IOC Samples for System Process IOCs

The following IOC sample searches for a running qtshark.exe process whose file path is C:\program files\wireshark\qtshark.exe.

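<?xml version="1.0" encoding="us-ascii"?>
<!-- OpenIOC sample: flag a running process whose image path is exactly
     C:\program files\wireshark\qtshark.exe.
     NOTE(review): the ioc id, Indicator id and IndicatorItem id below are the
     same GUIDs used by the other samples on this page; give each IOC its own
     ids before importing more than one of them into the same store, or the
     later import may collide with or overwrite the earlier one.
     A path match alone is a weak indicator (renaming or relocating the binary
     defeats it) and a legitimate Wireshark install would match as well, so
     treat a hit as a triage lead, not a verdict. -->
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     id="88e454e9-f94d-4771-baf8-14fc625ea4e4"
     last-modified="2014-08-06T06:52:49"
     xmlns="http://schemas.mandiant.com/2010/ioc">
  <!-- editor placeholder title; replace with a descriptive name before sharing -->
  <short_description>*New Unsaved Indicator*</short_description>
  <authored_date>2014-08-05T06:35:39</authored_date>
  <links />
  <definition>
    <Indicator operator="AND"
               id="5be0c2e0-53e0-49e9-842d-75d92d3261b3">
      <!-- condition="is" is an exact match, so the Content text is kept on one
           line with no surrounding whitespace: indentation and line breaks
           inside a text node are part of the value, and a consumer that does
           not trim them would never match the real path.
           Whether the comparison is case-sensitive depends on the consumer. -->
      <IndicatorItem id="da7e0a00-d6b1-4139-b71f-e4d3e8e47513"
                     condition="is">
        <Context document="ProcessItem"
                 search="ProcessItem/path"
                 type="mir" />
        <Content type="string">C:\program files\wireshark\qtshark.exe</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>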

The following IOC file sample searches for a Windows service whose description contains the string "support for synchronizing objects".

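<?xml version="1.0" encoding="us-ascii"?>
<!-- OpenIOC sample: flag a Windows service whose description contains the
     substring "support for synchronizing objects".
     NOTE(review): the ioc id, Indicator id and IndicatorItem id below are the
     same GUIDs used by the other samples on this page; give each IOC its own
     ids before importing more than one of them into the same store.
     A description string is attacker-controlled text and may also occur in
     benign services, so a hit needs triage against the service binary path,
     signer and start type rather than being treated as a verdict. -->
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     id="88e454e9-f94d-4771-baf8-14fc625ea4e4"
     last-modified="2014-08-06T06:52:49"
     xmlns="http://schemas.mandiant.com/2010/ioc">
  <!-- editor placeholder title; replace with a descriptive name before sharing -->
  <short_description>*New Unsaved Indicator*</short_description>
  <authored_date>2014-08-05T06:35:39</authored_date>
  <links />
  <definition>
    <Indicator operator="AND"
               id="5be0c2e0-53e0-49e9-842d-75d92d3261b3">
      <!-- condition="contains" is a substring match. The Content text is kept
           on one line with no surrounding whitespace: line breaks and
           indentation inside a text node are part of the value, and a consumer
           that does not trim them would search for the padded string instead.
           Whether the comparison is case-sensitive depends on the consumer. -->
      <IndicatorItem id="da7e0a00-d6b1-4139-b71f-e4d3e8e47513"
                     condition="contains">
        <Context document="ServiceItem"
                 search="ServiceItem/description"
                 type="mir" />
        <Content type="string">support for synchronizing objects</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>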

The following IOC file sample searches for a loaded module whose file path contains \program files\wireshark\.

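<?xml version="1.0" encoding="us-ascii"?>
<!-- OpenIOC sample: flag a file whose full path contains the substring
     \program files\wireshark\.
     NOTE(review): the accompanying text describes a "loaded module", but the
     term searched here is FileItem/FullPath, which is a file-on-disk path
     term; a module loaded into a process is a ProcessItem-based term in
     OpenIOC. Confirm which one is intended against the OpenIOC term list.
     As written the indicator matches every file under a Wireshark install
     directory, so a legitimate install will produce many hits; a narrower
     path, a hash or a signer check would reduce the noise.
     The ioc id, Indicator id and IndicatorItem id below are the same GUIDs
     used by the other samples on this page; give each IOC its own ids before
     importing more than one of them into the same store. -->
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     id="88e454e9-f94d-4771-baf8-14fc625ea4e4"
     last-modified="2014-08-06T06:52:49"
     xmlns="http://schemas.mandiant.com/2010/ioc">
  <!-- editor placeholder title; replace with a descriptive name before sharing -->
  <short_description>*New Unsaved Indicator*</short_description>
  <authored_date>2014-08-05T06:35:39</authored_date>
  <links />
  <definition>
    <Indicator operator="AND"
               id="5be0c2e0-53e0-49e9-842d-75d92d3261b3">
      <!-- condition="contains" is a substring match. The Content text is kept
           on one line with no surrounding whitespace: line breaks and
           indentation inside a text node are part of the value, and a consumer
           that does not trim them would search for the padded string instead.
           Whether the comparison is case-sensitive depends on the consumer. -->
      <IndicatorItem id="da7e0a00-d6b1-4139-b71f-e4d3e8e47513"
                     condition="contains">
        <Context document="FileItem"
                 search="FileItem/FullPath"
                 type="mir" />
        <Content type="string">\program files\wireshark\</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>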