Difference between revisions of "Indicators of compromise (IOC)"
Jump to navigation
Jump to search
Tags: Mobile web edit, Mobile edit |
|||
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | [[wikipedia:Indicator of compromise]] | ||
| + | |||
When a threat actor makes changes to a system, either by direct action, malware, or other exploits, forensic artifacts are left behind in the system. IOCs act as bread crumbs for investigators, providing little clues that can help identify the presence of an attack on a system. | When a threat actor makes changes to a system, either by direct action, malware, or other exploits, forensic artifacts are left behind in the system. IOCs act as bread crumbs for investigators, providing little clues that can help identify the presence of an attack on a system. | ||
| Line 5: | Line 7: | ||
A common set: | A common set: | ||
| − | *Unusual outbound network traffic | + | * Unusual outbound network traffic |
| − | *Anomalies in privileged user account activity | + | * Anomalies in privileged user account activity |
| − | *Geographical irregularities in network traffic | + | * Geographical irregularities in network traffic |
| − | *Account login red flags | + | * Account login red flags |
| − | *Increases in database read volumes | + | * Increases in database read volumes |
| − | *HTML response sizes | + | * HTML response sizes |
| − | *Large numbers of requests for the same file | + | * Large numbers of requests for the same file |
| − | *Mismatched port-application traffic, including encrypted traffic on plain ports | + | * Mismatched port-application traffic, including encrypted traffic on plain ports |
| − | *Suspicious registry or system file changes | + | * Suspicious registry or system file changes |
| − | *Unusual DNS | + | * Unusual DNS requests |
| − | *Mobile device profile changes | + | * Unexpected patching of systems |
| − | *Bundles of data in the wrong place | + | * Mobile device profile changes |
| − | *Web traffic with nonhuman behavior | + | * Bundles of data in the wrong place |
| − | *Signs of DDoS activity, even if temporary | + | * Web traffic with nonhuman behavior |
| + | * Signs of DDoS activity, even if temporary | ||
| + | |||
| + | == Related terms == | ||
| + | * [[IOA]] | ||
==See also== | ==See also== | ||
| − | *{{ | + | * {{SOC}} |
| + | * {{CEH}} | ||
| + | |||
| + | [[Category: Security]] | ||
Latest revision as of 06:29, 7 September 2021
wikipedia:Indicator of compromise
When a threat actor makes changes to a system, either by direct action, malware, or other exploits, forensic artifacts are left behind in the system. IOCs act as bread crumbs for investigators, providing little clues that can help identify the presence of an attack on a system.
There are toolsets to aid the investigator in this task. Tools such as YARA.
A common set:
- Unusual outbound network traffic
- Anomalies in privileged user account activity
- Geographical irregularities in network traffic
- Account login red flags
- Increases in database read volumes
- HTML response sizes
- Large numbers of requests for the same file
- Mismatched port-application traffic, including encrypted traffic on plain ports
- Suspicious registry or system file changes
- Unusual DNS requests
- Unexpected patching of systems
- Mobile device profile changes
- Bundles of data in the wrong place
- Web traffic with nonhuman behavior
- Signs of DDoS activity, even if temporary
Related terms[edit]
See also[edit]
Advertising:
