APT IoC feed
The APT feed consists of information about Advanced Persistent Threats (APTs) resulting from ESET research. It is an export from the ESET internal MISP server. All shared data are also explained in more detail in the APT reports. The APT feed is part of the APT reports offering; however, it can also be purchased separately.
JSON
Below is a snippet of an APT feed in JSON format.
{
  "Attribute": [
    {
      "Galaxy": [],
      "ShadowAttribute": [],
      "category": "Network activity",
      "comment": "",
      "deleted": false,
      "disable_correlation": false,
      "distribution": "5",
      "event_id": "282",
      "first_seen": "2022-01-28T08:42:57.000000+00:00",
      "id": "143094",
      "last_seen": null,
      "object_id": "59977",
      "object_relation": "domain",
      "sharing_group_id": "0",
      "timestamp": "1643710782",
      "to_ids": false,
      "type": "domain",
      "uuid": "21b993a3-fd4a-4ab1-8a3f-1f5d45db7577",
      "value": "corolain.ru"
    }
  ],
  "ObjectReference": [],
  "comment": "",
  "deleted": false,
  "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
  "distribution": "5",
  "event_id": "282",
  "first_seen": "2022-01-25T14:11:03.000000+00:00",
  "id": "59977",
  "last_seen": null,
  "meta-category": "network",
  "name": "domain-ip",
  "sharing_group_id": "0",
  "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
  "template_version": "10",
  "timestamp": "1643730789",
  "uuid": "a9e5bc0d-eb8f-455d-8e62-c3930fa2447d"
}
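The following Python example is added here and is not ESET's or MISP's own code. It shows how a feed consumer would walk a MISP event in this JSON layout, collecting attributes both at event level and inside Objects such as domain-ip, and keeping only non-deleted attributes whose IDS flag (to_ids) is set as detection-grade indicators; the event content is constructed for the example, and the set of actionable attribute types is an assumption.

```python
import json

# Constructed sample MISP event modelled on the feed snippet above; all values are invented.
SAMPLE_EVENT = json.dumps({"Event": {
    "id": "282", "info": "constructed sample event",
    "Attribute": [
        {"type": "sha256", "category": "Payload delivery", "to_ids": True,
         "deleted": False, "value": "a" * 64}],
    "Object": [
        {"name": "domain-ip", "meta-category": "network", "Attribute": [
            {"type": "domain", "object_relation": "domain", "to_ids": False,
             "deleted": False, "value": "lookup.example"},
            {"type": "ip-dst", "object_relation": "ip", "to_ids": True,
             "deleted": False, "value": "192.0.2.10"}]},
        {"name": "file", "meta-category": "file", "Attribute": [
            {"type": "md5", "object_relation": "md5", "to_ids": True,
             "deleted": False, "value": "d41d8cd98f00b204e9800998ecf8427e"},
            {"type": "filename", "object_relation": "filename", "to_ids": False,
             "deleted": False, "value": "update.exe"},
            {"type": "sha1", "object_relation": "sha1", "to_ids": True,
             "deleted": True, "value": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}]}]}})

# Assumption: the attribute types this consumer is willing to turn into detection rules.
ACTIONABLE_TYPES = {"domain", "hostname", "ip-dst", "ip-src", "url", "md5", "sha1", "sha256"}


def iter_attributes(event):
    """Yield every attribute of a MISP event: top-level ones and those nested in Objects."""
    ev = event.get("Event", event)  # accept both {"Event": {...}} and a bare event dict
    yield from ev.get("Attribute", [])
    for obj in ev.get("Object", []):
        yield from obj.get("Attribute", [])


def extract_iocs(raw_json):
    """Split a MISP event (JSON text) into 'detect' and 'context' indicators keyed by type.

    Only attributes that are not deleted and carry the IDS flag (to_ids) become detection
    indicators; the rest (e.g. a domain flagged to_ids=false, as in the snippet above) is
    kept as context so an analyst can still pivot on it without blocking it."""
    detect, context = {}, {}
    for attr in iter_attributes(json.loads(raw_json)):
        if attr.get("deleted") or attr.get("type") not in ACTIONABLE_TYPES:
            continue
        bucket = detect if attr.get("to_ids") else context
        bucket.setdefault(attr["type"], set()).add(attr["value"])
    return {"detect": detect, "context": context}
```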
STIX 2.0
The STIX 2.0 feed is the standard STIX 2 export from MISP. Its objects are structured as follows.
• File is the main IoC, and all the other objects are connected to it. The attributes currently used for this indicator are:
  o Filename
  o MD5, SHA1 and SHA256 file hashes (IDS flag) as main IoCs
  o Comment
• Detected as gives the name under which ESET detects the object. In some cases there can be multiple detections. Available attributes are:
  o Software (always ESET)
  o Signature (IDS flag) as main IoC
• Includes gives additional information, which is not always present. Available attributes are:
  o PE, Mach-O or ELF file
  o Type of file indication
  o Compilation date
  o Imphash
  o Potentially additional metadata
• Connected to objects carry additional network IoCs. Each of the objects (URL, domain, IP) can be present on its own, or all of them can be present at the same time.
  o URL
    ▪ URL (IDS flag) as main IoC
    ▪ Scheme
    ▪ Query string
    ▪ Resource path
    ▪ Port
    ▪ Comment
  o Domain
    ▪ Domain as main IoC
    ▪ Comment
  o IP
    ▪ IP address as main IoC
    ▪ Comment
• Dropped by file object is only sometimes available: it is present if the given main file also drops or downloads an additional file. Available attributes are:
  o Filename
  o MD5, SHA1 and SHA256 file hashes (IDS flag) as main IoCs
  o Comment
• Downloaded from URL object, with its accompanying objects, is only sometimes available: it is present if there is a trace of the URL from which the given file was downloaded. Available attributes are:
  o URL
    ▪ URL (IDS flag) as main IoC
    ▪ Scheme
    ▪ Query string
    ▪ Resource path
    ▪ Port
    ▪ Comment
  o Domain
    ▪ Domain as main IoC
    ▪ Comment
  o IP
    ▪ IP address as main IoC
    ▪ Comment