Indicators of Compromise List and Recommended Security Measures

by Ajit Gaddam on April 13, 2012

Unlike the loss of a physical device, when an attacker breaks into your corporate network you still have your data after they steal it, so the theft itself gives you no signal. It is more important than ever to be able to detect that your company has been broken into. This article identifies a number of indicators of compromise activity on a corporate network. It is not an exhaustive list, and I will keep adding to it along with recommended security measures you can take to detect and prevent activity that could lead to a compromise of your network by attackers.

Logging: When you log, you can detect and identify unusual activity on your network and on the endpoints.

  • Track log file line count and line length. Establish, at a minimum, an average baseline of your log file size, then trigger alerts when the log size increases or, worse still, when the number of events for the day decreases
  • Look for spikes in traffic types (e.g. SSH, FTP, DNS) and baseline the number of events, including bandwidth usage
  • Look at the country of origin of IP connections (overall and per protocol)
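The baseline-and-alert logic from the logging bullets, as an added example that is not code from the original post. It assumes you already have a nightly line count per protocol log; the history and today's counts below are constructed, and the 3-sigma threshold is an assumed starting point.

```python
import statistics

# Constructed daily log line counts per traffic type, oldest day first. Real input
# would be a nightly count of lines per protocol log from your log collector.
HISTORY = {
    "2012-04-01": {"ssh": 1200, "ftp": 80, "dns": 50000},
    "2012-04-02": {"ssh": 1150, "ftp": 95, "dns": 51000},
    "2012-04-03": {"ssh": 1250, "ftp": 90, "dns": 49000},
    "2012-04-04": {"ssh": 1180, "ftp": 85, "dns": 50500},
    "2012-04-05": {"ssh": 1220, "ftp": 100, "dns": 49500},
}
# Constructed counts for today: SSH has spiked and DNS logging has almost stopped.
TODAY = {"ssh": 1600, "ftp": 88, "dns": 5000}

def with_total(day):
    """Add the whole-log line count ('_total') alongside the per-type counts."""
    return {**day, "_total": sum(day.values())}

def baseline(history, key):
    """Mean and population stdev of the daily count for one key."""
    counts = [with_total(day).get(key, 0) for day in history.values()]
    return statistics.mean(counts), statistics.pstdev(counts)

def check_day(history, today, z_threshold=3.0):
    """Compare today's counts against the baseline. Returns {key: 'spike' | 'drop'}
    for every traffic type (and the total) that deviates by more than z_threshold
    standard deviations; a drop is the more worrying case the bullet calls out."""
    today = with_total(today)
    keys = set(today)
    for day in history.values():
        keys |= set(with_total(day))
    alerts = {}
    for key in sorted(keys):
        mean, sd = baseline(history, key)
        sd = max(sd, 1.0)  # floor so a perfectly flat history still yields a finite z
        z = (today.get(key, 0) - mean) / sd
        if z > z_threshold:
            alerts[key] = "spike"
        elif z < -z_threshold:
            alerts[key] = "drop"
    return alerts

if __name__ == "__main__":
    for key, kind in check_day(HISTORY, TODAY).items():
        print(f"ALERT {kind}: {key} = {with_total(TODAY)[key]}")
```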

Endpoint

  • Scan for the software/tools listed in “List of Publicly Available Tools used for Attacks” below. This includes scanning for non-malicious network utilities like SysInternals and PsTools, which AV does not rate as malicious but which are good tools in the hands of an attacker.
  • Scan for RDP sessions in HKCU\Software\Microsoft\Windows\Shell\BagMRU and related keys
  • Scan for remote access services – VNC, RDP
  • Scan for remote access ports (TCP 3389, RDP or VNC)
  • Scan for batch files and scripts
  • Scan for multiple archive files – ZIPs and RARs including encrypted compressed files
  • Scan for RAR/ZIP file signatures in page files and unallocated space
  • Scan for programs run in the AppCompatCache
  • Scan for sysadmin tools executed such as tlist.exe, local.exe, kill.exe
  • Scan for files in the root of C:\RECYCLER
  • Scan for anomalies such as an abnormal source location or logon time (for example, after 7pm EST) and other time-of-use rules and baselines

Below are items that could indicate compromise or could indicate potential malicious activity on your network.

Network Inbound

Network Lateral

  • Detect fingerprinting of devices. Put any authorized crawlers in an exception group, but alert on any other device/asset polling the other assets on the internal network (a bot, a worm, or someone crawling through your internal network)
  • Check Windows event logs for lateral movement across the network using the native Windows commands net view and net use
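The Windows event checks from the Network Lateral bullets and from the Endpoint bullets on logon time and sysadmin tools, as an added example that is not code from the original post. It assumes Security events already flattened to dicts (4624 logons, 4688 process creation with command-line auditing on); the events, the 10.1.0.0/16 "normal" subnet, the 07:00-19:00 working window and the fixed EST offset are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

EST = timezone(timedelta(hours=-5))       # assumed fixed offset; the text says "7pm EST"
WORK_START, WORK_END = 7, 19              # flag logons before 07:00 or from 19:00 onward
INTERNAL = [ip_network("10.1.0.0/16")]    # assumed corporate subnet for "normal" sources
ADMIN_TOOLS = {"tlist.exe", "local.exe", "kill.exe"}
# net.exe hands "use"/"view" to net1.exe, so watch both binaries
LATERAL_CMDS = {(exe, verb) for exe in ("net.exe", "net1.exe") for verb in ("view", "use")}

# Constructed Windows Security events, flattened to dicts (timestamps in UTC).
EVENTS = [
    {"EventID": 4624, "Time": "2012-04-13T14:05:00Z", "User": "jsmith", "IpAddress": "10.1.5.23"},
    {"EventID": 4624, "Time": "2012-04-14T02:30:00Z", "User": "jsmith", "IpAddress": "10.1.5.23"},
    {"EventID": 4624, "Time": "2012-04-13T15:00:00Z", "User": "svc_backup", "IpAddress": "192.168.77.9"},
    {"EventID": 4688, "Time": "2012-04-13T15:10:00Z", "User": "jsmith",
     "NewProcessName": "C:\\Windows\\System32\\net.exe", "CommandLine": "net view \\\\fileserver01"},
    {"EventID": 4688, "Time": "2012-04-13T15:11:00Z", "User": "jsmith",
     "NewProcessName": "C:\\Windows\\System32\\net1.exe", "CommandLine": "net1 use Z: \\\\fileserver01\\share"},
    {"EventID": 4688, "Time": "2012-04-13T15:12:00Z", "User": "jsmith",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 4688, "Time": "2012-04-13T15:13:00Z", "User": "jsmith",
     "NewProcessName": "C:\\Tools\\tlist.exe", "CommandLine": "tlist.exe"},
]

def check_event(ev):
    """Return the list of rule names this event trips (empty if none)."""
    hits = []
    if ev["EventID"] == 4624:
        local = datetime.fromisoformat(ev["Time"].replace("Z", "+00:00")).astimezone(EST)
        if not WORK_START <= local.hour < WORK_END:
            hits.append("off_hours_logon")
        src = ip_address(ev["IpAddress"])
        if not any(src in net for net in INTERNAL):
            hits.append("abnormal_source")
    elif ev["EventID"] == 4688:
        exe = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
        args = ev["CommandLine"].split()[1:]
        if exe in ADMIN_TOOLS:
            hits.append("admin_tool_executed")
        if args and (exe, args[0].lower()) in LATERAL_CMDS:
            hits.append("lateral_net_command")
    return hits

def scan(events):
    """Flatten all hits across a batch of events into (time, user, rule) rows."""
    return [(ev["Time"], ev["User"], hit) for ev in events for hit in check_event(ev)]
```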

Network Outbound

  • Detect endpoint attempts to access a website URL using an IP address rather than a FQDN. Think about how many users in your network type 173.194.73.106 instead of www.google.com into their web browser.
  • Detect endpoint attempts to access a non-routable IP address
  • Detect endpoint attempts to access the internet via non-proxied ports in an enterprise
  • Monitor for increases in encrypted data outbound, whether it is traffic over 443 or encrypted email outbound. Also monitor for non-SSL traffic going to port 443
  • Monitor outbound communication via odd ports, protocols, and services (egress filtering)
  • Detect ZIP, RAR or CAB formatted files outbound. These can be identified by their file headers.
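The outbound checks above, as an added example that is not code from the original post: IP-literal hosts, non-routable destinations, egress that bypasses the proxy or uses odd ports, non-TLS traffic on 443, and archive files recognised by their headers. The records are constructed (the Host header, resolved IP, port, whether the connection went through the proxy, and the first payload bytes), and the assumption that the proxy fronts only ports 80 and 443 is mine.

```python
from ipaddress import ip_address

PROXIED_PORTS = {80, 443}           # assumed: the enterprise proxy fronts only web ports
ARCHIVE_MAGIC = {                   # file-header signatures for the formats the text names
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"MSCF": "cab",
}

def archive_type(payload):
    """Return 'zip'/'rar'/'cab' if the payload starts with that header, else None."""
    for magic, name in ARCHIVE_MAGIC.items():
        if payload.startswith(magic):
            return name
    return None

def is_ip_literal(host):
    """True when the Host/URL host part is a bare IP rather than a FQDN."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def check_connection(rec):
    """Evaluate one outbound record against the indicators above; return rule names."""
    hits = []
    dst = ip_address(rec["dst_ip"])
    if is_ip_literal(rec["host"]):
        hits.append("ip_literal_url")
    if dst.is_private:
        hits.append("non_routable_destination")
    elif rec["dst_port"] not in PROXIED_PORTS or not rec["via_proxy"]:
        hits.append("non_proxied_egress")
    # A TLS session starts with a handshake record: content type 0x16, version 0x03xx
    if rec["dst_port"] == 443 and not rec["payload"].startswith(b"\x16\x03"):
        hits.append("non_tls_on_443")
    kind = archive_type(rec["payload"])
    if kind:
        hits.append(f"archive_outbound_{kind}")
    return hits

# Constructed records; 173.194.73.106 is the public address quoted in the text.
RECORDS = [
    {"host": "www.google.com", "dst_ip": "173.194.73.106", "dst_port": 443, "via_proxy": True, "payload": b"\x16\x03\x01\x00\xa5\x01"},
    {"host": "173.194.73.106", "dst_ip": "173.194.73.106", "dst_port": 80, "via_proxy": True, "payload": b"GET / HTTP/1.1\r\n"},
    {"host": "10.0.0.1", "dst_ip": "10.0.0.1", "dst_port": 8080, "via_proxy": False, "payload": b"GET / HTTP/1.1\r\n"},
    {"host": "update.example", "dst_ip": "173.194.73.106", "dst_port": 443, "via_proxy": False, "payload": b"Rar!\x1a\x07\x00"},
    {"host": "files.example", "dst_ip": "173.194.73.106", "dst_port": 4444, "via_proxy": False, "payload": b"PK\x03\x04\x14\x00"},
]
```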

List of Publicly Available Tools used for Attacks

A number of publicly and freely available tools are used by attackers to target your network and to steal data from your company. Sometimes these are custom tools; others are legitimate tools employed by your own system administrators and may not stand out as suspicious. Below is a list of such tools, including some sourced from the Mandiant M-Trends Report.

| Tool Name | Type | Description |
|---|---|---|
| ASPXSpy | Remote Access | Can perform remote command execution, upload/download files, interact with SQL databases, query registry keys, perform port scans |
| Gh0st RAT | Remote Access | Backdoor with a graphical client builder and server |
| Poison Ivy | Remote Access | Backdoor with comprehensive remote access capabilities on a compromised system. Has a graphical management interface |
| Radmin | Remote Access | Popular remote administration tool |
| Xdoor | Remote Access | Backdoor with key logging functionality, audio/video capture, file transfers, HTTP proxy, system information retrieval, reverse command shell, DLL injection and command execution |
| ZXshell | Remote Access | Backdoor that includes key logging, file transfer, SYN floods; can launch processes, steal credentials and disable local firewalls |
| Cachedump | Privilege Escalation | Obtains password hashes for domain logins that are cached in the Windows registry |
| GetHashes | Privilege Escalation | Obtains password hashes from the SAM file |
| Gsecdump | Privilege Escalation | Obtains password hashes from the Windows registry, SAM file, cached domain credentials and LSA secrets |
| Hookmsgina | Privilege Escalation | Hooks into the MS GINA (msgina.dll) and dumps the username, password and domain to a file |
| Incognito | Privilege Escalation | Performs Windows access token manipulation |
| Pass-the-Hash toolkit | Privilege Escalation | Accesses hashes of users who have interactively logged into a system and allows an attacker to impersonate those users by presenting those hashes to other systems |
| Pwdump | Privilege Escalation | Obtains password hashes from the SAM file. Many of the password dumping tools are variants of Pwdump |
| Windows Credential Editor (WCE) | Privilege Escalation | Can grab current sessions, modify credentials, and perform pass-the-hash |
| Htran | Port director | Can take incoming traffic on one port and send it to a specified IP and port on another system |
| PsTools | Lateral movement | Remotely invokes executables across a network. Part of the SysInternals tools (esp. PsLoggedOn, PsExec, PsService, PsInfo) |
