How to import File and Certificate Reputations into TIE

Introduction

One of the great things about McAfee Threat Intelligence Exchange (TIE) is that it lets you set your own reputations for files and certificates. These local overrides are tailored to YOUR organization instead of relying solely on global reputation data.

For example, an in-house custom application can be added (and trusted) manually, or the certificate used by your developers can be added.

At the other end of the scale, you can react very quickly to emerging threats by importing reputations you have gathered elsewhere (for example from IOC and STIX files or from a sandbox analyzer) and setting them as known malicious. This process can also be scripted and automated. Below are descriptions of the different import methods provided by TIE.

 

The examples below all show File Reputation imports as they are the most common. All described options also apply to certificate Reputations in the same way.

 

 

Manually Importing a single Reputation

 

TIE gives you an easy and fast way to import a single reputation (probably the method used most often).

Inside ePO, navigate to TIE Reputations >> File Overrides >> Actions >> Import Reputations and then enter your reputation information.

 

01-Single-Import.png

 

 

 

Manually Importing multiple Reputations via XML

 

Inside of ePO you can import file Reputations in bulk via the UI.

Navigate to TIE Reputations >> File Overrides >> Actions >> Import Reputations and then browse to your XML file containing the Reputations

 

02-XML-Import.png

 

Creating the XML File

 

To create your XML file, you need the following elements inside a <TIEReputations> root, one <FileReputation> block per file:

<FileName> = Optional file name

<SHA1Hash> = Required SHA1 hash (hex, written with the 0x prefix as in the example below)

<MD5Hash> = Required MD5 hash (hex, same format)

<ReputationLevel> = Required numeric reputation value (see table below)

<Comment> = Optional comment

 

 

Possible Values for the Reputation Level

 

Reputation setting        Numerical value
Known trusted             99
Most likely trusted       85
Might be trusted          70
Unknown                   50
Might be malicious        30
Most likely malicious     15
Known malicious            1
Not set                    0

 

 

Example XML File

 

 

<?xml version="1.0" encoding="UTF-8"?>
<TIEReputations>
    <FileReputation>
        <FileName>HackIt.exe</FileName>
        <SHA1Hash>0x98AF3632E17677A8A23739F720B1A2F215CB8836</SHA1Hash>
        <MD5Hash>0xDEF30CBEA881149C2AFFDF9A059FB751</MD5Hash>
        <ReputationLevel>15</ReputationLevel>
    </FileReputation>
    <FileReputation>
        <FileName>trayMan.dll</FileName>
        <SHA1Hash>0x7F618396A910908019B5580B4DA9031AF4A433CA</SHA1Hash>
        <MD5Hash>0xB2B3DAE040F6B5AE1DF52B0CD7631A18</MD5Hash>
        <ReputationLevel>15</ReputationLevel>
        <Comment>Comment for ALTTAB</Comment>
    </FileReputation>
    <FileReputation>
        <FileName>cabinet.dll</FileName>
        <SHA1Hash>0x98AF3632E17677A8A23739F720B1A2F215CB8837</SHA1Hash>
        <MD5Hash>0xDEF30CBEA881149C2AFFDF9A059FB759</MD5Hash>
        <ReputationLevel>15</ReputationLevel>
        <Comment>Comment for cabinet.dll</Comment>
    </FileReputation>
    <FileReputation>
        <SHA1Hash>0xD182CF4C0F7550064BAA3A825E86DE8DA1D3290B</SHA1Hash>
        <MD5Hash>0x36060A75D9EDB1AEF0825988C7DD8511</MD5Hash>
        <ReputationLevel>15</ReputationLevel>
        <Comment>Comment for PORTABLEDEVICEAPI</Comment>
    </FileReputation>
    <FileReputation>
        <SHA1Hash>0xCAC3CB1EFE7FD53A9AC2C8825DACCC22EDFDFED7</SHA1Hash>
        <MD5Hash>0xC693E642ACFBDD76433AF6BE3C3EEE6F</MD5Hash>
        <ReputationLevel>15</ReputationLevel>
        <Comment>Comment for PORTABLEDEVICECONNECTAPI</Comment>
    </FileReputation>
</TIEReputations>
 

 

XML File Generator

 

To assist with creating and formatting the XML file, the tie_importer.html file is attached at the bottom of this article. It uses JavaScript running in your local browser (save the file and open it in your preferred browser) to put multiple reputations into the correct XML syntax.
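As an added example (not part of the original article, and independent of the attached tie_importer.html), the following Python script builds the same XML from a list of entries, validating the hash lengths and the reputation values from the sections above before anything is written. The entries and hashes are constructed sample data. ElementTree does the escaping, so a comment containing < or & cannot break the document the way plain string concatenation can.

```python
import re
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Reputation levels as listed in the table above; TIE expects the numeric value.
REPUTATION_LEVELS = {
    "Known trusted": 99,
    "Most likely trusted": 85,
    "Might be trusted": 70,
    "Unknown": 50,
    "Might be malicious": 30,
    "Most likely malicious": 15,
    "Known malicious": 1,
    "Not set": 0,
}

# Constructed sample entries (hypothetical hashes, not real malware).
SAMPLE_ENTRIES = [
    {"name": "HackIt.exe",
     "sha1": "98af3632e17677a8a23739f720b1a2f215cb8836",
     "md5": "def30cbea881149c2affdf9a059fb751",
     "reputation": "Most likely malicious"},
    {"sha1": "0xD182CF4C0F7550064BAA3A825E86DE8DA1D3290B",
     "md5": "0x36060A75D9EDB1AEF0825988C7DD8511",
     "reputation": 1,
     "comment": "Sandbox verdict: known malicious <dropper>"},
]


def _strip_prefix(value):
    """Drop an optional 0x / 0X prefix from a hex string."""
    return value[2:] if value[:2].lower() == "0x" else value


def is_valid_hash(value, hex_len):
    """True if value is exactly hex_len hex digits, with or without a 0x prefix."""
    return re.fullmatch(r"[0-9a-fA-F]{%d}" % hex_len, _strip_prefix(value)) is not None


def normalise_hash(value, hex_len, label):
    """Return the hash in the 0xUPPERCASE form used by the XML import, or raise."""
    value = value.strip()
    if not is_valid_hash(value, hex_len):
        raise ValueError(f"{label}: expected {hex_len} hex digits, got {value!r}")
    return "0x" + _strip_prefix(value).upper()


def reputation_value(rep):
    """Accept a level name from the table or its numeric value; reject anything else."""
    if isinstance(rep, str) and rep in REPUTATION_LEVELS:
        return REPUTATION_LEVELS[rep]
    value = int(rep)
    if value not in REPUTATION_LEVELS.values():
        raise ValueError(f"{value} is not one of the defined reputation levels")
    return value


def build_reputation_xml(entries):
    """Serialise entries (dicts with sha1, md5, reputation and optional name/comment)
    into the TIEReputations/FileReputation XML accepted by the bulk import."""
    root = ET.Element("TIEReputations")
    for entry in entries:
        rep = ET.SubElement(root, "FileReputation")
        if entry.get("name"):
            ET.SubElement(rep, "FileName").text = entry["name"]
        ET.SubElement(rep, "SHA1Hash").text = normalise_hash(entry["sha1"], 40, "SHA1Hash")
        ET.SubElement(rep, "MD5Hash").text = normalise_hash(entry["md5"], 32, "MD5Hash")
        ET.SubElement(rep, "ReputationLevel").text = str(reputation_value(entry["reputation"]))
        if entry.get("comment"):
            ET.SubElement(rep, "Comment").text = entry["comment"]
    # ElementTree escapes <, > and & in names and comments; minidom adds the
    # declaration and indentation so the file looks like the example above.
    compact = ET.tostring(root, encoding="unicode")
    pretty = minidom.parseString(compact).toprettyxml(indent="    ", encoding="UTF-8")
    return pretty.decode("utf-8")


if __name__ == "__main__":
    print(build_reputation_xml(SAMPLE_ENTRIES))
```

Redirect the output to a file and import it through TIE Reputations >> File Overrides >> Actions >> Import Reputations as described above. Rejecting malformed hashes and unknown reputation values before the import keeps a typo from silently producing an override for a hash that matches nothing.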

 

04-tie_importer.png

 

 

 

Importing Reputations via the ePO web API

 

The ePO web API allows automated and scripted approaches to setting reputations. For example, the McAfee SIEM could use this API to import file reputations into TIE automatically via a script (see the Python example below).

More details about the ePO web API can be found in the McAfee ePO Web Scripting Guide.

The command used to set TIE reputations via the API is tie.setReputations [fileReps] [certReps]

This command takes file and/or certificate reputation information as parameters. For automation, use a dedicated ePO account that has only the rights needed to change TIE reputations rather than a full administrator account.

The parameters need to be formatted as a JSON string. As in the XML import, the sha1, md5 and reputation level are required fields.

Note that the sha1 and md5 values are the base64 encoding of the raw hash bytes, not the hex strings used in the manual import examples above. In the Python example below, each hex string is first converted to its binary value, and that binary value is then base64 encoded and submitted.

 

JSON fields:

name: Optional file name

sha1: Required base64 encoded sha1 hash

md5: Required base64 encoded md5 hash

reputation: Required reputation as numeric value (see table above)

comment: Optional comment

 

Example JSON string of file reputation(s):

[{"sha1":"kioq8sbc2dlBtbZQqYiQCSDJ7KU=","md5":"S1w4yxbZvfoMy+yoRkzcQQ==","reputation":"1","comment":"Test Comment","name":"test.exe"}]

 

Multiple reputations can be imported in one call by placing several JSON objects in the array, separated by commas.

Example 2: JSON string with two file reputations combined:

[{"sha1":"frATnSF1c5s8yw0REAZ4IL5qvSk=","md5":"8se7isyX+S6Yei1Ah9AhsQ==","reputation":"99"},{"sha1":"d3HtjhR0Eb3qN6c+vVxeqVVe0t4=","md5":"V+0uApv5yjk4PSpnHvT7UA==","reputation":"99"}]
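An added example, not from the original article: it reads an XML file in the bulk-import format described above and turns it into the fileReps JSON array that tie.setReputations takes, performing the hex-to-base64 conversion described in the note above and checking that each SHA1 decodes to 20 bytes and each MD5 to 16. The XML content is a constructed sample; the ePO call itself is not made here.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Constructed sample in the format of the manual XML import above (hypothetical hashes).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TIEReputations>
    <FileReputation>
        <FileName>HackIt.exe</FileName>
        <SHA1Hash>0x98AF3632E17677A8A23739F720B1A2F215CB8836</SHA1Hash>
        <MD5Hash>0xDEF30CBEA881149C2AFFDF9A059FB751</MD5Hash>
        <ReputationLevel>15</ReputationLevel>
    </FileReputation>
    <FileReputation>
        <SHA1Hash>0xD182CF4C0F7550064BAA3A825E86DE8DA1D3290B</SHA1Hash>
        <MD5Hash>0x36060A75D9EDB1AEF0825988C7DD8511</MD5Hash>
        <ReputationLevel>1</ReputationLevel>
        <Comment>Comment for PORTABLEDEVICEAPI</Comment>
    </FileReputation>
</TIEReputations>
"""

SHA1_LEN, MD5_LEN = 20, 16  # raw digest sizes in bytes


def hex_to_b64(hex_hash, expected_len):
    """Hex digest (with or without 0x) -> base64 of the raw bytes, as the web API wants it."""
    digits = hex_hash.strip()
    if digits[:2].lower() == "0x":
        digits = digits[2:]
    raw = bytes.fromhex(digits)  # raises ValueError on non-hex input
    if len(raw) != expected_len:
        raise ValueError(f"expected a {expected_len}-byte digest, got {len(raw)} bytes")
    return base64.b64encode(raw).decode("ascii")


def b64_to_hex(b64_hash):
    """Inverse: decode an API-style hash back to lowercase hex for logging or comparison."""
    return base64.b64decode(b64_hash, validate=True).hex()


def xml_to_file_reps(xml_text):
    """Parse a TIEReputations document into the list of dicts the fileReps parameter takes."""
    root = ET.fromstring(xml_text)
    reps = []
    for node in root.findall("FileReputation"):
        sha1 = node.findtext("SHA1Hash")
        md5 = node.findtext("MD5Hash")
        level = node.findtext("ReputationLevel")
        if not (sha1 and md5 and level):
            raise ValueError("SHA1Hash, MD5Hash and ReputationLevel are required")
        rep = {
            "sha1": hex_to_b64(sha1, SHA1_LEN),
            "md5": hex_to_b64(md5, MD5_LEN),
            "reputation": level.strip(),
        }
        if node.findtext("FileName"):
            rep["name"] = node.findtext("FileName")
        if node.findtext("Comment"):
            rep["comment"] = node.findtext("Comment")
        reps.append(rep)
    return reps


def file_reps_payload(reps):
    """json.dumps handles quoting and escaping of names/comments; hand concatenation does not."""
    return json.dumps(reps, separators=(",", ":"))


if __name__ == "__main__":
    payload = file_reps_payload(xml_to_file_reps(SAMPLE_XML))
    print(payload)
    # With an ePO client object `mc` (see the Python script in this article):
    # mc.tie.setReputations(payload)
```

The length check matters because base64 accepts any byte string: a truncated or mistyped hex hash would still encode cleanly and be accepted as an override for a value that never matches a real file.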

 

 

 

Python Example Script

 

 

 

import base64
import sys

import mcafee  # ePO web API Python client (mcafee.py, downloaded from the ePO server; use a Python 3 build)

ePOIP = '10.10.55.23'
ePOUser = 'admin'
ePOUserPwd = 'MyPassword'  # better: read from an environment variable or vault, and use a dedicated least-privilege account

reputation = '1'

#Possible Reputation Values (Need to provide numeric value)
#Known trusted          99
#Most likely trusted    85
#Might be trusted       70
#Unknown                50
#Might be malicious     30
#Most likely malicious  15
#Known malicious        1
#Not set                0

if len(sys.argv) != 3:
    sys.exit('Usage: python addTieReputation.py <sha1hash> <md5hash>   (hex digits, no 0x prefix)')

sha1input = sys.argv[1]
md5input = sys.argv[2]

mc = mcafee.client(ePOIP, '8443', ePOUser, ePOUserPwd, 'https', 'json')

# The API wants the raw digest bytes base64 encoded: hex string -> bytes -> base64.
# (Python 3: bytes.fromhex replaces the Python 2 str.decode('hex') form.)
sha1raw = bytes.fromhex(sha1input)
md5raw = bytes.fromhex(md5input)
if len(sha1raw) != 20 or len(md5raw) != 16:
    sys.exit('sha1 must be 40 hex digits and md5 must be 32 hex digits')

sha1base64 = base64.b64encode(sha1raw).decode('ascii')
md5base64 = base64.b64encode(md5raw).decode('ascii')

repString = '[{"sha1":"' + sha1base64 + '","md5":"' + md5base64 + '","reputation":"' + reputation + '"}]'

print('Adding to TIE Server: ' + repString)

mc.tie.setReputations(repString)
 

 

Usage: python addTieReputation.py <sha1hash> <md5hash>

 

03-python-example.png

 

 

 

Other useful tools

 

Especially during PoC and testing, you often need a quick way to get the SHA1 and MD5 hashes required for the imports above. There are many hash tools out there (a simple Google search will give you plenty of options), and the standard OS tools do it without installing anything: sha1sum and md5sum on Linux (shasum and md5 on macOS), certutil -hashfile <file> SHA1 (or MD5) on Windows, or Get-FileHash -Algorithm SHA1 in PowerShell. If you need something right now, here is an online tool that does the trick (not endorsed in any way!): Online MD5|SHA1 Hash Generator For File And Text. Keep in mind that uploading a sample to an online service hands a copy of it (possibly confidential, possibly malware you are investigating) to a third party, so prefer local tools for anything sensitive.
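Added example, not from the original article: hashing locally with Python's hashlib avoids uploading the file anywhere, computes both digests in one pass over the file, and prints each in the two spellings the imports above use (0x-prefixed uppercase hex for the XML import, base64 of the raw bytes for the web API). File paths come from the command line; the byte-string inputs used with hash_bytes are constructed test data.

```python
import base64
import hashlib
import io
import sys


def hash_stream(stream, chunk_size=1 << 16):
    """One pass over a binary stream, computing both digests TIE needs.
    Chunked reads keep memory flat for large installers or disk images."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_file(path):
    """Hash a file on disk."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def hash_bytes(data):
    """Hash an in-memory byte string (used here with constructed test input)."""
    return hash_stream(io.BytesIO(data))


def tie_forms(digests):
    """Both spellings TIE uses: 0xUPPER hex for the XML import, base64 raw bytes for the web API."""
    return {
        algo: {
            "hex": hexdigest,
            "xml": "0x" + hexdigest.upper(),
            "api": base64.b64encode(bytes.fromhex(hexdigest)).decode("ascii"),
        }
        for algo, hexdigest in digests.items()
    }


if __name__ == "__main__":
    for path in sys.argv[1:]:
        forms = tie_forms(hash_file(path))
        print(path)
        for algo in ("sha1", "md5"):
            print(f"  {algo}: xml={forms[algo]['xml']}  api={forms[algo]['api']}")
```

Usage: python hashfortie.py <file> [<file> ...]. On a FIPS-enabled host hashlib.md5() may refuse to run; Python 3.9 and later accept hashlib.md5(usedforsecurity=False) for this non-security use of MD5.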

 

 


Revision 2 of 2, last update: 03-15-2018 01:22 PM