Analyzing Application-related IOCs Flashcards
Symptoms of anomalous activity include strange log entries, excessive per-process port usage and resource consumption, and unusual user accounts
Anomalous Activity
Verify that any outbound network connections are understood and approved
Unexpected Outbound Communication
Unusual request patterns or responses can be indicative of an ongoing or past attack
Unexpected Output
Occurs when an attacker gains control of a web server and alters the website’s presentation
Service Defacement
Application services may fail to start or stop unexpectedly for any number of reasons
Service Interruptions
An application interruption caused by a service either failing to start or halting abruptly
▪ Security services are prevented from running
▪ Process running the service is compromised
▪ Service is disabled by DDoS/DoS
▪ Excessive bandwidth usage is disrupting a service
Failed Application Services
Tools that can help identify suspicious service activity even when antimalware scanners fail to identify it
Service Analysis Tools for Windows
You can view running services in Task Manager
Services.msc
net start displays all running services on a computer from the command line
There are also Linux tools available for service analysis
cron
systemctl
The ps and top commands are used to monitor running processes
A task scheduler in Linux that can configure processes to run as daemons (background processes or services) during the machine’s startup
cron
Can list and monitor the startup processes using the appropriate control for the init daemon
systemctl
Most applications can be configured to log events
Application Logs
Logs an event each time the DNS server handles a request to convert between a domain name and an IP address
DNS Event Logs
A log containing HTTP traffic that encountered an error or traffic that matches some pre-defined rule set
HTTP Access Logs
Status Codes in the 400 Range
Client-based Error Codes
Some web server software logs HTTP header information for both the requests and responses; this field identifies the type of application making the request, such as the web browser version or the client’s operating system
User-Agent Field
An unstandardized type of log that can provide basic client/server session information
SSH Access Logs
An event/error log that records events with fields like date, time, and the action taken, such as server startup, individual database startup, database cache clearing, and databases not starting or shutting down unexpectedly
SQL Event Logs
Creating rogue accounts is a method for an adversary to maintain access
New Accounts
Windows tool that is used for the management of local accounts on a system
Local Users and Groups
Windows tool that is used for the management of accounts on a domain controller (DC)
Active Directory Users and Computers
Linux command that shows which user accounts are logged in, which terminal teletypes (TTYs) they have active for each running process, and what date/time they logged in
who
Displays the same basic information as who, but also returns the remote host (if applicable), how long the account has been idle, the name of processes the account is actively running, the execution time of each process, and more
w