dskeeles@hpe.co1

Content pack for Mandiant APT1-listed FQDNs

Hi all,

As a quick exercise, I decided to write a monitoring pack for the FQDNs in the Mandiant APT1 report, published here. In the Appendices they publish all the rules and signatures related to the research. A relatively quick win from this was to take the list of suspicious domain names they publish, and put it in an active list with a few rules.

I'm not aware of any restrictions on using the content in this way - there are no licence terms on the site and the intent appears to be to openly share this information - but please let me know if you know differently.

The pack is very simple - it looks for any event that shows the listed FQDNs (around 250 in total) in the Attacker HostName or Target HostName, as an exact match. If found, then the internal address (determined as the opposite to the blacklisted FQDN!) is added to another active watchlist. That watchlist then populates some DMs in a dashboard, including an event graph and last N event monitor.

The content is always inside ./Jumpstart/Mandiant APT1 indicators in each resource type. To use, simply install the package and open the single dashboard there. There are no alerts/notifications, although these can be added easily.

Note there is also no warranty or support provided with this; it's simple enough, but install at your own risk. This is my personal work, shared in good faith with the community, and not a product of HP/ArcSight.

Finally - if you have RepSM or TippingPoint RepDV, then the FQDNs should already be in your domain lists, if it has automatically updated.

Feedback/improvements welcome. I'd be interested to see whether any other indicators could be added - possibly some listed services starting, firewall patterns, or file modifications/system events picked up by FIM tools.

Cheers!

Damian
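The matching logic described in the post above, as an added example in plain Python (it is not the content pack itself, which is ArcSight rule/active-list content, and not the author's code). The indicator FQDNs, event field layout and sample events are all constructed for the example; the real pack loads the ~250 report FQDNs into an active list. It keeps the pack's semantics: exact match on Attacker HostName or Target HostName, with the "internal" host taken as the opposite side, and it shows the two cases that deliberately do not fire: a subdomain of a listed FQDN, and an event whose hostname field is empty.

```python
"""Added example, not from the original post or the ArcSight content pack:
the pack's FQDN-to-watchlist logic re-implemented in plain Python."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed placeholder indicators (not FQDNs from the APT1 report).
APT1_FQDNS = {
    "example-c2-one.invalid",
    "example-c2-two.invalid",
    "mail.example-c2-two.invalid",
}


def normalise(fqdn: Optional[str]) -> str:
    """Key used for the exact match: lower-case, trimmed, no trailing dot.
    Assumption: the active list is compared case-insensitively."""
    if not fqdn:
        return ""
    return fqdn.strip().lower().rstrip(".")


INDICATORS = {normalise(f) for f in APT1_FQDNS}


@dataclass
class Event:
    """Constructed event shape mirroring the ArcSight fields named in the post."""
    ts: datetime
    attacker_hostname: Optional[str]
    attacker_address: Optional[str]
    target_hostname: Optional[str]
    target_address: Optional[str]


@dataclass
class WatchEntry:
    address: str
    first_seen: datetime
    last_seen: datetime
    count: int = 1
    matched_fqdns: Set[str] = field(default_factory=set)


def match_event(ev: Event) -> Optional[Tuple[str, str]]:
    """Return (matched_fqdn, internal_address), or None.

    Exact match only, as in the pack: 'www.' + a listed FQDN does not fire.
    If the hostname field is empty (e.g. reverse DNS failed at the
    connector), nothing fires either; that gap needs address-based matching.
    """
    a = normalise(ev.attacker_hostname)
    t = normalise(ev.target_hostname)
    if a in INDICATORS and ev.target_address:
        return a, ev.target_address          # attacker is listed -> target is internal
    if t in INDICATORS and ev.attacker_address:
        return t, ev.attacker_address        # target is listed -> attacker is internal
    return None


def build_watchlist(events: List[Event]) -> Dict[str, WatchEntry]:
    """Populate the 'internal hosts' watchlist keyed by internal address."""
    watch: Dict[str, WatchEntry] = {}
    for ev in events:
        hit = match_event(ev)
        if hit is None:
            continue
        fqdn, internal = hit
        entry = watch.get(internal)
        if entry is None:
            watch[internal] = WatchEntry(internal, ev.ts, ev.ts, 1, {fqdn})
        else:
            entry.count += 1
            entry.last_seen = max(entry.last_seen, ev.ts)
            entry.matched_fqdns.add(fqdn)
    return watch


# Constructed sample events (documentation address ranges).
SAMPLE_EVENTS = [
    Event(datetime(2013, 2, 24, 8, 0), "example-c2-one.invalid", "203.0.113.10",
          "ws01.corp.example", "10.1.2.3"),
    Event(datetime(2013, 2, 24, 8, 5), "ws01.corp.example", "10.1.2.3",
          "EXAMPLE-C2-ONE.INVALID.", "203.0.113.10"),       # case/trailing dot
    Event(datetime(2013, 2, 24, 8, 7), "ws07.corp.example", "10.1.2.7",
          "www.example-c2-one.invalid", "203.0.113.11"),     # subdomain: no match
    Event(datetime(2013, 2, 24, 8, 9), "ws09.corp.example", "10.1.2.9",
          None, "203.0.113.12"),                             # no hostname: no match
    Event(datetime(2013, 2, 24, 8, 12), "ws11.corp.example", "10.1.2.11",
          "mail.example-c2-two.invalid", "198.51.100.5"),
]

if __name__ == "__main__":
    for addr, entry in build_watchlist(SAMPLE_EVENTS).items():
        print(addr, entry.count, sorted(entry.matched_fqdns), entry.last_seen)
```

Run as-is it prints the two internal hosts that contacted a listed FQDN; the fourth sample event is the case raised later in the thread, where only the address is populated and hostname matching alone is blind.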

13 Replies
StevenvandeBraak Outstanding Contributor.

Re: Content pack for Mandiant APT1-listed FQDNs

Hi Damian, thanks for that.

In addition to the FQDNs I have simply added the associated net blocks to the filters and some of the files mentioned in the appendix of the report.

[screenshot attached]

These net blocks were involved in communications to their hop/bounce points.

[screenshot attached]

A lot more logic could be added to the pack if you read the report and appendix, but it takes some time to go through.

Especially around the workings of the malware used in the attacks.

Maybe someone already created logic to detect the used malware kits (behavior wise)?

rgds,

Steven

dskeeles@hpe.co1 Absent Member.

Re: Content pack for Mandiant APT1-listed FQDNs

Thanks Steven,

That's a good idea to simply start off with a filename filter. I spent a little time thinking about what kind of products or likely OS monitoring configs would be able to pick these up, but wasn't sure if there were any definite candidates, as a vanilla FIM template, OS monitoring, etc. might not include the relevant paths/files. I hadn't thought of this approach; if those filenames do turn up, whether it be from FIM, AV, OS file, OS service monitoring, NGFW/IPS or anything else, then it at least pops up in the dashboard. Nice! Thanks!

Also - these are more likely to crop up, since I assume those domains have been torn down by now.

Damian

bomusula1 Established Member.

Re: Content pack for Mandiant APT1-listed FQDNs

Anyone getting an import failure error? "Element type "timePartitioned" must be declared."

How can I go round this?

dskeeles@hpe.co1 Absent Member.

Re: Content pack for Mandiant APT1-listed FQDNs

Hmm. Could be your ESM version. I created it on Express 3.0; what are you importing it to?

bomusula1 Established Member.

Re: Content pack for Mandiant APT1-listed FQDNs

I'm using Express version 5...

Further, from where can I obtain the MIR script? The script is mentioned in the PDF at https://protect724.arcsight.com/message/28528#28528

brianc2 Absent Member.

Re: Content pack for Mandiant APT1-listed FQDNs

"MIR" is a Mandiant product/appliance, not a script AFAIK.

dskeeles@hpe.co1 Absent Member.

Re: Content pack for Mandiant APT1-listed FQDNs

OK, I think Steven edited the ARB in ESM 6.0, so his version isn't compatible with Express 3 any more.

StevenvandeBraak Outstanding Contributor.

Re: Content pack for Mandiant APT1-listed FQDNs

Oh yes, didn't realize that.

I indeed imported and edited it in 6c.

Express isn't compatible with 6c because of the time-partitioned active lists. I'll try to convert it back to ESM 5.

Rgds, Steven.

danje571 New Member.

Re: Content pack for Mandiant APT1-listed FQDNs

I've had a quick review of your modified package; are you sure about the network masks used? /7 /4

karl2k1 Absent Member.

Re: Content pack for Mandiant APT1-listed FQDNs

I really appreciate your work. I realize that searching by target hostname will cover most bases if the target address changes.

However, it can leave a gaping hole when reverse DNS fails to look up the domain and only the target address field is populated. How can you ensure that the lookup will take place?

I'm just curious as to how the lookup is done to begin with. Is it that every IP address coming in the connector contacts internal DNS to grab hostnames? What we are seeing is that 2/3 of external hostnames are not being populated. Can you add an additional external DNS lookup server?

dskeeles@hpe.co1 Absent Member.

Re: Content pack for Mandiant APT1-listed FQDNs

That's correct, in that the IP will be reverse-looked-up to get hostnames. If it's not working, it could be that the DNS query is timing out. The lookup is done at the connector - if software, then it uses the DNS in the OS. If appliance, then you configure it in the UI.

Looking up every host/address can of course place a huge load on the DNS infrastructure; there are configurable parameters in the agent.properties file for DNS cache lifespan, duration, etc. It can sometimes be worth setting up a dedicated DNS server for ArcSight appliances where you can exert more control over the lookups, lookup route, etc. YMMV!

Damian
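Two points from the replies above fit one added example: Steven's net-block filters (with danje571's question about over-broad /7 and /4 masks), and karl2k1's observation that hostname-only matching is blind when the connector's reverse DNS lookup fails and only the address field is populated. The code below is added here and is not the content pack or anyone's posted code; the netblocks, minimum-prefix threshold, event dict layout and sample events are constructed for the example (documentation address ranges), and the dict keys simply mirror the ArcSight field names the thread refers to. It validates an indicator netblock list before use, rejecting malformed lines and flagging masks shorter than a review threshold, then matches events on their address fields so that an event with an empty hostname still fires, and reports how many events have an address but no hostname (the gap karl2k1 is measuring).

```python
"""Added example, not from the thread or the ArcSight content pack: netblock
sanity checks plus address-based matching that works when reverse DNS failed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed indicator netblocks, NOT the blocks from the APT1 report.
# Two deliberately bad entries: an over-broad /7 (the kind of mask questioned
# in the thread) and a malformed line.
RAW_NETBLOCKS = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "192.0.2.0/7",        # over-broad: almost certainly a typo for /24 or similar
    "not-a-netblock",     # malformed
]

MIN_PREFIX = 16  # constructed threshold: anything shorter needs human review


def load_netblocks(raw: List[str], min_prefix: int = MIN_PREFIX):
    """Return (usable networks, rejected (line, reason) pairs)."""
    nets, rejected = [], []
    for line in raw:
        try:
            net = ipaddress.ip_network(line.strip(), strict=False)
        except ValueError as exc:
            rejected.append((line, f"unparseable: {exc}"))
            continue
        if net.prefixlen < min_prefix:
            rejected.append((line, f"prefix /{net.prefixlen} is broader than "
                                   f"/{min_prefix}; review before use"))
            continue
        nets.append(net)
    return nets, rejected


def address_in_blocks(addr: Optional[str], nets) -> Optional[str]:
    """Return the matching block as a string, or None."""
    if not addr:
        return None
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in nets:
        if ip in net:
            return str(net)
    return None


def match_by_address(event: Dict[str, Optional[str]], nets) -> Optional[Tuple[str, str]]:
    """Return (matched_block, internal_address) or None.
    Unlike hostname matching, this fires even when targetHostName /
    attackerHostName are empty because the reverse lookup failed."""
    hit = address_in_blocks(event.get("targetAddress"), nets)
    if hit and event.get("attackerAddress"):
        return hit, event["attackerAddress"]
    hit = address_in_blocks(event.get("attackerAddress"), nets)
    if hit and event.get("targetAddress"):
        return hit, event["targetAddress"]
    return None


def hostname_gap(events: List[Dict[str, Optional[str]]]) -> Tuple[int, int]:
    """(events with a target address but no target hostname, total events):
    a quick measure of how much the hostname-only rule is missing."""
    missing = sum(1 for e in events
                  if e.get("targetAddress") and not e.get("targetHostName"))
    return missing, len(events)


# Constructed sample events: the first is the reverse-DNS-failed case.
SAMPLE_EVENTS = [
    {"attackerAddress": "10.1.2.9", "attackerHostName": "ws09.corp.example",
     "targetAddress": "203.0.113.44", "targetHostName": None},
    {"attackerAddress": "10.1.2.7", "attackerHostName": "ws07.corp.example",
     "targetAddress": "192.0.2.5", "targetHostName": None},       # only in the rejected /7
    {"attackerAddress": "10.1.2.5", "attackerHostName": "ws05.corp.example",
     "targetAddress": "198.51.100.200", "targetHostName": "cdn.example"},  # outside /25
]

if __name__ == "__main__":
    nets, rejected = load_netblocks(RAW_NETBLOCKS)
    for line, reason in rejected:
        print("rejected:", line, "->", reason)
    for ev in SAMPLE_EVENTS:
        print(ev["targetAddress"], "->", match_by_address(ev, nets))
    print("hostname gap:", hostname_gap(SAMPLE_EVENTS))
```

The second sample event only matches if the /7 is let through, which is exactly why the mask review matters: a /7 covers roughly 33 million addresses, so it would flag a large share of ordinary internet traffic as APT1-related.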
