pre-built images we can take advantage of for both Java 1.7 and Java 1.8. In my environment, I’m going to install the 1.8 version. If you have Java 1.8 or higher, which most students do, you should use StixVizDistro_Windows_java8.zip. To perform the installation, download the STIXviz compressed file matching your Java version:
StixVizDistro_Windows_java7.zip
StixVizDistro_Windows_java8.zip
If you are a MacOS user, you should be using your Windows virtual instance for this assignment (to complete the IOCe portion above), and you can use the same Windows image for this StixViz section as well. You can also try the MacOS version, which is provided with this assignment.
Decompress the file and navigate to the directory containing StixViz.exe. Invoke this executable and you will be presented with a STIX viewer with a “Choose Files” button. When browsing for the STIX files you converted, make sure you’re not just looking for “XML” files, or you may see an empty directory. Use the “file type” specifier in the open dialog box to show all files.
Figure: Locating STIX files (APT1 Subdirectory Example)
Select one of the files you converted to STIX from the APT1 directory. It should display the STIX logo in the center of the view; click on that to expand the objects and you should see something resembling the following:
Figure: STIXviz
Convert all the APT1 IOC files to STIX and view them in your STIX viewer. Use the different types of graph views to display the incidents loaded. While the viewer to date does not contain all the nice features and capabilities needed to edit the information and formats, you can see that it’s a great start as far as the ability to visually represent incidents, and with more work it can become a very useful tool.
Question 1 (10 pts)
Using Mandiant IOCe, load the APT1 content and find the following file hash:
73a63c21a08b0ad2c69999e448f8e6a1
What is the reported Name for this hash?
Question 2 (10 pts)
Using Mandiant IOCe, load the APT1 content and find the following file hash:
73a63c21a08b0ad2c69999e448f8e6a1
What is the reported Category for this hash?
Question 3 (10 pts)
Using Mandiant IOCe, load the APT1 content and find the following file hash:
73a63c21a08b0ad2c69999e448f8e6a1
What is the reported capability for this hash? Select all that apply.
Answer choices:
File upload and download
Communication with C2
Uses port 54 to communicate with C2
Uses XOR and Base64 encoding
Question 4 (10 pts)
Using Mandiant IOCe, load the APT1 content and find the following file hash:
73a63c21a08b0ad2c69999e448f8e6a1
There is more than one instance of this hash being used in APT1.
Answer choices: True / False
Question 5 (10 pts)
What are the required switches for the IOC to STIX conversion tool? Specify only the switches and not the parameters that are used with them.
Question 6 (10 pts)
Using Mandiant IOCe, load the APT1 content and find the following file hash:
73a63c21a08b0ad2c69999e448f8e6a1
Which files are associated with this hash?
Answer choices:
updata.exe
update.exe
windows.exe
data.exe
Question 7 (40 pts)
After you have completed this assignment, upload a Windows document file that contains a screen shot of the following:
Snapshot of STIXviz with a converted APT1 IOC clearly being displayed
Grading rubric (Requirement, Description, Points):
STIXviz Tool Functioning (20 points): The STIXviz tool is opened and able to display content derived from the previous conversion exercise of IOCs to STIX objects. Import a STIX object to be displayed into STIXviz.
3 STIX Objects are being displayed (20 points): Click on the main STIX object to expand the object relationship model of the exploit being viewed. Show at least 3 distinct STIX objects (try to display no more than 10).