
Indicators of Compromise List and Recommended Security Measures

Unlike the loss of a physical device, if an attacker breaks into your corporate network you still have your data after they steal it, so the theft is easy to miss. It is more important than ever to detect whether your company has been broken into by a hacker. This article identifies a number of indicators of compromise activity on a corporate network. It is not an exhaustive list, and I will keep adding to it, along with any recommended security measures you can take to detect and prevent activity that could lead to a compromise of your network by attackers.

Logging: When you log, you can detect and identify unusual activity on your network and on the endpoints.

  • Track log file line count and log file line length. Establish at minimum an average baseline of your log file size, then trigger alerts when the log size increases or, even worse, when the number of events for the day decreases.
  • Look for spikes in traffic types (e.g. SSH, FTP, DNS) and baseline the number of events per type, including bandwidth usage.
  • Look at the country of origin of IP connections (overall or by protocol).
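As an added example (not code from the original post), the log-volume baselining described above in Python: per-protocol daily event counts are compared against a trailing window, and both spikes and drops are reported. The daily counts are constructed sample data, and the window and tolerance (k standard deviations, floored at 20% of the mean) are assumptions.

```python
import statistics

# Constructed sample (not real data): one dict per day, protocol -> event count.
SAMPLE_DAYS = [
    {"ssh": 120, "dns": 5000, "ftp": 10},
    {"ssh": 130, "dns": 5100, "ftp": 12},
    {"ssh": 110, "dns": 4900, "ftp": 9},
    {"ssh": 125, "dns": 5050, "ftp": 11},
    {"ssh": 118, "dns": 5000, "ftp": 10},
    {"ssh": 900, "dns": 5020, "ftp": 0},  # SSH spike, and FTP events vanish
]

def deviations(history, today, k=3.0):
    """Compare today's per-protocol counts with the trailing baseline.

    Returns (protocol, direction, today_value, baseline_mean) tuples.
    A 'drop' is reported as well as a 'spike', because a fall in event
    volume can mean logging was disabled or log files were deleted.
    k is the assumed number of standard deviations that counts as abnormal.
    """
    findings = []
    protocols = set(today) | {p for day in history for p in day}
    for proto in sorted(protocols):
        series = [day.get(proto, 0) for day in history]
        if len(series) < 2:
            continue  # not enough history to call anything a baseline
        mean = statistics.mean(series)
        # Floor the tolerance so a very flat baseline does not alert on noise.
        tolerance = max(k * statistics.pstdev(series), 0.2 * mean, 1.0)
        value = today.get(proto, 0)
        if value > mean + tolerance:
            findings.append((proto, "spike", value, mean))
        elif value < mean - tolerance:
            findings.append((proto, "drop", value, mean))
    return findings

def total_volume_deviations(history, today, k=3.0):
    """The same check applied to the whole log: total events per day."""
    totals = [{"total": sum(day.values())} for day in history]
    return deviations(totals, {"total": sum(today.values())}, k)

def main():
    history, today = SAMPLE_DAYS[:-1], SAMPLE_DAYS[-1]
    for proto, direction, value, mean in deviations(history, today):
        print(f"{proto}: {direction} ({value} vs baseline {mean:.1f})")
    print("whole-log check:", total_volume_deviations(history, today) or "nothing")

if __name__ == "__main__":
    main()
```

On this data the whole-log check stays quiet because the SSH spike and the FTP drop partly cancel out in the daily total, while the per-type check fires on both; that is the case for baselining each traffic type as well as the overall log size.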

Endpoint

  • Scan for the software/tools listed in “List of Publicly Available Tools used for Attacks” below. This includes scanning for non-malicious network utilities such as SysInternals and PsTools, which are not rated as malicious by AV and other products but are good tools for an attacker to use.
  • Scan for RDP sessions in HKCU\Software\Microsoft\Windows\Shell\BagMRU and related keys
  • Scan for remote access services – VNC, RDP
  • Scan for remote access ports (e.g. TCP 3389 for RDP, or the VNC ports)
  • Scan for batch files and scripts
  • Scan for multiple archive files – ZIPs and RARs, including encrypted compressed files
  • Scan for RAR/ZIP file compression in page files and unallocated space
  • Scan for programs run, as recorded in the AppCompatCache
  • Scan for sysadmin tools executed, such as tlist.exe, local.exe, kill.exe
  • Scan for files in the root of C:\RECYCLER
  • Scan for anomalies such as an abnormal source location or logon time (for example, after 7pm EST) and other time-of-use rules and baselines


Below are items that could indicate a compromise or potential malicious activity on your network.

Network Inbound

Network Lateral

  • Detect fingerprinting of devices: put any authorized crawlers in an exception group, then alert on any other device/asset polling the other assets on the internal network (a bot, a worm, or someone crawling through your internal network)
  • Check Windows event logs for lateral movement across the network using the native Windows commands net view and net use
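An added example (not from the original post) that implements both lateral-movement checks above in Python: one function flags internal sources that fan out to many distinct hosts while skipping an authorized-crawler exception group, the other flags net use / net view executions in process-creation records. The flow records, the 4688-shaped records, the exception group and the fan-out threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed exception group: hosts allowed to sweep the network (vuln scanners, inventory crawlers).
AUTHORIZED_CRAWLERS = {"10.0.0.50"}
FANOUT_THRESHOLD = 5  # distinct internal targets one source may touch before we alert

# Constructed flow records: (source_ip, dest_ip, dest_port)
SAMPLE_FLOWS = (
    [("10.0.0.50", f"10.0.1.{i}", 445) for i in range(1, 40)]   # the authorized scanner
    + [("10.0.0.23", f"10.0.1.{i}", 445) for i in range(1, 12)]  # a workstation sweeping SMB
    + [("10.0.0.31", "10.0.2.10", 443), ("10.0.0.31", "10.0.2.11", 443)]  # normal use
)

def fanout_alerts(flows):
    """Map source -> number of distinct targets, for sources that look like they are crawling."""
    targets = defaultdict(set)
    for src, dst, _ in flows:
        if src not in AUTHORIZED_CRAWLERS:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= FANOUT_THRESHOLD}

# Constructed process-creation records in the shape of Windows event 4688: (host, user, command line)
SAMPLE_4688 = [
    ("WS01", "CORP\\alice", "net  use \\\\FS01\\c$ /user:CORP\\svc-backup"),
    ("WS01", "CORP\\alice", "net view \\\\FS02"),
    ("WS02", "CORP\\bob", "net use H: \\\\FS01\\home"),
    ("WS03", "CORP\\carol", "notepad.exe report.txt"),
]
# net / net1 / net.exe, optionally with a path, followed by the use or view verb
NET_LATERAL = re.compile(r"^(?:.*\\)?net1?(?:\.exe)?\s+(use|view)\b(.*)$", re.IGNORECASE)
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(?:[a-z]|admin)\$", re.IGNORECASE)

def net_command_alerts(records):
    """Flag net use / net view executions; mapping an administrative share ranks higher."""
    alerts = []
    for host, user, cmdline in records:
        m = NET_LATERAL.match(cmdline.strip())
        if not m:
            continue
        verb, rest = m.group(1).lower(), m.group(2)
        severity = "high" if verb == "use" and ADMIN_SHARE.search(rest) else "medium"
        alerts.append((host, user, verb, severity))
    return alerts
```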

Network Outbound

  • Detect endpoint attempts to access a website URL by IP address rather than by FQDN. Think about how many users on your network would type 173.194.73.106 instead of www.google.com into their web browser.
  • Detect endpoint attempts to access a non-routable IP address
  • Detect endpoint attempts to access the internet via non-proxied ports in an enterprise
  • Monitor for increases in encrypted data outbound, whether it is traffic over port 443 or encrypted emails. Also monitor for non-SSL traffic going to port 443
  • Monitor outbound communication via odd ports, protocols, and services (egress filtering)
  • Detect ZIP, RAR or CAB formatted files outbound. These can be identified via their file headers.
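An added example (not code from the original post) covering the outbound checks above and the archive-file scan from the Endpoint section: it identifies ZIP, RAR and CAB content by its leading bytes and runs three indicators over proxy log lines (IP-literal URL, non-routable destination, non-proxied port). The log format, the sample lines and the allowed egress ports are constructed assumptions, not any product's real format.

```python
import ipaddress
import re
# Leading bytes that identify archive formats, on disk or in an outbound stream.
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"MSCF": "cab"}
# Assumption: only these ports may leave the enterprise without going via the proxy.
ALLOWED_EGRESS_PORTS = {80, 443}
# Constructed proxy log format (not a real product's): time client host dest_ip port bytes_out
LOG_RE = re.compile(r"(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)")
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 www.example.com 93.184.216.34 443 1200
2024-01-01T09:01:00 10.0.0.5 173.194.73.106 173.194.73.106 80 300
2024-01-01T09:02:00 10.0.0.7 update.internal 10.0.5.9 8443 50
2024-01-01T09:03:00 10.0.0.9 files.example.net 93.184.216.34 4444 9000
"""

def archive_type(data):
    """Return 'zip', 'rar', 'cab' or None from the first bytes of a file or stream."""
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def is_ip_literal(host):
    # True when the request named an address such as 173.194.73.106 instead of a FQDN.
    try:
        ipaddress.ip_address(host.strip("[]"))  # IPv6 literals are bracketed in URLs
        return True
    except ValueError:
        return False

def check_line(line):
    """Return the outbound indicators triggered by one proxy log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    _, _, host, dest_ip, port, _ = m.groups()
    findings = []
    if is_ip_literal(host):
        findings.append("ip-literal-url")
    if not ipaddress.ip_address(dest_ip).is_global:  # RFC 1918, loopback, link-local, bogons
        findings.append("non-routable-destination")
    if int(port) not in ALLOWED_EGRESS_PORTS:
        findings.append("non-proxied-port")
    return findings

def scan_log(text):
    # Return (requested_host, indicators) for every line that triggered something.
    results = []
    for line in text.splitlines():
        hits = check_line(line)
        if hits:
            results.append((line.split()[2], hits))
    return results
```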

List of Publicly Available Tools used for Attacks

A number of publicly and freely available tools are used by attackers to target your network and to steal data from your company. Sometimes these are custom tools; others are legitimate tools employed by your own system administrators and may not stand out as suspicious. Below is a list of such tools, including some sourced from the Mandiant M-Trends Report.

| Tool Name | Type | Description |
|---|---|---|
| ASPXSpy | Remote Access | Can perform remote command execution, upload/download files, interact with SQL databases, query registry keys, perform port scans |
| Gh0st RAT | Remote Access | Backdoor with a graphical client builder and server |
| Poison Ivy | Remote Access | Backdoor with comprehensive remote access capabilities on a compromised system. Has a graphical management interface |
| Radmin | Remote Access | Popular remote administration tool |
| Xdoor | Remote Access | Backdoor with key logging functionality, audio/video capture, file transfers, HTTP proxy, system information retrieval, reverse command shell, DLL injection and command execution |
| ZXshell | Remote Access | Backdoor that includes key logging, file transfer and SYN floods; can launch processes, steal credentials and disable local firewalls |
| Cachedump | Privilege Escalation | Obtains password hashes for domain logins that are cached in the Windows registry |
| GetHashes | Privilege Escalation | Obtains password hashes from the SAM file |
| Gsecdump | Privilege Escalation | Obtains password hashes from the Windows registry, SAM file, cached domain credentials and LSA secrets |
| Hookmsgina | Privilege Escalation | Hooks into the MS GINA (msgina.dll) and dumps the username, password and domain to a file |
| Incognito | Privilege Escalation | Performs Windows access token manipulation |
| Pass-the-Hash toolkit | Privilege Escalation | Accesses hashes of users who have interactively logged into a system and allows an attacker to impersonate those users by using those hashes against other systems |
| Pwdump | Privilege Escalation | Obtains password hashes from the SAM file. Many of the password dumping tools are variants of Pwdump |
| Windows Credential Editor (WCE) | Privilege Escalation | Can grab current sessions, modify credentials, and perform pass-the-hash |
| Htran | Port director | Takes incoming traffic on one port and sends it to a specified IP and port on another system |
| PsTools | Lateral movement | Ability to remotely invoke an executable across a network. Part of the SysInternals tools (esp. PsLoggedOn, PsExec, PsService, PsInfo) |


Author: Ajit Gaddam

Ajit Gaddam is an accomplished technology executive and is currently the Head of Security Engineering at Visa, where he is responsible for building large scale AI driven cybersecurity products, leading engineering programs, and providing expert guidance on cybersecurity matters. He has presented at conferences worldwide, including USENIX Enigma, RSA, Black Hat, Strata Data Hadoop, COSO Dublin, and GCS Ukraine. Ajit has been quoted by major media organizations and his work has been showcased in academic journals, security publications, and in two published books. He is an active participant in various open source and standards bodies, is a prolific inventor of disruptive technologies (over 100+ global patents), and moonlights as an instructor (SANS, community colleges).
