This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Hash/MD5 IOC population

JayWatson
Beginner
Beginner

‎2018-05-16 02:15 PM

If I have Malware appliance that is already calculating the hash of a file, would there be a way to populate the system on a continual basis similar to a feed and set it as a blacklist, therefore alerting when a particular hash/md5 is identified?

 

I understand that MD5/Hash is not part of the traffic flow, but if the Malware appliance is calculating this upon file discovery, my question is can we leverage this in a way that is custom to our own environment and IOCs? Similar to way that an AV product can.

0 Likes
6 REPLIES 6

EricPartington
Employee
Employee

‎2018-05-16 02:20 PM

You want to import hashes to the MA appliance and flag on hash match? Or you want to take the hash of files that end up in MA and use that somewhere else?

0 Likes

JayWatson
Beginner
Beginner
In response to EricPartington

‎2018-05-16 02:23 PM

Hi Eric

 

Thanks for replying.  I would like to import hashes to the MA and flag on any matches if possible. 

0 Likes

EricPartington
Employee
Employee

‎2018-05-16 02:32 PM

0 Likes

JayWatson
Beginner
Beginner
In response to EricPartington

‎2018-05-16 02:46 PM

Okay thanks. I suppose where I'm stumped is trying to link the MD5/HASH to additional added Meta values. Perhaps this is a limitation. 

 

Ultimately I would like to import a list similar to a feed where the MD5 could then be a pointer to additional meta keys. For example:

 

MD5 = 74cdsdb5a8797b159e71ba1717ff1sef

 

is added to the MA as being an untrusted hash. When this triggers I would like it to reference additional meta values that are associated and have been populated as a custom feed to NW. The trouble I'm seeing is that without indexing of hash/MD5 values this seems to handled differently in NW as the M5D/hash is not considered official NW meta. Am I wrong?

 

Meta Keys (associated IOC data)

IOC Threat Reference Number (threat.ref) = IOC-123445

IOC Threat Date (threat.date) = May 16 2018

ICO Type (ioc.type) = MD5

IOC source (ioc.src) = in-house

0 Likes

EricPartington
Employee
Employee
In response to JayWatson

‎2018-05-16 03:31 PM

Add the hash list to MA, if you get a match the output will come via CEF message to a log decoder (the cef.xml is getting updated to add all three hashes that come from MA).  You can index checksum if the only thing that might fill it is MA hits and then have your feed read that key for matches based on your feed as described above to write out values to your IOC keys.

 

Any hash that is added to MA, add to your feed and if there is a hit then a match will show up in logs with the associated IOC values.

0 Likes

JayWatson
Beginner
Beginner
In response to EricPartington

‎2018-05-23 06:56 AM

Unfortunately I do not have a log decoder or license. Appreciate the help nonetheless.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.