5C. Analyse Host-related IoCs Flashcards
Malicious processes (to monitor/be aware of)
- process baseline (to detect deviations)
- scan running processes for malicious code
- registry changes (unexpected changes/access)
- open files (Linux ‘lsof’ command)
- network traffic
- high resource usage
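Worked example for the process-baseline card above: a Python script (added here, not part of the flashcard deck) that diffs a known-good process baseline against a current snapshot and flags the deviations an analyst looks for: unknown processes, a known name running from an unexpected path (masquerading), a changed image hash, and an unexpected parent. Both snapshots are constructed sample data, not captured from a real host.

```python
"""Compare a process baseline against a current snapshot and report deviations.
Added example; the two snapshots below are constructed, not captured from a host."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    name: str
    path: str      # on-disk image path
    parent: str    # parent process name
    sha256: str    # image hash (constructed placeholder values here)


# Constructed baseline recorded from a known-good build of the host.
BASELINE = [
    Proc("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", "aa11"),
    Proc("explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe", "bb22"),
    Proc("lsass.exe", r"C:\Windows\System32\lsass.exe", "wininit.exe", "cc33"),
]

# Constructed current snapshot containing three kinds of deviation.
CURRENT = [
    Proc("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", "aa11"),
    # same name as a system binary, but running from a temp folder under explorer.exe
    Proc("svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "explorer.exe", "dd44"),
    # correct path and parent, but the image hash no longer matches the baseline
    Proc("explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe", "ee55"),
    Proc("lsass.exe", r"C:\Windows\System32\lsass.exe", "wininit.exe", "cc33"),
    # process that does not appear in the baseline at all
    Proc("updater.exe", r"C:\ProgramData\updater.exe", "cmd.exe", "ff66"),
]


def compare(baseline, current):
    """Return a list of (severity, reason, proc) findings for processes in
    `current` that deviate from `baseline`. Name matching is case-insensitive."""
    by_name = {}
    for p in baseline:
        by_name.setdefault(p.name.lower(), []).append(p)

    findings = []
    for p in current:
        known = by_name.get(p.name.lower())
        if not known:
            findings.append(("medium", "process not in baseline", p))
            continue
        # The name is known: check image path first, then hash, then parent.
        if not any(k.path.lower() == p.path.lower() for k in known):
            findings.append(("high", "known name running from unexpected path", p))
        elif not any(k.sha256 == p.sha256 for k in known):
            findings.append(("high", "image hash differs from baseline", p))
        if not any(k.parent.lower() == p.parent.lower() for k in known):
            findings.append(("medium", "unexpected parent process", p))
    return findings


if __name__ == "__main__":
    for severity, reason, proc in compare(BASELINE, CURRENT):
        print(f"[{severity}] {reason}: {proc.name} ({proc.path}) parent={proc.parent}")
```

The baseline should be captured per host role (a web server and a workstation run different process sets) and refreshed after patching, otherwise every legitimate update shows up as a hash deviation.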
Fileless malware
malware code that executes without having to be launched from an .exe file saved somewhere on the file system (e.g., it runs from memory or via a script host). Fileless detection requires analysis of the contents of system memory and of process behaviour, since there is no on-disk file to scan.
Disk and File System IoCs
- excessive log information (e.g., due to brute force attempt, downloading content)
- use of temp file/folders, user profile locations, data masked as log file, alternate data streams, recycle bin usage
Data staging and detection technique
the process of preparing and organising data (collecting, archiving, compressing, encrypting) for exfiltration from a target system or network. To detect it, scan host file systems for archive, compression and encryption tools or their output (e.g., RAR files), and look for unexpected files in system folders.
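Worked example for the disk/file-system IoC and data-staging cards: a Python scanner (added here, not part of the flashcard deck) that identifies archive and compressed files by their magic bytes rather than their extension, so a ZIP renamed to .log is still found, and uses a byte-entropy heuristic to surface encrypted blobs that have no recognisable header. The sample tree it scans is constructed in a temporary directory; the format signatures are the standard published ones, and the entropy threshold of 7.5 bits per byte is an assumed tuning value.

```python
"""Find staged archives and encrypted blobs regardless of file extension.
Added example; sample files are constructed in a temp directory at run time."""
import math
import os
import tempfile
from pathlib import Path

# Leading bytes of common archive/compression formats (standard published values).
SIGNATURES = {
    b"Rar!\x1a\x07": "RAR archive",
    b"PK\x03\x04": "ZIP archive",
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
    b"\x1f\x8b": "gzip stream",
}

# Extensions attackers use to make staged data look like routine files.
MASKING_EXTENSIONS = {".log", ".txt", ".tmp", ".dat"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. Text is roughly 4-5; encrypted or
    compressed data approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path, entropy_threshold: float = 7.5):
    """Return a label for archive/encrypted content, or None for ordinary files."""
    with open(path, "rb") as f:
        head = f.read(4096)
    for magic, label in SIGNATURES.items():
        if head.startswith(magic):
            return label
    # No known header: fall back to entropy, but only on a meaningful sample size.
    if len(head) >= 1024 and entropy(head) > entropy_threshold:
        return "high-entropy blob (possibly encrypted)"
    return None


def scan(root: Path):
    """Walk `root` and return (relative path, label, masked_extension) findings."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        label = classify(p)
        if label is None:
            continue
        masked = p.suffix.lower() in MASKING_EXTENSIONS
        findings.append((p.relative_to(root).as_posix(), label, masked))
    return findings


def build_sample_tree(root: Path):
    """Constructed sample: a real log, a ZIP disguised as a log, a RAR in Temp,
    and a random (encrypted-looking) blob with a harmless-looking name."""
    (root / "logs").mkdir()
    (root / "Temp").mkdir()
    (root / "logs" / "app.log").write_text("2024-01-01 INFO service started\n" * 50)
    (root / "logs" / "archive.log").write_bytes(b"PK\x03\x04" + b"\x00" * 200)
    (root / "Temp" / "export.rar").write_bytes(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 200)
    (root / "Temp" / "cache.dat").write_bytes(os.urandom(4096))


def demo():
    """Build the sample tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rel, label, masked in demo():
        print(f"{rel}: {label}{'  [extension masks content]' if masked else ''}")
```

The entropy check is a heuristic: legitimate compressed media and installers also score high, so treat it as a prompt to look at the file's location, timestamps and owner rather than as a verdict on its own.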
File system viewers
- Tool that allows you to search the file system for keywords quickly, including system areas such as the Recycle Bin and NTFS shadow copies
- analysing file metadata allows for the reconstruction of a timeline of events
Linux File System analysis tool
- lsof (displays currently opened files)
- df (displays disk space being used)
- du (display how much disk space each directory is using)
Windows File System analysis tool
- dir /Ax (filters files/folders by attribute x; e.g., /AH displays only hidden files/folders)
- dir /Q (displays owner of each file)
- dir /R (displays alternate streams for a file)
Unauthorised privilege IoCs
- unauthorised sessions
- failed logins
- new user accounts showing up
- guest account activity
- privilege usage outside of working hours
- security policy integrity (changes being made to)
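Worked example for the unauthorised-privilege IoC card: a Python detector (added here, not part of the flashcard deck) run over constructed Linux auth-log lines. It flags failed-login bursts from one source (brute force), a successful login from a source that was just brute-forcing, new accounts created with useradd, guest-account logins, and logins outside working hours. The log lines are constructed; the ISO timestamp format, the five-failures-in-two-minutes threshold and the 08:00-18:00 working window are assumptions to tune per environment.

```python
"""Detect privilege-related IoCs in auth log lines.
Added example; SAMPLE_LOG is constructed, not taken from a real system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-10T02:14:01 web1 sshd[1001]: Failed password for invalid user admin from 203.0.113.9 port 51522 ssh2
2024-03-10T02:14:03 web1 sshd[1002]: Failed password for invalid user admin from 203.0.113.9 port 51523 ssh2
2024-03-10T02:14:05 web1 sshd[1003]: Failed password for root from 203.0.113.9 port 51524 ssh2
2024-03-10T02:14:06 web1 sshd[1004]: Failed password for root from 203.0.113.9 port 51525 ssh2
2024-03-10T02:14:08 web1 sshd[1005]: Failed password for root from 203.0.113.9 port 51526 ssh2
2024-03-10T02:14:20 web1 sshd[1006]: Accepted password for root from 203.0.113.9 port 51530 ssh2
2024-03-10T02:15:40 web1 useradd[1010]: new user: name=svc-backup2, UID=1003, GID=1003, home=/home/svc-backup2, shell=/bin/bash
2024-03-10T09:30:12 web1 sshd[1100]: Accepted publickey for alice from 10.0.0.12 port 40000 ssh2
2024-03-10T23:05:44 web1 sshd[1200]: Accepted password for guest from 10.0.0.77 port 40100 ssh2
2024-03-10T10:02:10 web1 sshd[1300]: Failed password for bob from 10.0.0.13 port 40200 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
NEWUSER = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")


def detect(log_text, fail_threshold=5, window=timedelta(minutes=2), work_hours=(8, 18)):
    """Return (timestamp, kind, detail) findings. Kinds: brute_force,
    success_after_failures, guest_login, off_hours_login, new_account."""
    failures = defaultdict(list)   # source -> timestamps of recent failed logins
    flagged = set()                # sources already reported as brute-forcing
    findings = []

    for line in log_text.splitlines():
        ts_str, _host, rest = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_str)

        m = FAILED.search(rest)
        if m:
            _user, src = m.groups()
            # Keep only failures inside the sliding window, then add this one.
            failures[src] = [t for t in failures[src] if t >= ts - window] + [ts]
            if len(failures[src]) >= fail_threshold and src not in flagged:
                flagged.add(src)
                findings.append((ts_str, "brute_force",
                                 f"{len(failures[src])} failed logins from {src} within {window}"))
            continue

        m = ACCEPTED.search(rest)
        if m:
            user, src = m.groups()
            if src in flagged:
                findings.append((ts_str, "success_after_failures", f"{user} from {src}"))
            if user == "guest":
                findings.append((ts_str, "guest_login", f"guest login from {src}"))
            if not (work_hours[0] <= ts.hour < work_hours[1]):
                findings.append((ts_str, "off_hours_login",
                                 f"{user} from {src} at {ts.hour:02d}:{ts.minute:02d}"))
            continue

        m = NEWUSER.search(rest)
        if m:
            findings.append((ts_str, "new_account", f"account {m.group(1)} created"))

    return findings


if __name__ == "__main__":
    for ts, kind, detail in detect(SAMPLE_LOG):
        print(f"{ts} {kind:24} {detail}")
```

The success-after-failures rule is the one worth prioritising: a burst of failures followed by an accepted login from the same source is the signature of a brute force that worked, and the new account created a minute later is the attacker establishing a foothold.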
Unauthorised Software IoCs
- presence of unknown software (or unexpected security tools or DNS servers installed on host)
- absence or disabling of prefetch files
Prefetch files are…
files that record the names of applications that have been run plus other information (date and time, file path, run count, and DLLs used by the executable)
Unauthorised Change/Hardware IoCs
- system config changes
- hardware peripherals that have been attached to host
- application behaviour changes (e.g., attacker may open ports, start services, directory exclusion to scanning software)
Persistence IoCs
- Registry changes (e.g., Autorun items such as Run/RunOnce keys, Services, File associations, Scheduled tasks)
- startup tasks
- Hidden files/directories (where malware/data may be stored)
- Boot sector malware
- Rootkits
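Worked example for the persistence IoC card: a Python audit (added here, not part of the flashcard deck) that parses a constructed .reg export of the Run autorun keys, skips entries present in a known-good autorun baseline, and flags the rest, adding reasons when the launched image lives in a temp directory, the Recycle Bin or a user profile location. The .reg contents, the baseline and the location heuristics are assumptions for illustration; a real audit would export the keys with reg export and use a baseline recorded from a clean build.

```python
"""Audit Run-key autorun entries from a .reg export against a baseline.
Added example; SAMPLE_REG and BASELINE are constructed."""

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe"
"Sync"="\"C:\\$Recycle.Bin\\S-1-5-21-1000\\sync.exe\" -q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed baseline: (key, value name) pairs known to be legitimate on this build.
BASELINE = {(HKCU_RUN, "OneDrive"), (HKLM_RUN, "SecurityHealth")}


def parse_reg(text):
    """Yield (key, value_name, command) for each REG_SZ value in a .reg export.
    .reg escapes backslashes as \\\\ and quotes as \\"; both are undone here."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                cmd = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
                yield key, name.strip('"'), cmd


def image_path(cmd):
    """Extract the launched image from a command line: the quoted path if
    present, otherwise the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def audit(reg_text, baseline):
    """Return (key, name, image_path, reasons) for autorun entries not in the baseline."""
    findings = []
    for key, name, cmd in parse_reg(reg_text):
        if (key, name) in baseline:
            continue  # known-good entry
        path = image_path(cmd).lower()
        reasons = ["not in autorun baseline"]
        if "\\temp\\" in path or "\\tmp\\" in path:
            reasons.append("runs from a temp directory")
        if "$recycle.bin" in path:
            reasons.append("runs from the Recycle Bin")
        if "\\users\\" in path:
            reasons.append("runs from a user profile location")
        findings.append((key, name, path, reasons))
    return findings


if __name__ == "__main__":
    for key, name, path, reasons in audit(SAMPLE_REG, BASELINE):
        print(f"{key}\\{name} -> {path}\n    " + "; ".join(reasons))
```

Legitimate software (OneDrive here) also starts from AppData, so the user-profile heuristic alone would generate noise; the baseline is what makes the location rules usable, and the same approach extends to RunOnce, Services and Scheduled Tasks exports.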