By Ryan Kovar April 09, 2020
This blog post is part twenty-four of the "Hunting with Splunk: The Basics" series. I've been dealing with viruses for years, but this is the first time I've written a blog post where we are dealing with actual viruses. Ever since the 2004 tsunami, I have witnessed cyber-baddies using current events to trick users into opening documents or clicking on links. The COVID-19 breakout is no different. In this blog, I show how you can take the crowdsourced IOCs collected by good folks and implement them into Splunk – Ryan Kovar
Many years ago, in the very first post of the "Hunting with Splunk: The Basics" blog series, I taught you how to create lookup tables and then perform actions on them. In this blog, I am going to walk you through how I quickly created a technology add-on (TA-covidIOCs) to download data from a source of COVID IOCs on GitHub, formats them in a lookup table (harkening back to my Lookup Before You Go-Go...Hunting blog post), and finally gives you some example searches to use that lookup table to hunt in your data.
Source of IOCs
Recently my best friend (hi Marcus!) told me about a GitHub repo that was collecting and collating COVID-19 indicators of compromise (IOC). It is a well-established fact that adversaries use tragic events to trick victims into clicking on links or downloading files, and this recent crisis is no different. This GitHub repo was created by Parth D. Maniar and is full of IOCS (files hashes, IP addresses, domains, and URLs) that the author has been able to collect. Some appear to be sourced by the author; others are drawn from vendors like VirusTotal, DomainTools, and Anomali. The IOCs are currently updated frequently, although I assume this will eventually (and hopefully) reduce in regularity. This is a great time to point out that this list of IOCs has NOTHING to do with Splunk. It's just the best collection of COVID IOCs that I have found for free on the internet. Use at your own risk of false positives. As Roman cybersecurity professionals once scribed on their stone cubicle walls: “absent est falsum positivarum."
TA-ing the IOCs
TL;DR Here is the TA-covidIOCs. Download it on a dev box and check out how it works and brings in IOCs to use in lookups. The lookups are COVIDips, COVIDurls, COVIDnewdomains, and COVIDhashes. *nix only. Reminder, not our IOCs don't use without vetting.
Reviewing previous methods of dealing with GitHub, I considered using a <CODE>git clone to bring down the repo and then sort it out locally. However, to make this as low effort as possible, I'm gonna be lazy ☺. Mr. Maniar was kind enough to break his IOCs out into different directories in his Github repo. Four directories for four separate types of IOCs.
A quick review shows that these IOCs are in ASCII form and separated by a carriage return.
This is perfect. The TA uses the following command to pull the “raw” files into my system using WGET, whack an appropriate header on the file like “IP,isBad” and then add a “,TRUE” on each line. Then I’ll move each file to the ../lookups directory and run the script every hour via scripted input. Just so YOU know, it comes with IOCs out of the box from the last time I ran the command so you should have something to work on from installation!)
wget --no-check-certificate https://raw.githubusercontent.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs/master/IPs && sed 's/$/,TRUE/' IPs > COVIDips.csv && echo 'ip,isBad' | cat - COVIDips.csv > temp && mv -f temp COVIDips.csv && rm -f IPs* && mv -f COVIDips.csv $SPLUNK_HOME/etc/apps/TA-covidIOCs/lookups/
And as you can see, that's precisely what I will do. Now some of my fellow neckbeards in the audience will decry my use of "echo" over "sed -i" for inserting a header for my CSV. The reason is that “sed -i" doesn't work great on MAC OSX, and I know many of you are going to use this locally and not deploy it. So there.
Once this was done, I finished off my TA-covidIOCs and sent it to my good friend Lily Lee, who helped me out by cleaning it up. She promised me she stopped laughing at my code after a mere 30 minutes. Two hours later she finished and sent me over my mistakes. Good news is, the TA now works and will start downloading the IOCs in 60 minutes. To make it work out of the box we kept some IOCs in there to get you hunting! If you are impatient and want the newest IOCs right NOW go ahead restart Splunk. Please don't send angry users my way though....
Hunting with the IOCS
Now, this part is basically just regurgitating my work from several years ago. This is great, as everyone knows I'm pretty lazy, so this is the easy part of my day. First I just want to verify that I have IOCS to play with so I do a quick
|inputlookup covidips
Success! Now let's see if we have any hosts talking to bad COVID threat-related IP addresses. Notice I am using this with Stream data, but you could use anything that is a relevent field (src_ip, dest_ip, file_hash, or whatever)
index=main sourcetype=stream:* | lookup covidips ip AS dest_ip | search isBad=TRUE | stats VALUES(dest_ip) AS "COVID related IP address from covidips lookup table" by src_ip
There we go! You’ve hunted down some baddies and are ready to go immunize those workstations. I’ve only shown the “covidips" as an option, but you could use any of the lookup tables to correlate off of your data. Hopefully, this helps you out. Remember, be safe and Healthy Hunting*!
Special thanks to Lily Lee for helping me with TA plumbing and Parth D. Maniar for creating such an excellent repository of threat intelligence!
* For my fellow pedantic neckbeards who are still reading, is this "hunting" no... not really, but feel free to pivot off those IOCs and rip up some tasty infrastructure!