CySA+

Host Based IoCs

  • Malicious Processes
    • Process baseline
    • Scan running processes for malicious code
    • Registry changes
    • Open files
    • Network traffic
  • High resource usage IoCs
    • What is “high”?
    • Windows
      • Task Manager
      • Process Explorer
    • Linux
      • ps aux
      • top
      • htop
    • Mac
      • Activity Monitor
    • shouldiblockit.com
  • Disk and file system IoCs
    • Exfiltration IoCs
    • File system analysis
    • Disk space usage IoCs
      • du -sh *
    • File handle IoCs
      • lsof
  • Unauthorized privilege IoCs
    • Unauthorized sessions
    • Failed logins
    • New user accounts
    • Guest account activity
    • Privilege usage outside working hours
    • Security policy integrity
  • Unauthorized software IoCs
    • Detect presence of unknown software
    • Investigate timeline (if possible)
  • Unauthorized changes and hardware IoCs
    • System configuration changes
    • Hardware peripherals
  • Persistence IoCs – survive reboots
    • Windows Registry
  • Application IoCs
    • Network connections
      • netstat
      • nmap
    • Outputs and errors
      • log files
    • Service defacement
      • Usually a defaced website; very visible.
    • Service interruption
      • Windows
        • net start
        • Get-Service
      • Linux
        • ps
        • top
        • service
        • systemctl
    • Application log IoCs
      • DNS: queries, destinations, anomalies
      • HTTP: 4xx = client error, 5xx = server error; also cookies and user-agents
      • FTP: just log everything
      • SSH: commands and file contents are not visible (encrypted); look at auth issues and failed attempts
      • SQL: access attempts, query logs
  • New accounts IoCs
    • Windows: local vs. AD accounts
    • Linux:
      • Active list of users – w command
      • Login history – lastlog
      • User account creation history – /var/log/auth.log
      • Authentication failures – faillog
  • Virtualized Apps IoCs
    • Process and memory analysis
      • Hypervisor VM introspection tools
      • Suspended VMs
    • Disk and persistent storage
      • VM files inside the VM disk
      • Deleted files
    • System logs
  • Mobile Apps IoCs
    • Black boxes, mostly
    • Bypassing phone security measures
    • JTAG interface
    • Cloud data
    • Carrier data
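The Linux checks from the "Unauthorized privilege IoCs" and "New accounts IoCs" sections (new user accounts in /var/log/auth.log, bursts of failed logins, sudo use outside working hours) as one added detection example; this is my own code, not from the original notes, and the log lines, the 08:00–18:00 working-hours window and the three-failure burst threshold are constructed assumptions:

```python
import re
from collections import Counter

# Constructed sample /var/log/auth.log lines (not a real capture).
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:44 web01 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 23:41:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 4455 ssh2
Mar  3 23:41:04 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 4456 ssh2
Mar  3 23:41:06 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 4457 ssh2
Mar  3 23:42:10 web01 useradd[2300]: new user: name=svc_backup, UID=1001, GID=1001, home=/home/svc_backup, shell=/bin/bash
Mar  3 23:43:30 web01 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo svc_backup
Mar  4 10:05:00 web01 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# Syslog-style prefix: "Mon DD HH:MM:SS host <message>"; we only need the hour and the message.
TIME_RE = re.compile(r"^\w{3}\s+\d{1,2} (\d{2}):\d{2}:\d{2} \S+ (.*)$")
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

WORK_START, WORK_END = 8, 18   # assumed working hours: 08:00 up to (not including) 18:00
FAILED_THRESHOLD = 3           # assumed: this many failures from one source is a burst


def analyze_auth_log(text, work_start=WORK_START, work_end=WORK_END, threshold=FAILED_THRESHOLD):
    """Return new accounts, failed-login bursts per source, and off-hours sudo use."""
    new_users, off_hours_sudo = [], []
    failed_by_src = Counter()
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        hour, msg = int(m.group(1)), m.group(2)
        if (u := NEW_USER_RE.search(msg)):
            new_users.append(u.group(1))  # account creation history
        elif (f := FAILED_RE.search(msg)):
            failed_by_src[f.group(2)] += 1  # count failed logins by source address
        elif (s := SUDO_RE.search(msg)) and not (work_start <= hour < work_end):
            off_hours_sudo.append((s.group(1), s.group(3)))  # privilege use outside working hours
    bursts = {src: n for src, n in failed_by_src.items() if n >= threshold}
    return {"new_users": new_users, "failed_login_bursts": bursts, "off_hours_sudo": off_hours_sudo}


if __name__ == "__main__":
    for key, value in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```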
