Questions tagged [ioc]

IoC (indicator of compromise), an observation during a forensic investigation that indicates that an intrusion probably took place

An indicator of compromise (IoC) on a computer system is an observation indicating that an intrusion has likely taken place: for example, the signature of known malware, or a network connection to a command-and-control server.

15 questions
4 votes, 2 answers

IoCs of Pegasus spyware penetration

What are the indicators of compromise (IoCs) that indicate methods used by the Pegasus spyware on mobile phones? How is penetration still possible when the latest and up-to-date OS of the phone is used?
HadidAli
  • 560
  • 3
  • 10
3 votes, 0 answers

Essential / popular TAXII feeds

TAXII feeds are a great addition to a monitoring solution such as a SIEM. However, to my knowledge, there are only three distinct openly available providers: Hail A TAXII, OTX, Limo. What other threat feeds based on TAXII/STIX are available?
Elhitch
  • 403
  • 3
  • 11
3 votes, 4 answers

Indicator of Compromise effective periods

How long should IOCs be monitored even though they might be "outdated"? Are there best practices or other reasonings? I would think monitoring IOCs indefinitely is not ideal. Perhaps 90 days would suffice? Example: An IP IOC will not be effective…
Lester T.
  • 1,263
  • 1
  • 9
  • 21
2 votes, 1 answer

sandboxing IoCs and signatures

Sandboxes are used for automated extraction of indicators of compromise (IoCs) that can be used to write signatures. Can this signature then be used, for example, on an IPS system to block certain actions?
blabla_trace
  • 236
  • 1
  • 9
2 votes, 1 answer

What is an indicator of compromise?

I'm struggling to understand what is an indicator of compromise. I found different definitions on the web but I still don't know. The definitions I found are: 1 - Something (file, network connection) that indicates a system has been compromised. 2…
John kazaz
  • 21
  • 3
1 vote, 2 answers

Endpoint protection: How to search an organisation for a hash value

As part of incident response to malicious code outbreak and given the hash value of the malicious artifact, I would like to search across the entire organization for this specific hash value. Do you know of best practices or solutions that implement…
user1192748
  • 273
  • 1
  • 8
1 vote, 2 answers

How to respond to Indicators of Compromise?

We've received frequent emails from our Threat Intelligence Group with IoC artifacts, such as file names, hashes, domains/URLs. They request us to do preventive measures for the given attributes. However, I find it very hard to follow their…
sanba06c
  • 103
  • 9
1 vote, 0 answers

Finding a mimikatz file on a compromised host?

So I am currently struggling with a cyber security lab, and after searching various online sources and reading documentation I can't find a solution. The 2 tasks are as follows: "The attacker has deployed the Mimikatz tool to attempt to capture…
1 vote, 1 answer

When to model a concept via object vs taxonomy vs galaxy in MISP?

Taxonomies in MISP are a triple of (namespace, predicate, value) referred to as "machinetags". Galaxies seem to be similar. The MISP galaxy docs state that MISP galaxy is a simple method to express a large object called cluster that can be…
turtlemonvh
  • 111
  • 5
1 vote, 1 answer

Indicator of Compromise - Mozilla Firefox - Malware Redirect

I am having a strange issue where dragging and dropping an email onto a Mozilla Firefox window redirects the first tab to one of several websites, and the second tab opens with some text from the message in the address bar. Been able to repeat this…
skrap3e
  • 175
  • 7
1 vote, 0 answers

RegistryItem IndicatorItems in OpenIOC - what levels are required

I have seen people specify RegistryItem/KeyPath, RegistryItem/ValueName, RegistryItem/Value to fully specify the value of a registry entry, and others just use RegistryItem/Path, RegistryItem/Text How do I know the proper way of creating this XML…
Scott C Wilson
  • 543
  • 3
  • 11
0 votes, 0 answers

OpenIOC terms and attributes

How to map URL IOCs in the OpenIOC domain? I thought Network/URI would be the more appropriate term but then I saw an open source project mapping from Network/URI in OpenIOC to URI in MISP and from Network/String in OpenIOC to URL in MISP, I'm not…
0 votes, 2 answers

How do I list IP addresses a system is connecting to from its memory dump or OS image (obtained from FTK Imager)?

I'm looking for a tool that will enumerate the IP addresses that a system is connecting to. This is mainly for forensic purposes, to gather IOCs. I know we can run a netstat on windows, but would like something that is comprehensive and reports all…
-1 votes, 1 answer

indicators of compromise via email servers

Malicious files are commonly infiltrated onto the network via email attachments. Besides awareness and education to my staff to refrain from clicking on suspicious attachments, I would also like to improve the security posture via technology. Are…
Pang Ser Lark
  • 1,929
  • 2
  • 16
  • 26
-1 votes, 1 answer

How to read command line argument for potential issue

I have an IOC that has a command line argument that looks like this below. Wanted to see if someone could help me parse it out a little bit to understand what is happening. C:\Windows\System32\mshta.exe…
rschapman
  • 3
  • 2