Analyzing Application-related IOCs Flashcards
Symptoms of anomalous activity include strange log entries, excessive per-process ports and resource consumption, and unusual user accounts
Anomalous Activity
Verify that any outbound network connections are understood and approved
Unexpected Outbound Communication
Unusual request patterns or responses can be indicative of an ongoing or past attack
Unexpected Output
Occurs when an attacker gains control of a web server and alters the website’s presentation
Service Defacement
Application services may fail to start or stop unexpectedly for any number of reasons
Service Interruptions
An application interruption caused by a service either failing to start or halting abruptly
▪ Security services are prevented from running
▪ Process running the service is compromised
▪ Service is disabled by DDoS/DoS
▪ Excessive bandwidth usage is disrupting a service
Failed Application Services
Tools that can help identify suspicious service activity even when antimalware scanners fail to identify it
Service Analysis Tools for Windows
You can view running services in Task Manager
Services.msc
net start displays all running services on a computer from the command line
There are also Linux tools available for service analysis
cron
systemctl
The ps and top commands are used to monitor running processes
A task scheduler in Linux that can configure processes to run as daemons (background processes or services) during the machine’s startup
cron
Can list and monitor the startup processes using the appropriate control for the init daemon
systemctl
Most applications can be configured to log events
Application Logs
Contains a log entry for each event in which the DNS server handles a request to convert between a domain name and an IP address
DNS Event Logs
A log containing HTTP traffic that encountered an error or traffic that matches some pre-defined rule set
HTTP Access Logs
Status Codes in the 400 Range
Some web server software logs HTTP header information for both the requests and responses
Client-based Error Codes