Under Review

Blacklisting individual IOCs, (ie. hashes, IPs)

  • 23 May 2019
  • 0 replies

Badge +2
  1. blacklist is currently off by default, this is not good. it should be on by default
  2. the blacklist only applies to exe files. it needs to apply to all files as the latest threats all come in via encrypted ZIPs, DOC or XLS files with macros, PS1 files etc.
  3. we should have the ability to block all files with a certain extension as well. this would make it useful as a make shift application blacklist.
  4. during incident response being able to block all IOCs make it easier to contain the incident. so blocking an MD5 regardless of what file format it is would be critical.
All of the above would be very useful during incident response to block the actual execution chain rather than just the last step of it like the following which was a real incident we handled.
user got a password protected zip (this bypassed spam filter scanning), needless to say, but the user executed everything.
the zip contained a DOCX file with a Marco
the marco ran CMD to launch a powershell script (avoiding Powershell script blocking)
connected to command and control server
downloaded payload
this file could potentially change many times daily so blocking this file is pointless, but the DOCX file and the ZIP were actually downloaded on the computer so the best idea to stop the spread of this would be to block the actual file, block the IP to the command and control server on the firewall (will only work for user that are on site, webroot would also work for remote users).

0 replies

Be the first to reply!