These real-time IOCs are designed to supplement FireEye Endpoint Security’s production indicators, for environment-specific detection and testing, like tests based on MITRE’s ATT&CK framework. Most of these IOCs will require substantial tuning to use in a production environment, as they will alert on legitimate activity. Some IOCs may work well, depending on the practices of the organization, for instance the sdelete and psexec IOCs. These IOCs should be used as examples, starting points for tuning, or for testing. They should not be bulk uploaded to a production controller, as is.
These IOCs should be viewed and edited using the OpenIOC 1.1 Editor (v3.1.4 and above).
These IOCs can be uploaded to the FireEye Endpoint Security controller using an API tool such as the Endpoint Security IOC Uploader. They can also be used with Enterprise Search, using HXTool, or the IOC Enterprise Search Script (v1.1.0 or above).