Host Based IoCs
Malicious Processes
Process baseline
Scan running processes for malicious code
Registry changes
Open files
Network Traffic
High resource usage IoCs
What is “high”?
Windows
Task Manager
Process explorer
Linux
ps aux
top
htop
Mac
Activity monitor
Shouldiblockit.com
Disk and file system IoCs
Exfiltration IoCs
File system analysis
Disk space usage IoCs
du -sh *
File handles IoCs
lsof
Unauthorized privilege IoCs
Unauthorized sessions
Failed logins
New user accounts
Guest account activity
Privilege usage outside working hours
Security policy integrity
Unauthorized software IoCs
Detect presence of unknown software
Investigate timeline (if possible)
Unauthorized changes and hardware IoCs
System configuration changes
Hardware peripherals
Persistence IoCs – Survive reboots
Windows Registry
Application IoCs
Network connections
netstat
nmap
Outputs and errors
logfiles
Service defacement
Usually a defaced website; very visible.
Service interruption
Windows
net start
Get-Service
Linux
ps
top
service
systemctl
Application Logs IoCs
DNS: queries, destinations, anomalies
HTTP: 4xx = client error, 5xx = server error, cookies, user-agents
FTP: just log everything
SSH: commands and transferred files are not visible in the logs. Look for auth issues and failed attempts
SQL: Access attempts, query logs
New accounts IoCs
Windows: Local vs AD accounts
Linux:
Active list of users – w command
Login history – lastlog
User account creation history – /var/log/auth.log
Authentication failures – faillog
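The Linux checks above and the "Unauthorized privilege IoCs" (failed logins, new user accounts, privilege usage outside working hours) can be pulled from /var/log/auth.log in one pass. The parser below is an added example, not part of the original notes; the log lines are constructed, and the 08:00–17:59 working-hours window is an assumption.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (not captured from a real host).
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:07 host useradd[2231]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Mar 10 02:14:09 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd svc_backup
Mar 10 02:15:30 host sshd[2300]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 02:15:33 host sshd[2300]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 02:16:00 host sshd[2301]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 09:01:02 host sshd[2410]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar 10 09:05:44 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

WORK_HOURS = range(8, 18)  # assumption: 08:00-17:59 is the normal working window

TIMESTAMP = r"^(\w{3} +\d+ (\d\d):\d\d:\d\d) \S+ "
NEW_USER_RE = re.compile(TIMESTAMP + r"useradd\[\d+\]: new user: name=([^,]+), UID=(\d+)")
FAILED_RE = re.compile(TIMESTAMP + r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(TIMESTAMP + r"sudo: +(\S+) : .*COMMAND=(.+)$")


def parse_auth_log(text):
    """Return new accounts, failed logins per source address, and sudo use outside working hours."""
    new_users, failed_by_src, after_hours = [], Counter(), []
    for line in text.splitlines():
        if m := NEW_USER_RE.match(line):            # account creation history
            new_users.append({"time": m[1], "name": m[3], "uid": int(m[4])})
        elif m := FAILED_RE.match(line):            # failed logins, keyed by source
            failed_by_src[m[4]] += 1
        elif m := SUDO_RE.match(line):              # privilege usage; hour is group 2
            if int(m[2]) not in WORK_HOURS:
                after_hours.append({"time": m[1], "user": m[3], "command": m[4]})
    return {"new_users": new_users, "failed_by_src": dict(failed_by_src), "after_hours": after_hours}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_auth_log(SAMPLE_AUTH_LOG), indent=2))
```

On a live host, feed it the contents of /var/log/auth.log and compare the new-user list against the approved account baseline.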
Virtualized Apps IoCs
Process and memory analysis
Hypervisor VM introspection tools
Suspended VMs
Disk and persistent storage
VM files inside the VM disk
Deleted files
System logs
Mobile Apps IoCs
Black boxes, mostly
Bypassing phone security measures
JTAG interface
Cloud data
Carrier data