Analyzing Network IoCs

Question 1

An IP address making regular outbound connections to a known malicious domain.

Answer 1

Command and Control (C2) indicator

Question 2

Multiple DNS requests for domains with random-looking strings.

Answer 2

DGA (Domain Generation Algorithm) activity

Question 3

A file hash observed in network traffic that matches a known malware sample.

Answer 3

Malicious file IOC

Question 4

Repeated TCP SYN packets sent to sequential ports on the same host.

Answer 4

Port scan behavior

Question 5

An HTTPS connection to a rare or previously unseen IP during off-hours.

Answer 5

Suspicious outbound connection

Question 6

An internal host trying to connect to external SMTP or FTP servers.

Answer 6

Data exfiltration attempt

Question 7

The same hash being seen in logs across multiple endpoints.

Answer 7

Lateral propagation

Question 8

Repeated 401/403 HTTP responses in web traffic logs.

Answer 8

Unauthorized access attempts

Question 9

Abnormal volume of DNS queries from a single endpoint.

Answer 9

Beaconing indicator

Question 10

Use of DNS or ICMP traffic for outbound data transmission.

Answer 10

Covert channel

Question 11

Web traffic from a system to an IP address that doesn’t resolve through DNS.

Answer 11

Hardcoded IP usage

Question 12

A single internal host communicating with multiple foreign IP addresses.

Answer 12

Botnet behavior

Question 13

Unusual HTTP user-agent strings in outbound requests.

Answer 13

Malware calling home

Question 14

Detection of TOR traffic or anonymizing proxy use.

Answer 14

Obfuscation indicator

Question 15

A sudden spike in outbound connections from one host.

Answer 15

Potential exfiltration or scanning

Question 16

Network alerts from known blacklisted domains or IPs.

Answer 16

Threat intel match

Question 17

A series of failed connection attempts followed by one successful connection.

Answer 17

Brute-force indication

Question 18

A non-DNS service communicating over port 53.

Answer 18

DNS tunneling

Question 19

Network pattern showing consistent traffic every 60 seconds to the same IP.

Answer 19

Beaconing pattern

Question 20

Traffic pattern suggesting spread to other systems within the same subnet.

Answer 20

Lateral movement

Question 21

Network flow logs showing large outbound traffic over non-standard ports.

Answer 21

Anomalous port usage

Question 22

High volume of HTTP POST requests to a suspicious domain.

Answer 22

Data drop-off point

Question 23

A new executable downloaded from an external IP via HTTP.

Answer 23

Payload delivery

Question 24

NetFlow showing unexpected traffic between VLANs.

Answer 24

Internal reconnaissance

Question 25

Alerts showing unusual connection times from user devices.

Answer 25

Behavior anomaly

Question 26

Observed traffic using unusual protocols or protocol mismatches.

Answer 26

Protocol abuse

Question 27

Packet captures showing encrypted traffic where plaintext is expected.

Answer 27

Suspicious encryption use

Question 28

An increase in ICMP echo requests from a non-administrative system.

Answer 28

Network scanning attempt

Question 29

SIEM correlation showing similar traffic from multiple infected hosts.

Answer 29

Coordinated attack

Question 30

Identifying IOCs by comparing live traffic to threat intelligence feeds.

Answer 30

IOC correlation