Identify Indicators of Compromise using Endpoint Security

In this installment of the Tips and Insights series, Dan Smithson describes how FireEye technology can be leveraged to identify indicators of compromise from FireEye’s intel pool.

Hello, my name is Dan Smithson and I am a System Engineer with FireEye. Today we are going to review how the FireEye technology can be leveraged to identify indicators of compromise from FireEye’s intel pool. We’re going to start from the main dashboard of the 4.5 version of our Endpoint Security offering. From here you can see that there are a number of hosts that have exploits that have been detected, as well as some other options like malware and other forms of alerts like indicators of compromise. To drill into this to see specifically the alerts, we’re going to click on the alerts view, and we’re going to see a long list of all of the different alerts regardless of which system they’re tied to. For purposes of today’s illustration, we’re going to take a look at the alert types specifically focused on indicators of compromise, which would represent components from our intel pool at FireEye. If I then proceed to click on this option here, you’ll see that it takes me into the details of that victim as well as the other things that occurred on that endpoint, including this specific alert. The intel that was gathered is actually reflected within the details. As I scroll down you will actually see the documents that were found. You will see up on the left side all of the different indicators and attacks that occurred. And if I click on this one here, for instance, you’re going to see we saw suspicious PowerShell command sequences. We saw suspicious access of environment variables by PowerShell. Malicious PowerShell command lines. Potential PowerShell obfuscation attempt detected. Possible PowerShell obfuscation through variable management. As well as PowerShell launched by Microsoft Office applications. These are examples of things that we have seen in terms of the processes, tools, tactics and procedures used by malicious groups out in the wild.

This is an example of how the intel from FireEye is being applied in order to help narrow down the view and simplify your experience. If we drill in further we can take a look at the triage package and we can see all of the detailed information. Here it displays in swim lanes the various subcategories of information that took place. We see some exploits occurred. Processes occurred. Registry keys were changed. As well as files were created and/or destroyed. We can see the specific processes that were alerting against, as well as any descendant or parent processes involved. As we scroll down, you can actually see the specific processes, the registry keys that were created, as well as the specific files themselves that were manipulated. And as you can see, as we go down, each of these data points actually includes an exploits badge. So that allows us to click on it and see the specific details around that. We can also mark that as a false positive, which allows us to improve the quality and efficacy of our alerts. And that’s how you would find FireEye IOCs from our Endpoint Security offering. Thanks for watching. Stay tuned for more tips and insight videos.
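The alert categories Dan reads off the left-hand pane (PowerShell launched by an Office application, suspicious environment-variable access, encoded command lines, obfuscation via variable management) are the kind of behavioural indicators a defender can reproduce against their own process-creation telemetry. The Python below is an added illustration, not part of the video and not FireEye's detection logic: every regex, the `OFFICE_PARENTS` set, the `classify`/`triage` functions and the sample events are constructed assumptions, labelled with the video's category names only so the output lines up with what the dashboard shows.

```python
import re

# Constructed heuristics for the alert categories named in the video. This is an
# added illustration, not FireEye's detection logic; every pattern is an assumption
# a defender would tune against real telemetry before relying on it.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# (indicator name as shown in the video, command-line pattern that triggers it)
RULES = [
    ("Suspicious access of environment variables by PowerShell",
     re.compile(r"\$env:\w+|\[Environment\]::GetEnvironmentVariable", re.I)),
    ("Malicious PowerShell command line",          # base64-encoded command switch
     re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("Potential PowerShell obfuscation attempt detected",   # char casts, joins,
     re.compile(r"\[char\]\s*\d+|-join\b|\w`\w|'\s*\+\s*'", re.I)),  # ticks, concat
    ("Possible PowerShell obfuscation through variable management",
     # assign a string to a variable, then execute the variable's content
     re.compile(r"\$\w+\s*=.*?;.*?(?:iex|invoke-expression|&)\s*\$\w+", re.I | re.S)),
]


def classify(event):
    """Return the indicator names one process-creation event matches (order fixed)."""
    if event["image"].lower() not in POWERSHELL_IMAGES:
        return []
    hits = []
    if event["parent"].lower() in OFFICE_PARENTS:
        hits.append("PowerShell launched by Microsoft Office application")
    for name, pattern in RULES:
        if pattern.search(event["cmdline"]):
            hits.append(name)
    return hits


def triage(events):
    """Group matching events by host, like the per-victim view in the video."""
    by_host = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            by_host.setdefault(ev["host"], []).append((ev["pid"], hits))
    return by_host


# Constructed sample events (not real telemetry); the base64 blob is a placeholder.
SAMPLE_EVENTS = [
    {"host": "ws-finance-07", "pid": 4120, "parent": "WINWORD.EXE",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws-eng-12", "pid": 5310, "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": 'powershell.exe -c "Get-ChildItem $env:TEMP"'},
    {"host": "ws-eng-12", "pid": 5344, "parent": "explorer.exe",
     "image": "pwsh.exe",
     "cmdline": "pwsh.exe -c \"$p='Get-Pro'+'cess'; iex $p\""},
    {"host": "ws-eng-12", "pid": 5360, "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host)
        for pid, hits in findings:
            print(f"  pid {pid}: {', '.join(hits)}")
```

Each hit is a reason a responder can read in the triage view; a single event matching several categories (an Office parent plus an encoded command line, for instance) is stronger evidence than any one rule alone, which is why the function returns every match rather than stopping at the first.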
