Analyzing Host-related IOCs Flashcards
A process executed without proper authorization from the system owner for the
purpose of damaging or compromising the system
Malicious Process
Indicators that a legitimate process has been corrupted with malicious code for
the purpose of damaging or compromising the system
Abnormal Process Behavior
▪ Process Monitor
▪ Process Explorer
▪ tasklist
▪ PE Explorer
Windows Tools
▪ pstree
▪ ps
Linux Tools
A background service in the Linux operating system that runs as a process with
the letter “d” after it (e.g., httpd, sshd, ftpd)
Daemons
The init daemon in Linux that is first executed by the kernel during the boot-up
process and always has the process ID (PID) of 1
systemd
A unique identification number of a process launched by a Linux system
Process Identification (PID)
A unique identification number of the parent process for every process launched
by a Linux system
Parent PID (PPID)
A Linux command that provides the parent/child relationship of the processes on
a given system
pstree
Command that lists the attributes of all current processes
▪ The ps command shows only processes started by the current user by
default
▪ ps -A or ps -e - Command to display a full list of all running
processes for all users
▪ ps -C cron - Command to display the process for the cron command
▪ ps -A | sort -k 3 - Command to display the processes sorted by the third
column (execution time)
ps
Malware that executes from memory without saving anything to the file system
Fileless malware
Techniques that require analysis of the contents of system memory, and of
process behavior, rather than relying on scanning the file system
Fileless Detection Techniques
An open-source memory forensics tool that has many different modules for
analyzing specific elements of memory such as a web browser module, command
prompt history module, and others
The Volatility Framework
Resource consumption is a key indicator of malicious activity, but also occurs with
legitimate software
Consumption
Percentage of CPU time utilized on a per-process level
Processor Usage
Amount of memory utilized on a per-process level
Memory Consumption
Command that outputs a summary of the amount of used and freely available
memory on the computer
free
A command that creates a scrollable table of every running process and is
constantly refreshed so that you see the most up-to-date statistics
top
A means of exploiting a vulnerability in an application to execute arbitrary code or
to crash the process (or with an ongoing memory leak to crash the system)
Memory Overflow
An attack meant to shut down a machine or network, making it inaccessible to
its intended users
Denial of Service
Malware is still likely to leave metadata on the file system even if it is fileless
Disk and File System
A place where an adversary begins to collect data in preparation for data
exfiltration, such as temporary files and folders, user profile locations, data
masked as logs, alternate data streams (ADS), or in the recycle bin
Staging Areas
Tool that allows you to search the file system for keywords quickly, including
system areas such as the Recycle Bin and NTFS shadow copy and system volume
information
File System Viewers
The Windows dir command has some advanced functionality for file system
analysis
▪ dir /Ax - filters all file/folder types that match the given attribute (x);
for example, dir /AH displays only hidden files and folders
▪ dir /Q - displays who owns each file, along with the standard
information
▪ dir /R - displays alternate data streams for a file
Tool that retrieves a list of all files currently open on the OS
lsof
Tool that retrieves how much disk space is being used by all
mounted file systems and how much space is available for each
df
Tool that enables you to retrieve how much disk space each
directory is using based on the specified directory - du /var/log
du
Tools used to determine the type of encryption algorithm used and assess the
strength of the encryption key
Cryptographic Analysis Tools
The practice of exploiting flaws in an operating system or other application to
gain a greater level of access than was intended for the user or application
Privilege Escalation
Occurs when certain accounts access devices or services that
they should not be authorized to access
Unauthorized sessions
An attempt to authenticate to the system using the incorrect
username/password combination or other credentials
Failed Log-ons
An attacker may be able to create new accounts in a system, which is
especially dangerous if they create an administrator account
New Accounts
Guest accounts can enable an attacker to log on to a domain
and begin footprinting the network
Guest Account Usage
An account being used in off hours may indicate an attacker
attempting to catch the organization unaware
Off-hours Usage
A more subtle software-based IoC involves the presence of attack tools on a
system
Unauthorized Software
A file that records the names of applications that have been run, as well as the
date and time, file path, run count, and DLLs used by the executable
Prefetch Files
An application usage cache that is stored in the Registry as the key
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCach
Shimcache
An application usage cache that is stored as a hive file at
C:\Windows\appcompat\Programs\Amcache.hve
Amcache
Any change that has been made to a configuration file, software profile, or
hardware without proper authorization or undergoing the change management
process
Unauthorized Change
The ability of a threat actor to maintain covert access to a target host or network
Persistence
A hierarchical database that stores low-level settings for the
Microsoft Windows operating system and for the kernel, device drivers, services,
Security Accounts Manager, and the user interface
Registry
A tool that dumps the contents of the registry in a text file with simple formatting
so that you can search specific strings in the file with find
regdump
Initializes its values asynchronously when loading them from the registry
Run
Initializes its values in order when loading them from the registry
▪ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
▪ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
▪ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
▪ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
RunOnce
Enables you to create new tasks to run at predefined times
Windows Task Scheduler
Tool that manages cron jobs, the Linux equivalent of scheduled tasks
crontab