Indicators of compromise

IOCs

Hash values

Hash algorithms compute a message digest of the entire input and output a fixed-length hash that is unique to the given input

If the contents of two files vary even by a single bit, the hash values of the two files will be entirely different

SHA256, SHA1 and MD5 are the three most common examples of this type of hash

Hash IOCs correspond to specific suspicious or malicious files and are frequently used to provide unique references to a specific sample of malware or to files involved in an intrusion

Hash values of known malware or of files involved in an intrusion can be used by threat hunters to proactively block them or to detect their presence in the environment

The reason these IOCs sit at the widest part of the Pyramid is that there are far too many of them. They are trivial for adversaries to change: any modification to the file results in a completely different and unrelated hash value
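As an added example (not part of the original notes), the following Python script hashes a constructed sample "file" with the three algorithms named above, flips one bit of it, and checks both versions against a constructed SHA256 blocklist; the digests and the blocklist are made up for this demonstration.

```python
import hashlib

# Constructed sample "file" contents; not a real malware sample.
ORIGINAL = b"MZ\x90\x00 constructed sample payload for the hash example\n"

# Constructed blocklist, as a threat hunter's hash-IOC list would hold it.
KNOWN_BAD_SHA256 = {hashlib.sha256(ORIGINAL).hexdigest()}


def digests(data: bytes) -> dict:
    """Return the MD5, SHA1 and SHA256 digests of data as hex strings."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def flip_one_bit(data: bytes, byte_index: int = -1, bit: int = 0) -> bytes:
    """Return a copy of data with one bit flipped: the adversary's trivial change."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def differing_hex_digits(a: str, b: str) -> int:
    """Count the positions at which two equal-length hex digests differ."""
    return sum(x != y for x, y in zip(a, b))


def is_known_bad(data: bytes) -> bool:
    """Hash-IOC check: an exact SHA256 match against the blocklist, nothing fuzzier."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


if __name__ == "__main__":
    variant = flip_one_bit(ORIGINAL)
    before, after = digests(ORIGINAL), digests(variant)
    for name in before:
        changed = differing_hex_digits(before[name], after[name])
        print(f"{name:6} {before[name]}")
        print(f"{'':6} {after[name]}  ({changed}/{len(before[name])} hex digits differ)")
    print("original on blocklist:     ", is_known_bad(ORIGINAL))
    print("1-bit variant on blocklist:", is_known_bad(variant))
```

Roughly 15 of every 16 hex digits change after the single-bit flip, and the blocklist no longer matches: the detection still works for the exact sample, but the adversary has escaped it at almost no cost.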

IP addresses

IP addresses are considered the most fundamental indicator: an adversary must have a network connection in order to carry out an attack, and that connection means there are adversary IP addresses associated with the attack

Threat hunters can leverage IP addresses related to an attack to proactively block them, or to detect their presence in the environment and take appropriate response actions

The reason they are easy for adversaries to handle is that any reasonably advanced adversary can change IP addresses as needed with very little effort

In some cases, where adversaries leverage anonymous proxy services like Tor, they may change IPs quite frequently and never even notice or care

That's why IP addresses are green in the pyramid. If you deny the adversary the use of one of their IPs, they can usually recover without breaking stride

Domain names

A domain-name IOC could be either a domain name itself (e.g., "evil.net"), a subdomain, or an even lower-level domain (e.g., "this.is.soo.evil.net")

Domain names are a step higher on the pyramid, but they are still green (though lighter), meaning they are still simple for adversaries to handle

Domain names are used by attackers for phishing campaigns, hosting malicious content, etc. Threat hunters can use them to proactively block phishing campaigns or to identify whether they are experiencing or have experienced one

These are slightly more of a pain than IP addresses for adversaries to handle because they must be registered, paid for and hosted

That said, there are many DNS providers with lax registration standards (many of them free), so in practice, it's not too hard to change domains

New domains may take up to a day or two to become visible throughout the Internet, so they are slightly harder to change than IP addresses

Network/host artifacts

Network and host artifacts are right in the middle of the Pyramid, where we get into the yellow zone. That is, adversaries are forced to spend some effort figuring out how their attack was detected and updating their tools

Network artifacts are any observables caused by adversary activities on a network, specifically activity that tends to distinguish malicious activity from that of legitimate users

Information about these artifacts can be leveraged to proactively detect and respond to attacks. This is the level on the Pyramid where there is some negative impact on the adversary, because the attacker must go back and reconfigure and/or recompile their tools

Examples

  • URI patterns

  • C2 information embedded in network protocols

  • Distinctive HTTP User-Agent

  • SMTP Mailer values

Hunters can use various tools to identify network artifacts:

  • Session recording

    • Windows: TDIMon records incoming and outgoing sessions

    • Linux/Unix: Argus records network flow data

  • Packet capture

    • Windows: Windump, Wireshark and Ethereal

    • Linux/Unix: Tcpdump, Ethereal and Wireshark

  • Network state monitoring

    • Windows: Tcpvcon, Netstat and Fport

    • Linux/Unix: lsof and Netstat

Host artifacts

Host artifacts are also right in the middle of the Pyramid, where we get into the yellow zone. That is, adversaries are forced to spend some effort to figure out how their attack is detected and update their tools

A host artifact is an observable caused by adversary activities on one or more of your hosts. The focus is on things that would tend to distinguish malicious activities from legitimate ones

  • Information about these artifacts can be leveraged to proactively detect and respond to an attack

  • This is the level on the Pyramid where there is some negative impact on the adversary. The attacker has to go back to their lab and reconfigure and/or recompile their tools

  • A great example would be when you find that the attacker's HTTP recon tool uses a distinctive User-Agent string when searching your web content. If you block any requests which present this User-Agent, you force them to go back and spend some time:

    • figuring out how you detected their recon tool and

    • fixing it
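As an added example (not part of the original notes), this Python script runs the two network-artifact checks discussed above, a distinctive HTTP User-Agent and a URI pattern, over constructed web-server log lines in Apache combined format. The log lines, the "ExampleRecon" User-Agent and the "/gate.php" URI pattern are all made-up values for illustration.

```python
import re

# Constructed web-server log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "ExampleRecon/1.3 (constructed)"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /gate.php?id=7 HTTP/1.1" 200 40 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.9 - - [10/Oct/2023:13:56:10 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "ExampleRecon/1.3 (constructed)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed network-artifact signatures (hypothetical values): a distinctive
# User-Agent string and a URI pattern, each matched as a regular expression.
USER_AGENT_SIGS = {"recon-tool-ua": re.compile(r"^ExampleRecon/")}
URI_SIGS = {"c2-gate-uri": re.compile(r"^/gate\.php\?id=\d+$")}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_artifacts(log_text):
    """Return (line_no, client_ip, signature_name) for every line hitting a signature."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently matched
        for name, rx in USER_AGENT_SIGS.items():
            if rx.search(rec["ua"]):
                hits.append((n, rec["ip"], name))
        for name, rx in URI_SIGS.items():
            if rx.search(rec["uri"]):
                hits.append((n, rec["ip"], name))
    return hits


if __name__ == "__main__":
    for n, ip, sig in find_artifacts(SAMPLE_LOG):
        print(f"line {n}: {ip} matched {sig}")
```

The same signatures can be turned into a block rule at the proxy or web server, which is what forces the adversary back to the lab to change their tool.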

Examples

  • Registry keys

  • Files or directories dropped in certain places or using certain names

  • Malicious Services

The Windows registry stores a variety of system configuration information

  • Run-time configuration

  • Time zone information

  • TCP/IP configuration

  • Installed software

Malware modifies registry keys to achieve persistence, altering how certain programs run or even disabling others

RegMon and RegShot can perform real-time registry monitoring and create before/after snapshot comparisons. They are used as part of malware analysis to identify
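As an added example (not part of the original notes, and not RegShot's own code), this Python script performs the before/after snapshot comparison described above on two constructed registry snapshots and flags the changes that land under the standard Run autostart keys. The key paths are the real Windows autostart locations; every value name and path under them is made up for the example.

```python
# Constructed before/after registry snapshots, the kind of input a RegShot-style
# comparison works from. The key paths are the standard Windows autostart
# locations; the value names and data are made up for this example.
AUTOSTART_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

BEFORE = {
    AUTOSTART_KEYS[0]: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    AUTOSTART_KEYS[1]: {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters": {"Hostname": "WS01"},
}

AFTER = {
    AUTOSTART_KEYS[0]: {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "Updater": r"C:\Users\Public\svchost.exe",  # constructed: new autostart value
    },
    # constructed: an existing autostart value now points somewhere else
    AUTOSTART_KEYS[1]: {"OneDrive": r"C:\Users\Public\Libraries\sync.vbs"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters": {"Hostname": "WS01"},
}


def diff_snapshots(before, after):
    """Return (change, key, value_name, data) for every added, removed or modified value."""
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if name not in b:
                changes.append(("added", key, name, a[name]))
            elif name not in a:
                changes.append(("removed", key, name, b[name]))
            elif a[name] != b[name]:
                changes.append(("modified", key, name, a[name]))
    return changes


def persistence_candidates(changes):
    """Keep only changes under an autostart key: the host artifacts to triage first."""
    return [c for c in changes if c[1] in AUTOSTART_KEYS]


if __name__ == "__main__":
    for change, key, name, data in persistence_candidates(diff_snapshots(BEFORE, AFTER)):
        print(f"{change:8} {key}\\{name} = {data}")
```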
