Indicators of Compromise

Top 15 IoCs

Below are the Top 15 Indicators of Compromise from DarkReading that I’ve compressed as a quick reference guide.

1. Unusual Outbound Network Traffic
   • analyse traffic leaving the perimeter
   • compromised systems often call home to C2
2. Anomolies in Privileged User Account Activity
   • keep an eye on unusual account behaviour
   • accounts with new/unauthorised privs/perms
3. Geographical Irregularities
   • logins/access patterns
   • account logging in from multiple IPs in a short period of time
   • geolocation tagging
4. Other Login Red Flags
   • failed logins for accounts that don’t exist
   • consecutive failed logins
   • account lockouts
   • logins after hours
5. Swells in Database Read Volume
   • attacker has access and is looking for the crown jules
   • successful SQLi
6. HTML Response Sizes
   • much larger than normal response
   • may indcate successful file disclosure, RCE, SQLi etc.
7. Large Numbers of Requests for the Same File
   • attacker trying different web payloads/manipulating requests
   • Suspicious to pages like login.php, join.php etc.
8. Mismatched Port-Application Traffic
   • attackers take advantage of obscure ports to bypass web filtering
   • C2 traffic can be masquerading as normal application behaviour
   • DNS requests over port 80 etc.
9. Suspicious Registry or System File Changes
   • establishing persistance through registry changes
   • changes in system files/configurations
   • create a baseline when dealing with registry based IoCs
10. DNS Request Anomalies
    • C2 traffic and DNS exfil can be very loud
    • spike in DNS requests from a specific host
    • patterns of DNS requests to external hosts
    • compare against geoIP and IP reputation data
11. Unexpected Patching of Systems
    • attacker locking down a system so others can’t pwn
12. Mobile Device Profile Changes
    • unusual changes to mobile users’ device settings
    • watch for replacements of normal apps
    • new configuration profiles
    • mitm, social engineering, etc.
13. Bundles of Data in the Wrong Places
    • attackers aggregate data at collection points
    • exfil data from system at these collection points
    • files in unusual locations should be scrutinized
14. Web Traffic with Unhuman Behaviour
    • 20-30 browser windows open simultaneously
    • click-fraud malware families may generate noisy volumes of web traffic in short bursts.
15. Sings of DDoS Activity
    • DDoS used as smokescreens to camouflage other attacks.
    • Signs of DDoS
      • slow network performance
      • unavailability of websites
      • firewall failover
      • back-end systems working at max capacity for unknown reasons
    • don’t just worry about those immediate problems
    • DDoS attacks overload security reporting systems
      • IPS
      • IDS
      • SIEM
    • review DDoS attacks for data breach activity

Symptoms

Network Symptoms

• Bandwidth utilisation
  • attackers can hide data exfil in peak times
  • hard to detect in typical network chatter
  • analyse endpoints and connection directionality
• Beaconing
  • behaviour can be detected in two ways
    • periodicity
    • destination
  • malware can randomise beacon periods/dest address
  • brief connections
  • endpoint analysis
    • communication regularity with other hosts
• Irregular Peer-to-Peer Communication
  • unprivileged accounts connecting to other hosts
  • privileged accounts connecting from regular hosts
  • multiple failed remote logins
  • context matters
  • does user have legit reason to connect from host to resource?
• Rogue Devices
  • know what’s on your network
  • hardware and software asset management/asset awareness
  • hardware asset inventory
  • NAC ensures device authenticated, scanned and appropriate
  • NAC allows implementation of policies
• Scan Sweeps
  • nmap/ping sweeps etc.
  • one host generating large amount of connection attempts to multiple nodes
  • pay attention to ARP messages
  • scan sweep can generate a lot of ARP queries

Host Symptoms

• Running Processes
  • “malware can hide, but it must run”
  • ps, top, tasklist /v, task manager
  • know what is normal
  • baseline hosts and make not of normal processes on a healthy host
  • attackers can use names similar to normal processes
  • note CPU cycles
• Connections
  • malware can utilise network sockets
  • netstat -ano
  • netstat -v
  • netstat -nap
• Memory Contents
  • Access Data’s FTK Imager
  • Linux Memory Grabber
  • Volatility Framework
• File System
  • evidence of actions often left
  • system/configuration file changes
• Unauthorized Software
  • illicit binary executables
  • possible to bypass signature and behavioural detection systems
  • list authorised programs each computer is allowed to run
  • white/blacklisting
  • list software installed on every computer
  • software asset inventory
• Unauthorized Changes
  • malicious DDLs
    • require elevated privs
  • logging of access/changes in files/sensitive folders
  • hashing important files that aren’t meant to be changed
  • Tripwire
  • object access auditing
    • event for read, modification, creation and deleting of file in audited space
  • Windows Event Forwarding
  • Sysmon
  • Rsyslog
• Data exfiltration
  • staging locations for data to be sent out
  • data build up in random places
  • exfil attempts to mimic accetable communications (web, mail, dns)
  • can be encrypted
  • connection looks legit
    • volume and endpoint will not
  • set alerts to trigger for large transfers
  • NetFlow analysis
  • DLP
• Resource consumption
  • memory
  • CPU cycles
  • disk space
  • network bandwidth
  • when/where would spikes occur normally?
  • what are they indicative of?
• Unauthorized Privileges
  • odd behaviour for privileged account
  • monitor activities
  • prioritise protection of info assets
    • contain suspicious user/system
    • isolate any active sessions
    • disable/suspend suspected account if required