Showing posts with label IOC. Show all posts
Showing posts with label IOC. Show all posts

Monday, September 17, 2018

Free / Open Source Compromise Assessment Tools

OTX ( Open Threat Exchange ):


                                     AlienVault provides OTX Endpoint Threat Hunter and its free, fast, and simple.

AlienVault threat hunting service delivers as much threat intelligence power as OTX Endpoint Threat Hunter. It is the Open & free service that natively uses the community-powered threat intelligence of OTX to scan your endpoints for known indicators of compromise (IOCs).

OTX Endpoint Threat Hunter uses the same agent-based approach as expensive endpoint security tools and DIY open source agents without the expense, complexity, or guesswork. 

How It Works
  • OTX Endpoint Threat Hunter is available to any registered Open Threat Exchange (OTX) user. It’s free to join OTX.
  • To get started, download and install the AlienVault® Agent on the Windows or Linux devices you want to monitor. The AlienVault Agent is immediately ready to find threats.
  • You can launch a query on any endpoint from OTX by selecting a pre-defined query that looks for IOCs in one or more OTX pulses.
  • Once launched, the AlienVault Agent executes the query, and the results of the query display on a summary page within OTX.



       is a Python-based tool which aims at assessing the compromised perimeter during incident response assignments. It allows analysts to perform large scale scans of Windows-based information systems by searching for behavioral patterns described in IOC (Indicator of Compromise) files. The tool is currently composed of two main components:
  • The Python Flask-based web interface, used to configure the scans and visualize their results;
  • The scanner that connects to remote targets and runs the search for IOCs.
CERTitude is an open-source tool developed by the CERT-Wavestone. It is brought to you freely, but user support is only provided on a best-effort basis.


CERTitude is compatible with a wide range of target Windows operating systems, from XP / 2003 to Windows 10 / Server 2016. Though CERTitude can be run from a Linux host, it is only fully supported on Windows as some features may not be implemented on Linux.


  • Ability to scan hosts in a way that prevents the target workstation from knowing what the investigator is searching for
  • Ability to retrieve some pieces of data from the hosts
  • Multiple scanner instances (for IOCs and/or hash scans) can be run at the same time for parallel scanning
  • Built with security considerations in mind (protected database, secure communications with hosts using IPSec)



Tuesday, August 14, 2018

Free Indicators of Compromise (IOC) Tools - FireEye

IOC Finder

FireEye Indicators of Compromise (IOC) Finder is a free tool for collecting host system data and reporting the presence of IOCs. IOCs are open-standard XML documents that help incident responders capture diverse information about threats.

The IOC Finder features:
  • Collection of full data, sufficient for general IOC matching requirements
  • Usage of a portable storage device for collection from multiple hosts
  • IOC hit reporting in simple text, full HTML and full MS Word XML formats
  • Generation of reports for specific hosts or all hosts

Download Link :

IOC Editor

FireEye Indicators of Compromise (IOC) Editor is a free tool that provides an interface for managing data and manipulating the logical structures of IOCs. IOCs are XML documents that help incident responders capture diverse information about threats, including attributes of malicious files, characteristics of registry changes and artifacts in memory.

The IOC Editor includes:
  • Manipulation of the logical structures that define the IOC
  • Application of meta-information to IOCs, including detailed descriptions or arbitrary labels
  • Conversion of IOCs into XPath filters
  • Management of lists of “terms” used within IOCs
 Download Link :

IOC Writer

IOC Writer provide a python library that allows for basic creation and editing of OpenIOC objects.

Provide a python library that allows for basic creation and editing of OpenIOC objects. It supports a basic CRUD (Create, Read, Update, Delete) for various items.
Items do not have built in Read operations, since all items can be accesed with built in ElementTree syntax or the use of XPATH to select portions of the IOC.

Download Link :

Thursday, October 26, 2017

Updated IOC's - Bad Rabbit Ransomware

A new ransomware worm named "Bad Rabbit" began spreading across the world Last Tuesday (Oct. 24), and it appeared to be a much-modified version of the NotPetya worm that hit eastern Europe in June.

This ransomware attack is most likely hitting computers in Russia and Ukraine, bearing similarities to the NotPetya outbreak that caused billions of pounds of damage in June.

The self-titled “Bad Rabbit” malware encrypts data on infected machines before demanding a payment of 0.05 bitcoin (£250) for the decryption key. The ransom demand is phrased similarly to that of June’s outbreak, and researchers at Russian security firm Kaspersky say that the malware uses “methods similar to those used” during the NotPetya attack.

Briefly about yesterday's events :

  • The initial infection was due to compromised websites and a fake update to Flash Player, which required user interaction to activate and continue exploitation (the user had to confirm the agreement to install the update);
  • Distribution on the local network was done by scanning the internal network for open SMB-open access files, as well as an attempt to use the HTTP-based WebDAV protocol based on HTTP and allowing the use of the Web as a resource for reading and writing;
  • Mimikatz was used to extract user credentials from the memory of an infected PC;
  • Legitimate DiskCryptor software used to encrypt files;
  • Types of file extensions that were encrypted on a user's PC:
#Bad-Rabbit encrypts following files: .dib.disk.djvu.doc.docx.dwg.eml.fdb .odt.ora.ost.ova.ovf.p12.p7b.p7c .tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd

Original Name 
de5c8d858e6e41da715dca1c019df0bfb92d32c0– SHA1
79116fe99f2b421c52ef64097f0f39b815b20907 – SHA1
DLL payload
DiskCryptor Driver (x64)
DiskCryptor Client
16605a4a29a101208457c47ebfde788487be788d – SHA1
Mimikatz (x64)
413eba3973a15c1a6429d9f170f3e8287f98c21c -SHA1
Mimikatz (x32)
DiskCryptor driver x86
DiskCryptor driver x86

C&C servers

Payment site: http://caforssztxqzf2nm[.]onion
Inject URL: http://185.149.120[.]3/scholargoogle/
Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php

Scheduled Tasks names:

In Taskschd.msc, look for and remove these tasks
  • viserion_
  • rhaegal
  • drogon

List of compromised web sites


 Distribution Paths:

  • /flash_install.php
  • /index.php

Intermediary Server:
  • 185.149.120[.]3

Hidden service:
  • caforssztxqzf2nm[.]onion

Kill Switch: to create read-only file C:\windows\infpub.dat. In case of infection files won't be encrypted

Restrict Scheduled Tasks: viserion_, rhaegal, drogon
Make backup of important data
Update operation systems and security systems
Isolate infected PCs
Block IP-addresses and domain names from Indicators list
Block inbound SMB
Use Credential Guard in Windows
Control # of admins
 Monitor scheduled tasks and service creation