Supported IOC Indicator Terms

IOC files consist of one or more indicator terms. These indicator terms specify the variables to use in the investigation. Endpoint Sensor performs the following steps to parse uploaded IOC files:

  • Extracts all indicator terms from IOC files

  • Converts the supported indicator terms into SQL commands

  • Applies these SQL commands as investigation parameters

  • Skips all unsupported indicator terms in the IOC file

Endpoint Sensor classifies IOC files as follows:

  • Historical records IOCs

    IOC files used for investigating historical events. These IOC files are uploaded in Historical search > IOC files.

    For details, see IOC Samples for Historical Records IOCs.

  • System process IOCs

    IOC files used for investigating running system processes based on the current system state. These IOC files are uploaded in System snapshot > IOC files.

    For details, see IOC Samples for System Process IOCs.

  • Disk scanning IOCs

    IOC files used for investigating specific files on the system. The uploaded disk IOC file has to include at least one fileitem/filepath or fileitem/fullpath indicator. These IOC files are uploaded in System snapshot > Disk IOC files.

    For details, see IOC Sample for Disk Scanning IOCs.

  • Monitoring IOCs

    IOC files used for monitoring specific files on the system. These IOC files are uploaded in Monitoring Setting > User defined.

    For details, see Monitoring Rules.

Each classification supports a specific set of indicator terms. Use the table below to determine which indicator term to use.

Table 1. Supported IOC Indicator Items in Endpoint Sensor 1.6 Update 4

Columns: Indicator | Historical Records | System Process | Disk Scanning | Monitoring

  • DnsEntryItem

    Use DnsEntryItem indicators in Historical Records IOCs to search for network-related queries in database logs.

    Use DnsEntryItem indicators in Monitoring IOCs to monitor network-related behavior on the system.

    dnsentryitem/host
        DNS host

    dnsentryitem/recorddata/host
        Host name

    dnsentryitem/recorddata/ipv4address
        IPv4 address of the DNS host

  • FileItem

    Use FileItem indicators in Historical Records IOCs to search for loaded modules in database logs.

    Use FileItem indicators in System Process IOCs to search for loaded modules in a system snapshot. Do not use FileItem indicators for running processes and Windows services.

    Use FileItem indicators in Disk Scanning IOCs to search for loaded modules in a system snapshot. Endpoint Sensor requires at least one fileitem/filepath or fileitem/fullpath indicator for Disk Scanning IOCs.

    Use FileItem indicators in Monitoring IOCs to monitor file access (drop/open) behavior on the system.

    fileitem/accessed
        Timestamp when a file was last accessed
        Example: 2000-04-12T09:14:38Z

    fileitem/created
        Timestamp when a file was created
        Example: 2000-04-12T09:14:38Z

    fileitem/fileextension
        File extension name
        Example: exe

    fileitem/filename
        Suspicious file name

    fileitem/filepath
        Target landing folder without a file name
        For Disk Scanning IOCs, add an asterisk (*) after the path to recursively search subfolders.
        Example: C:\Windows\System32\*
        Disk Scanning IOCs require at least one filepath or fullpath indicator.

    fileitem/fullpath
        Full target landing folder including the file name
        Example: C:\Windows\System32\WinSync.dll
        Disk Scanning IOCs require at least one filepath or fullpath indicator.

    fileitem/md5sum
        Suspicious file MD5 hash value, in hexadecimal format

    fileitem/modified
        Timestamp when a file was last modified
        Example: 2000-04-12T09:14:38Z

    fileitem/peinfo/digitalsignature/certificateissuer
        Keywords in the file digital certificate issuer section

    fileitem/peinfo/digitalsignature/certificatesubject
        Keywords in the file digital certificate subject section

    fileitem/sha1sum
        Suspicious file SHA-1 hash value, in hexadecimal format

    fileitem/sizeInbytes
        Size of file or range of file sizes in bytes
        Example: 101000 TO 120000

    fileitem/username
        Name of the account that created the file

    fileitem/devicepath
        Device path of the file

    fileitem/drive
        Drive of the file

  • PortItem

    Use PortItem indicators in Historical Records IOCs for network-related queries and to search for running processes in database logs.

    Use PortItem indicators in Monitoring IOCs to monitor network-related behavior on the system.

    portitem/creationtime
        Timestamp when the connection was established
        Example: 2000-04-12T09:14:38Z

    portitem/localip
        Binding local IP address

    portitem/localport
        Binding local port

    portitem/process
        Process name binding on a specific port

    portitem/remoteip
        Connected remote IP address

    portitem/remoteport
        Connected remote port

  • ProcessItem

    Use ProcessItem indicators in Historical Records IOCs for network-related queries in database logs.

    Use ProcessItem indicators in System Process IOCs to search for running processes in a system snapshot. Do not use FileItem indicators for running processes and Windows services.

    Use ProcessItem indicators in Monitoring IOCs to monitor the process activity on the system.

    processitem/handlelist/handle/name
        Handle name or path to handle

    processitem/handlelist/handle/type
        Windows handle type

    processitem/name
        Connection created by a specific process name

    processitem/path
        File path to the executable file of the process

    processitem/pid
        Windows process ID number

    processitem/portlist/portitem/creationtime
        Timestamp when a process was created
        Example: 2000-04-12T09:14:38Z

    processitem/portlist/portitem/localip
        Connected local IP address

    processitem/portlist/portitem/remoteip
        Connected remote IP address

    processitem/sectionlist/memorysection/digitalsignature/certificateissuer
        Keywords in the process certificate issuer section

    processitem/sectionlist/memorysection/digitalsignature/certificatesubject
        Keywords in the process certificate subject section

    processitem/sectionlist/memorysection/sha1sum
        SHA-1 hash value associated with the process or file, in hexadecimal format

    processitem/sectionlist/memorysection/md5sum
        Suspicious process MD5 hash value, in hexadecimal format

    processitem/username
        Account of the process owner

  • RegistryItem

    Use RegistryItem indicators in Historical Records and System Process IOCs for Windows registry-related queries in a system snapshot.

    Use RegistryItem indicators in Monitoring IOCs to monitor registry changes related to autorun processes on the system.

    registryitem/keypath
        Full registry path
        Example: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts

    registryitem/path
        Keywords within the registry path

    registryitem/value
        Keywords within the registry data

    registryitem/valuename
        Name of the registry entry

  • ServiceItem

    Use ServiceItem indicators in System Process IOCs to search for active Windows services in a system snapshot. Do not use FileItem indicators for running processes and Windows services.

    serviceitem/description
        Keywords within the service description

    serviceitem/descriptivename
        Full descriptive Windows service name

    serviceitem/name
        Short name of the Windows service as stored in the registry

    serviceitem/servicedllcertificateissuer
        Keywords in the service DLL certificate issuer section

    serviceitem/servicedllcertificatesubject
        Keywords in the service DLL certificate subject section

    serviceitem/servicedllmd5sum
        Suspicious service MD5 hash value, in hexadecimal format

    serviceitem/startedas
        User account that started the service

    serviceitem/status
        Service status: active or inactive

    serviceitem/type
        Windows service type

  • UserItem

    Use UserItem indicators in Historical Records IOCs to search for user accounts in database logs.

    useritem/fullname
        Domain and user account name
        Example: user@domain.com

    useritem/grouplist/groupname
        Group name

    useritem/lastlogin
        Most recent/last known access
        Example: 2000-04-12T09:14:38Z

    useritem/username
        User account name

Note:

  • Ensure that IOC files follow the correct syntax. Follow the IOC schemas and related instructions available at http://OpenIOC.org/.

  • Use the IOCTool available in the <Trend Micro Endpoint Sensor installation path>\CmdTool\IOCTool\ folder to troubleshoot invalid IOC files.

    For details, see Troubleshooting Invalid IOC Files.
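The following Python script is an added example, not Trend Micro code and not the IOCTool, that walks an OpenIOC 1.0 file through the four parsing steps listed at the top of this page: it extracts every indicator term, keeps the ones supported for the chosen IOC classification (the item-to-classification mapping comes from the item introductions above; the term list is a subset of Table 1), skips the rest, and checks the Disk Scanning precondition that at least one fileitem/filepath or fileitem/fullpath indicator is present. The sample IOC, the placeholder MD5, the fileitem_* column names, the condition-to-SQL mapping and the in-memory inventory table are all assumptions constructed for the example; Endpoint Sensor's real schema and SQL are not documented on this page.

```python
"""Added example, not Trend Micro code: compile an OpenIOC 1.0 file the way the page describes
Endpoint Sensor parsing it.  Sample IOC, column names and SQL mapping are constructed assumptions."""
import sqlite3
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}   # OpenIOC 1.0 namespace

# Indicator documents each IOC classification uses, per the item introductions on the page.
SUPPORTED_ITEMS = {
    "historical": {"dnsentryitem", "fileitem", "portitem", "processitem", "registryitem", "useritem"},
    "system_process": {"fileitem", "processitem", "registryitem", "serviceitem"},
    "disk": {"fileitem"},
    "monitoring": {"dnsentryitem", "fileitem", "portitem", "processitem", "registryitem"},
}
# Subset of the terms in Table 1, lower-cased (this example compares case-insensitively).
KNOWN_TERMS = {
    "dnsentryitem/host", "dnsentryitem/recorddata/ipv4address", "fileitem/filename",
    "fileitem/filepath", "fileitem/fullpath", "fileitem/md5sum", "fileitem/sha1sum",
    "portitem/remoteip", "processitem/name", "processitem/path", "registryitem/keypath",
    "serviceitem/name", "serviceitem/servicedllmd5sum", "useritem/username",
}

def is_supported(term, classification):
    return term in KNOWN_TERMS and term.split("/")[0] in SUPPORTED_ITEMS[classification]

def term_to_sql(term, condition, value):
    """One IndicatorItem -> (clause, bound parameter).  Column naming is hypothetical:
    'fileitem/md5sum' becomes fileitem_md5sum.  Values are always bound, never inlined."""
    column = term.replace("/", "_")
    if term in ("fileitem/filepath", "fileitem/fullpath") and value.endswith("*"):
        return f"{column} LIKE ?", value[:-1] + "%"   # page: trailing '*' recurses subfolders
    if condition == "contains":
        return f"{column} LIKE ?", "%" + value + "%"
    return f"{column} = ?", value                      # OpenIOC 1.0 condition "is"

def compile_indicator(node, classification, report):
    """Walk an <Indicator> tree: supported terms become SQL, unsupported ones are skipped."""
    clauses, params = [], []
    for child in node:
        tag = child.tag.split("}")[-1]
        if tag == "Indicator":                          # nested AND/OR group
            sql, p = compile_indicator(child, classification, report)
            if sql:
                clauses.append("(" + sql + ")")
                params.extend(p)
        elif tag == "IndicatorItem":
            term = child.find("ioc:Context", NS).get("search").lower()
            value = child.find("ioc:Content", NS).text.strip()
            if not is_supported(term, classification):
                report["skipped"].append(term)          # step 4 on the page: skip, do not fail
                continue
            sql, p = term_to_sql(term, child.get("condition", "is"), value)
            report["used"].append(term)
            clauses.append(sql)
            params.append(p)
    return (" %s " % node.get("operator", "OR").upper()).join(clauses), params

def compile_ioc(xml_text, classification):
    """Steps 1-4 from the page, plus the Disk Scanning precondition check."""
    report = {"used": [], "skipped": [], "errors": []}
    top = ET.fromstring(xml_text).find("ioc:definition/ioc:Indicator", NS)
    sql, params = compile_indicator(top, classification, report)
    if classification == "disk" and not {"fileitem/filepath", "fileitem/fullpath"} & set(report["used"]):
        report["errors"].append("Disk Scanning IOCs need at least one fileitem/filepath or fileitem/fullpath")
    return sql, params, report

# Constructed sample IOC; the MD5 is a placeholder, not a real indicator.
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is"><Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00112233445566778899aabbccddeeff</Content></IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="is"><Context document="FileItem" search="FileItem/FilePath" type="mir"/>
          <Content type="string">C:\Windows\System32\*</Content></IndicatorItem>
        <IndicatorItem condition="contains"><Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">WinSync</Content></IndicatorItem>
      </Indicator>
      <IndicatorItem condition="is"><Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
        <Content type="string">notepad.exe</Content></IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

def run_disk_scan(xml_text):
    """Apply the compiled clause to a constructed file inventory (hypothetical schema)."""
    sql, params, report = compile_ioc(xml_text, "disk")
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE files (fileitem_filename TEXT, fileitem_filepath TEXT, fileitem_md5sum TEXT)")
    con.executemany("INSERT INTO files VALUES (?, ?, ?)", [
        ("WinSync.dll", r"C:\Windows\System32\drivers", "ffffffffffffffffffffffffffffffff"),  # path + name
        ("WinSync.dll", r"C:\Temp", "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"),                    # wrong folder
        ("calc.exe", r"C:\Windows\System32", "00112233445566778899aabbccddeeff"),            # md5 match
    ])
    rows = con.execute("SELECT fileitem_filename, fileitem_filepath FROM files WHERE " + sql, params)
    return sorted(rows.fetchall()), report["skipped"]
```

Compiling the sample as a Disk Scanning IOC keeps the three FileItem terms, turns the trailing asterisk on fileitem/filepath into a prefix match over subfolders, and reports processitem/name as skipped rather than failing, which mirrors the skip step on this page; compiling the same file as a Historical Records IOC keeps all four terms. The report's "skipped" and "errors" lists are the part an analyst should read before uploading: a skipped term silently narrows what the investigation covers, and a Disk Scanning file without a filepath or fullpath indicator does not meet the requirement stated above.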