mandiant / sunburst_countermeasures

BSD 2-Clause "Simplified" License
561 stars, 201 forks

Cannot Open IOCs in FireEYE or Mandiant IOCe #2

Closed DARTHRATER closed 3 years ago

DARTHRATER commented 3 years ago

Mandiant gives the error "unencapsulated OpenIOC format". Redline tells me the IOCs are malformed.

matthewdunwoody commented 3 years ago

Hi,

These IOC files are OpenIOC 1.1 real-time indicators. To work with them, you will need two things:

1. The OpenIOC 1.1 Editor: https://fireeye.market/apps/211404
2. The eventitem IOC terms: https://github.com/mandiant/OpenIOC_1.1/blob/master/iocterms/eventitem.iocterms

Install the 1.1 editor and copy the eventitem.iocterms file to: Program Files (x86)\Mandiant\Mandiant IOCe for OpenIOC-1.1\Configuration\IOCTerms\

You should then be set to open and update the files.

If you are a FireEye Endpoint customer, you can also use these scripts in conjunction with the IOCs:

1. Run in Enterprise Search: https://fireeye.market/apps/234555
2. Add detection to FireEye Endpoint Security: https://fireeye.market/apps/234559

They also have some support in HXTool: https://fireeye.market/apps/294693

Redline does not support OpenIOC 1.1, so you would need to recreate similar rules in the 1.0 editor in order to use them in Redline (https://fireeye.market/apps/238651).
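The reply above hinges on two facts a reader cannot see from the editor's error alone: which OpenIOC generation a file uses, and whether it references real-time (event) terms that only exist once eventitem.iocterms is installed. The script below is an added example, not code from the sunburst_countermeasures repository or from the commenters; it parses an OpenIOC document with the standard library, reports the schema version from the root namespace, and lists the indicator terms and document types it uses. The namespace URIs for OpenIOC 1.0 and 1.1, the `eventItem` document name, and the `dnsLookupEvent/hostname` term in the embedded sample are assumptions about the format rather than values taken from this page, and the sample indicator itself is constructed.

```python
"""Triage an OpenIOC file before loading it into an editor (added example).

Reports whether the file is OpenIOC 1.0 or 1.1 (judged by the XML namespace)
and which indicator terms it uses, so you can tell in advance whether the 1.1
editor and the eventitem.iocterms file are needed, or whether Redline (1.0 only)
can open it.
"""
import xml.etree.ElementTree as ET

# Assumed namespace URIs for the two OpenIOC schema generations.
OPENIOC_NS = {
    "http://openioc.org/schemas/OpenIOC_1.1": "1.1",
    "http://schemas.mandiant.com/2010/ioc": "1.0",
}

# Constructed sample: a minimal OpenIOC 1.1 document with one file-system term
# and one real-time (event) term. The eventItem document name and the
# dnsLookupEvent/hostname term are assumptions, not copied from the repository.
SAMPLE_IOC = """<?xml version="1.0" encoding="utf-8"?>
<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1"
         id="00000000-0000-0000-0000-000000000000"
         last-modified="2020-12-13T00:00:00">
  <metadata>
    <short_description>Constructed sample indicator</short_description>
    <authored_by>example</authored_by>
  </metadata>
  <criteria>
    <Indicator operator="OR" id="11111111-1111-1111-1111-111111111111">
      <IndicatorItem id="22222222-2222-2222-2222-222222222222" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">example.dll</Content>
      </IndicatorItem>
      <IndicatorItem id="33333333-3333-3333-3333-333333333333" condition="contains">
        <Context document="eventItem" search="dnsLookupEvent/hostname" type="mir"/>
        <Content type="string">example.invalid</Content>
      </IndicatorItem>
    </Indicator>
  </criteria>
</OpenIOC>
"""


def namespace_of(tag):
    """Return the namespace URI of an ElementTree tag written as '{uri}local'."""
    if tag.startswith("{"):
        return tag[1:].split("}", 1)[0]
    return ""


def triage_openioc(xml_text):
    """Return (version, sorted search terms, sorted document names).

    version is '1.0', '1.1' or 'unknown'; terms are the Context/@search values,
    which are exactly what an editor must resolve against its installed iocterms.
    """
    root = ET.fromstring(xml_text)
    ns = namespace_of(root.tag)
    version = OPENIOC_NS.get(ns, "unknown")
    context_tag = "{%s}Context" % ns if ns else "Context"
    terms, documents = set(), set()
    for ctx in root.iter(context_tag):
        if ctx.get("search"):
            terms.add(ctx.get("search"))
        if ctx.get("document"):
            documents.add(ctx.get("document"))
    return version, sorted(terms), sorted(documents)


def needs_eventitem_terms(documents):
    """True when any indicator item is a real-time (eventItem) term, meaning the
    1.1 editor must have eventitem.iocterms installed to open the file."""
    return any(d.lower() == "eventitem" for d in documents)


if __name__ == "__main__":
    version, terms, documents = triage_openioc(SAMPLE_IOC)
    print("OpenIOC version:", version)
    print("documents:", ", ".join(documents))
    print("terms:", ", ".join(terms))
    if version == "1.1":
        print("Redline cannot open this file; use the OpenIOC 1.1 editor.")
    if needs_eventitem_terms(documents):
        print("Install eventitem.iocterms into the 1.1 editor's IOCTerms folder first.")
```

Run it against a real file by replacing `SAMPLE_IOC` with the file's contents; a result of `unknown` means the root element is not in either OpenIOC namespace, which is the kind of file an editor would reasonably reject as malformed rather than as a version mismatch.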

DARTHRATER commented 3 years ago

Thank you.