ESET Online Help


APT IoC feed

The APT feed consists of information about Advanced Persistent Threats that is the outcome of ESET research. The feed is an export from the ESET internal MISP server. All the data that is shared is also explained in more detail in the APT reports. The APT feed is part of the APT reports offering; however, the feed can also be purchased separately.

JSON

Below is a snippet of an APT feed in JSON format.

STIX 2.0

Standard STIX2 export from MISP.

File is the main IoC, and all the other objects are connected to it. The attributes currently used for this indicator are:

• Filename

• MD5, SHA1 and SHA256 file hashes (IDS flag) as the main IoCs

• Comment

Detected as gives information about what ESET detects the object as. In some cases there can be multiple detections. Available attributes are:

• Software (always ESET)

• Signature (IDS flag) as the main IoC

Includes gives additional information, which is not always present. Available attributes are:

• PE file, Mach-O file or ELF file

• Type of file indication

• Compilation date

• Imphash

• Potentially additional metadata

Connected to objects provide additional information about the network infrastructure and its IoCs. Each of the objects (URL, domain, IP) can be present separately or all at the same time.

• URL

    - URL (IDS flag) as the main IoC

    - Scheme

    - Query string

    - Resource path

    - Port

    - Comment

• Domain

    - Domain as the main IoC

    - Comment

• IP

    - IP address as the main IoC

    - Comment

Dropped by file object is only sometimes available. It is present if the given main file also drops or downloads an additional file. Available attributes are:

• Filename

• MD5, SHA1 and SHA256 file hashes (IDS flag) as the main IoCs

• Comment

Downloaded from URL object, together with its accompanying objects, is only sometimes available. It is present if there is a trace of the URL from which the given file was downloaded. Available attributes are:

• URL

    - URL (IDS flag) as the main IoC

    - Scheme

    - Query string

    - Resource path

    - Port

    - Comment

• Domain

    - Domain as the main IoC

    - Comment

• IP

    - IP address as the main IoC

    - Comment
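The object model above (a main file object whose related objects hang off it via detected-as, includes, connected-to, dropped-by and downloaded-from references) is what a consumer has to walk before the feed can drive detection. The following is an added example, not ESET's or MISP's own code: it flattens one event into a list of IDS-flagged IoCs, each tagged with the object it came from and its relationship to the main file. It assumes the field names of MISP's event JSON export (Event/Object/Attribute/ObjectReference, to_ids, object_relation, relationship_type), that a dropped file references the main file with "dropped-by" while the main file references its other related objects, and uses a constructed sample with fake placeholder values.

```python
import json

# Constructed sample in the layout of a MISP event export (assumed field names:
# Event/Object/Attribute/ObjectReference, to_ids, object_relation, relationship_type).
# Every hash, URL and signature below is a fake placeholder, not a real indicator.
SAMPLE_EVENT = json.loads("""{"Event": {"Object": [
 {"uuid": "f1", "name": "file", "Attribute": [
   {"object_relation": "filename", "value": "update.exe", "to_ids": false},
   {"object_relation": "sha256", "value": "<fake-sha256>", "to_ids": true},
   {"object_relation": "md5", "value": "<fake-md5>", "to_ids": true}],
  "ObjectReference": [
   {"relationship_type": "detected-as", "referenced_uuid": "s1"},
   {"relationship_type": "connected-to", "referenced_uuid": "u1"}]},
 {"uuid": "s1", "name": "av-signature", "Attribute": [
   {"object_relation": "software", "value": "ESET", "to_ids": false},
   {"object_relation": "signature", "value": "Win32/Fake.A", "to_ids": true}]},
 {"uuid": "u1", "name": "url", "Attribute": [
   {"object_relation": "url", "value": "http://example.invalid/x", "to_ids": true},
   {"object_relation": "port", "value": "80", "to_ids": false}]},
 {"uuid": "f2", "name": "file", "Attribute": [
   {"object_relation": "sha1", "value": "<fake-sha1>", "to_ids": true}],
  "ObjectReference": [{"relationship_type": "dropped-by", "referenced_uuid": "f1"}]}
]}}""")

# Attribute roles the help page names as main IoCs (to_ids is MISP's "IDS flag").
MAIN_IOC_RELATIONS = {"md5", "sha1", "sha256", "signature", "url", "domain", "ip"}

def extract_iocs(event):
    """Return to_ids attributes as flat IoCs, each tagged with its source object
    and how that object relates to the main file object."""
    objects = {o["uuid"]: o for o in event["Event"]["Object"]}
    context = {}  # object uuid -> relationship labels
    for obj in objects.values():
        for ref in obj.get("ObjectReference", []):
            rel, target = ref["relationship_type"], ref["referenced_uuid"]
            if rel == "dropped-by":   # the dropped file references the main file
                context.setdefault(obj["uuid"], set()).add(rel)
            elif target in objects:   # main file references detected-as/includes/... objects
                context.setdefault(target, set()).add(rel)
    iocs = []
    for uuid, obj in objects.items():
        rels = sorted(context.get(uuid, {"main"}))
        for attr in obj["Attribute"]:
            if attr.get("to_ids") and attr["object_relation"] in MAIN_IOC_RELATIONS:
                iocs.append({"value": attr["value"], "kind": attr["object_relation"],
                             "object": obj["name"], "relation": rels})
    return iocs
```

Attributes without the IDS flag (filename, port, software) are deliberately left out of the detection list; they remain in the event as context only.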