In this article, you will find out how to use the IOCs provided in Yuno bulletins.
What is an IOC?
An Indicator of Compromise is a technical marker (IP address, domain name, file hash, etc.) that characterizes an intrusion set, a malware family, or an attack campaign. Within Yuno, these elements are collected from various qualified sources and processed by our analysts.
Yuno INFO bulletins include a field named “Indicator of Compromise”, which serves two purposes:
- To characterize the threat precisely, by providing technical context that can be used either automatically (via the API, for instance) or manually by our customers' tools and analysts.
- To ease the detection or blocking of these threats within your information system.
IOC format
To normalize the content of this field, its syntax follows the attribute types used within MISP (MISP data models).
In a nutshell, this text field contains one entry per line, in the following format:
<prefix>:<value>
The IOCs in a Yuno bulletin are “defanged” by XMCO analysts so that domain names, URLs and the like cannot be clicked by mistake. Remember to revert (“refang”) them before loading them into a tool that matches on exact values.
IOC contextualization
To provide more context on IOCs, Yuno analysts can add comment lines linking them to the name of a threat (an intrusion set or a malware family, for instance). For this to work, the comment must reproduce one of the tags associated with the Yuno bulletin, spelled exactly as the tag is.
In this case, the field has a format such as:
# threat-related-tag
<prefix>:<value>
A few points to consider:
- If the label on the first line of the IOC field is not a threat tag/name, the IOCs that follow are considered generically related to the bulletin.
- Several comment lines can be added within the IOC field to characterize the IOCs correctly.
- Anything below a threat tag/name is directly related to that threat.
IOC field | Notes |
---|---|
md5:XXXXXXXX | Non-threat-related IOCs |
... | |
# Threat 1 | |
md5:XXXXXXXX | IOCs related to threat 1 |
... | |
# Threat n | |
md5:XXXXXXXX | IOCs related to threat n |
... | |
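The grouping rules above, as an added example that is not Yuno or XMCO code: a small parser that reads the IOC field line by line, opens a new threat group only when a `#` comment is spelled exactly like one of the bulletin's tags, keeps everything before the first threat label as generic, and refangs values on the way out. The sample field, the tag set, the `__generic__` bucket name and the defanging patterns handled by `refang` are all assumptions made for the example.

```python
import re

# Constructed example of a Yuno "Indicator of Compromise" field, written in the
# format the article describes. The values are fictitious (RFC 5737 / .invalid).
SAMPLE_FIELD = """\
md5:d41d8cd98f00b204e9800998ecf8427e
url:hxxps://update-check[.]example[.]invalid/loader
# Emotet
sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
domain:mail-relay[.]example[.]invalid
# TA577
ip-dst:192[.]0[.]2[.]44
filename|sha1:dropper.exe|da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

# Tags attached to the (hypothetical) bulletin. A comment line only opens a
# threat group when it is spelled exactly like one of these.
SAMPLE_TAGS = {"Emotet", "TA577", "Phishing"}

GENERIC = "__generic__"  # our own bucket name for IOCs not tied to a named threat


def refang(value: str) -> str:
    """Undo the usual defanging patterns (hxxp, [.], (.), [:]) so the value
    can be matched exactly. Which patterns XMCO uses is an assumption here."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_ioc_field(field: str, bulletin_tags: set) -> dict:
    """Parse the IOC field into {threat_label: [(misp_type, refanged_value), ...]}.

    Rules taken from the article:
      - one '<prefix>:<value>' entry per line;
      - a '# label' line opens a new group when 'label' is exactly a bulletin tag;
      - entries before any threat label are generic.
    A comment that is not a tag is treated as a plain comment and leaves the
    current group unchanged (our interpretation of "several comment lines").
    """
    groups = {}
    current = GENERIC
    for raw in field.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            label = line.lstrip("#").strip()
            if label in bulletin_tags:
                current = label
            continue
        if ":" not in line:
            raise ValueError(f"malformed IOC line: {raw!r}")
        prefix, value = line.split(":", 1)  # split once: URL values contain ':' too
        groups.setdefault(current, []).append((prefix.strip(), refang(value.strip())))
    return groups


if __name__ == "__main__":
    for threat, iocs in parse_ioc_field(SAMPLE_FIELD, SAMPLE_TAGS).items():
        print(threat)
        for misp_type, value in iocs:
            print(f"  {misp_type:<15} {value}")
```

Splitting each line on the first `:` only is what keeps composite prefixes such as `filename|sha1` and values that themselves contain `:` (URLs, IPv6 addresses) intact.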
Warning: although Yuno provides IOCs with its INFO bulletins, and this data can be processed automatically via the Portal API, Yuno does not offer IOC feeds as such. An IOC feed answers specific needs and has technical and functional characteristics of its own (structure, exchange format, update frequency, available contextual data, etc.) that Yuno does not provide.
IOC types
When integrating the available IOCs into your TIP (Threat Intelligence Platform), the MISP types from the data models can be mapped to the Cyber-observable Objects (SCOs) of the STIX 2.1 standard:
Yuno IOC data type | STIX 2.1 Cyber-observable Object |
---|---|
md5, sha1, sha256, sha512, filename\|md5, filename\|sha1, filename\|sha256, filename\|sha512 | File |
as | AutonomousSystem |
hostname | Hostname (custom) |
domain | DomainName |
email-src | EmailAddress |
email-body | EmailMessage |
ip-src | IPv4Address, IPv6Address |
ip-dst | IPv4Address, IPv6Address |
mac-address | MACAddress |
mutex | Mutex |
text | Text (custom) |
url | URL |
process | Process |
software | Software |
user-agent | UserAgent (custom) |
regkey, regkey\|value | WindowsRegistryKey |
account | UserAccount |
dir | Directory |
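The mapping above, as an added example that is not Yuno or XMCO code: a converter that turns one (MISP type, refanged value) pair into a STIX 2.1 SCO dictionary. It goes slightly beyond the table by handling the composite MISP types (`filename|sha256`, `regkey|value` carry two fields split on `|`), by choosing `ipv4-addr` or `ipv6-addr` from the address itself, and by refusing a value that is still defanged. The `x-hostname`, `x-text` and `x-user-agent` names for the custom objects, the `is_multipart` default for email bodies and the sample pairs are assumptions; `process` and `account` are left out because a single value does not give enough structure for those objects.

```python
import ipaddress
import uuid

# Hash algorithm names as STIX 2.1 spells them in a file object's 'hashes' dictionary.
HASH_NAMES = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256", "sha512": "SHA-512"}

# MISP types whose value maps to a single property of one STIX object.
# The 'x-...' types are our own names for the custom objects in the table above.
SIMPLE = {
    "domain": ("domain-name", "value"),
    "url": ("url", "value"),
    "email-src": ("email-addr", "value"),
    "mac-address": ("mac-addr", "value"),
    "mutex": ("mutex", "name"),
    "software": ("software", "name"),
    "dir": ("directory", "path"),
    "regkey": ("windows-registry-key", "key"),
    "hostname": ("x-hostname", "value"),
    "text": ("x-text", "value"),
    "user-agent": ("x-user-agent", "value"),
}


def to_stix_observable(misp_type: str, value: str) -> dict:
    """Convert one (MISP type, refanged value) pair into a STIX 2.1 SCO dict.

    Composite MISP types ('filename|sha256', 'regkey|value') carry two fields
    separated by '|', which become two properties of the same object. IP types
    are split into ipv4-addr / ipv6-addr by parsing the address, so a still
    defanged value such as '192[.]0[.]2[.]44' is rejected rather than emitted.
    """
    if misp_type in HASH_NAMES:
        stix_type, props = "file", {"hashes": {HASH_NAMES[misp_type]: value}}
    elif misp_type.startswith("filename|") and misp_type[len("filename|"):] in HASH_NAMES:
        name, digest = value.split("|", 1)
        algo = HASH_NAMES[misp_type[len("filename|"):]]
        stix_type, props = "file", {"name": name, "hashes": {algo: digest}}
    elif misp_type in ("ip-src", "ip-dst"):
        addr = ipaddress.ip_address(value)  # ValueError on defanged or garbage input
        stix_type, props = f"ipv{addr.version}-addr", {"value": value}
    elif misp_type == "as":
        stix_type, props = "autonomous-system", {"number": int(value.upper().lstrip("AS"))}
    elif misp_type == "regkey|value":
        key, data = value.split("|", 1)
        stix_type, props = "windows-registry-key", {"key": key, "values": [{"data": data}]}
    elif misp_type == "email-body":
        # is_multipart is a required property of email-message in STIX 2.1
        stix_type, props = "email-message", {"is_multipart": False, "body": value}
    elif misp_type in SIMPLE:
        stix_type, prop = SIMPLE[misp_type]
        props = {prop: value}
    else:
        # 'process' and 'account' need more structure than a single value gives;
        # leave them to the TIP rather than guess.
        raise ValueError(f"unsupported MISP type: {misp_type}")
    return {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}", **props}


if __name__ == "__main__":
    import json
    # constructed sample pairs, as a parser of the IOC field would produce them
    sample = [
        ("filename|sha256", "dropper.exe|" + "ab" * 32),
        ("ip-dst", "192.0.2.44"),
        ("ip-src", "2001:db8::1"),
        ("as", "AS64496"),
        ("regkey|value", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run|C:\Users\Public\x.exe"),
    ]
    for misp_type, value in sample:
        print(json.dumps(to_stix_observable(misp_type, value)))
```

The `id` is a random UUIDv4 here; a TIP that deduplicates observables will usually regenerate it as the deterministic UUIDv5 the STIX 2.1 specification describes, so do not rely on it for correlation.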