Network Based IoCs
Network DoS: exhaust bandwidth/connection resources on a server
Bandwidth consumption, spikes in traffic
Detected using monitoring and alerting
Having a baseline is useful
DDoS: Distributed Denial of Service and botnets
DRDoS (Distributed Reflection DoS)
Spoof the source of the request
Reply goes to the victim
Request is smaller than the reply
HTTP, DNS, NTP
“Slashdotting”
Post a link and drive traffic to a website
Beaconing IoCs
C2 – Command and control
Beaconing looks for regular network traffic to a C2 server.
Regular, like a heartbeat
Small footprint
Changing IPs and Domains
Protocols: IRC, HTTP(S), DNS
DNScat can create a C2 tunnel through DNS
Social media
Cloud services
Media files and documents
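Added example, not part of the original notes: a small detector for the "regular, like a heartbeat, small footprint" beacon pattern above. It groups outbound connections by (source, destination, port), measures how regular the inter-arrival gaps are, and flags pairs with low jitter and small average payloads. The log format, field names and threshold values are assumptions chosen for the example, and the log lines are constructed, not captured traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample outbound connection log (not real traffic):
# "<ISO timestamp> <src> <dst> <dst_port> <bytes>", one connection per line.
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 203.0.113.7 443 512
2024-01-10T09:00:01 10.0.0.5 198.51.100.20 443 40210
2024-01-10T09:01:00 10.0.0.5 203.0.113.7 443 520
2024-01-10T09:01:40 10.0.0.5 198.51.100.20 443 1800
2024-01-10T09:02:00 10.0.0.5 203.0.113.7 443 515
2024-01-10T09:02:05 10.0.0.5 198.51.100.20 80 96000
2024-01-10T09:03:00 10.0.0.5 203.0.113.7 443 518
2024-01-10T09:04:00 10.0.0.5 203.0.113.7 443 510
2024-01-10T09:05:00 10.0.0.5 203.0.113.7 443 522
"""

def parse_log(text):
    """Parse the log lines into (datetime, src, dst, port, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, size = line.split()
            rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(size)))
    return rows

def beacon_candidates(rows, min_connections=5, max_jitter_ratio=0.2, max_bytes=2048):
    """Flag (src, dst, port) tuples with regular, small connections: the beacon pattern."""
    buckets = defaultdict(list)
    for ts, src, dst, port, size in rows:
        buckets[(src, dst, port)].append((ts, size))
    findings = {}
    for key, events in buckets.items():
        if len(events) < min_connections:
            continue  # too few samples to judge regularity
        events.sort()
        # Inter-arrival gaps in seconds; a heartbeat has low spread relative to its mean.
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap else float("inf")
        avg_bytes = mean(size for _, size in events)
        if jitter <= max_jitter_ratio and avg_bytes <= max_bytes:
            findings[key] = {"count": len(events), "interval_s": round(avg_gap, 1),
                             "jitter": round(jitter, 3), "avg_bytes": round(avg_bytes)}
    return findings

if __name__ == "__main__":
    for key, info in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(key, info)
```

Real beacons add jitter and vary their sleep, so in practice the jitter threshold is tuned against a baseline of normal traffic rather than fixed at 0.2.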
Peer-to-Peer (P2P) Communication IoCs
Mostly “unwanted” traffic anyway.
Hidden in SMB or IPP (internet printing protocol)
ARP is peer to peer
ARP flooding is usually spoofing
Rogue Devices IoCs
A rogue device is unaccounted for and unwanted
Detection: Human eyes, network mapping, wireless monitoring, traffic sniffing, NAC and intrusion detection, IP address management
Scan and Sweep Events
A scan happening without your knowledge is not good news
Sweeping
Fingerprinting
Detected by IDS/IPS due to known patterns
Non-standard Port Usage IoCs
Well known ports: 0-1023 TCP/UDP
Registered ports: 1024-49151 TCP/UDP
Dynamic and Private range: 49152-65535 TCP/UDP
Assigned by IANA
Frequent use of the same dynamic port in network traffic requires investigation
Mismatched port/application IoC
Netcat, cryptcat, socat, pupy
Data Exfiltration IoCs
Stealing data
HTTP(S) channel with public storage services
Web app attacks (SQLi and such)
DNS as a channel
IM, P2P, email, FTP
Encrypted tunnels (IPsec, SSL)
Covert Channels IoCs
Overt vs covert
Outbound traffic is seldom filtered
Encoding data in protocol headers
Fragmentation
Encryption
Steganography
OpenStego
Snow PowerShell – hide data in the whitespace of files
Storage and timing channels