Indicators of Compromise

Malicious actors operating covertly within networks, gathering information, and establishing botnets are well-known phenomena. On average, these actors remain undetected for approximately 90 days before discovery. During this period, they execute various activities, including data exfiltration, persistence maintenance, and malware deployment, among other actions.

Although identifying breaches may seem straightforward in theory, it often proves challenging in practice. This is where indicators of compromise (IOCs) become invaluable. They serve as crucial components of digital forensics, signaling potential breaches. IOCs are instrumental for threat hunters and analysts in uncovering malicious activities. These indicators can be obtained through various means, including past incident analyses, open-source intelligence (OSINT), closed-source intelligence (CSINT), or hypotheses formulated during threat hunting efforts.

Let’s look at a few examples…

RDP – Not unusual on any network, and we see that from administrative endpoints to user endpoints. What about from a user to an admin endpoint? It could be the system admin at a user’s desk reaching back for a file or tool, or could it?

Outbound traffic – Tens of thousands of packets an hour. Not at all unusual to see GET requests to web sites. But what about large outbound data to a site like Pastebin?

DNS – Again, another normal protocol to see. In larger organizations you’ll have a DNS server, or it could be the gateway, maybe Google. But what about unusual domains like “gjjei[.]com” or “12.102.56.104[.]kil4dff[.]com”? Or maybe an increase in the volume of DNS activity, or in the number of failed lookups?

Scripts – It’s not unusual to see PowerShell, Bash, or Python scripts running. Suppose you pull Windows system logs and find several Event ID 4104 entries (PowerShell script block logging)? Looking at the script block shows that PowerShell is executing 7-Zip.

File requests – Again, nothing unusual here. How about large numbers of file requests for the same file?
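As an added example (not code from the original post), here is a small Python check that applies two of the heuristics above to constructed log samples: DNS names with an embedded IP-style label or a high failure rate per client, and Event ID 4104 script blocks that invoke an archiver such as 7-Zip. The log entries, host names and thresholds are made up for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample DNS log entries: (client, queried name, response code).
# The odd-looking names echo the post; the traffic itself is made up.
DNS_LOG = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "gjjei.com", "NXDOMAIN"),
    ("10.0.0.5", "12.102.56.104.kil4dff.com", "NOERROR"),
    ("10.0.0.5", "a1b2c3.kil4dff.com", "NXDOMAIN"),
    ("10.0.0.5", "zz9q.kil4dff.com", "NXDOMAIN"),
    ("10.0.0.7", "www.example.com", "NOERROR"),
    ("10.0.0.7", "mail.example.com", "NOERROR"),
]

# Constructed sample of PowerShell Event ID 4104 script block text per host.
PS_4104 = [
    ("WS-USER01", "Get-ChildItem C:\\Users\\alice\\Documents"),
    ("WS-USER01", "& 'C:\\Program Files\\7-Zip\\7z.exe' a -p -mhe=on C:\\Temp\\out.7z C:\\Users\\alice\\Documents"),
]

EMBEDDED_IP = re.compile(r"^(\d{1,3}\.){3}\d{1,3}\.")  # name starts with a dotted-quad label
ARCHIVER = re.compile(r"\b7z(a|g)?\.exe\b|Compress-Archive\b", re.IGNORECASE)


def dns_findings(log, fail_ratio=0.5, min_queries=3):
    """Per-client findings: embedded-IP labels and a high share of NXDOMAIN answers."""
    findings = defaultdict(list)
    totals, failures = Counter(), Counter()
    for client, qname, rcode in log:
        totals[client] += 1
        if rcode == "NXDOMAIN":
            failures[client] += 1
        if EMBEDDED_IP.match(qname):
            findings[client].append(f"embedded-ip-label:{qname}")
    for client, n in totals.items():
        # Only judge the failure ratio once a client has enough queries to be meaningful.
        if n >= min_queries and failures[client] / n >= fail_ratio:
            findings[client].append(f"nxdomain-ratio:{failures[client]}/{n}")
    return dict(findings)


def scriptblock_findings(events):
    """Flag 4104 script blocks that call an archiving tool (possible staging before exfiltration)."""
    return [(host, text) for host, text in events if ARCHIVER.search(text)]
```

Both functions return plain Python structures so the output can be fed into whatever triage or ticketing step follows.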

This is a concise list of IOCs and is not intended to be exhaustive. Many modern solutions are capable of identifying a significant portion of these indicators. However, it is important to recognize that threat actors often strive to maintain stealth and employ various techniques to evade detection, such as recompiling malware or employing encryption. Additionally, they may utilize methods like unhooked processes. Vigilance and comprehensive security measures are essential in mitigating these risks.

Just some things to get the mind working! Stay safe, stay alert.

By Ghost40