cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
971
Views
2
Helpful
3
Replies

Questions: getting started using SEP Endpoint IOC Scans

mski7861
Level 1
Level 1


I have a requirement to start reviewing the information that can be gathered from Secure Endpoint using Endpoint IOC scans as a response tool post compromise. I found an old Cisco document 118899, from 2015 and was curious if there is a more recent document since the information referenced seems to be somewhat out of date. For instance, it references Mandiant IOC Editor software but when I search for this I'm taken to Fireeye's market place. Not very perplexing, however there are 2 versions of the OpenIOC editor - 1.1 and 1.0. Is it documented which version SEP supports? The Cisco Document seems to reference OpenIOC version 1.0.

1 Accepted Solution

Accepted Solutions

Roman Valenta
Cisco Employee
Cisco Employee

Here is my own experience when I was trying to understand on how to built my own IOC's based on TAC case that we received while ago. The issue was with uploading IOC's. So let me share my experience hope this will be helpful to you.

Error Received:

RomanValenta_0-1699546314372.png

From reviewing the specific error message it looks like the IOC was missing a required attribute “group-id” in the Element “IndicatorItem”.

 

However, I think this message is bit misleading. I was curious if I can replicate the same and I did. I was not sure what program CU was using at first to write the IOC’s but later found out the were using Open IOC by FireEye


After some test/trial I found the issue is with the app and how it saves the file. I’m not familiar with this app, but I download the copy and just created super simple file for testing purposes when I saved that file and try to upload to my AMP instance I got this same error as you can see above.

 

I also thought I’m missing some fields, but when I look in to the IOC’s that are already uploaded they don’t have “Group ID” either so I start comparing the code and notice some differences between each other and when I save the code on my PC and try to import it to the FireEye app it was telling me that the code is in old format and if I want to transform in to updated format.

 

 

That put me in to idea that there must be something about how the IOC file is formatted. I try manually change few things, but I was still getting errors so I decide to hunt for something that will write IOC in to simple IOC format and I ran across this online tool.

 

https://www.iocbucket.com/openioceditor#

 

What I did here is that I created the exact same IOC using the exact same attributes or fields and save it. When I upload this file it worked. Here is couple screenshots that should help.

 

Here showing the exact same fields between the online editor and OpenIOC by FireEye

 

RomanValenta_2-1699546724809.png

 

This screenshot is showing both IOC’s uploaded where one prints with same error as above and the other was accepted just fine

 

RomanValenta_3-1699546753058.png

 

Lastly here is the code for both:

  

Created by FireEye App

 

 

 

<?xml version="1.0" encoding="utf-8"?>
<OpenIOC xmlns:xsd=http://www.w3.org/2001/XMLSchema xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance id="439ec429-c8e3-4ac9-bd91-eb5e1234343c" last-modified="2022-07-06T18:08:20Z" published-date="0001-01-01T00:00:00" xmlns=http://openioc.org/schemas/OpenIOC_1.1>
  <metadata>
    <short_description>TEST FireEye</short_description>
    <authored_date>2022-07-06T17:04:40Z</authored_date>
    <links />
  </metadata>
  <criteria>
    <Indicator operator="OR" id="d4bfefb5-43a5-445b-b6be-f13b6da9ff11">
      <IndicatorItem id="ca88e619-443b-424e-9659-d1340a4a6ade" condition="contains" preserve-case="false" negate="false">
        <Context document="FileItem" search="FileItem/FileExtension" type="endpoint" />
        <Content type="string">txt</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="f964a5a8-7a63-472c-b7b6-aea3c712088a">
        <IndicatorItem id="b78c33ee-8b10-426d-abe6-03b6ad31f8a9" condition="contains" preserve-case="false" negate="false">
          <Context document="FileItem" search="FileItem/FileName" type="endpoint" />
          <Content type="string">TEST</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </criteria>
  <parameters />
</OpenIOC>

 

 

 

Created by Online Tool

  

 

 

<ioc
    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
    xmlns:xsd='http://www.w3.org/2001/XMLSchema'
    xmlns='http://schemas.mandiant.com/2010/ioc' id='d1e70bb6-271e-4226-a0ab-ccb9ecf19fd3' last-modified='2022-07-06T17:37:26.403Z'>
    <short_description>TEST File</short_description>
    <description>TEST File</description>
    <authored_by>Roman Valenta</authored_by>
    <authored_date>2022-07-06T17:37:26.403Z</authored_date>
    <links/>
    <definition>
        <Indicator operator='OR' id='516413c2-9476-42af-90ca-2f5354be211d'>
            <IndicatorItem condition='contains' id='015e5c2b-43a3-4567-9469-4faf97f1e461'>
                <Context document='FileItem' search='FileItem/FileExtension' type='mir'/>
                <Content type='string'>txt</Content>
            </IndicatorItem>
            <Indicator operator='AND' id='a1594e35-69c0-4320-a18e-14727a5fcaa6'>
                <IndicatorItem condition='contains' id='0968b744-72a7-4239-88cb-f7414e337f51'>
                    <Context document='FileItem' search='FileItem/FileName' type='mir'/>
                    <Content type='string'>TEST</Content>
                </IndicatorItem>
            </Indicator>
        </Indicator>
    </definition>
</ioc>

 

 

  

  *   You might also find the documentation that we have available on IOCs helpful: https://docs.amp.cisco.com/Cisco%20Endpoint%20IOC%20Attributes.pdf

 

  *   IOC: https://docs.amp.cisco.com/en/SecureEndpoint/Secure%20Endpoint%20User%20Guide.pdf

 

The document states that the IOC has to be in OpenIOC format and the file that will be created in new version of IOCe is most likely in STIX format in XML. You will need to create the IOC in OpenIOC format, or you might be able to find a converter online to assist with that.

 

When this document you mentioned was created in 2015 the version was IOCe 2.2.0 the one you can download now is IOCe 3.2.0. There is possibility that in 2015 this app was still using the old formatting which is currently the only one supported in our portal.

So being said , if you want to use IOCe software you will need to download older version. I did found a place where you can get one but please make your own judgement before downloading this file or use software that can save the IOC in simple format

https://mandiant-ioce.software.informer.com/versions/

I download version 2.2.0 in to my lab and check the installer and yes it’s old from 2015 hence the certs are expired but the MSI is signed by legit CA as you can see from this screenshot. Make sure you only downloads the zip file from that site , it will ask you to install some updater just cancel that, you should end up only with this file mandiant_ioc_editor.zip


Here is pic once unpacked and check for signing certs.

RomanValenta_4-1699547632954.png

 



 

View solution in original post

3 Replies 3

Roman Valenta
Cisco Employee
Cisco Employee

Here is my own experience when I was trying to understand on how to built my own IOC's based on TAC case that we received while ago. The issue was with uploading IOC's. So let me share my experience hope this will be helpful to you.

Error Received:

RomanValenta_0-1699546314372.png

From reviewing the specific error message it looks like the IOC was missing a required attribute “group-id” in the Element “IndicatorItem”.

 

However, I think this message is bit misleading. I was curious if I can replicate the same and I did. I was not sure what program CU was using at first to write the IOC’s but later found out the were using Open IOC by FireEye


After some test/trial I found the issue is with the app and how it saves the file. I’m not familiar with this app, but I download the copy and just created super simple file for testing purposes when I saved that file and try to upload to my AMP instance I got this same error as you can see above.

 

I also thought I’m missing some fields, but when I look in to the IOC’s that are already uploaded they don’t have “Group ID” either so I start comparing the code and notice some differences between each other and when I save the code on my PC and try to import it to the FireEye app it was telling me that the code is in old format and if I want to transform in to updated format.

 

 

That put me in to idea that there must be something about how the IOC file is formatted. I try manually change few things, but I was still getting errors so I decide to hunt for something that will write IOC in to simple IOC format and I ran across this online tool.

 

https://www.iocbucket.com/openioceditor#

 

What I did here is that I created the exact same IOC using the exact same attributes or fields and save it. When I upload this file it worked. Here is couple screenshots that should help.

 

Here showing the exact same fields between the online editor and OpenIOC by FireEye

 

RomanValenta_2-1699546724809.png

 

This screenshot is showing both IOC’s uploaded where one prints with same error as above and the other was accepted just fine

 

RomanValenta_3-1699546753058.png

 

Lastly here is the code for both:

  

Created by FireEye App

 

 

 

<?xml version="1.0" encoding="utf-8"?>
<OpenIOC xmlns:xsd=http://www.w3.org/2001/XMLSchema xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance id="439ec429-c8e3-4ac9-bd91-eb5e1234343c" last-modified="2022-07-06T18:08:20Z" published-date="0001-01-01T00:00:00" xmlns=http://openioc.org/schemas/OpenIOC_1.1>
  <metadata>
    <short_description>TEST FireEye</short_description>
    <authored_date>2022-07-06T17:04:40Z</authored_date>
    <links />
  </metadata>
  <criteria>
    <Indicator operator="OR" id="d4bfefb5-43a5-445b-b6be-f13b6da9ff11">
      <IndicatorItem id="ca88e619-443b-424e-9659-d1340a4a6ade" condition="contains" preserve-case="false" negate="false">
        <Context document="FileItem" search="FileItem/FileExtension" type="endpoint" />
        <Content type="string">txt</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="f964a5a8-7a63-472c-b7b6-aea3c712088a">
        <IndicatorItem id="b78c33ee-8b10-426d-abe6-03b6ad31f8a9" condition="contains" preserve-case="false" negate="false">
          <Context document="FileItem" search="FileItem/FileName" type="endpoint" />
          <Content type="string">TEST</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </criteria>
  <parameters />
</OpenIOC>

 

 

 

Created by Online Tool

  

 

 

<ioc
    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
    xmlns:xsd='http://www.w3.org/2001/XMLSchema'
    xmlns='http://schemas.mandiant.com/2010/ioc' id='d1e70bb6-271e-4226-a0ab-ccb9ecf19fd3' last-modified='2022-07-06T17:37:26.403Z'>
    <short_description>TEST File</short_description>
    <description>TEST File</description>
    <authored_by>Roman Valenta</authored_by>
    <authored_date>2022-07-06T17:37:26.403Z</authored_date>
    <links/>
    <definition>
        <Indicator operator='OR' id='516413c2-9476-42af-90ca-2f5354be211d'>
            <IndicatorItem condition='contains' id='015e5c2b-43a3-4567-9469-4faf97f1e461'>
                <Context document='FileItem' search='FileItem/FileExtension' type='mir'/>
                <Content type='string'>txt</Content>
            </IndicatorItem>
            <Indicator operator='AND' id='a1594e35-69c0-4320-a18e-14727a5fcaa6'>
                <IndicatorItem condition='contains' id='0968b744-72a7-4239-88cb-f7414e337f51'>
                    <Context document='FileItem' search='FileItem/FileName' type='mir'/>
                    <Content type='string'>TEST</Content>
                </IndicatorItem>
            </Indicator>
        </Indicator>
    </definition>
</ioc>

 

 

  

  *   You might also find the documentation that we have available on IOCs helpful: https://docs.amp.cisco.com/Cisco%20Endpoint%20IOC%20Attributes.pdf

 

  *   IOC: https://docs.amp.cisco.com/en/SecureEndpoint/Secure%20Endpoint%20User%20Guide.pdf

 

The document states that the IOC has to be in OpenIOC format and the file that will be created in new version of IOCe is most likely in STIX format in XML. You will need to create the IOC in OpenIOC format, or you might be able to find a converter online to assist with that.

 

When this document you mentioned was created in 2015 the version was IOCe 2.2.0 the one you can download now is IOCe 3.2.0. There is possibility that in 2015 this app was still using the old formatting which is currently the only one supported in our portal.

So being said , if you want to use IOCe software you will need to download older version. I did found a place where you can get one but please make your own judgement before downloading this file or use software that can save the IOC in simple format

https://mandiant-ioce.software.informer.com/versions/

I download version 2.2.0 in to my lab and check the installer and yes it’s old from 2015 hence the certs are expired but the MSI is signed by legit CA as you can see from this screenshot. Make sure you only downloads the zip file from that site , it will ask you to install some updater just cancel that, you should end up only with this file mandiant_ioc_editor.zip


Here is pic once unpacked and check for signing certs.

RomanValenta_4-1699547632954.png

 



 

With the information Roman provided, I tested first with the newer version of OpenIOC 1.1 editor. The issue is with the xml interpreters.

This is taken from the .ioc file created using the new version:

xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="953d1903-0adc-41a2-845e-a067cbd2f7f0" last-modified="2023-11-10T15:27:32Z" published-date="0001-01-01T00:00:00" 
xmlns="http://openioc.org/schemas/OpenIOC_1.1"

When I looked at your output from the online tool from https://www.iocbucket.com/openioceditor# (URL doesn't work for me), it includes schemas.mandiant.com which I'm guessing contains the "group-id” in the Element “IndicatorItem”.

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="8885fea4-3f9e-4cf5-9459-dfc99eb2415a" last-modified="2023-11-10T16:41:37"
xmlns="http://schemas.mandiant.com/2010/ioc"

 I downloaded the older version of OpenIOC 1.0 from the fireeye marketplace (https://fireeye.market/apps/238651) and created a basic IOC and was able to successfully import it into Secure Endpoint

Installed IOC Endpoints.png

A final note:

It appears FireEye has taken over the Mandiant OpenIOC editor since the link in Mandiant's article (https://www.mandiant.com/resources/blog/openioc-basics) takes me to the fireeye marketplace.  For anyone interested, it can be downloaded here: https://fireeye.market/apps/238651 

Hope this helps anyone going down this path. 

Awesome, if that was helpful please mark the answer as well.

Thanks,
Roman