Mandiant’s APT1 Domain/MD5 Intel and Security Onion with ELSA

Last night’s post on using domain and md5 lists from Mandiant’s Intel Report APT1: Exposing One of China’s Cyber Espionage Units focused on Security Onion for Splunk. If you’re using ELSA with your Security Onion deployment, you can use the tool to run ELSA queries against a text file of those indicators.

Download the Digital Appendix and Indicators zip file (Mandiant provides MD5 hashes so you can verify the download) and extract the files. Copy “Appendix D (Digital) – FQDNs.txt” and “Appendix E (Digital) – MD5s.txt” to your Security Onion server (the ELSA web node) and rename them to apt1_fqdn.txt and apt1_md5.txt.

sudo perl /opt/elsa/contrib/ -f /path/to/apt1_fqdn.txt -t > fqdn_hits.log

sudo perl /opt/elsa/contrib/ -f /path/to/apt1_md5.txt -t > md5_hits.log

Each of the commands above generates a log file listing every query term that was searched, along with any matching results that were returned.
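As an added illustration (not the ELSA contrib script itself), the following Python does offline what the commands above do inside ELSA: it normalises indicator lists in the shape of apt1_fqdn.txt and apt1_md5.txt, runs each term against a handful of constructed Security Onion-style log lines, and reports per-term hits. The indicator values and log lines are constructed samples, not APT1 data; FQDN matching is deliberately scoped so that a subdomain of an indicator matches but an unrelated name with the same suffix does not.

```python
import re

# Constructed stand-ins for the Mandiant appendix files (one indicator per line,
# including the blank and comment lines you may find in a hand-edited list).
APT1_FQDNS = ["c2.example.invalid", "update.example.invalid", ""]
# The MD5 below is the hash of the empty string, used only as a sample value.
APT1_MD5S = ["d41d8cd98f00b204e9800998ecf8427e", "# comment line", "  "]

# Constructed events in the style of the Bro DNS/HTTP/files logs ELSA indexes.
SAMPLE_LOGS = [
    "1361230000.0 CAbcd 10.0.0.5 53124 8.8.8.8 53 udp dns query=www.c2.example.invalid",
    "1361230001.0 CAbce 10.0.0.7 40112 93.184.216.34 80 tcp http host=www.example.com",
    "1361230002.0 CAbcf 10.0.0.9 51111 10.0.0.1 445 files md5=D41D8CD98F00B204E9800998ECF8427E",
    "1361230003.0 CAbcg 10.0.0.5 53125 8.8.8.8 53 udp dns query=notc2.example.invalid",
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def load_terms(lines, kind):
    """Trim, drop blanks/comments, lower-case, dedupe; discard malformed MD5s
    so a stray line never turns into an empty or overly broad query."""
    terms = set()
    for line in lines:
        t = line.strip().lower()
        if not t or t.startswith("#"):
            continue
        if kind == "md5" and not MD5_RE.match(t):
            continue
        terms.add(t)
    return sorted(terms)


def fqdn_matches(term, text):
    """True if text contains the indicator or a subdomain of it, but not a
    longer label that merely ends with it (e.g. notc2.example.invalid)."""
    pattern = r"(^|[^a-z0-9.-])([a-z0-9-]+\.)*" + re.escape(term) + r"(?![a-z0-9.-])"
    return re.search(pattern, text) is not None


def run_queries(fqdns, md5s, logs):
    """Return {term: [matching log lines]} for every term, hits or not,
    mirroring a per-term hits file like fqdn_hits.log / md5_hits.log."""
    hits = {}
    for term in fqdns:
        hits[term] = [ln for ln in logs if fqdn_matches(term, ln.lower())]
    for term in md5s:
        hits[term] = [ln for ln in logs if term in ln.lower()]
    return hits


if __name__ == "__main__":
    results = run_queries(load_terms(APT1_FQDNS, "fqdn"), load_terms(APT1_MD5S, "md5"), SAMPLE_LOGS)
    for term, lines in results.items():
        print(f"{term}: {len(lines)} hit(s)")
```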

2 thoughts on “Mandiant’s APT1 Domain/MD5 Intel and Security Onion with ELSA”

  1. I am a novice at ELSA. After I downloaded the two files, how exactly do I use them to query ELSA?

    Kind regards,


  2. If you copy the apt1_fqdn.txt and apt1_md5.txt files to an ELSA log node, for example to your home directory, you would run the following from your home directory:

    sudo perl /opt/elsa/contrib/ -f apt1_fqdn.txt -t > fqdn_hits.log

    That should produce a file called fqdn_hits.log, which will show you any event results that were a match, and you can start digging further from there.
