Perform Endpoint IOC Scans with AMP for Endpoints or FireAMP

Available Languages

Download Options

  • PDF     (433.6 KB)
    View with Adobe Reader on a variety of devices
Updated:April 8, 2015
Document ID:118899

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to create an Indication of Compromise (IOC) signature file via the Mandiant IOC editor, how to upload it to the Cisco FireAMP dashboard, and how to initiate an endpoint IOC scan.

Prerequisites

Requirements

Cisco recommends that you have at least one gigabyte of free drive space before you attempt to run the endpoint IOC scans.

Components Used

The information in this document is based on the endpoint IOC scanner, which is available in the Cisco FireAMP Windows Connector Versions 4.0.2 and later.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

The endpoint IOC scanner feature is a powerful incident response tool that is used in order to scan post-compromise indicators across multiple computers.

Note: Although FireAMP supports IOCs with the Mandiant language, the Mandiant IOC Editor software itself is not developed or supported by Cisco. Cisco support does not troubleshoot user-created or third-party IOCs.

IOC Signature Files

The IOC signature file is an extensible XML schema for the description of technical characteristics that identify a known threat, an attacker methodology, or other evidence of compromise.

You can import endpoint IOCs through the console from OpenIOC-based files that are written in order to trigger on file properties such as name, size, and hash, as well as other attributes and system properties such as process information, running services, and Microsoft Windows Registry entries. The IOC syntax can be used by incident responders in order to find specific artifacts or in order to use logic to create sophisticated, correlated detections for families of malware.

Run a Scan on an IOC Signature File

There are three steps that you must complete in order to run a scan on a IOC signature file:

  1. Create an IOC signature file.
  2. Upload the IOC signature file.
  3. Initiate a scan.

These steps are expanded upon in the sections that follow.

Create an IOC Signature File

Note: In this example, the Mandiant IOC editor is used in order to build an IOC signature file for a text file named test.txt.

Complete these steps in order to create an IOC signature file:

  1. Open the IOCe and navigate to File > New > Indicator. This provides a blank workspace so that you can begin to build an IOC.



    Note: In order to create an IOC for something specific, use binary logic with the properties. The initial operator is an OR, which is the simplest base to work from. This allows the initial function of the IOC to work, so you are not required to change it. It is required that an IOC signature file has at least two properties or conditions in order to use it successfully in a scan.


  2. Click the Items drop-down menu in order to add operators. The first property that you should add is File Extension contains. Find the property in the Items tree menu and click it.

  3. After you add a property, click the small icon on the far right side of the screen in order to open the Configuration pane. Within this pane, use the Content field in order to match a file extension. For example, add txt in order to match the test.txt text file:



  4. You must now add a logic operator. In this example, you will match the test text file. In order to match this, use an AND operator and add the next property. Locate the file name and select it from the Items tree menu. In the Properties pane, add the name of the file that you want to find. For example, add test in the Content field:



  5. Since no additional properties are necessary for this simple IOC, you can now save the file. Click File > Save, and a signature file with a .ioc extension is saved on the system:

Upload an IOC Signature File

In order to perform a scan, you must upload an IOC file to the FireAMP dashboard. You can use an IOC signature file, an XML file, or a zip archive that contains multiple IOC files. The dashboard decompresses and parses the file with the IOC signatures. You are notified if an incorrect syntax or an unsupported property is used.

Tip: You can upload files that are up to five megabytes in size.

Complete these steps in order to upload the IOC signature file to the FireAMP dashboard:

  1. Log into the FireAMP Cloud Console and navigate to Outbreak Control > Installed Endpoint IOC.

  2. Click Upload, and the Upload Endpoint IOCs window appears:



    After an IOC signature file is uploaded successfully, the signature appears on the list:



  3. Click View in order to view the actual XML data of the signature:

Initiate a Scan

After you upload a signature file, perform a full scan. The first scan must be a full scan because it must build a catalog of metadata for the entire computer, which can take 1–2 hours. You can perform a flash scan after the system is cataloged through a full scan.

Note: The full scan is very CPU intensive. Cisco recommends that you do not run a full scan on a PC while it is in use. If you plan to use the feature regularly, you can perform a full scan once a month in order to rebuild the catalog.

There are two different methods that you can use in order to run an IOC scan. The first method is to perform an immediate scan from an event or from the dashboard. This is triggered the next time that a PC sends a heartbeat to the Cloud.

Note: If this is the first time that you run the full scan, you are not required to check the Re-catalog before scan option.

The second method is to create a scheduled endpoint IOC scan from the Outbreak Control menu of the dashboard. This option might be ideal when you desire to perform scans during off-peak hours. You must provide the credentials of an account that has permission on the given computer in order to create scheduled tasks and allow the Log on as Batch group policy permission.

When you schedule an endpoint IOC scan, this warning message appears:

The next time that your PC sends a heartbeat, and if your credentials are valid, you should see a job similar to this in the Windows Task Scheduler:

When the scan begins, this message appears:

Note: If the GUI is configured to be hidden, then you do not see the System Cataloging notice. 

When the scan is complete, you are able to view the Endpoint IOC Scan Detection Summary. This example shows a match for the test.txt IOC signature file:

Revision History

Revision Publish Date Comments
1.0
08-Apr-2015
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Nazmul Rajib and Alex Dipasquale
    Cisco TAC Engineers.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products