Method

CheckSimpleIoc

Module: Security
Library: Security
Action

Evaluates an IOC (indicator of compromise) definition on a device.

Parameters

IpRange (string; optional): One or more IP ranges, comma delimited without spaces. IPv6 ranges are not currently supported. For example: "5.5.6.7-5.5.7.2,70.50.72.224-70.50.72.226"

IpAddress (string; optional): One or more IP addresses, comma delimited without spaces. IPv6 addresses are not currently supported, but a match will be attempted. For example: "5.5.6.7,5.5.7.2,70.50.72.224,70.50.72.226"

Ports (string; optional): One or more ports, comma delimited without spaces. All ports supplied apply to all IpRanges and IpAddresses supplied. For example: "5556,5557,5558,7229,27015"

Domain (string; optional): One or more domains, comma delimited without spaces. We don't currently have port information tied to domain lookups. As such, if a device has attempted to resolve a domain in this list, it will be returned as a match. For example: "domain.com,contoso.malwareland.com,lync.company.discover.com". All domains supplied must be lower case.

FileSpec (string; optional): One or more FileSpec strings, comma delimited without spaces. Each definition is a filename with extension, followed by a colon and then the file's MD5 hash. For example: "malerware.exe:5a766a45158c640023d221005082cbb8,actual.txt:5a766a45158c640023d221005082cbb7". FileSpec matches are done live and do not use the agent's historical data. As such, for this IOC definition, the DaysAgo parameter is ignored. All MD5 hashes supplied must be lower case.

Url (string; optional): This parameter is unsupported and will be ignored.

DaysAgo (integer; optional, default 7): An integer between 1 and 30 which governs how far back in the agent historical data to look for IOC matches. If a FileSpec IOC definition is supplied along with others, this parameter will be ignored only for the FileSpec resolution as the FileSpec resolution is always done live.

Return values

FoundIoc (string): Whether or not the device is considered vulnerable given the definition supplied. Possible values are: "true", "false"
Example
Security.CheckSimpleIoc(IpAddress: "5.5.5.10,127.0.0.1,10.10.0.254", 
Ports: "4000,35525,443", 
FileSpec: "malerware.exe:5a766a45158c640023d221005082cbb8,actual.txt:5a766a45158c640023d221005082cbb7", 
Domain: "notadomain.com,hackerland.cn,google.co.in,lyncdiscoverinternal.1e.com", 
IpRange: "225.225.226.222-225.225.229.228,127.0.0.0-127.0.0.6");
Platforms
  • Windows
Notes

If multiple parameters are supplied, the definitions are considered "OR"-ed together. If any definition is matched, true will be returned.
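The following is an added example, not 1E/Tachyon code: a small Python model of the parameter rules above (comma delimiting without spaces, lower-case domains and MD5 hashes, IPv4-only ranges, DaysAgo between 1 and 30) and of the OR semantics described in the Notes, evaluated offline against a constructed device record. The record layout (connections, DNS lookups, files) and the rule that an IP match on any port counts when no Ports are supplied are assumptions, as the page does not describe the agent's data.

```python
"""Local model of CheckSimpleIoc parameter validation and OR semantics.
Added example, not 1E/Tachyon code: the device record layout is an
assumption made so the evaluation can run offline."""
import ipaddress
import re
from datetime import datetime, timedelta

MD5_RE = re.compile(r"[0-9a-f]{32}")


def split_list(value):
    """Split a comma-delimited parameter; the docs require no spaces, and an
    empty item (e.g. a trailing comma) is treated as a malformed list."""
    if not value:
        return []
    if " " in value:
        raise ValueError(f"spaces not allowed in {value!r}")
    items = value.split(",")
    if "" in items:
        raise ValueError(f"empty item (stray comma) in {value!r}")
    return items


def parse_ip_ranges(value):
    """'start-end' IPv4 ranges; IPv6 ranges are unsupported per the docs."""
    ranges = []
    for item in split_list(value):
        lo, sep, hi = item.partition("-")
        if not sep:
            raise ValueError(f"range must be start-end: {item}")
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo.version != 4 or hi.version != 4:
            raise ValueError(f"IPv6 ranges are not supported: {item}")
        if lo > hi:
            raise ValueError(f"range start is after end: {item}")
        ranges.append((lo, hi))
    return ranges


def parse_ports(value):
    ports = {int(p) for p in split_list(value)}
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"ports out of range: {bad}")
    return ports


def parse_domains(value):
    domains = set(split_list(value))
    upper = [d for d in domains if d != d.lower()]
    if upper:
        raise ValueError(f"domains must be lower case: {upper}")
    return domains


def parse_filespecs(value):
    """'name.ext:md5' entries; the MD5 must be 32 lower-case hex digits."""
    specs = {}
    for item in split_list(value):
        name, sep, md5 = item.rpartition(":")
        if not sep or not name or not MD5_RE.fullmatch(md5):
            raise ValueError(f"FileSpec must be name.ext:lowercase-md5: {item}")
        specs[name] = md5
    return specs


def check_simple_ioc(device, ip_address="", ip_range="", ports="", domain="",
                     file_spec="", days_ago=7, now=None):
    """Return "true"/"false" following the documented rules: definitions are
    OR-ed, Ports apply to every IpAddress/IpRange, Domain matches on any
    resolution attempt, FileSpec is checked live and ignores DaysAgo.
    Assumption: with no Ports supplied, an IP match on any port counts."""
    if not 1 <= int(days_ago) <= 30:
        raise ValueError("DaysAgo must be between 1 and 30")
    cutoff = (now or datetime.now()) - timedelta(days=int(days_ago))
    # IpAddress may carry IPv6 literals: the docs say a match is attempted.
    addrs = {ipaddress.ip_address(a) for a in split_list(ip_address)}
    ranges = parse_ip_ranges(ip_range)
    port_set = parse_ports(ports)
    domain_set = parse_domains(domain)
    specs = parse_filespecs(file_spec)

    for ts, dst, port in device["connections"]:  # historical, DaysAgo applies
        if ts < cutoff:
            continue
        dst = ipaddress.ip_address(dst)
        in_range = dst.version == 4 and any(lo <= dst <= hi for lo, hi in ranges)
        if (dst in addrs or in_range) and (not port_set or port in port_set):
            return "true"
    for ts, name in device["dns_lookups"]:  # historical, port not recorded
        if ts >= cutoff and name in domain_set:
            return "true"
    for name, md5 in device["files"]:  # live check, no timestamp involved
        if specs.get(name) == md5:
            return "true"
    return "false"


# Constructed sample device record (not real telemetry).
NOW = datetime(2024, 1, 15)
SAMPLE_DEVICE = {
    "connections": [(NOW - timedelta(days=2), "10.10.0.254", 443),
                    (NOW - timedelta(days=20), "127.0.0.3", 4000)],
    "dns_lookups": [(NOW - timedelta(days=1), "hackerland.cn")],
    "files": [("malerware.exe", "5a766a45158c640023d221005082cbb8")],
}

if __name__ == "__main__":
    print(check_simple_ioc(SAMPLE_DEVICE, ip_address="5.5.5.10,10.10.0.254",
                           ports="4000,443", now=NOW))
```

Running the model against the sample record shows the behaviours the page documents: the 20-day-old connection into 127.0.0.0-127.0.0.6 only matches once DaysAgo is raised to 30, the domain lookup matches whatever Ports are supplied, and the FileSpec match is unaffected by DaysAgo because it is evaluated live rather than from historical data.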