5 - Indicators of Compromise (IoC) Analysis


Staging Areas and Data Exfiltration

Adversaries may collect data in a central location or directory prior to removing it. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. To detect, scan host file systems for file archive, compression, and encryption types such as RAR or gzip that are atypical of normal end-user file creation on Windows systems. Also look for files in system folders, such as the root of the Recycle Bin or System Volume Information, or for the use of ADS.

Rogue Device IoC: Servers

An adversary may also try to set up a server as a malicious honeypot to harvest network credentials or other data. To succeed in compromising authorized services, the attacker will have to find some way of diverting traffic, usually either through ARP poisoning or corrupting name resolution.

Data Exfiltration IoC: HTTP requests to database-backed services.

An adversary may use SQL injection or similar techniques to copy records from the database that they should not normally have access to. Injection attempts can be detected by web application firewalls (WAF). Other indicators of injection-style attacks are spikes in requests to PHP files or other scripts, and unusually large HTTP response packets.

Unauthorized Change/Hardware IoCs

An attacker may try to change how a device or application behaves to exploit some sort of vulnerability or to open a new vector through which to initiate an attack. For example, the attacker may open ports or start services on a workstation, or add a directory exclusion to scanning software, which enables them to take remote control of the host.

Bandwidth Consumption IoCs

Bandwidth consumption can be measured either as the number of bytes sent or received or as a percentage of link utilization. In a distributed reflection DoS (DRDoS) or amplification attack, the adversary spoofs the victim's IP address and tries to open connections with multiple servers. Those servers direct their SYN/ACK responses to the victim server. This rapidly consumes the victim's available bandwidth. A similar type of amplification attack can be performed by exploiting other protocols.

Rogue Device IoC: Smart appliances

Devices such as printers, webcams, and VoIP handsets have all suffered from exploitable vulnerabilities in their firmware. If use of these assets is not tracked and monitored, they could represent a potential vector for an adversary. Computing functionality and networking is being built into many types of household appliances, including TVs and refrigerators, and it is possible that these are being installed in company premises without oversight.

Mobile File System Extraction

If a copy can be made of unencrypted data, you can use file system tools to search for files, strings, and media. These tools can show the partition and directory layout for Android and iOS, and identify locations that store apps, user data, and logs. Note that many apps use SQLite databases rather than individual files to store logs and user-generated data.

Persistence IoC: Unauthorized Scheduled Task

If a system service is acting strangely due to malicious tampering, you may be able to analyze its behavior using Task Scheduler more easily. Task Scheduler may also be able to capture the history of non-system services, like malware that installs itself as its own service. In Linux, scheduled tasks are managed as cron jobs. The crontab -l command shows the current entries.

Irregular Peer-to-Peer Communication Intrusion IoCs

On most networks, the predominant type of user traffic is to and from clients and servers. When you generate traffic maps, there will be obvious, regular flows between numerous clients and a smaller number of servers. When you see workstation endpoints establishing sessions with one another or with Internet hosts, such irregular peer-to-peer communication may be cause for suspicion, especially if the traffic flows include high bandwidth consumption or occur at odd times of the day. An adversary using "live off the land" techniques is highly likely to use the Server Message Block (SMB) protocol (Windows File/Printer sharing) for communications.

Unauthorized Privilege IoCs

Once an exploit has been launched, one of the first objectives of an attack is typically to provide the attacker with extensive access to the exploited system. A privilege escalation technique allows the attacker to obtain access to additional resources or functionality that the current user account would not normally have. One of the most common scenarios is when a normal user can exploit some vulnerability on a system to gain administrator or root-level privileges.

Anomalous Activity IoC: Service Defacement

One of the most overt and definite signs of a compromise is when a website is defaced. Attackers may exploit SQL injection weaknesses or gain control of the web server itself to alter the site's presentation. Most defacements aren't very subtle, as the attacker usually wants their work to be recognized. Some defacement attacks are more subtle, however, and may simply sneak in an ironic modification of text or an image that isn't easily noticeable. These types of defacement attacks are meant to confuse users into believing that the organization is responsible for the offending material rather than some malicious hacker.

The Volatility Framework (volatilityfoundation.org)

Provides an open-source memory forensics tool. Included on forensics VM distributions, such as KALI (tools.kali.org/forensics/volatility) and the SIFT workstation (digital-forensics.sans.org/community/downloads) from SANS. Has many different modules for analyzing specific elements of memory. If you only want to retrieve browser history information from a memory dump, then you can run a browser module; if you want to see a history of commands run at the command prompt, then you can use the command module; and so on.

Introduction of New Account IoCs

Rather than using a code-based exploit, creating a rogue account presents an opportunity for an APT to maintain access. On a system with hundreds, or maybe thousands, of accounts, any one account can easily get lost in the shuffle. With this rogue account in place, the attacker may be able to remote into the system and access sensitive information. If the rogue account has sufficient privileges, the APT may be able to change or delete files.

Persistence IoCs

Persistence refers to the mechanism by which malware code is executed again if the user logs off, if a different user logs on, or if the infected host is restarted. Two of the principal mechanisms are the Registry and scheduled tasks.

Rogue Device Detection: Packet sniffing and traffic flow

Reveal the use of unauthorized protocols on the network and unusual peer-to-peer communication flows.

What type of evidence can be retrieved from system memory analysis?

Reverse engineer the code used by processes, discover how processes are interacting with the file system (handles) and Registry, examine network connections, retrieve cryptographic keys, and extract interesting strings.

Rogue Device IoC: Software

Rogue servers and applications, such as malicious DHCP or DNS servers, may be installed covertly on authorized hardware.

Rogue Device Detection: NAC and intrusion detection

Security suites and appliances can combine automated network scanning with defense and remediation suites to try to prevent rogue devices accessing the network.

Common Protocol and Nonstandard Port Usage IoCs

Some malware has been known to use certain ports, but unfortunately there's no definitive or comprehensive list. Malware writers easily adapt and change how their software communicates. Still, certain ranges of ports are more likely to indicate a compromise. The dynamic and private range (49152-65535) can't be registered with the IANA and is typically used by clients for temporary communication sessions with servers. If an unknown open port in this range appears constant on a host, it may indicate a channel that's carrying malicious traffic.

What steps would you take to investigate irregular peer-to-peer communication?

Start an incident response ticket and log all actions taken. Identify the IP addresses involved. On a LAN, work out the identity of each host and the accounts and services running on them. On the Internet, use IP reputation services and geolocation to identify the host(s). Raise the logging and packet capture level to monitor the communications. Try to identify the traffic—if it contains sensitive data, consider closing the channel to prevent further release of information.

Application Log IoC: HTTP Access Logs

The status code of a response can reveal quite a bit about both the request and the server's behavior. Codes in the 400 range indicate client-based errors; codes in the 500 range indicate server-based errors. For example, repeated 403 ("Forbidden") responses may indicate that the server is rejecting a client's attempts to access resources they are not authorized to. A 502 ("Bad Gateway") response could indicate that communications between the target server and its upstream server are being blocked, or that the upstream server is down.

Application Log IoC: SQL Event Logs

Structured Query Language (SQL) databases can be configured with multiple types of logging and alerting functionality. The server itself generates an event/error log. Like an OS system log, this records events with fields like date, time, and the action taken. Normal actions can include server startup, individual database startup, database cache clearing, and more. SQL server logs also record error events, like databases not starting or shutting down unexpectedly. The server can also be configured to audit access attempts. Other than the date, time, and user who sent the query, these logs also record:
• The query operation performed.
• The schema associated with the operation.
• The object of the query.

Your firewall log shows that the following packet was dropped—what application protocol was the sender trying to access?

IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=172.16.0.192 DST=192.168.0.22 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4018 DF PROTO=TCP SPT=2584 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0

The destination port (DPT) is 135, which is Microsoft Remote Procedure Call (RPC). This advertises what RPC services are available in a Windows environment.

DDoS Mitigation

The key to repelling a sustained attack will lie in real-time analysis of log files to identify the pattern of suspicious traffic and redirecting that to a black hole or sinkhole. You can use geolocation and IP reputation data to shun suspicious traffic. Other approaches are to aggressively close slow connections by reducing timeouts on the affected server and make use of caching and back-end infrastructure to offload processing to other servers.

Data Exfiltration IoCs

The malicious transfer of data from one system to another. Although this can be mitigated through strong encryption of sensitive data, it may not always be feasible for an organization to ensure that every potential point of data undergoes encryption. What's more, an attacker who gains access to administrative or other privileged credentials may be able to decrypt that data.

Rogue Device IoC: Virtual machines

The risk from rogue servers can be particularly high in a virtualized environment.

Data Exfiltration IoC: Other overt channels, such as FTP, IM, P2P, email, and so on.

These may be protected with encryption to disguise the contents. Again, this might involve the use of compromised accounts on consumer services (Outlook.com, Gmail, and so on).

Rogue Device IoCs

This is any unauthorized piece of electronic equipment that is attached to a network or assets in an organization. A USB thumb drive may be attached to a web server to siphon sensitive data. An extra NIC or Wi-Fi adapter may be installed on an employee's workstation to create a side channel for an attack. An employee's personal smartphone may be connected to the network, exposing the network to malware. The risk from rogue devices is a major reason why you should have an inventory of all devices in your organization.

Network Traffic Spike IoCs

This is diagnosed by comparing the number of connection requests to a baseline. An unexpected surge in traffic from Internet hosts could be a sign of an ongoing DDoS attack. Other indicators are excessive numbers of TIME_WAIT connections in a load balancer's or web server's state table, plus high numbers of HTTP 503 Service Unavailable log events.

Mobile Manual Data Extraction

This means using the device UI to scroll through settings and app screens. This process should be recorded on video to prove that no changes are being introduced.

Rogue Device Detection: Network mapping/host discovery

Unless an OS is actively trying to remain unobserved (not operating when scans are known to be run, for instance), enumeration scanners should identify hosts via banner grabbing/fingerprinting. Finding a rogue host on a large network from a scan may still be difficult.

Mobile Data Collection

Unlike a typical PC or laptop, there is no single storage device to remove from the mobile and attach to acquisition hardware. Data is stored on flash memory chips soldered to the system board, and access to the data on the chips is intended to be fully mediated by the mobile device's bootloader and operating system, which will typically enforce access control via some sort of lock code or biometric authentication.

Which two main classes of attack would you suspect if you observe a bandwidth consumption IoC from a client workstation on the local network to a host on the Internet?

You are most likely to suspect a data exfiltration attack, but it is also possible that the host has been infected with a bot and is being used for DDoS or spam.

What are the main types of IoCs that can be identified through analysis of the Registry?

You can audit applications that have been most recently used (MRU) and look for use of persistence mechanisms in the Run, RunOnce, and Services keys. Another common tactic for malware is to change file associations via the Registry.

ps

Lists the processes running on a Linux system.

pstree

Lists the processes running on a Linux system in a tree-like format.

Application Log IoC: DNS Event Logs

A DNS server may log an event each time it handles a request to convert between a domain name and an IP address. DNS event logs can hold a variety of information that may supply useful security intelligence, such as:
• The types of queries a host has made to DNS.
• A list that can be searched for either IP addresses or domains to identify computers that are in communication with suspicious sites.
• Statistical anomalies such as spikes or consistently large numbers of DNS lookup failures, which may point to computers that are infected with malware, misconfigured, or running obsolete or faulty applications.

tasklist

A command-line version of Task Manager, displaying memory usage, the state of running threads, a process tree, and individual operations for each process. taskkill can be used to terminate suspect processes.

Covert Channels: Storage versus Timing Channels

A covert storage channel includes one process writing to a storage location and another process reading from that location. A covert timing channel includes one process altering system resource so that changes in response time can signal information to the recipient process. Some usage of covert channels combines both aspects of storage and timing.

C&C Attack Channel: Internet Relay Chat (IRC)

A group communication protocol. _________ networks are divided into discrete channels, which are the individual forums used by clients to chat. With __________ it is easy for an attacker to set up an IRC server and begin sending interactive control directives to individual bots connected to the __________ server. Despite its popularity in years past, use of _________ as a C&C channel is on the decline, as is __________ use in general. __________ traffic is relatively easy for administrators to detect, and many organizations have no use for this protocol, so they simply block all such communications.

Why might a host-related IoC manifest as abnormal OS process behavior rather than as a malicious process?

A malicious process is relatively easy to identify. Advanced malware disguises its presence using techniques such as process hollowing and DLL injection/sideloading to compromise legitimate OS and application processes.

Memory Overflow

A means of exploiting a vulnerability in an application to execute arbitrary code or to crash the process (or with an ongoing memory leak to crash the system). Each process has an area of memory allocated to write data to (called the buffer). A successful exploit causes data to overflow the buffer when executing a function and overwrite an adjacent buffer area or adjacent code. The goal of an exploit is usually to overwrite the return address of the function so that it points to the attacker's code rather than the original process.

Rogue Device IoC: Network taps

A physical device might be attached to cabling to record packets passing over that segment. Once attached, taps cannot usually be detected from other devices inline with the network, so physical inspection of the cabled infrastructure is necessary.

Sysinternals

A suite of tools designed to assist with troubleshooting issues with Windows.

Netcat

An open-source tool that can be used to demonstrate the same techniques as RAT malware.

Covert Channels: Steganography

Another technique for hiding data for exfiltration. An attacker might be able to evade intrusion detection and data loss countermeasures if they hide information within images or video. Modern tools hide digital information so well that the human eye cannot tell the difference; likewise, computer programs not equipped for steganographic analysis may also fail to spot the hidden information. For example, data loss countermeasures may inspect all outgoing packets for any signatures that match a database of known file signatures. If the attacker simply transmitted a sensitive document by itself, the countermeasures would identify that image and shut down the connection. However, if the attacker embeds the sensitive document in a benign image, the data loss system may let the transmission continue unabated. The system won't see a difference, nor would an administrator if they decided to inspect packets manually.

Service Interruption IoCs

Application services may fail to start or stop unexpectedly for any number of reasons. Keep in mind that service disruption is difficult to diagnose and is often mistakenly thought to be an IoC when it may in fact be a maintenance issue. That said, service interruption will often lead you to suspect some cybersecurity cause.

Drive Capacity Consumption IoC

Applications and processes that consume too much drive capacity may be malicious. Malware may be caching files locally for exfiltration over the network or via USB. Malware may also be generating substantial logs if it is performing network scanning. Disk utilization tools will typically scan a file system and retrieve comprehensive statistics, including:
• Visual representation of storage space. For example, a tree map can represent a hierarchy of folders and increase the visual size of folders, depending on how much data they hold.
• A directory listing of storage space, with folders and files sortable by size, extension, number of files, and more.
• The real-time usage of information being written to a disk.

Shell and Reverse Shell

As well as beaconing and data transfer, adversaries will often want to use a remote access tool/Trojan (RAT) to obtain a shell on the compromised system and run commands. A shell is where the attacker opens a listening port that exposes the command prompt on the local host and connects to that port from a remote host. A reverse shell is where the attacker opens a listening port on the remote host and causes the infected host to connect to it. Traffic received by the infected host is then redirected to the command prompt. A reverse shell is typically used to exploit organizations that have not configured outbound traffic filtering at the firewall.

Anomalous Activity IoCs

As you have seen, analysis of host-based indicators can reveal when a software process is behaving abnormally or maliciously. You will also often need to analyze network applications, such as web applications, databases, DNS services, and remote access servers. When investigating application-specific symptoms of anomalous activity, you will again be making use of logs but also examining per-process ports and resource consumption, as well as user accounts.

Unauthorized Privilege IoC: Off-hours usage

Depending on the normal work period in your organization, seeing an account being used in off hours may indicate an attacker attempting to catch the organization unaware. For example, if your employees work 9:00 a.m. to 5:00 p.m., and the account for one of those employees signs into the virtual private network (VPN) at 3:00 a.m., the account may have been hijacked.

Which network-related potential indicator of compromise has been omitted from the following list? Bandwidth consumption, irregular peer-to-peer communication, rogue device on the network, scan/sweep, unusual traffic spike, common protocol over non-standard port.

Beaconing

C&C Attack Channel: Domain Name System (DNS)

Because this traffic is not inspected or filtered in most private networks, attackers see an opportunity for their control messages to evade detection. Using this as a C&C channel is effective because the bot doesn't even need to have a direct connection to outside the network. All it needs to do is connect to a local _____ resolver that executes lookups on authoritative servers outside the organization (like those on the Internet), and it can still receive a response with a control message. Attackers send their commands in either request or response queries. This typically makes the queries longer and more complicated than average, which can be used as an indicator for detection. To evade detection when _____ traffic and logging is monitored, attackers break their control messages into several different query chunks so as not to trip sensors that only look at individual transmissions. Another sign of a C&C operation through this is when the same query gets repeated several times; this indicates that the bot is checking into the control server for more orders.

Beaconing Intrusion IoCs

Command and control (C&C or C2) refers to an infrastructure of hosts with which attackers direct, distribute, and control malware. This is made possible primarily through coordinated botnets. After compromising systems and turning them into zombies, the attacker adds these systems to an ever-growing pool of resources. The attacker then issues commands to the resources in this pool. A command can be anything from a simple ping or heartbeat, to verify that the bot is still alive in the botnet, to something more malicious, such as trying to infect any hosts the bot is connected to in a network.

Non-standard Port Mitigation

Configure firewalls to allow only whitelisted ports to communicate on ingress and egress interfaces. Unfortunately, this type of policy is difficult to put into practice, as it tends to cause numerous support issues for legitimate applications. Configuration documentation should also show which server ports are allowed on any given host type. This can then be used to create detection rules for non-standard port usage. Detection rules can also be configured to detect mismatched protocol usage over a standard port.

Why are CPU, memory, and disk space consumption IoCs used to identify incidents?

Detailed analysis of processes and file systems is painstaking and time-consuming work. Anomalous resource consumption is easier to detect and can be used to prioritize cases for investigation, though there is a substantial risk of numerous false positives.

What type of security information is primarily used to detect unauthorized privilege IoCs?

Detecting this type of IoC usually involves collecting security events in an audit log.

Rogue Device Detection: Wireless monitoring

Discover unknown or unidentifiable service set identifiers (SSIDs) showing up within range of the office.

dir /R

Displays alternate data streams for a file. Attackers can use alternate data streams (ADSs) for anti-forensics purposes, and being able to spot an ADS can help you identify a malicious process that is attached to a legitimate one.

dir /Q

Displays who owns each file, along with the standard information. You can easily verify if a sensitive file has been given ownership to an unknown or malicious entity by using this switch.

Application Log IoC: SSH Access Logs

Each event in an SSH log usually concerns session establishment and termination, including date/time, username, client IP or port, client software version, connection success or failure, and cryptographic protocol used.

Jan 11 03:54:29 lx1 sshd[27224]: Accepted password for centos from 10.1.0.101 port 2454 ssh2
Jan 11 03:54:30 lx1 sshd[27224]: pam_unix(sshd:session): session opened for user centos by (uid=0)

Rogue Device IoC: Wired and Wireless clients

End-user devices might introduce malware, perform network reconnaissance, or be used for data exfiltration. As well as digital data, you must also consider the risk of recording from cameras and microphones. Another thing to consider is when an authorized device is used in an unauthorized way. For example, a workstation might be used to try to open an SSH or RDP shell on a server or to perform a network scan, or the tethering function of a smartphone might be used as a network bridge. These could be signs of an insider attack or that a device has been stolen.

Application Log IoC: FTP Access Logs

FTP servers log information differently based on the software they run, but many conform to W3C extended log file format. These fields identify client and server in each transaction, as well as provide additional details about the transaction itself, such as usernames, status codes, and bytes transferred.

dir /Ax

Filters all file/folder types that match the given parameter (x). For example, dir /AH displays only hidden files and folders. Malicious files marked as hidden are much easier to find this way rather than looking through every entry, especially if the folder contains hundreds or thousands of files.

Anomalous Activity IoC: Unexpected Outbound Communication

If you suspect the presence of malware or a C&C channel, enumerate the open ports on the host using a tool such as netstat locally or Nmap remotely and compare with activity over the link. The ranges of ports used should match; if they do not, then something is concealing port usage on the host. If there is no use of unusual ports, check the traffic passing over a port using a sniffer to confirm that it is legitimate. For example, just because in the well-known port listing TCP port 25 is used for SMTP does not mean that malware could not be passing C&C traffic over that port instead of SMTP data. Check the destination IP address of communications against IPs and URLs with known reputation risk.

Account and Session Management Tools for Windows

In Windows, local accounts are managed via the Local Users and Groups snap-in. The default Computer Management console contains this, plus consoles for monitoring sessions, shares, and open files. Authentication and authorization events are written to the Security log, but an audit policy must be configured and applied to capture specific events.

Unauthorized Privilege IoC: Guest account usage

In most cases, you should be disabling the guest account on your systems. However, some systems may slip by, so be sure to monitor your log-on events for instances of the guest account. While guest accounts don't have many privileges, they can enable an attacker to log on to a domain that they do not otherwise have access to.

Scan/Sweep Intrusion IoCs

In the first stages of an attack, rogue devices will often be used to perform scans and sweeps to try to find other hosts on the network plus any vulnerabilities that might allow them to be exploited. The term scan can refer specifically to a port scan directed against a single host to enumerate which ports are open and to identify the software and firmware/device type underpinning the host. This is also referred to as fingerprinting. A sweep refers to probing a given port or port range over multiple IP addresses to discover hosts that respond ("alive"). This is sometimes referred to as footprinting.

Data Exfiltration IoC: DNS is widely exploited for exfiltration as well as beaconing and C&C.

Indicators include use of atypical query types from client workstations. Most client requests might be expected to be for host (A or AAAA) name records. A greater frequency of TXT, MX, CNAME, and NULL queries over the Internet may be an IoC. It is also worth monitoring trends in DNS server log growth.

Unauthorized Privilege IoC: New accounts

Instead of attempting to crack an existing account, an attacker may be able to create new accounts in a system. You should already be monitoring account creation carefully, especially in a domain environment where only certain administrators should be able to create them. Although a new standard user account may indicate a compromise, it's new administrator accounts that you need to pay special attention to. An attacker with their own high-level permissions can cause severe damage.

Irregular Peer-to-Peer Communication Intrusion IoCs: ARP Spoofing/Poisoning

Irregular peer-to-peer communication may also indicate various kinds of man-in-the-middle attacks. This is when an attacker redirects an IP address to a MAC address that was not its intended destination. Attackers can execute this spoofing attack by continuously sending requests to update the cache of victim hosts with the erroneous address information. Because ARP will overwrite each record with the latest request, flooding the cache with spoofed requests will make the attack more likely to succeed. To detect ARP poisoning, you can use an IDS such as Snort to identify the suspicious traffic patterns (ARP poisoning generates far more ARP traffic than usual). You can also use arp -a to inspect the local machine's ARP cache and compare the MAC address values to known server machines.

Rogue Device Detection: Visual inspection of ports/switches

It is possible to imagine a sophisticated attack going to great lengths to prevent observation, such as creating fake asset tags.

top

Linux command that creates a scrollable table of every running process and is constantly refreshed so that you see the most up-to-date statistics. The default information provided by the table includes the process ID, user, CPU percentage being used, memory percentage being used, execution time, and more about each process. You can use the following keys to sort the output:
• Shift + P to sort by CPU usage.
• Shift + M to sort by memory usage.
• Shift + T to sort by execution time.
• Shift + N to sort by PID.

free

Linux command that outputs a summary of the amount of used and freely available memory on the computer. It retrieves this information from /proc/meminfo and divides information between physical memory and swap memory. It reports:
• The total memory available plus the amount used and unused (free).
• The amount of memory used by temporary file systems (shared).
• The amount of memory used by kernel buffers and the page cache.
• The amount of estimated memory available for new processes, taking into account the page cache.

lsof

Linux command that retrieves a list of all files currently open on the OS. Although the output can be customized, it typically provides the following for each file:
• The process ID for the process that has the file open.
• The owner of the process.
• The size of the file.
• The file's local or network address.
• The file's TCP state, if applicable.
• The file's access mode.

Account and Session Management Tools for Linux

Linux distributions come with a few built-in session management tools for quick and easy access to this information. In fact, there are three commands that perform approximately the same function, with a few key differences: who, w, and rwho.

Service Interruption IoC: Service Analysis Tools for Linux

Linux processes can be configured to run as daemons (background) at startup by the init daemon or via a task scheduler, such as cron. Startup processes can be listed and monitored using the appropriate control for the init daemon, such as systemctl for systemd. The ps and top commands are used to monitor running processes.

Data Exfiltration IoC: Explicit tunnels such as SSH or VPNs

Look at the endpoints involved, especially their geographic location.

Malicious Process IoCs

Malware code might run within its own process, whether as a foreground process or as a background service. Given adequate security controls, this type of malware can be easy to spot, however, because you can use a baseline to distinguish OS and application processes that should be running from those that should not. In Windows, malware code will often be injected into a host process, typically by making it load the malware code as a dynamic link library (DLL). In the latter case, you need to identify abnormal OS process behavior (or indeed abnormal behavior by an application process, such as the PowerShell or the OneDrive processes). Abnormal behavior might mean that the process makes changes to the Registry, accesses data files and temporary locations on the file system, or uses the network for malicious activity, such as C&C beaconing, connecting to unknown DNS resolvers, transmitting data over covert channels, and so on.

Unauthorized Software IoCs

• Malware such as worms, viruses, or trojans.
• Attack tools such as Netcat for system users not authorized to use them.
• Legitimate software installed on systems where it doesn't belong, such as a web or DNS server on a workstation.

Service Interruption IoC: Service Analysis Tools for Windows

Malware that installs itself as a service can effectively hide itself from manual detection and may even be able to escape the notice of traditional antimalware scanners. There are some tools that can help you identify suspicious service activity, however. You can view running services in Task Manager, but Windows also comes with a snap-in called Services.msc. This snap-in provides a list of all active services, as well as details of each service, including a description of what it does. It also enables you to start or stop a service. The shell command net start is another way to display all running services on the computer; it lists their names without any further detail. Although these tools can help you identify an unknown or suspicious service running on the computer, they aren't particularly complex. The Get-Service PowerShell cmdlet is another option for service monitoring from the command line or as part of a script.

C&C Attack Channel: Media and Document Files

Media file formats like JPEG, MP3, and MPEG use metadata to describe images, audio, and video. An attacker could embed its control messages inside this metadata, then send the media file to its bots over any number of communication channels that support media sharing. Because monitoring systems do not typically look at media metadata, the attacker may be able to evade detection. Documents using XML-based file formats can be embedded with extraneous or malicious data. This data can hold the attacker's C&C message, and like media metadata, most monitoring systems won't detect them during transmission.

Processor Usage IoC

Monitor the per-process percentage of CPU time to show which process is causing the problem. Monitoring the real-time CPU usage of running processes is an effective way to compare a computer's execution overhead with another baseline environment. On a Windows host, you can use Task Manager and Performance Monitor to track usage.

PE Explorer (heaventools.com)

Proprietary software that offers a variety of different features, including the ability to browse the structure of 32-bit Windows executable files. The main advantage of this is that you can observe what a program is accessing, like what dynamic-link libraries (DLLs) it calls and how it interfaces with other applications on the system, as well as how it uses application programming interfaces (APIs).

Data Exfiltration IoC: HTTP (or HTTPS) transfers to consumer file sharing sites or unknown domains.

One typical approach is for an adversary to compromise consumer file sharing accounts (OneDrive, Dropbox, or Google Drive, for instance) and use them to receive the exfiltrated data. The more the organization allows file sharing with external cloud services, the more channels it opens that an attacker can use to exfiltrate critical information. If data loss prevention systems detect a sensitive file outbound for Dropbox, for example, they may allow it to pass, because they won't necessarily be able to discern legitimate from illegitimate use of a single file. So, an attacker doesn't even need to have access to the employees' official Dropbox share—the attacker can open their own share, drop the files in, and then the data is leaked.

Memory Consumption IoC

Overall percentage of memory usage is not necessarily an IoC. Windows is optimized to make as much use of system memory as possible. Per-process use of memory might prove more fruitful, but the usage by a legitimate version can vary quite considerably. You can look up "typical" usage (memory usage and image file size) using an online resource such as shouldiblockit.com. A memory leak, where a process claims more and more memory without releasing it again, can also be a sign of malware (or faulty software that would need to be investigated anyway).

C&C Attack Channel: Social Media Websites

Platforms like these are a way for the attacker to "live off the land," issuing commands through the platforms' messaging functionality or their account profiles. For example, many businesses implicitly trust LinkedIn. An attacker could set up an account and issue commands to bots through the account's profile, using fields like employment status, employment history, status updates, and more. Similarly, there is evidence that a C&C operation used Twitter accounts to post seemingly random hashtags. These hashtags were encoded command strings, and bots would scour Twitter messages for these hashtags to receive their orders (intego.com/mac-security-blog/flashback-mac-malware-uses-twitter-as-command-and-control-center).

Covert Channels

• Taking advantage of a lack of egress filtering to transmit data over a nonstandard port.
• Encoding data in the headers of TCP/IP packets or other non-standard protocol usage, such as DNS TXT records.
• Chunking data up into multiple packets to be sent at separate times to evade signature analysis and data loss prevention.
• Obfuscating data by transmitting strings of hex code rather than character strings.
• Transmitting encrypted data that cannot be inspected as it leaves the network.

Prefetch Files

The absence of _________ files or a period when _________ was disabled would be suspicious (though do note that this is disabled by default on SSDs).

Persistence IoC: Registry Change or Anomaly

The autorun entries in the Registry are often targeted because they're not always visible to the average user. In modern Windows systems, there are two types of autorun keys: Run, which initializes its values asynchronously, and RunOnce, which initializes its values in order. Examine both to reveal any unknown or suspicious values that shouldn't be there. More specifically, these keys are located in:
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Your border firewall uses a default allow policy, but you want to block outgoing requests for UPnP. Which port do you need to create a deny rule for?

UDP port 1900.

C&C Attack Channel: HTTP and HTTPS

These protocols are a necessity in almost every organizational network, and blocking them entirely is simply not feasible. Additionally, it's difficult to separate malicious traffic from legitimate traffic, so attackers are finding these web-based protocols more viable channels for C&C. When used in C&C, the attacker embeds commands encoded within _____ to multiple web servers as a way to communicate with its bots. These requests and responses can be encrypted, making analysis of the traffic difficult. One way to mitigate this is to use an intercepting proxy at the network edge. The proxy can decrypt and inspect all traffic, and only re-encrypt and forward legitimate requests and responses.

Mobile Logical Data Extraction

This refers to using utilities supplied with the device or the vendor's tools to export data for analysis. This includes local and cloud backup procedures. It may be possible to obtain data from the cloud account that the device is linked to. This involves making a legal request (subpoena) to the cloud provider. In this scenario, the data may still be encrypted with a key that the provider has no access to. Another means of logical extraction is to use the device's debug interface—such as Android Debug Bridge (ADB)—to retrieve data. A debug interface is mediated by the mobile OS and so cannot be used for file carving of slack space.

Anomalous Activity IoC: Unexpected Output

When an adversary is performing reconnaissance against a web application or database, you are likely to see unusual request patterns, such as repeated requests for the same PHP file using different paths or URLs. You should also scan for code injection strings in HTTP requests. If an adversary has established access, you might detect this by monitoring the number of database reads or examining HTTP response packet sizes—an SQL injection attack might be exfiltrating data by causing the server to dump tables in its responses. There may be more straightforward signs that someone is attempting to tamper with an application. The application might display unformatted error messages or strange strings to the user. You (and your end users) should also be alert to man-in-the-browser attacks. In this type of attack, the adversary runs client-side code to add form fields to a legitimate sign-in page. The fields would be used to capture authentication credentials or PII.

Unauthorized Privilege IoC: Failed log-ons

When you check access logs, you'll eventually get used to the sight of failed log-ons. After all, users forget or mistype their passwords all the time. However, repeated failures for one account may suggest more than just benign attempts, especially for administrator accounts. Attackers who brute force passwords will go through hundreds, maybe thousands, of attempts if there are no failure limits set on the system.

Rogue Device IoC: Wireless access points (WAP)

While there are dedicated pen test rogue WAPs, such as the WiFi Pineapple (shop.hak5.org/products/wifi-pineapple), anyone with access to your network can create a WAP, even from a non-specialized device like a laptop or smartphone. They can intentionally mislead others into connecting to their rogue access point, which then opens the door for a man-in-the-middle attack on unsuspecting users.

Unauthorized Privilege IoC: Unauthorized sessions

You may see certain accounts access devices or services that they should not be authorized to access. For example, a user with limited privileges may be signed in to a domain controller—only administrators should have access to the DC, so this could indicate unauthorized privilege escalation and compromise of the server.

Service Interruption IoC: Failed Application Services

You will normally identify service interruptions through system and application log files or alerts from monitoring apps. When a service does not start or halts, you should consider the following causes (from a cybersecurity perspective):
• An adversary is preventing security services (such as anti-malware or Windows Update) from running to avoid detection. To maintain access and avoid suspicion, the attacker may only disable the services temporarily and re-enable them once they have performed the covert attack.
• The process running an authorized service has been compromised by malware. This could make the service unreliable and prone to crashing.
• A service has been disabled in a DoS/DDoS attack. This is often performed to facilitate some other type of attack, such as disabling a DNS server to compromise name resolution.
Excessive bandwidth usage will accompany most service disruption, but this isn't always the case. Attackers can take down servers by gaining control over them, not just by flooding them with network traffic. For example, if your administrators usually tunnel into an application server using Secure Shell (SSH), and now find that their connections are being interrupted or denied, it could indicate that an attacker was able to stop the SSH service on the application server.

C&C Attack Channel: Cloud Services

__________ Companies that supply a wide variety of services, especially infrastructure and platform services, are also at risk of being a C&C vector. For example, attackers used Google's App Engine platform to send C&C messages to bots through a custom application hosted by the service. App Engine is attractive to attackers because it offers free, limited access to the service. Instead of incurring the cost of setting up their own servers, attackers use a cloud company's reliable and scalable infrastructure to support their C&C operations.

Client workstations on a subnet in your network use the following IP configuration:
• IPv4 Address: 192.168.100.101
• Subnet mask: 255.255.255.0
• Default gateway: 192.168.100.254
• DNS server: 192.168.1.1
You obtain the following list of network connections established by processes on a host in that subnet that you suspect of abnormal activity. Which process is suspicious?

explorer.exe—This process is not using the network's DNS server (192.168.1.1).

