Mandiant’s APT1 Domain/MD5 Intel and Security Onion with ELSA

Last night’s post on using the domain and MD5 lists from Mandiant’s intel report “APT1: Exposing One of China’s Cyber Espionage Units” focused on Security Onion for Splunk. If you’re using ELSA with your Security Onion deployment, you can use the bulk_query.pl tool to run ELSA queries against every term in a text file.

Download the Digital Appendix and Indicators zip file (md5 hashes are provided by Mandiant) and extract the files. Copy “Appendix D (Digital) – FQDNs.txt” and “Appendix E (Digital) – MD5s.txt” to your Security Onion Server (ELSA web node) and rename them to apt1_fqdn.txt and apt1_md5.txt.

sudo perl /opt/elsa/contrib/bulk_query.pl -f /path/to/apt1_fqdn.txt -t > fqdn_hits.log

sudo perl /opt/elsa/contrib/bulk_query.pl -f /path/to/apt1_md5.txt -t > md5_hits.log

Each command above writes a log file listing every query term that was searched, followed by any matching events ELSA returned for it.
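As an added illustration (not part of the original post, and not the code of bulk_query.pl or ELSA), the script below does the two things a practitioner usually wants around this procedure: it normalizes an indicator list before querying (lowercasing, trailing dots, blank and comment lines, duplicates, and entries that are not valid 32-hex-character MD5s), and it produces a per-term hit report in the spirit of fqdn_hits.log. The indicator values and the Bro-style (now Zeek) DNS and file log lines are constructed placeholders, not Mandiant’s published indicators or real Security Onion output. It goes one step beyond ELSA’s exact term search by also flagging hosts that are subdomains of a listed FQDN, reported as a separate match kind.

```python
"""Normalize an indicator list (FQDNs or MD5s) and report which sample log
lines match each term. Added example; all indicators and log lines are
constructed placeholders, not values from the APT1 appendices."""
import re

# Constructed stand-ins for apt1_fqdn.txt / apt1_md5.txt (placeholders).
FQDN_LIST = """
# blank lines and comments are ignored
Evil-Example.test
cdn.placeholder-c2.example

mail.placeholder-c2.example
"""
MD5_LIST = """
0123456789abcdef0123456789abcdef
FEDCBA9876543210FEDCBA9876543210
not-a-hash
"""

# Constructed Bro-style dns.log / files.log lines (not real sensor output).
LOG_LINES = [
    "1361234567.123 CHhAvVGS1DHFjwGM9 10.0.0.5 53211 8.8.8.8 53 udp 1 mail.Placeholder-C2.example 1 C_INTERNET 1 A 0 NOERROR",
    "1361234570.456 C4J4Th3PJpwUYZZ6gc 10.0.0.7 52001 10.0.0.1 53 udp 2 www.evil-example.test 1 C_INTERNET 1 A",
    "1361234580.789 FZyAQ51oNkTGLvQx7 10.0.0.5 203.0.113.9 CHhAvVGS1DHFjwGM9 HTTP 0 MD5,SHA1 application/x-dosexec - 0.002 F F 51200 51200 0 0 F - 0123456789abcdef0123456789abcdef -",
    "1361234590.000 benign 10.0.0.9 www.example.org A NOERROR",
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")
MD5_TOKEN_RE = re.compile(r"\b[0-9a-f]{32}\b")


def load_indicators(text, kind):
    """Return a de-duplicated, lowercased list of indicators in file order.
    Drops blanks, '#' comments and trailing dots; for kind == 'md5' also
    drops anything that is not exactly 32 hex characters."""
    seen, out = set(), []
    for line in text.splitlines():
        term = line.strip().lower().rstrip(".")
        if not term or term.startswith("#"):
            continue
        if kind == "md5" and not MD5_RE.match(term):
            continue  # a malformed hash would never match and wastes a query
        if term not in seen:
            seen.add(term)
            out.append(term)
    return out


def scan(fqdns, md5s, lines):
    """Return {indicator: [(line_no, match_kind), ...]} with an entry for
    every indicator, so the report shows each term searched, hit or not."""
    fqdn_set, md5_set = set(fqdns), set(md5s)
    hits = {term: [] for term in fqdns + md5s}
    for line_no, raw in enumerate(lines, start=1):
        line = raw.lower()  # indicators are lowercased, so compare lowercase
        found = set()
        for host in HOST_RE.findall(line):
            if host in fqdn_set:
                found.add((host, "exact"))
                continue
            # Walk parent domains: www.a.b hits indicator a.b as a subdomain.
            labels = host.split(".")
            for i in range(1, len(labels) - 1):
                parent = ".".join(labels[i:])
                if parent in fqdn_set:
                    found.add((parent, "subdomain"))
                    break
        for digest in MD5_TOKEN_RE.findall(line):
            if digest in md5_set:
                found.add((digest, "exact"))
        for term, kind in sorted(found):
            hits[term].append((line_no, kind))
    return hits


def format_report(hits, lines):
    """Render a fqdn_hits.log-style report: each term, then its matches."""
    out = []
    for term, matches in hits.items():
        out.append(f"== {term}: {len(matches)} hit(s)")
        for line_no, kind in matches:
            out.append(f"   [{kind}] line {line_no}: {lines[line_no - 1]}")
    return "\n".join(out)


if __name__ == "__main__":
    fqdns = load_indicators(FQDN_LIST, "fqdn")
    md5s = load_indicators(MD5_LIST, "md5")
    print(format_report(scan(fqdns, md5s, LOG_LINES), LOG_LINES))
```

Running the normalization step on the real appendix files before handing them to bulk_query.pl keeps the query count down and avoids case or trailing-dot mismatches; the report keeps zero-hit terms visible so you can confirm every indicator was actually searched.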

2 thoughts on “Mandiant’s APT1 Domain/MD5 Intel and Security Onion with ELSA”

  1. I am a novice at ELSA. After I downloaded the two files, how exactly do I use them to query ELSA?

    Kind regards,

    Del

  2. If you copy the apt1_fqdn.txt and apt1_md5.txt files to an ELSA log node, for example to your home directory, you would run the following from your home directory:

    sudo perl /opt/elsa/contrib/bulk_query.pl -f apt1_fqdn.txt -t > fqdn_hits.log

    That should produce a file called fqdn_hits.log which will show you any event results that were a match and you can start digging further from there.
