cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Highlighted
jrybicki
jrybicki
Level 8
Report Inappropriate Content
Message 1 of 2
‎08-23-2018 10:39 AM

McAfee ESM and ePO TIE Hash Values

I just found something totally ridiculous in the SIEM and figured I'd share it.  I was looking at events in the SIEM from ePO and noticed the sha1 and sha256 file hashes provided from ePO (mainly from TIE) have a 0x in the front of every value because it is a hexadecimal. Unfortunately, normal STIX feeds along with other data sources (like Cisco Firepower) do not normally have a 0x in front of their values, making correlation impossible without customizing the parser to add a 0x in the sha1 and sha256 fields. Further complicating matters.... ePO events show sha values in mixed or lower case.  In feeds like US-CERT, the values imported via the ESM Cyber Threat Feed feature, STIX or TAXII values are provided (without the 0x) and tend to be in upper case.  I just tested attempting to find a TIE hash after converting a known TIE file sha1 hash into upper case and failed to find it in the ESM (because the search is case sensative).
 
This is a big problem because I have several correlation rules looking for hash vales for things like HIDDEN COBRA files, and this effectivly breaks those rules since there is no way in a correlation rule to make things case insensative!

Now we have three issues:
 
  1. Any BackTrace would miss SHA256 and SHA1 values provided by ePO because they would not have a 0x in the SHA256 or SHA1 fields
  2. If TIE were to see something like a defined HIDDEN COBRA hash, it wouldnt cause the correlation rule to alert because the values defined in the watchlist dont have a 0x in them
  3. Other data sources like a Cisco Firepower IPS (which also displays sha256 values but not in the correct field!) would not properly correlate with TIE events because it doesnt have a 0x in the hash value
     
    In order to fix the issue I have to:

    1. Alter the Firepower Parser to place the SHA256 value in the SHA256 field
    2. Alter the FIrepower Parser to append a 0x before the SHA256 value in the SHA256 filed
    3. Alter all of the values in my various SHA256 and SHA1 watchlists to have a 0x before each line item
    4. Convert all of the values in the SHA256 and SHA1 watchlists to lowercase 
    5. Hope that all SHA256 and SHA1 values provided by my data sources (including ePO) are in lowercase
2 people had this problem.
Reply
1 Reply
kmc
kmc
Level 12
Report Inappropriate Content
Message 2 of 2
‎09-23-2018 11:11 PM

Re: McAfee ESM and ePO TIE Hash Values

Hi @jrybicki

Have you got solution parcer to convert it into lower case?

0 Kudos
Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator