Questions tagged [indicator-of-compromise]

12 questions
3 votes, 4 answers

Indicator of Compromise effective periods

How long should IOCs be monitored even though they might be "outdated"? Are there best practices or other reasonings? I would think monitoring IOCs indefinitely is not ideal. Perhaps 90 days would suffice? Example: An IP IOC will not be effective…
Lester T.
2 votes, 2 answers

What to make of inconsistent TFA/2FA verification emails from AOL

My parents use AOL (there's no point trying to migrate them at this stage) with two factor authentication. My father let me know that he recently received an identity log in verification email that looks suspicious. The resolved client location in…
Will Haley
2 votes, 0 answers

Refurbished Samsung Galaxy Watch - check for compromise

I recently purchased a refurbished Samsung Galaxy Watch off Amazon through a third-party seller. Now, a few hours later, it occurs to me that it is possible that the previous owner could have rooted the device and that the refurbishing process did…
TheHans255
1 vote, 0 answers

How did SolarWinds get hacked? And was the Orion update put out without human approval?

Obviously there is massive information about the SolarWinds Orion hack itself of the malicious DLL injected into the update:…
Ethan Allen
0 votes, 2 answers

Are there Indicators of Attack or Indicators of Compromise (IoA, IoC) or suspicious events specific to stalkerware?

By stalkerware I mean the type of spyware that is typically marketed as a tool to catch a cheating spouse (or similar). I am asking because the motive for this type of attack is somewhat different from other attacks. If the goal of an attacker using…
user266997
0 votes, 1 answer

Pornographic image in Wikipedia app

I opened up the Wikipedia app on my iPhone today and saw that the featured article on the main page was on “Henry IV, Holy Roman Emperor”. However, the image displayed for the article was a closeup picture of male genitalia. I was shocked and,…
0 votes, 1 answer

Why am I seeing this in /var/log?

I've noticed a lot of weird logs in /var/log on my server. For example: cd /var/log/DIST00000001ARGC00000005ARGV00000002ccARGV00000002-cARGV00000006nmap.cARGV00000002-oARGV00000006nmap.oDOTI00000000 sudo cat user.log Jun 30 16:48:08…
0 votes, 1 answer

How can I add a MISP STIX feed to LogRhythm?

I have a MISP server set up. I then use a REST API endpoint to get a STIX feed from that server. This portion appears to be working fine. I then try to add that STIX feed to LogRhythm's Threat Intelligence Service manager. It tells me that it is…
trallgorm
0 votes, 0 answers

Logged in with a hacker's email address

I have an active account at ebay-kleinanzeigen.de (like Craigslist in the US). Today I got a valid email from them that my email address was changed. On my mac, I opened up my ebay-kleinanzeigen account in my Chrome browser and was logged in with…
0 votes, 0 answers

Threat Hunting Observations: Basic Scoring Jupyter Notebook for Running Processes on Windows Operating Systems

I am trying to create a scoring Jupyter Notebook for Windows processes, and I was wondering exactly what information I would need to generate a basic score for each process running on a Windows machine. For the information retrieval I…
Hilo21
0 votes, 2 answers

On urlscan.io Indicators of Compromise, what do the hashes represent?

When I look up a domain of interest on urlscan.io, I see a lot of interesting information. When I click on "Indicators of compromise" (IOC), I see a list of hashes that are actually links to pages full of information that I don't understand. Example…
mcgyver5
-1 votes, 1 answer

Unknown localhost connections: Is this indication of continued compromise of device?

I have a stalker, and six months ago he got someone to evil-maid my devices with a USB stick that person had borrowed (which then took me three months to discover). This attack appeared to have rootkitted my devices with a VM-level…