RubyIOC 0.0.1 → 0.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +19 -19
- data/Gemfile +3 -3
- data/Rakefile +7 -7
- data/RubyIOC.gemspec +24 -24
- data/iocaware.iocterms +12 -0
- data/lib/RubyIOC.rb +38 -38
- data/lib/RubyIOC/iocitem/arp_entry_item.rb +86 -1
- data/lib/RubyIOC/iocitem/dns_entry_item.rb +47 -11
- data/lib/RubyIOC/iocitem/event_log_item.rb +49 -0
- data/lib/RubyIOC/iocitem/port_item.rb +117 -0
- data/lib/RubyIOC/iocitem/service_item.rb +100 -0
- data/lib/RubyIOC/iocitem/user_item.rb +1 -1
- data/lib/RubyIOC/iocitem/volume_item.rb +65 -0
- data/lib/RubyIOC/platform.rb +2 -2
- data/lib/RubyIOC/scanner.rb +15 -28
- data/lib/RubyIOC/version.rb +15 -15
- data/test/test_arp_entry_item.ioc +57 -0
- data/test/test_dns_entry_item.ioc +26 -5
- data/test/test_event_log_item.ioc +55 -0
- data/test/test_port_item.ioc +51 -0
- data/test/test_scan.rb +29 -4
- data/test/test_service_item.ioc +143 -0
- data/test/test_user_item.ioc +9 -8
- data/test/test_volume_item.ioc +63 -0
- metadata +16 -5
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="us-ascii"?>
|
|
2
|
+
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="9cbcf8e7-eded-4804-8bfe-51b8af0a4657" last-modified="2013-08-04T03:43:14" xmlns="http://schemas.mandiant.com/2010/ioc">
|
|
3
|
+
<short_description>*PortItem Entry Test IOC*</short_description>
|
|
4
|
+
<authored_by>IOCAware</authored_by>
|
|
5
|
+
<authored_date>2013-08-02T04:10:39</authored_date>
|
|
6
|
+
<links />
|
|
7
|
+
<definition>
|
|
8
|
+
<Indicator operator="OR" id="6d0f71b6-bff6-4870-8762-5f355df147e9">
|
|
9
|
+
<IndicatorItem id="f9a767af-82ee-440c-a7f5-c28665d0a1c6" condition="is">
|
|
10
|
+
<Context document="PortItem" search="PortItem/CreationTime" type="mir" />
|
|
11
|
+
<Content type="date" />
|
|
12
|
+
</IndicatorItem>
|
|
13
|
+
<IndicatorItem id="90d19f3b-c144-4772-ac2d-9467e1176d85" condition="contains">
|
|
14
|
+
<Context document="PortItem" search="PortItem/localIP" type="mir" />
|
|
15
|
+
<Content type="string">0.0.0.0</Content>
|
|
16
|
+
</IndicatorItem>
|
|
17
|
+
<IndicatorItem id="7d7257a7-357e-4093-9310-995b7850525a" condition="is">
|
|
18
|
+
<Context document="PortItem" search="PortItem/localPort" type="mir" />
|
|
19
|
+
<Content type="int">2968</Content>
|
|
20
|
+
</IndicatorItem>
|
|
21
|
+
<IndicatorItem id="6e0d0aa9-3181-4d03-901f-b777b0c96ed3" condition="contains">
|
|
22
|
+
<Context document="PortItem" search="PortItem/path" type="mir" />
|
|
23
|
+
<Content type="string" />
|
|
24
|
+
</IndicatorItem>
|
|
25
|
+
<IndicatorItem id="16aec65b-30f5-4504-8b4a-d7edd6d04725" condition="is">
|
|
26
|
+
<Context document="PortItem" search="PortItem/pid" type="mir" />
|
|
27
|
+
<Content type="int">584460</Content>
|
|
28
|
+
</IndicatorItem>
|
|
29
|
+
<IndicatorItem id="5cb46c09-10f5-4456-826a-1edb1fc78173" condition="contains">
|
|
30
|
+
<Context document="PortItem" search="PortItem/process" type="mir" />
|
|
31
|
+
<Content type="string">EEventManager.exe</Content>
|
|
32
|
+
</IndicatorItem>
|
|
33
|
+
<IndicatorItem id="d4f3b040-ea8d-460a-9c95-fc2a0966e060" condition="contains">
|
|
34
|
+
<Context document="PortItem" search="PortItem/protocol" type="mir" />
|
|
35
|
+
<Content type="string">TCP</Content>
|
|
36
|
+
</IndicatorItem>
|
|
37
|
+
<IndicatorItem id="6331786b-a690-41df-aea4-61071945b10d" condition="contains">
|
|
38
|
+
<Context document="PortItem" search="PortItem/remoteIP" type="mir" />
|
|
39
|
+
<Content type="IP">0.0.0.0</Content>
|
|
40
|
+
</IndicatorItem>
|
|
41
|
+
<IndicatorItem id="de2df8fd-ed8d-4c04-8f83-b3a907866d1d" condition="is">
|
|
42
|
+
<Context document="PortItem" search="PortItem/remotePort" type="mir" />
|
|
43
|
+
<Content type="int">0</Content>
|
|
44
|
+
</IndicatorItem>
|
|
45
|
+
<IndicatorItem id="de709789-31bd-4ff1-899e-11e16ae8cb55" condition="contains">
|
|
46
|
+
<Context document="PortItem" search="PortItem/state" type="mir" />
|
|
47
|
+
<Content type="string">LISTENING</Content>
|
|
48
|
+
</IndicatorItem>
|
|
49
|
+
</Indicator>
|
|
50
|
+
</definition>
|
|
51
|
+
</ioc>
|
data/test/test_scan.rb
CHANGED
|
@@ -3,14 +3,39 @@ require "RubyIOC"
|
|
|
3
3
|
|
|
4
4
|
class TestScan < Test::Unit::TestCase
|
|
5
5
|
def test_scan
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
6
|
+
find_windows_ioc = File.expand_path(File.dirname(__FILE__)) + "/find_windows.ioc"
|
|
7
|
+
test_user_item = File.expand_path(File.dirname(__FILE__)) + "/test_user_item.ioc"
|
|
8
|
+
RubyIOC::Scanner.new(File.read(test_user_item)).scan
|
|
9
|
+
#puts RubyIOC::Scanner.new(File.read(test_user_item)).scan
|
|
10
10
|
end
|
|
11
11
|
|
|
12
12
|
def test_dns_scan
|
|
13
13
|
dns_test_ioc = File.expand_path(File.dirname(__FILE__)) + "/test_dns_entry_item.ioc"
|
|
14
14
|
RubyIOC::Scanner.new(File.read(dns_test_ioc)).scan
|
|
15
15
|
end
|
|
16
|
+
|
|
17
|
+
def test_arp_scan
|
|
18
|
+
arp_test_ioc = File.expand_path(File.dirname(__FILE__)) + "/test_arp_entry_item.ioc"
|
|
19
|
+
RubyIOC::Scanner.new(File.read(arp_test_ioc)).scan
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def test_event_log
|
|
23
|
+
event_log_test_ioc = File.expand_path(File.dirname(__FILE__)) + "/test_event_log_item.ioc"
|
|
24
|
+
RubyIOC::Scanner.new(File.read(event_log_test_ioc)).scan
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def test_port_item
|
|
28
|
+
port_item_test_ioc = File.expand_path(File.dirname(__FILE__)) + "/test_port_item.ioc"
|
|
29
|
+
RubyIOC::Scanner.new(File.read(port_item_test_ioc)).scan
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def test_volume_item
|
|
33
|
+
volume_item_test_ioc = File.expand_path(File.dirname(__FILE__)) + "/test_volume_item.ioc"
|
|
34
|
+
RubyIOC::Scanner.new(File.read(volume_item_test_ioc)).scan
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def test_service_item
|
|
38
|
+
service_item_test_ioc = File.expand_path(File.dirname(__FILE__)) + "/test_service_item.ioc"
|
|
39
|
+
RubyIOC::Scanner.new(File.read(service_item_test_ioc)).scan
|
|
40
|
+
end
|
|
16
41
|
end
|
|
@@ -0,0 +1,143 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="us-ascii"?>
|
|
2
|
+
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="44cd6057-0313-4d10-9d4e-ea457de93964" last-modified="2013-08-09T19:04:15" xmlns="http://schemas.mandiant.com/2010/ioc">
|
|
3
|
+
<short_description>*Service Entry Test IOC*</short_description>
|
|
4
|
+
<authored_by>IOCAware</authored_by>
|
|
5
|
+
<authored_date>2013-08-07T18:05:53</authored_date>
|
|
6
|
+
<links />
|
|
7
|
+
<definition>
|
|
8
|
+
<Indicator operator="OR" id="e3aa1508-a120-46bb-a015-966d2f7f53a7">
|
|
9
|
+
<IndicatorItem id="046c285e-f929-49f9-9a5e-cc0ee7d3deb0" condition="contains">
|
|
10
|
+
<Context document="ServiceItem" search="ServiceItem/arguments" type="mir" />
|
|
11
|
+
<Content type="string">/Embedding</Content>
|
|
12
|
+
</IndicatorItem>
|
|
13
|
+
<IndicatorItem id="7d8e279e-bac1-4bcd-951b-52deadc42af4" condition="contains">
|
|
14
|
+
<Context document="ServiceItem" search="ServiceItem/description" type="mir" />
|
|
15
|
+
<Content type="string">Provides content indexing</Content>
|
|
16
|
+
</IndicatorItem>
|
|
17
|
+
<IndicatorItem id="5abb6bf1-4fe1-4ae5-b94c-bb7309100d29" condition="is">
|
|
18
|
+
<Context document="ServiceItem" search="ServiceItem/descriptiveName" type="mir" />
|
|
19
|
+
<Content type="string">Windows Search</Content>
|
|
20
|
+
</IndicatorItem>
|
|
21
|
+
<IndicatorItem id="3a351f3d-71a7-4b98-8741-8dfe7bcabec6" condition="contains">
|
|
22
|
+
<Context document="ServiceItem" search="ServiceItem/serviceDLL" type="mir" />
|
|
23
|
+
<Content type="string" />
|
|
24
|
+
</IndicatorItem>
|
|
25
|
+
<IndicatorItem id="ae6dd1b2-c84c-49bd-bd36-aead64262d68" condition="contains">
|
|
26
|
+
<Context document="ServiceItem" search="ServiceItem/serviceDLLCertificateIssuer" type="mir" />
|
|
27
|
+
<Content type="string" />
|
|
28
|
+
</IndicatorItem>
|
|
29
|
+
<IndicatorItem id="57758373-6472-4f9e-b1b6-43fbb04694a9" condition="contains">
|
|
30
|
+
<Context document="ServiceItem" search="ServiceItem/serviceDLLCertificateSubject" type="mir" />
|
|
31
|
+
<Content type="string" />
|
|
32
|
+
</IndicatorItem>
|
|
33
|
+
<IndicatorItem id="96238371-c135-4876-a87e-3385c69c48a6" condition="is">
|
|
34
|
+
<Context document="ServiceItem" search="ServiceItem/serviceDLLmd5sum" type="mir" />
|
|
35
|
+
<Content type="md5" />
|
|
36
|
+
</IndicatorItem>
|
|
37
|
+
<IndicatorItem id="0e672a9f-165b-4b23-b29e-8913d366fa26" condition="is">
|
|
38
|
+
<Context document="ServiceItem" search="ServiceItem/serviceDLLsha1sum" type="mir" />
|
|
39
|
+
<Content type="string" />
|
|
40
|
+
</IndicatorItem>
|
|
41
|
+
<IndicatorItem id="0cb68a9c-2cd9-4af5-83f7-acae52291970" condition="is">
|
|
42
|
+
<Context document="ServiceItem" search="ServiceItem/serviceDLLsha256sum" type="mir" />
|
|
43
|
+
<Content type="string" />
|
|
44
|
+
</IndicatorItem>
|
|
45
|
+
<IndicatorItem id="6f8cfb60-a6e2-4cc6-8612-2143b3ac4017" condition="contains">
|
|
46
|
+
<Context document="ServiceItem" search="ServiceItem/serviceDLLSignatureDescription" type="mir" />
|
|
47
|
+
<Content type="string" />
|
|
48
|
+
</IndicatorItem>
|
|
49
|
+
<IndicatorItem id="bc465ae2-44a2-4e15-98b2-35757575840d" condition="is">
|
|
50
|
+
<Context document="ServiceItem" search="ServiceItem/serviceDLLSignatureVerified" type="mir" />
|
|
51
|
+
<Content type="string" />
|
|
52
|
+
</IndicatorItem>
|
|
53
|
+
<IndicatorItem id="be4e9539-1384-472a-a824-3a2af54ef59a" condition="is">
|
|
54
|
+
<Context document="ServiceItem" search="ServiceItem/serviceDLLSignatureExists" type="mir" />
|
|
55
|
+
<Content type="string" />
|
|
56
|
+
</IndicatorItem>
|
|
57
|
+
<IndicatorItem id="1c992a6c-07ba-4115-8331-c35a132b697b" condition="is">
|
|
58
|
+
<Context document="ServiceItem" search="ServiceItem/mode" type="mir" />
|
|
59
|
+
<Content type="string">SERVICE_AUTO_START</Content>
|
|
60
|
+
</IndicatorItem>
|
|
61
|
+
<IndicatorItem id="4d0478bd-71a2-484e-83df-cacda3a3ffc6" condition="is">
|
|
62
|
+
<Context document="ServiceItem" search="ServiceItem/name" type="mir" />
|
|
63
|
+
<Content type="string">WSearch</Content>
|
|
64
|
+
</IndicatorItem>
|
|
65
|
+
<IndicatorItem id="95bc9446-cc36-4600-ae30-94d951173cd4" condition="contains">
|
|
66
|
+
<Context document="ServiceItem" search="ServiceItem/path" type="mir" />
|
|
67
|
+
<Content type="string">C:\Windows\system32\SearchIndexer.exe</Content>
|
|
68
|
+
</IndicatorItem>
|
|
69
|
+
<IndicatorItem id="19af4a09-08da-45a0-93db-1533e3c6401f" condition="contains">
|
|
70
|
+
<Context document="ServiceItem" search="ServiceItem/pathCertificateIssuer" type="mir" />
|
|
71
|
+
<Content type="string" />
|
|
72
|
+
</IndicatorItem>
|
|
73
|
+
<IndicatorItem id="4fa46f05-4f61-40cd-b934-c78964089a1d" condition="contains">
|
|
74
|
+
<Context document="ServiceItem" search="ServiceItem/pathCertificateSubject" type="mir" />
|
|
75
|
+
<Content type="string" />
|
|
76
|
+
</IndicatorItem>
|
|
77
|
+
<IndicatorItem id="fe82a84e-527c-4ed4-a28a-503ed354a10a" condition="is">
|
|
78
|
+
<Context document="ServiceItem" search="ServiceItem/pathmd5sum" type="mir" />
|
|
79
|
+
<Content type="md5" />
|
|
80
|
+
</IndicatorItem>
|
|
81
|
+
<IndicatorItem id="4e7af7d7-85e7-4fce-afe4-e9643a0fcafd" condition="is">
|
|
82
|
+
<Context document="ServiceItem" search="ServiceItem/pathsha1sum" type="mir" />
|
|
83
|
+
<Content type="string" />
|
|
84
|
+
</IndicatorItem>
|
|
85
|
+
<IndicatorItem id="392d1680-61af-428b-99b6-ca457d25eb92" condition="is">
|
|
86
|
+
<Context document="ServiceItem" search="ServiceItem/pathsha256sum" type="mir" />
|
|
87
|
+
<Content type="string" />
|
|
88
|
+
</IndicatorItem>
|
|
89
|
+
<IndicatorItem id="91496c5a-2d5d-46a7-ba29-252ed6d593f2" condition="contains">
|
|
90
|
+
<Context document="ServiceItem" search="ServiceItem/pathSignatureDescription" type="mir" />
|
|
91
|
+
<Content type="string" />
|
|
92
|
+
</IndicatorItem>
|
|
93
|
+
<IndicatorItem id="fe3d3a16-8ac5-4a80-9ecc-5a0f922e60a4" condition="is">
|
|
94
|
+
<Context document="ServiceItem" search="ServiceItem/pathSignatureExists" type="mir" />
|
|
95
|
+
<Content type="string" />
|
|
96
|
+
</IndicatorItem>
|
|
97
|
+
<IndicatorItem id="9e46d045-6336-4950-b742-8904ec37e44b" condition="is">
|
|
98
|
+
<Context document="ServiceItem" search="ServiceItem/pathSignatureVerified" type="mir" />
|
|
99
|
+
<Content type="string" />
|
|
100
|
+
</IndicatorItem>
|
|
101
|
+
<IndicatorItem id="1b5e0645-dc77-4c00-8f2a-6bafb44eab73" condition="is">
|
|
102
|
+
<Context document="ServiceItem" search="ServiceItem/pid" type="mir" />
|
|
103
|
+
<Content type="int">3656</Content>
|
|
104
|
+
</IndicatorItem>
|
|
105
|
+
<IndicatorItem id="44766230-8c7c-47c0-89f8-aca65b74983c" condition="is">
|
|
106
|
+
<Context document="ServiceItem" search="ServiceItem/startedAs" type="mir" />
|
|
107
|
+
<Content type="string">LocalSystem</Content>
|
|
108
|
+
</IndicatorItem>
|
|
109
|
+
<IndicatorItem id="09b027f9-5d61-4ea0-b7ba-bf0a63b5ac26" condition="is">
|
|
110
|
+
<Context document="ServiceItem" search="ServiceItem/status" type="mir" />
|
|
111
|
+
<Content type="string">SERVICE_RUNNING</Content>
|
|
112
|
+
</IndicatorItem>
|
|
113
|
+
<IndicatorItem id="d8ac4411-a8c9-4808-965e-1436ec9ebc28" condition="is">
|
|
114
|
+
<Context document="ServiceItem" search="ServiceItem/type" type="mir" />
|
|
115
|
+
<Content type="string">SERVICE_WIN32_OWN_PROCESS</Content>
|
|
116
|
+
</IndicatorItem>
|
|
117
|
+
<IndicatorItem id="f46a073c-2e04-4772-8dab-6cdd21bc5511" condition="is">
|
|
118
|
+
<Context document="ServiceItem" search="ServiceItem/serviceDLLMd54Ksum" type="network" />
|
|
119
|
+
<Content type="md5" />
|
|
120
|
+
</IndicatorItem>
|
|
121
|
+
<IndicatorItem id="cba63714-3fd0-486f-b914-ddbe9a8af57d" condition="contains">
|
|
122
|
+
<Context document="ServiceItem" search="ServiceItem/serviceDLLSha512Sum" type="network" />
|
|
123
|
+
<Content type="string" />
|
|
124
|
+
</IndicatorItem>
|
|
125
|
+
<IndicatorItem id="2bb62d3e-09b9-4676-afa5-a5ef7b81c045" condition="contains">
|
|
126
|
+
<Context document="ServiceItem" search="ServiceItem/serviceDLLSsdeep" type="network" />
|
|
127
|
+
<Content type="string" />
|
|
128
|
+
</IndicatorItem>
|
|
129
|
+
<IndicatorItem id="e5f2e937-347f-4ae7-83a3-3481c92ea90e" condition="is">
|
|
130
|
+
<Context document="ServiceItem" search="ServiceItem/pathMd54ksum" type="network" />
|
|
131
|
+
<Content type="md5" />
|
|
132
|
+
</IndicatorItem>
|
|
133
|
+
<IndicatorItem id="cdece8ce-2857-4a5a-858b-bca46513ef7d" condition="contains">
|
|
134
|
+
<Context document="ServiceItem" search="ServiceItem/pathSha512sum" type="network" />
|
|
135
|
+
<Content type="string" />
|
|
136
|
+
</IndicatorItem>
|
|
137
|
+
<IndicatorItem id="d5ff3870-c0ea-441e-98e5-d4581c5924fd" condition="contains">
|
|
138
|
+
<Context document="ServiceItem" search="ServiceItem/pathSsdeep" type="network" />
|
|
139
|
+
<Content type="string" />
|
|
140
|
+
</IndicatorItem>
|
|
141
|
+
</Indicator>
|
|
142
|
+
</definition>
|
|
143
|
+
</ioc>
|
data/test/test_user_item.ioc
CHANGED
|
@@ -1,28 +1,29 @@
|
|
|
1
1
|
<?xml version="1.0" encoding="us-ascii"?>
|
|
2
|
-
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="efce87c7-f78f-4e32-8f3f-b470d1ec693f" last-modified="2013-
|
|
3
|
-
<short_description>*
|
|
2
|
+
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="efce87c7-f78f-4e32-8f3f-b470d1ec693f" last-modified="2013-08-04T03:44:46" xmlns="http://schemas.mandiant.com/2010/ioc">
|
|
3
|
+
<short_description>*User Item Test IOC*</short_description>
|
|
4
|
+
<authored_by>IOCAware</authored_by>
|
|
4
5
|
<authored_date>2013-01-07T01:25:50</authored_date>
|
|
5
6
|
<links />
|
|
6
7
|
<definition>
|
|
7
8
|
<Indicator operator="OR" id="336a594b-3302-4ac8-9512-4f329d660515">
|
|
9
|
+
<IndicatorItem id="1d1ca6f3-6bf9-4c8a-812e-3e9879f5ad29" condition="contains">
|
|
10
|
+
<Context document="UserItem" search="UserItem/username" type="mir" />
|
|
11
|
+
<Content type="string">Guest</Content>
|
|
12
|
+
</IndicatorItem>
|
|
8
13
|
<Indicator operator="AND" id="336a594b-3302-4ac8-9512-4f329d660515">
|
|
9
14
|
<IndicatorItem id="1d1ca6f3-6bf9-4c8a-812e-3e9879f5ad29" condition="contains">
|
|
10
15
|
<Context document="UserItem" search="UserItem/username" type="mir" />
|
|
11
16
|
<Content type="string">Guest</Content>
|
|
12
17
|
</IndicatorItem>
|
|
13
18
|
<IndicatorItem id="1d1ca6f3-6bf9-4c8a-812e-3e9879f5ad29" condition="contains">
|
|
14
|
-
|
|
15
|
-
<Content type="string"
|
|
19
|
+
<Context document="UserItem" search="UserItem/fullname" type="mir" />
|
|
20
|
+
<Content type="string" />
|
|
16
21
|
</IndicatorItem>
|
|
17
22
|
<IndicatorItem id="ff27c0d0-08db-4223-afa1-cc6269fb2b25" condition="contains">
|
|
18
23
|
<Context document="UserItem" search="UserItem/disabled" type="mir" />
|
|
19
24
|
<Content type="string">true</Content>
|
|
20
25
|
</IndicatorItem>
|
|
21
26
|
</Indicator>
|
|
22
|
-
<IndicatorItem id="1d1ca6f3-6bf9-4c8a-812e-3e9879f5ad29" condition="contains">
|
|
23
|
-
<Context document="UserItem" search="UserItem/username" type="mir" />
|
|
24
|
-
<Content type="string">Guest</Content>
|
|
25
|
-
</IndicatorItem>
|
|
26
27
|
</Indicator>
|
|
27
28
|
</definition>
|
|
28
29
|
</ioc>
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="us-ascii"?>
|
|
2
|
+
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="6d598961-1ab6-49db-b230-de5ed2ba42f7" last-modified="2013-08-04T16:11:08" xmlns="http://schemas.mandiant.com/2010/ioc">
|
|
3
|
+
<short_description>*Volume Item Test IOC*</short_description>
|
|
4
|
+
<authored_by>IOCAware</authored_by>
|
|
5
|
+
<authored_date>2013-08-04T04:01:57</authored_date>
|
|
6
|
+
<links />
|
|
7
|
+
<definition>
|
|
8
|
+
<Indicator operator="OR" id="3c503fa2-26d5-4b02-b612-60cf62208fd9">
|
|
9
|
+
<IndicatorItem id="e52f0363-e22b-46df-b724-4dde0c99d2e6" condition="is">
|
|
10
|
+
<Context document="VolumeItem" search="VolumeItem/ActualAvailableAllocationUnits" type="mir" />
|
|
11
|
+
<Content type="int">27948756992</Content>
|
|
12
|
+
</IndicatorItem>
|
|
13
|
+
<IndicatorItem id="52071826-283a-420a-a89b-87d06879740f" condition="is">
|
|
14
|
+
<Context document="VolumeItem" search="VolumeItem/BytesPerSector" type="mir" />
|
|
15
|
+
<Content type="int">4096</Content>
|
|
16
|
+
</IndicatorItem>
|
|
17
|
+
<IndicatorItem id="562b90eb-0642-4c9d-8d89-25f4060c8f79" condition="is">
|
|
18
|
+
<Context document="VolumeItem" search="VolumeItem/CreationTime" type="mir" />
|
|
19
|
+
<Content type="date" />
|
|
20
|
+
</IndicatorItem>
|
|
21
|
+
<IndicatorItem id="22613831-5260-4e5d-96c6-168e416b5e64" condition="contains">
|
|
22
|
+
<Context document="VolumeItem" search="VolumeItem/DevicePath" type="mir" />
|
|
23
|
+
<Content type="string" />
|
|
24
|
+
</IndicatorItem>
|
|
25
|
+
<IndicatorItem id="5218a43b-99ac-476d-9207-612ee7afa179" condition="is">
|
|
26
|
+
<Context document="VolumeItem" search="VolumeItem/DriveLetter" type="mir" />
|
|
27
|
+
<Content type="string">E:</Content>
|
|
28
|
+
</IndicatorItem>
|
|
29
|
+
<IndicatorItem id="2b182820-076d-48a9-85be-0aaec9c42362" condition="contains">
|
|
30
|
+
<Context document="VolumeItem" search="VolumeItem/FileSystemFlags" type="mir" />
|
|
31
|
+
<Content type="string" />
|
|
32
|
+
</IndicatorItem>
|
|
33
|
+
<IndicatorItem id="f27c2ba3-5b79-4ce6-b48c-655b89ea2f17" condition="is">
|
|
34
|
+
<Context document="VolumeItem" search="VolumeItem/FileSystemName" type="mir" />
|
|
35
|
+
<Content type="string">NTFS</Content>
|
|
36
|
+
</IndicatorItem>
|
|
37
|
+
<IndicatorItem id="eb3c817c-9374-4e85-a911-001257f29f00" condition="is">
|
|
38
|
+
<Context document="VolumeItem" search="VolumeItem/IsMounted" type="mir" />
|
|
39
|
+
<Content type="string">true</Content>
|
|
40
|
+
</IndicatorItem>
|
|
41
|
+
<IndicatorItem id="b9b7606e-9c9b-49ba-8105-6f2e1748e4d6" condition="contains">
|
|
42
|
+
<Context document="VolumeItem" search="VolumeItem/Name" type="mir" />
|
|
43
|
+
<Content type="string">Installs</Content>
|
|
44
|
+
</IndicatorItem>
|
|
45
|
+
<IndicatorItem id="635cf2ce-bf20-4198-9007-da73bd899b75" condition="contains">
|
|
46
|
+
<Context document="VolumeItem" search="VolumeItem/SectorsPerAllocationUnit" type="mir" />
|
|
47
|
+
<Content type="string" />
|
|
48
|
+
</IndicatorItem>
|
|
49
|
+
<IndicatorItem id="a7617aee-9e7a-4755-bdc2-05ba4202d6fd" condition="is">
|
|
50
|
+
<Context document="VolumeItem" search="VolumeItem/SerialNumber" type="mir" />
|
|
51
|
+
<Content type="string">2119600036</Content>
|
|
52
|
+
</IndicatorItem>
|
|
53
|
+
<IndicatorItem id="c48ffe07-4570-4899-aa62-e7097256209d" condition="is">
|
|
54
|
+
<Context document="VolumeItem" search="VolumeItem/TotalAllocationUnits" type="mir" />
|
|
55
|
+
<Content type="string">212696297472</Content>
|
|
56
|
+
</IndicatorItem>
|
|
57
|
+
<IndicatorItem id="e58e0fa5-943e-4f28-a22e-20f2c23e2ed4" condition="contains">
|
|
58
|
+
<Context document="VolumeItem" search="VolumeItem/Type" type="mir" />
|
|
59
|
+
<Content type="string">DRIVE_FIXED</Content>
|
|
60
|
+
</IndicatorItem>
|
|
61
|
+
</Indicator>
|
|
62
|
+
</definition>
|
|
63
|
+
</ioc>
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: RubyIOC
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.2
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,11 +9,11 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2013-
|
|
12
|
+
date: 2013-09-15 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: roxml
|
|
16
|
-
requirement:
|
|
16
|
+
requirement: !ruby/object:Gem::Requirement
|
|
17
17
|
none: false
|
|
18
18
|
requirements:
|
|
19
19
|
- - ! '>='
|
|
@@ -21,7 +21,12 @@ dependencies:
|
|
|
21
21
|
version: '0'
|
|
22
22
|
type: :runtime
|
|
23
23
|
prerelease: false
|
|
24
|
-
version_requirements:
|
|
24
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
25
|
+
none: false
|
|
26
|
+
requirements:
|
|
27
|
+
- - ! '>='
|
|
28
|
+
- !ruby/object:Gem::Version
|
|
29
|
+
version: '0'
|
|
25
30
|
description: RubyIOC is a ruby library used for indicators of compromise
|
|
26
31
|
email:
|
|
27
32
|
- mjezorek@gmail.com
|
|
@@ -35,6 +40,7 @@ files:
|
|
|
35
40
|
- README.md
|
|
36
41
|
- Rakefile
|
|
37
42
|
- RubyIOC.gemspec
|
|
43
|
+
- iocaware.iocterms
|
|
38
44
|
- lib/RubyIOC.rb
|
|
39
45
|
- lib/RubyIOC/ioc.rb
|
|
40
46
|
- lib/RubyIOC/iocitem.rb
|
|
@@ -71,10 +77,15 @@ files:
|
|
|
71
77
|
- lib/RubyIOC/scanner.rb
|
|
72
78
|
- lib/RubyIOC/version.rb
|
|
73
79
|
- test/find_windows.ioc
|
|
80
|
+
- test/test_arp_entry_item.ioc
|
|
74
81
|
- test/test_dns_entry_item.ioc
|
|
82
|
+
- test/test_event_log_item.ioc
|
|
75
83
|
- test/test_iocitem_factory.rb
|
|
84
|
+
- test/test_port_item.ioc
|
|
76
85
|
- test/test_scan.rb
|
|
86
|
+
- test/test_service_item.ioc
|
|
77
87
|
- test/test_user_item.ioc
|
|
88
|
+
- test/test_volume_item.ioc
|
|
78
89
|
- test/zeus.ioc
|
|
79
90
|
homepage: ''
|
|
80
91
|
licenses: []
|
|
@@ -96,7 +107,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
96
107
|
version: '0'
|
|
97
108
|
requirements: []
|
|
98
109
|
rubyforge_project: RubyIOC
|
|
99
|
-
rubygems_version: 1.8.
|
|
110
|
+
rubygems_version: 1.8.24
|
|
100
111
|
signing_key:
|
|
101
112
|
specification_version: 3
|
|
102
113
|
summary: RubyIOC is a ruby library used for indicators of compromise
|