WannaCry
Information about the WannaCry content pack and using real-time feeds.
WCry Content Extension V1.1.2
Updated several property descriptions.
WCry Content Extension V1.1.1
The following table shows the custom properties that were updated for the WCry Content Extension V1.1.1.
Table 1: Updated Custom Properties for WCry Content Extension V1.1.1
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Destination Host Name | Yes | 1 | dstHostName=([^\t]+)[\t]* |
File Hash | Yes | 1 | fileHash=([^\t]+)[\t]* |
File_Hash | Yes | 1 | IBM\(HTTP_FILES_CKSUM\)=0x([^;]+); |
File_Name | Yes | 1 | IBM\(CONTENT_FILE_NAME\)=([^;]+); |
Filename | Yes | 1 | fileName=([^\t]+)[\t]* |
HTTP Host | Yes | 1 | IBM\(HTTP_HOST\)=([^;]+); |
Source Host Name | Yes | 1 | srcHostName=([^\t]+)[\t]* |
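As an added example (not code from the content pack or its documentation), the following Python applies the custom property regexes from Table 1 to constructed event payloads and checks the captured values against constructed reference sets, the way the BB:WCry Event building blocks check the real ones; the payload layouts and the property-to-reference-set mapping are assumptions.

```python
import re

# Custom properties from Table 1; capture group 1 holds the value in every case.
CUSTOM_PROPERTIES = {
    "Destination Host Name": r"dstHostName=([^\t]+)[\t]*",
    "File Hash": r"fileHash=([^\t]+)[\t]*",
    "File_Hash": r"IBM\(HTTP_FILES_CKSUM\)=0x([^;]+);",
    "File_Name": r"IBM\(CONTENT_FILE_NAME\)=([^;]+);",
    "Filename": r"fileName=([^\t]+)[\t]*",
    "HTTP Host": r"IBM\(HTTP_HOST\)=([^;]+);",
    "Source Host Name": r"srcHostName=([^\t]+)[\t]*",
}

# Assumed mapping of each property to the reference set its building block checks.
PROPERTY_TO_SET = {
    "File Hash": "WCry_FileHash", "File_Hash": "WCry_FileHash",
    "Filename": "WCry_FileName", "File_Name": "WCry_FileName",
    "Destination Host Name": "WCry_HostName",
    "Source Host Name": "WCry_HostName", "HTTP Host": "WCry_HostName",
}

def extract_properties(payload: str) -> dict:
    """Return {property name: capture group 1} for every regex that matches."""
    found = {}
    for name, pattern in CUSTOM_PROPERTIES.items():
        m = re.search(pattern, payload)
        if m:
            found[name] = m.group(1)
    return found

def reference_set_hits(payload: str, reference_sets: dict) -> list:
    """Reference sets containing an extracted value, i.e. building blocks that
    would fire. File_Hash is captured without its 0x prefix, so WCry_FileHash
    entries must be stored in that form for QNI events to match."""
    props = extract_properties(payload)
    return sorted({PROPERTY_TO_SET[n] for n, v in props.items()
                   if v in reference_sets[PROPERTY_TO_SET[n]]})

# Constructed sample data (not real indicators or log lines).
REFERENCE_SETS = {
    "WCry_FileHash": {"0123456789abcdef0123456789abcdef"},
    "WCry_FileName": {"constructed-dropper.exe"},
    "WCry_HostName": {"c2.example.invalid"},
}
EVENT_TAB = ("srcHostName=ws01.example.internal\tdstHostName=c2.example.invalid\t"
             "fileName=report.docx\tfileHash=0123456789abcdef0123456789abcdef\t")
EVENT_QNI = ("IBM(HTTP_HOST)=cdn.example.internal;"
             "IBM(CONTENT_FILE_NAME)=constructed-dropper.exe;"
             "IBM(HTTP_FILES_CKSUM)=0xfeedface00;")
```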
The following table shows the rules that were updated for the WCry Content Extension V1.1.1.
Table 2: Updated Rules in WCry Content Extension V1.1.1
Name | Description |
---|---|
Wcry Detect | Rule updated with reference set WCry_IP. The element type of the reference set was changed to IP. |
The following table shows the saved searches that were updated for the WCry Content Extension V1.1.1. The searches were made shareable by setting the shared value to TRUE.
Table 3: Updated Saved Searches in WCry Content Extension V1.1.1
Name |
---|
WannaCry Events "Destination Host Name" Last 24 Hours |
WannaCry Events "DestinationIP" Last 24 Hours |
WannaCry Events "File Hash" Last 24 Hours |
WannaCry Events "Hostname" Last 24 Hours |
WannaCry Events "Source Host Name" Last 24 Hours |
WannaCry Events "SourceIP" Last 24 Hours |
WannaCry Events "URL" Last 24 Hours |
WannaCry Flows Last 24 Hours |
WCry Content Extension V1.0.0
The WCry content pack contains the following features:
Prepopulated IOCs (indicators of compromise) in four reference sets, which can be populated in real time from X-Force WCry collections. The content pack includes the following reference sets:
WCry_FileName
WCry_FileHash
WCry_HostName
WCry_IP
The reference sets were last updated on 18 May 2017. Configure a WannaCry collection feed from the App Exchange to get the most recent data.
WCry related building blocks are included, and a custom rule that triggers when any of the IOCs are detected. The following table lists the building blocks that are added when you install the content pack:
Building Block | Description |
---|---|
BB:WCry Event File Hash | References file hashes |
BB:WCry Event File Name | References file names |
BB:WCry Event Host Name | References host names |
BB:WCry Flow Payload | References hashes in payloads |
BB:WCry IP Found | References IP addresses |
Note: The IP, URL, and host name Building Blocks are available; however, they are not in the rules by default. This action is intentional because some organizations or administrators do not want these Building Blocks to be included as they might generate false positives with multi-hosted domains. The IP address and host name reference sets are for customers who are not worried about these false positives. These customers might also like to investigate communication from known IP addresses that distribute attack vectors. You can also use the saved searches that are added to check whether any of these IP addresses, host names, or URLs exist in your organization.
Custom Rule that uses the reference sets and building blocks to detect the WannaCry malware. The building blocks and reference sets in this content pack are linked to the custom rule. This rule creates an offense when any file names, hashes, and signatures from X-Force Threat Intelligence feeds are detected. The following custom rule is added:
Apply WCry Detect on events or flows which are detected by the local system and when a flow or an event matches any of the following: WCry Event File Hash, WCry Event File Name, WCry Flow Payload, WCry QNI File Hash, WCry QNI File Name
A custom function that converts a flow payload into HEX format, and a building block that carries the custom WCry signature, which consists of the following hex byte sequences:
00 00 00 31
4a 6c 4a 6d 49 68 43 6c 42 73 72 00
2b 00 00 00 00 98 07 c0
The following building block is added: BB: WCry Flow Payload
Apply WCry Flow Payload on flows that are detected by the Local system. The WCry Flow Payload must also be applied when the flow context is Local to Local, when the destination port is one of the following: 445, and when the destination side of the flow has payload data. The flow must match the following AQL filter query:
FORMAT::PAYLOAD_TO_HEX(destinationpayload) like '%00 00 00 31%' and FORMAT::PAYLOAD_TO_HEX(destinationpayload) like '%4a 6c 4a 6d 49 68 43 6c 42 73 72 00%' and FORMAT::PAYLOAD_TO_HEX(destinationpayload) like '%2b 00 00 00 00 98 07 c0%'
The following saved searches are added:
WannaCry Events "Destination Host Name" Last 24 Hours in Log Activity
WannaCry Events "File Hash" Last 24 Hours in Log Activity
WannaCry Events "Hostname" Last 24 Hours in Log Activity
WannaCry Events "URL" Last 24 Hours in Log Activity
WannaCry Events "DestinationIP" Last 24 Hours in Log Activity
WannaCry Events "Source Host Name" Last 24 Hours in Log Activity
WannaCry Events "SourceIP" Last 24 Hours in Log Activity
WannaCry Flows Last 24 Hours in Network Activity
Enabling Building Blocks in JSA V7.3.0
In JSA V7.3.0, you must edit the WCry QNI Host, WCry QNI File Hash, and the QNI File_Name building blocks to enable them.
For WCry QNI Host, use the following steps:
Click Offenses > Rules.
Select Building Blocks from the Display menu.
Double-click the WCry QNI Host building block to open the rule.
Click these flow properties and then add HTTP_Host (QNI) from the list.
Click Submit.
For WCry QNI File Hash, use the following steps:
Click Offenses > Rules.
Select Building Blocks from the Display menu.
Double-click the WCry QNI File Hash building block to open the rule.
Click these flow properties and then add File_Hash (QNI) from the list.
Click Submit.
For QNI File_Name, use the following steps:
Click Offenses > Rules.
Select Building Blocks from the Display menu.
Double-click the QNI File_Name building block to open the rule.
Click these flow properties and then add File_Name (QNI) from the list.
Click Submit.
When you update your content pack, you must select Overwrite when the system prompts you with the following message:
This extension is attempting to update entries. Any changes made to the original entries will be lost.
Wanna Cry Real-time Feeds
Use the following information to configure real-time feeds for Wanna Cry in App Exchange.
To receive real-time feeds from the App Exchange Wanna Cry collections after you install the WCry content pack, you must install the Threat Intelligence app from the App Exchange. For more information, see Installing Extensions by Using Extensions Management.
The following authorization is required to set up the Taxii feed:
You must have an IBM ID to access the App Exchange.
Create an authorized service token to authenticate the background polling service that the Threat Intelligence app uses to request data from JSA.
To set up a Taxii feed from the App Exchange, you need to create an authentication API key at the following URL: https://exchange.xforce.ibmcloud.com/settings/api
Before you start, click the System Settings icon on the JSA Admin tab and verify that Yes is selected for the Enable X-Force Threat Intelligence Feed setting.
Configuring a Collection Feed
To receive real-time updates from the Wanna Cry collections from the App Exchange, do the following steps after you install the Threat Intelligence app.
On the Admin tab, click the STIX/TAXII Configuration icon.
Click Add Threat Feed > Add Taxii Feed.
In the Taxii Endpoint field, type the following URL: https://api.xforce.ibmcloud.com/taxii.
Select HTTP basic, for the Authentication Method.
In the Username field, enter the API key that you generated on your profile settings page of the App Exchange.
In the Password field, enter the API password that you generated on your profile settings page of the App Exchange.
Click Discover.
In the Collection field, select XFE Public Collections I follow.
In the Observable Type field, select one of the following types:
IPv4 Address
File Name
File Hash
URL
Configure the polling parameters, or leave at the default settings, and then click Next.
Select one of the four new reference sets that were installed with the content pack.
For example, if you selected IPv4 Address as the observable type, then you select the WCry_IP reference set. If you selected File Name as the observable type, then you select the WCry_FileName reference set. You can also create your own custom reference set.
Click Next, and then click Save.
Go to the App Exchange and search for Wanna Cry collections.
Open the page for your selected collection, and then click Follow to follow this collection.
For example, you can open the WCry2 Ransomware Outbreak collection, and click Follow, and in the next step, you can poll this collection to update your IPv4 Address reference set.
Go to your JSA and click Poll Now to poll the collection that you want to follow. For example, click Poll Now on the Threat Intelligence Feed that uses the WCry_IP reference set to populate it with the IP addresses that are listed in the WCry2 Ransomware Outbreak collection.
Ensure that you follow the Wanna Cry collections only, because if you subscribe to other collections, you might get irrelevant data from those collections in your Wanna Cry reference sets.
Advanced Search Examples to Find Specific Hashes in the Payload
You can use the following AQL query examples in JSA Advanced Search to search payloads for the specified hashes:
SELECT sourceip, FORMAT::PAYLOAD_TO_HEX(destinationpayload) from flows where destinationport = '445' and FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%00 31%' last 30 MINUTES
SELECT * from flows where destinationport = '445' and FORMAT::PAYLOAD_TO_HEX(destinationpayload) like '%00 00 00 31%' and FORMAT::PAYLOAD_TO_HEX(destinationpayload) like '%4a 6c 4a 6d 49 68 43 6c 42 73 72 00%' and FORMAT::PAYLOAD_TO_HEX(destinationpayload) like '%2b 00 00 00 00 98 07 c0%' last 30 MINUTES
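As an added example (not code from the content pack), the following Python reproduces the check that the BB:WCry Flow Payload building block and the two Advanced Search queries above perform, on constructed flow records; it assumes FORMAT::PAYLOAD_TO_HEX produces lowercase, space-separated byte pairs, as the LIKE patterns imply.

```python
# Signature fragments from the building block's AQL filter.
WCRY_SIGNATURE = (
    "00 00 00 31",
    "4a 6c 4a 6d 49 68 43 6c 42 73 72 00",
    "2b 00 00 00 00 98 07 c0",
)

def payload_to_hex(payload: bytes) -> str:
    """Assumed rendering of FORMAT::PAYLOAD_TO_HEX: lowercase, space-separated
    byte pairs. Because every pair is one byte, a LIKE pattern such as '%00 31%'
    can only match on byte boundaries."""
    return " ".join(f"{b:02x}" for b in payload)

def payload_has_signature(payload: bytes) -> bool:
    """All three fragments present: the three AND-ed LIKE clauses."""
    hexdump = payload_to_hex(payload)
    return all(fragment in hexdump for fragment in WCRY_SIGNATURE)

def wcry_flow_payload_fires(flow: dict) -> bool:
    """Every test in BB:WCry Flow Payload: Local to Local context,
    destination port 445, destination payload present, signature found."""
    return (flow.get("flowcontext") == "Local to Local"
            and flow.get("destinationport") == 445
            and bool(flow.get("destinationpayload"))
            and payload_has_signature(flow["destinationpayload"]))

# Constructed flow records (not captured traffic). The matching payload embeds
# the three fragments from the page between filler bytes.
SIGNATURE_PAYLOAD = (bytes.fromhex("00000031") + b"\xffSMB" + bytes(8)
                     + bytes.fromhex("4a6c4a6d4968436c42737200") + bytes(4)
                     + bytes.fromhex("2b000000009807c0"))
FLOW_MATCH = {"flowcontext": "Local to Local", "destinationport": 445,
              "destinationpayload": SIGNATURE_PAYLOAD}
FLOW_PARTIAL = dict(FLOW_MATCH, destinationpayload=bytes.fromhex("00000031") + bytes(16))
FLOW_WRONG_PORT = dict(FLOW_MATCH, destinationport=139)
FLOW_OUTBOUND = dict(FLOW_MATCH, flowcontext="Local to Remote")
```

The looser first query, which filters on '%00 31%' only, still cannot hit a nibble sequence that straddles two bytes (for example the bytes 10 03 1f), because the spaced hex keeps every pair aligned to one byte.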
For more information about Wanna Cry, watch the video at: https://www.youtube.com/watch?v=8W_zH-AsNH8&t=2s