The updated release of IOC Editor has been a long time coming, but it is well worth the upgrade. There have always been grumblings about IOC Editor, but lately those grumblings have been growing louder. The noise eventually got so loud that even my noise canceling headphones couldn't silence it. I could have just turned up the music a little more, but instead I decided to grab the code and fix some of the issues once and for all.
Some of the changes to IOC Editor were minor (Ctrl-X no longer exits the program), some were major (check out the new Properties panel where commenting per IndicatorItem is now available), and of course I discovered some bugs that I didn't even know existed (No, I didn't cause them with my other changes). Long story short, there are a lot of new features and improvements in this version.
Make sure you pay attention to what's different and any messages that pop-up as the wording and options may have changed.
In this blog post, I am going to touch on a couple of new features and improvements. If you would like to see the full list, please check-out the release notes. Fair warning, there is a lot to read as I did get a bit fix happy.
Some of the New:
This is still a bit of a work in progress, but there is now a place to set some of the defaults for IOC Editor.
Figure 1 shows the preferences that are currently available in the options dialog. You can set the default author (we typically use the e-mail address to identify the author), and set whether you want to warn on Deleting or Pruning.
Now before we go too far, let me quickly discuss the difference between deleting and pruning:
Deleting will only delete the selected item, whether it's an individual item, or a logic item (AND, OR). If you delete a logic item, the items that are below it will be bumped up a level.
Figure 2 shows what the Indicator of Compromise (IOC) looks like before deleting the AND. Figure 3 shows what the IOC looks like after deleting the AND. Notice that the items that were under the AND were moved up a level and are now under the top OR.
There is no problem with this IOC, but what happens if you were to delete the AND in the following IOC?
If you delete the AND that is shown in Figure 4, you will end up with the "File Name is not good_file.exe" under the top OR. If you were to search your enterprise for all files that were not "good_file.exe", that would be very, very bad.
Now, onto pruning. The Prune option is only available for logic items (ANDs and ORs) and will remove the entire logic branch.
Going back to the example shown in Figure 4, if you Prune the selected AND, the AND, in addition to all items under it, will be deleted.
You can see in Figure 5 that the only items that remain were directly under the top OR.
Now that we have that cleared up, let's continue with the rest of the cool new stuff in IOC Editor.
Everybody loves keyboard shortcuts; the less we have to type-out, the better. With that in mind, I've gone through and added shortcuts where appropriate. Below is a list of the shortcuts currently available in the editor:
Add Buttons (AND, OR, Item)
The buttons to add an AND, OR, or Item have been moved to a menu bar above the definition area. This takes up less space and allows for future expansion.
If you just click the button, the "Item" button remembers what you recently added. It also has a drop down with a list of terms (same as right-clicking in the definition area and selecting "Add Item.")
The properties panel is an area to the right of the definition area that will show all pertinent details of the selected item. By default, the properties panel is not shown. To display it, either click the button or use the Ctrl+P keyboard shortcut.
For those who have used Visual Studio before, the properties panel will look very familiar.
Figure 7 shows the details that are given for a selected item. Not all of the items are editable from here, but it at least gives you a view into what's going on behind-the-scenes.
You can also edit/add comments for the item. With this upgrade, you can add a comment to individual items, such as an MD5, that lets someone know what file it actually goes with.
In addition to the new features, there were a number of improvements (aka bug fixes).
Unsaved Changes Warning
An important change was the rewording of the unsaved changes dialog box that better aligns with other standard Windows applications.
NOTE: Read this carefully as this has changed from the previous version of IOC Editor.
Figure 8 shows the new wording presented when exiting IOC Editor with unsaved changes.
- Yes - saves changes and exits
- No - does not save changes and exits
- Cancel - cancels the exit process and does not save changes
The Description field has been tweaked a bit, and now allows for proper display of carriage returns and tabs. You now don't have to deal with descriptions that look like this:
"This malware is evil⌷Why would anyone have this⌷Report Immediately"
Too Many More
As I stated earlier in this post, I went a little bug fix crazy. If you're interested in a full list of bug fixes, please click here.
There are still plenty of other features and enhancements that I would like to make to IOC Editor, such as ioc_lint integration, additional options, etc. I'm also looking forward to your feedback on the current updates/additions.