Content pack for Mandiant APT1-listed FQDNs

Hi all,

As a quick exercise, I decided to write a monitoring pack for the FQDNs in the Mandiant APT1 report, published here. In the Appendices they publish all the rules and signatures related to the research. A relatively quick win from this was to take the list of suspicious domain names they publish, and put it in an active list with a few rules.

I'm not aware of any restrictions on using the content in this way - there are no licence terms on the site and the intent appears to be to openly share this information - but please let me know if you know differently.

The pack is very simple - it looks for any event that shows the listed FQDNs (around 250 in total) in the Attacker HostName or Target HostName, as an exact match. If found, then the internal address (determined as the opposite to the blacklisted FQDN!) is added to another active watchlist. That watchlist then populates some DMs in a dashboard, including an event graph and last N event monitor.

The content is always inside ./Jumpstart/Mandiant APT1 indicators in each resource type. To use, simply install the package and open the single dashboard there. There are no alerts/notifications, although these can be added easily.

Note there is also no warranty or support provided with this; it's simple enough, but install at your own risk. This is my personal work, shared in good faith with the community, and not a product of HP/ArcSight.

Finally - if you have RepSM or TippingPoint RepDV, then the FQDNs should already be in your domain lists, if it has automatically updated.

Feedback/improvements welcome. I'd be interested to see whether any other indicators could be added - possibly some listed services starting, firewall patterns, or file modifications/system events picked up by FIM tools.

Cheers!

Damian
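The matching logic the post describes (exact-match a listed FQDN against the Attacker or Target HostName, then put the opposite endpoint's address on a watchlist), as an added stand-alone example that is not part of the post or the ArcSight pack. The field names, the internal/external addresses and the indicator domains are all constructed placeholders; the real indicator list is the roughly 250 FQDNs in the report's appendix. The example goes slightly beyond the pack's exact match by normalising case and a trailing root dot, and its last sample event shows what exact matching does not catch (a subdomain of a listed name).

```python
"""Toy re-implementation of an FQDN-indicator watchlist, illustrating the
post's rule logic outside ArcSight. Hypothetical example code."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed placeholder indicators. The pack uses the FQDNs from the
# Mandiant APT1 appendix; these ".invalid" names are NOT from the report.
APT1_FQDNS: Set[str] = {
    "c2-example-one.invalid",
    "c2-example-two.invalid",
}


@dataclass(frozen=True)
class Event:
    """Minimal stand-in for the ArcSight fields the rules inspect (assumed names)."""
    attacker_host: str
    attacker_addr: str
    target_host: str
    target_addr: str


def normalize_fqdn(name: str) -> str:
    """Exact match as in the pack, but tolerant of case and a trailing root dot."""
    return name.strip().rstrip(".").lower()


def load_indicators(names: Iterable[str]) -> Set[str]:
    """Build the active list: normalised FQDNs, blank entries dropped."""
    return {normalize_fqdn(n) for n in names if n.strip()}


def match_event(event: Event, indicators: Set[str]) -> Optional[Tuple[str, str]]:
    """Return (matched_fqdn, internal_address) when either endpoint's hostname
    is a listed FQDN. The internal side is the *other* endpoint, as in the pack."""
    attacker = normalize_fqdn(event.attacker_host)
    target = normalize_fqdn(event.target_host)
    if attacker in indicators:
        return attacker, event.target_addr
    if target in indicators:
        return target, event.attacker_addr
    return None


def build_watchlist(events: Iterable[Event], indicators: Set[str]) -> Dict[str, Set[str]]:
    """Second active list: internal address -> set of listed FQDNs it touched."""
    watchlist: Dict[str, Set[str]] = {}
    for event in events:
        hit = match_event(event, indicators)
        if hit is None:
            continue
        fqdn, internal_addr = hit
        watchlist.setdefault(internal_addr, set()).add(fqdn)
    return watchlist


# Constructed sample events (RFC 5737 documentation ranges for the external side).
SAMPLE_EVENTS: List[Event] = [
    # Listed FQDN as attacker: the target is the internal host.
    Event("c2-example-one.invalid", "203.0.113.10", "ws-05.corp.example", "10.0.0.5"),
    # Listed FQDN as target, odd case and trailing dot: the attacker is internal.
    Event("ws-09.corp.example", "10.0.0.9", "C2-Example-Two.INVALID.", "203.0.113.20"),
    # Benign traffic: no match.
    Event("ws-07.corp.example", "10.0.0.7", "www.example.com", "198.51.100.1"),
    # Subdomain of a listed name: exact matching deliberately does NOT fire.
    Event("ws-11.corp.example", "10.0.0.11", "cdn.c2-example-one.invalid", "203.0.113.30"),
]

if __name__ == "__main__":
    for addr, hits in sorted(build_watchlist(SAMPLE_EVENTS, load_indicators(APT1_FQDNS)).items()):
        print(addr, sorted(hits))
```

Whether the subdomain case should fire is a policy choice: the pack's exact match keeps false positives low, while a suffix match (`name == fqdn or name.endswith("." + fqdn)`) would catch hosts under a listed domain at the cost of more noise.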