This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Importing dodgy MD5 hashes into Spectrum

RSAAdmin
Beginner
Beginner
‎2013-03-20 04:39 AM

There has been a lot of noise lately about the Mandiant APT1 report which included a large number of indicators that can be detected using NetWitness.  These include domains, IP addresses as well as 3008 MD5 hashes from files found in Mandiant investigations.  These MD5s can be imported into Spectrum to elevate the badness score; ideally warning you that something needs attention.  The process is very simple but is often forgotten about.

 

This process can be repeated anytime an AV vendor or security firm release a list of hashes to the broader community.  The APT1 malware is now largely identified by antivirus (e.g. VirusTotal in Spectrum) but this same technique can be used for lesser known hash sets.

 

For example, Symantec released a report today at http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/comment_crew_indicators_of_compromi…

 

The Symantec report includes a list of several hundred MD5 hashes that you can format into a CSV file prior to importing into Spectrum.  I've attached both the Mandiant APT1 and Symantec CSV files to this post already correctly formatted.  For reference, the file needs to be a Comma Separated Value (CSV) format with a header row.  Details on page 79 of the Spectrum manual.  Personally, I use Excel to create these CSV files because it is so easy.

 

Symantec_comment_crew_md5.png

The columns are pretty self explanatory.  Chances are you won't have the original file name so you can leave this blank.  The source column can be a reference so you know which report listed the hash.

https___10.0.1.18_resources_spectrumHelp.png

Once imported you will see the hash values (possibly thousands of them) listed in the System | Hash page.  These will be processed against any file that Spectrum looks at.

NetWitness Spectrum __ System_2013-03-20_19-06-01.png

If your Spectrum box ever spots a file that matches your bad hash set it will show up as an icon on the File or Event page.  Notice in the screen shot below that both my chosen antivirus engines and the bad hash value were triggered.  The static, community and sandbox analysis scores were all high too.   These files are probably not friendly.

 

NetWitness Spectrum __ Events_2013-03-20_19-07-42.png

Hovering over the hash icon on the Event screen shows the following information:

 

NetWitness Spectrum __ Events_2013-03-20_19-09-24.png

That is all there is to it.  The inclusion of known bad hashes can be a useful trick to help improve the scores out of Spectrum and prioritize the things you may like to investigate first.

 

Attached is a ZIP file that needs to be extracted before the two files can be imported into Spectrum.  A video of the whole process is also attached.

MD5s for Spectrum.zip
Preview file
4699 KB
MD5s for Spectrum.zip
0 Likes
6 Comments
© 2022 RSA Security LLC or its affiliates. All rights reserved.