
NotPetya


Information about the NotPetya content pack and using real-time feeds.

JSA NotPetya Content Extension V1.2.2

Changed descriptions of custom flow properties to follow a more consistent naming format.


JSA NotPetya Content Extension V1.2.1

The following table shows the custom properties in the NotPetya Content Extension V1.2.1.

Table 1: Custom Properties in NotPetya Content Extension V1.2.1

Name                   Optimized  Capture Group  Regex
Destination Host Name  Yes        1              dstHostName=([^\t]+)[\t]*
File Hash              Yes        1              fileHash=([^\t]+)[\t]*
File_Hash              Yes        1              JSA\(HTTP_FILES_CKSUM\)=0x([^;]+);
File_Name              Yes        1              JSA\(CONTENT_FILE_NAME\)=([^;]+);
Filename               Yes        1              fileName=([^\t]+)[\t]*
HTTP Host              Yes        1              JSA\(HTTP_HOST\)=([^;]+);
Source Host Name       Yes        1              srcHostName=([^\t]+)[\t]*
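As an added example (not code from the content extension), the following Python applies the Table 1 regexes to constructed event payloads and then compares the extracted values against constructed Petya_FileHash and Petya_FileName reference sets, which is what the Petya Event File Hash and Petya Event File Name building blocks do against the real reference sets. The sample payloads, host names, hashes and file names are constructed, and the property-to-reference-set mapping is an assumption.

```python
import re

# Custom property regexes from Table 1; capture group 1 is the extracted value.
CUSTOM_PROPERTIES = {
    "Destination Host Name": r"dstHostName=([^\t]+)[\t]*",
    "File Hash": r"fileHash=([^\t]+)[\t]*",
    "File_Hash": r"JSA\(HTTP_FILES_CKSUM\)=0x([^;]+);",
    "File_Name": r"JSA\(CONTENT_FILE_NAME\)=([^;]+);",
    "Filename": r"fileName=([^\t]+)[\t]*",
    "HTTP Host": r"JSA\(HTTP_HOST\)=([^;]+);",
    "Source Host Name": r"srcHostName=([^\t]+)[\t]*",
}
COMPILED = {name: re.compile(rx) for name, rx in CUSTOM_PROPERTIES.items()}

# Which custom properties each reference set is compared against (mirrors the
# Petya Event File Hash / File Name building blocks; this mapping is an assumption).
REFERENCE_SET_PROPERTIES = {
    "Petya_FileHash": ("File Hash", "File_Hash"),
    "Petya_FileName": ("File_Name", "Filename"),
}

def extract_properties(payload: str) -> dict:
    """Return {property name: capture group 1} for every regex that matches."""
    found = {}
    for name, rx in COMPILED.items():
        match = rx.search(payload)
        if match:
            found[name] = match.group(1)
    return found

def reference_set_hits(props: dict, reference_sets: dict) -> list:
    """Report (reference set, property, value) for each value found in a reference set.
    Comparison is case-insensitive so hex hashes match regardless of case."""
    hits = []
    for ref_name, prop_names in REFERENCE_SET_PROPERTIES.items():
        members = {v.lower() for v in reference_sets.get(ref_name, ())}
        for prop in prop_names:
            value = props.get(prop)
            if value is not None and value.lower() in members:
                hits.append((ref_name, prop, value))
    return hits

# Constructed samples: a tab-delimited event and a QNI-style event (not real data).
TAB_EVENT = "srcHostName=ws01\tdstHostName=fs02\tfileName=sample.dat\tfileHash=0123abcd\t"
QNI_EVENT = ("JSA(HTTP_HOST)=intranet.example.test;"
             "JSA(CONTENT_FILE_NAME)=update.exe;JSA(HTTP_FILES_CKSUM)=0xDEADBEEF;")
SAMPLE_REFERENCE_SETS = {"Petya_FileHash": {"0123ABCD"}, "Petya_FileName": {"update.exe"}}
```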


JSA NotPetya Content Extension Older Releases

The NotPetya content pack contains the following features:

  • Prepopulated IOCs (indicators of compromise) in four reference sets, which can be populated in real time from X-Force NotPetya collections. The content pack includes the following reference sets:

    • Petya_FileName

    • Petya_FileHash

    • Petya_IP

    Note

    The reference sets in app v1.2.0 were last updated on May 17, 2017. Administrators are encouraged to configure a NotPetya collection feed from the App Exchange to get the most recent data.

    YouTube: Ransomware Outbreak Detection: QRadar and X-Force Threat Intelligence Feeds.

  • NotPetya building blocks are included, and a custom rule is added, which triggers when any of the IOCs are detected. The following table lists the building blocks that are added when you install the content pack:

    Building Block           Description
    Petya Event File Hash    References file hashes
    Petya Event File Name    References file names
    Petya Event Host Name    References host names
    Petya Flow Payload       References hashes in payloads
    Petya IP Found           References IP addresses. By default, this building block is not added because it might cause false positives in multi-hosted domains. You can add this building block separately.

    Note

    The IP building block is available; however, it is not in the rule by default. This action is intentional because some organizations or administrators do not want the IP Building Block included since it can generate false positives with multi-hosted domains. The IP reference set is for customers who are not worried about these false positives and who might like to investigate communication from known IP addresses that distribute attack vectors. You can also use the saved searches that are added to check whether any of these IP addresses exist in your organization.

  • A custom rule that uses the reference sets and building blocks to detect the NotPetya malware. The building blocks and reference sets in this content pack are linked to the custom rule. The custom rule creates an offense when any file names, hashes, or signatures from X-Force Threat Intelligence feeds are detected.

    The following custom rule is added: Petya Detected In Real Time

    Apply Petya Detect on events or flows which are detected by the local system and when a flow or an event matches any of the following: Petya Event File Hash, Petya Event File Name, Petya Flow Payload, Petya QNI File Hash, Petya QNI File Name.

    If you use the QFlow feature and any of the following network traffic signatures is detected, your organization is alerted for possible early detection of the Petya malware. The signatures apply to traffic to port 445 (alert tcp any any -> any 445) and match any of the following hex patterns:

      • ff 53 4d 42 72 00 00 00 00 18 07 c0 46 00

      • ff 53 4d 42 72 00 00 00 00 18 07 c0 52 59

      • ff 53 4d 42 72 00 00 00 00 18 07 c0 8a 47

      • 10 00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 4a 00 00 00 4a 00 02 00 23 00 00 00 07 00 5c 50 49 50 45 5c 00

  • A custom function that converts a flow payload into HEX format, and a building block that has the custom signature of NotPetya.

    The following custom rule is added: Potential Ransomware, Suspicious activity / Possible Petya, NotPetya

    - Apply Potential Ransomware, Suspicious activity / Possible Petya, NotPetya on flows which are detected by the Local system and when the flow context is Local to Local and when the destination port is one of the following 445 and when the source side of the flow has payload data and when the flow matches FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%70 00 73 00 65 00 78 00 65 00 63 00 73 00 76 00 63 00%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%73 00 76 00 63 00 63 00 74 00 6c 00%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%5c 00 61 00 64 00 6d 00 69 00 6e 00 24 00%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%ff 53 4d 42 72 00 00 00 00 18 07 c0%' (AQL filter query)

    The following building block is added: BB: Petya in Flow Payload

    - Apply Petya in Flow Payload on flows which are detected by the local system and when the flow context is Local to Local and when the destination port is one of the following 445 and when the source side of the flow has payload data and when the flow matches FORMAT::PAYLOAD_TO_HEX(destinationpayload) like '%00 00 00 31%' and FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%ff 53 4d 42 72 00 00 00 00 18 07 c0 8a 47%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%10 00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 4a 00 00 00 4a 00 02 00 23 00 00 00 07 00 5c 50 49 50 45 5c 00%' (AQL filter query)

  • Custom flow rule (not enabled by default): Potential Ransomware, Suspicious activity / Possible Petya, NotPetya, with five HEX signatures for highly suspicious activity on port 445, a high possibility of ransomware, and a high possibility of Petya/NotPetya. To enable this rule, use the Actions menu on the Offenses tab.

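As an added example, not code from the content extension, the following Python reproduces the flow rule's checks outside JSA: the source payload is rendered in the space-separated hex form the rule's LIKE '%...%' patterns are written in (an assumed stand-in for FORMAT::PAYLOAD_TO_HEX), then matched against the five signatures, which are the UTF-16LE encodings of psexecsvc, PSEXESVC.EXE, svcctl and \admin$ plus the SMB1 Negotiate Protocol header. The sample payloads, host name and port/context values are constructed; the same functions cover the four patterns of the Petya Detected In Real Time signature if they are added to SIGNATURES.

```python
# The five hex patterns from the Potential Ransomware / Possible Petya, NotPetya
# flow rule, labelled with what each decodes to (labels are added; patterns are the page's).
SIGNATURES = {
    "psexecsvc (UTF-16LE)": "70 00 73 00 65 00 78 00 65 00 63 00 73 00 76 00 63 00",
    "PSEXESVC.EXE (UTF-16LE)": "50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45",
    "svcctl (UTF-16LE)": "73 00 76 00 63 00 63 00 74 00 6c 00",
    "admin$ share (UTF-16LE)": "5c 00 61 00 64 00 6d 00 69 00 6e 00 24 00",
    "SMB1 Negotiate header": "ff 53 4d 42 72 00 00 00 00 18 07 c0",
}

def payload_to_hex(payload: bytes) -> str:
    """Render a payload as space-separated lowercase hex bytes, the shape the rule's
    LIKE patterns use (assumed to mirror FORMAT::PAYLOAD_TO_HEX)."""
    return " ".join(f"{b:02x}" for b in payload)

def matching_signatures(payload: bytes) -> list:
    """Names of every signature whose hex pattern occurs in the payload.
    Each pattern starts on a full byte followed by a space, so a substring
    match can only land on a byte boundary."""
    hex_payload = payload_to_hex(payload)
    return [name for name, sig in SIGNATURES.items() if sig in hex_payload]

def flow_is_suspicious(dst_port: int, local_to_local: bool, source_payload: bytes) -> bool:
    """The rule's conditions: Local to Local flow, destination port 445, source
    payload present, and at least one signature in the source payload."""
    if dst_port != 445 or not local_to_local or not source_payload:
        return False
    return bool(matching_signatures(source_payload))

# Constructed sample payloads (not real captures).
ADMIN_SHARE = b"\x00\x01\x02" + "\\\\fs02\\admin$".encode("utf-16-le") + b"\x00\x00"
SMB_NEGOTIATE = b"\x00\x00\x00\x2f" + bytes.fromhex("ff534d4272000000001807c0") + bytes(8)
BENIGN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"
```

Running matching_signatures over exported flow payloads shows which pattern a flow would trip before you enable the rule, which is useful for judging its false-positive rate on your own port 445 traffic.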

Saved Searches

The following saved searches are added:

  • Petya/NotPetya FLOWS last 24 hours in Network Activity

    Flow search for matches on four hex signatures of Petya/NotPetya

  • Potential Ransomware (Suspicious activity, Possible Petya, NotPetya) in Network Activity

    Flow search for five hex signatures of highly suspicious activity on port 445, with a high possibility of ransomware and a high possibility of Petya/NotPetya

  • Petya/NotPetya Flows "DestinationIP" Last 24 Hours in Network Activity

  • Petya/NotPetya Flows "SourceIP" Last 24 Hours in Network Activity

  • Petya/NotPetya Event "SourceIP" Last 24 Hours in Log Activity

    Event search added for match on event source IP address.

  • Petya/NotPetya Event "DestinationIP" Last 24 Hours in Log Activity

    Event search added for match on event destination IP address.

  • Petya/NotPetya Event "File Hash" Last 24 Hours in Log Activity

    Event search added for a match on an event file hash that matches XFE threat intelligence file hash data.

The saved searches are shareable by default in V1.2.1.

Enabling Building Blocks in JSA V7.3.0

In JSA V7.3.0, you must edit the Petya QNI Host, Petya QNI File Hash, and the QNI File_Name building blocks to enable them.

For Petya QNI Host, use the following steps:

  1. Click Offenses > Rules.

  2. Select Building Blocks from the Display menu.

  3. Double-click the Petya QNI Host building block to open the rule.

  4. Click these flow properties and then add HTTP_Host (QNI) from the list.

  5. Click Submit.

For Petya QNI File Hash, use the following steps:

  1. Click Offenses > Rules.

  2. Select Building Blocks from the Display menu.

  3. Double-click the Petya QNI File Hash building block to open the rule.

  4. Click these flow properties and then add File_Hash (QNI) from the list.

  5. Click Submit.

For QNI File_Name, use the following steps:

  1. Click Offenses > Rules.

  2. Select Building Blocks from the Display menu.

  3. Double-click the QNI File_Name building block to open the rule.

  4. Click these flow properties and then add File_Name (QNI) from the list.

  5. Click Submit.

Note

When you update your content pack, you must select Overwrite when the system prompts you with the following message:

This extension is attempting to update entries. Any changes made to the original entries will be lost.


NotPetya Real-time Feeds

To receive real-time feeds from the App Exchange NotPetya collections after you install the NotPetya content pack, you must install the Threat Intelligence app from the App Exchange.

To install and configure the Threat Intelligence app, follow the instructions in the Installing Extensions by Using Extensions Management section.

Setting Up the Taxii Feed

The following sections describe the authorization that is required to set up the Taxii feed.

Note

Before you start, administrators must enable the X-Force Threat Intelligence Feed in the JSA System Settings screen.

Enabling X-Force Threat Intelligence Feeds for JSA V2014.8 and Later

  1. Log in to JSA as an administrator.

  2. Click the Admin tab.

  3. Click the System Settings icon.

  4. From the Enable X-Force Threat Intelligence Feed drop-down menu, select Yes.

  5. Click Save.

  6. From the Admin tab, click Deploy Changes to enable the X-Force Threat Intelligence Feed for the deployment.

Note

Administrators must allow internet access from the JSA Console to the following addresses to get X-Force Threat Intelligence Feed data from JSA. The following servers are contacted for both X-Force data updates and licensing.

Server description:

  • X-Force Threat Intelligence Feed update server for IP reputation and URL data

  • X-Force Threat Intelligence licensing server

Configuring a Collection Feed

To receive real-time updates from the Petya collections on X-Force Exchange, complete the following steps after you install the Threat Intelligence app.

  1. On the Admin tab, click the STIX/TAXII Configuration icon.

  2. Click Add Threat Feed > Add Taxii Feed.

  3. In the Taxii Endpoint field, paste the URL of the collection that you want to follow:

    1. Go to the App Exchange at: https://exchange.xforce.ibmcloud.com/

    2. Select a collection (in this case, a Petya collection) and open its page.

    3. Copy the URL for the collection page, and paste this URL into the Taxii Endpoint field in JSA.

  4. Select HTTP basic for the Authentication Method.

  5. In the Username field, enter the API key that you generated on your profile settings page of the App Exchange.

  6. In the Password field, enter the API password that you generated on your profile settings page of the App Exchange.

  7. Click Discover.

  8. The Collection field is populated.

  9. In the Observable Type field, you must select one of the observable types from the menu. The following observable types are examples of what you might see in the menu:

    • IPv4 Address

    • File Name

    • File Hash

    • URL

  10. Configure the polling parameters, or leave at the default settings, and then click Next.

  11. Select one of the new reference sets that were installed with the content pack. You match an observable type to a corresponding reference set. For example, if you selected File Hash as the observable type, then you select the Petya_File_Hash reference set. If you selected File Name as the observable type, then you select the Petya_File_Name reference set. You can also create your own custom reference set.

  12. Click Next, and then click Save.

  13. Click Poll Now to get updates. You can view the updates that were applied in the specific reference set on the JSA Admin tab.

Advanced Search Examples to Find Specific Hashes in the Payload

You can use the following AQL query examples in JSA Advanced Search to search payloads for the specified hashes, which are used here for example purposes only:

  • SELECT sourceip, FORMAT::PAYLOAD_TO_HEX(sourcepayload) from flows where destinationport = '445' and FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%ff 53 4d 42 72 00 00 00 00 18 07 c0 46 00%' last 30 MINUTES

  • SELECT * from flows where destinationport = '445' and FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%ff 53 4d 42 72 00 00 00 00 18 07 c0 46 00%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%10 00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 4a 00 00 00 4a 00 02 00 23 00 00 00 07 00 5c 50 49 50 45 5c 00%' last 30 MINUTES
