IOC Samples for Historical Records IOCs

The following IOC sample searches for EXE, DLL, or RAR files in the Recycle Bin.

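<?xml version="1.0" encoding="us-ascii"?>
<!-- OpenIOC sample: EXE, DLL, or RAR files located in the Recycle Bin.
     Intended logic: (extension matches .exe OR .dll OR .rar)
                     AND (full path contains Recycler OR Recycle.bin).
     Fixes applied to the original sample:
       * a stray second <ioc> start tag after <links /> left the document
         not well-formed (the outer <ioc> was never closed);
       * the path group was nested inside the extension OR, which made the
         top-level AND a single-child no-op and matched any .exe/.dll/.rar
         anywhere on disk; it is now a sibling group under the AND. -->
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     id="88e454e9-f94d-4771-baf8-14fc625ea4e4"
     last-modified="2014-08-06T06:52:49"
     xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>*New Unsaved Indicator*</short_description>
  <authored_date>2014-08-05T06:35:39</authored_date>
  <links />
  <definition>
    <!-- Both groups below must match for a FileItem to hit. -->
    <Indicator operator="AND">
      <!-- Extension group: any one of the three extensions.
           NOTE(review): condition="contains" also matches longer extensions
           that embed these substrings; condition="is" would be stricter.
           Whether FileExtension carries the leading dot depends on the
           consumer's FileItem model. TODO confirm before relying on it. -->
      <Indicator operator="OR">
        <IndicatorItem condition="contains">
          <Context document="FileItem"
                   search="FileItem/FileExtension"/>
          <Content type="string">.exe</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context document="FileItem"
                   search="FileItem/FileExtension"/>
          <Content type="string">.dll</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context document="FileItem"
                   search="FileItem/FileExtension"/>
          <Content type="string">.rar</Content>
        </IndicatorItem>
      </Indicator>
      <!-- Location group: either Recycle Bin folder name.
           Kept as a sibling of the extension group so that an extension
           match alone cannot satisfy the indicator. -->
      <Indicator operator="OR">
        <IndicatorItem condition="contains">
          <Context document="FileItem"
                   search="FileItem/FullPath"/>
          <Content type="string">Recycler</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context document="FileItem"
                   search="FileItem/FullPath"/>
          <Content type="string">Recycle.bin</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>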

The following IOC sample matches registry entries whose key path is exactly Software/Microsoft/Windows/CurrentVersion/run.

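<?xml version="1.0" encoding="us-ascii"?>
<!-- OpenIOC sample: registry entries under the Run key, matched by an exact
     (condition="is") comparison of RegistryItem/KeyPath.
     Fix applied to the original sample: the <Content> and
     <short_description> values were pretty-printed onto their own lines, so
     the text nodes carried leading/trailing newlines and spaces. With an
     exact "is" comparison that surrounding whitespace becomes part of the
     compared value and can prevent the indicator from ever matching; the
     values are now written inline with no surrounding whitespace. -->
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     id="1ec0039d-b114-40e3-a227-7d936cb07c13"
     last-modified="2015-10-27T10:29:56"
     xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>*New Unsaved Indicator*</short_description>
  <authored_date>2015-10-27T10:29:03</authored_date>
  <links />
  <definition>
    <!-- Single-item OR: kept as authored so the Indicator id stays stable. -->
    <Indicator operator="OR"
               id="c3962aa6-00e1-494a-b448-1b57f60114af">
      <!-- NOTE(review): whether KeyPath is recorded with a hive prefix and
           with forward slashes as separators depends on the consumer's
           RegistryItem model; an exact match only hits if this value uses
           the same form. TODO confirm against sample RegistryItem output. -->
      <IndicatorItem id="86a9ff7f-1876-4def-a2f6-05d546cfa7d7"
                     condition="is">
        <Context document="RegistryItem"
                 search="RegistryItem/KeyPath" type="mir" />
        <Content type="string">Software/Microsoft/Windows/CurrentVersion/run</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>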