Importing dodgy MD5 hashes into Spectrum

Document created by RSA Admin Employee on Mar 20, 2013. Last modified by RSA Admin Employee on Mar 20, 2013. Version 3.

There has been a lot of noise lately about the Mandiant APT1 report, which included a large number of indicators that can be detected using NetWitness. These include domains and IP addresses, as well as 3008 MD5 hashes from files found in Mandiant investigations. These MD5s can be imported into Spectrum to raise the badness score of any matching file, ideally warning you that something needs attention. The process is very simple but is often forgotten about.


This process can be repeated any time an AV vendor or security firm releases a list of hashes to the broader community. The APT1 malware is now largely identified by antivirus (e.g. VirusTotal in Spectrum), but the same technique can be used for lesser-known hash sets.


For example, Symantec released a report today at http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/comment_crew_indicators_of_compromi…


The Symantec report includes a list of several hundred MD5 hashes that you can format into a CSV file prior to importing into Spectrum. I've attached both the Mandiant APT1 and Symantec CSV files to this post, already correctly formatted. For reference, the file needs to be in Comma Separated Value (CSV) format with a header row; details are on page 79 of the Spectrum manual. Personally, I use Excel to create these CSV files because it is so easy.



The columns are pretty self-explanatory. Chances are you won't have the original file name, so you can leave that column blank. The source column can be a reference so you know which report listed the hash.
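For anyone who would rather script the CSV than build it in Excel, here is an added example (not part of the original post or the Spectrum product) that pulls MD5 values out of pasted report text, normalises and de-duplicates them, and writes a header row plus one row per hash with the file name left blank. The column names `hash`, `filename` and `source` and the sample report text are assumptions for this example; check them against page 79 of the Spectrum manual and the attached CSVs before importing.

```python
import csv
import io
import re

# Constructed sample of the kind of text you would paste from a vendor
# report. The hash values below are made up for illustration only.
SAMPLE_REPORT = """
Indicators of compromise
MD5: 0123456789ABCDEF0123456789ABCDEF  dropper
md5 fedcba9876543210fedcba9876543210
0123456789abcdef0123456789abcdef (same as the first, different case)
not-a-hash: 12345
"""

# An MD5 is exactly 32 hex characters; word boundaries stop partial matches.
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")

# Assumed column names for this example; confirm against the Spectrum manual.
HEADER = ["hash", "filename", "source"]


def extract_md5s(text):
    """Return the unique MD5 hashes in the text, lower-cased, in first-seen order."""
    unique = []
    for match in MD5_RE.findall(text):
        h = match.lower()
        if h not in unique:
            unique.append(h)
    return unique


def build_hash_csv(text, source):
    """Build CSV text with a header row and one row per hash.

    The filename column is left empty, as the post suggests when the
    original file name is unknown; source records which report listed it.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    for h in extract_md5s(text):
        writer.writerow([h, "", source])
    return buf.getvalue()


if __name__ == "__main__":
    print(build_hash_csv(SAMPLE_REPORT, "Symantec Comment Crew report"), end="")
```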


Once imported, you will see the hash values (possibly thousands of them) listed on the System | Hash page. These will be checked against every file that Spectrum looks at.


If your Spectrum box ever spots a file that matches your bad hash set, it will show up as an icon on the File or Event page. Notice in the screenshot below that both of my chosen antivirus engines and the bad hash value were triggered. The static, community and sandbox analysis scores were all high too. These files are probably not friendly.



Hovering over the hash icon on the Event screen shows the following information:



That is all there is to it. Including known bad hashes is a useful trick for improving the scores coming out of Spectrum and prioritising the things you may want to investigate first.


Attached is a ZIP file that needs to be extracted before the two files can be imported into Spectrum.  A video of the whole process is also attached.
