Malicious Activity Indicators


Sandbox Execution

  • if endpoint protection does not detect malicious activity, analyze the suspect code or host in a sandboxed environment
  • the sandbox is designed to record file system and registry changes plus network activity
  • a sheep dip is an isolated host used to test new software and removable media for malware indicators before it is authorized on the production network

Resource Consumption

Resource consumption is a potential indicator of malicious activity where CPU, memory, storage, and/or network usage deviates from expected norms.

  • detected using a performance monitor
  • typically only poorly written malware, or malware that performs intensive operations, exhibits this indicator

File System

  • malicious code is likely to interact with the file system and registry
  • can analyze file metadata for indicators
    • can help establish timeline of events
  • check for suspicious temporary files
  • attempts to access valuable data can be revealed by blocked content indicators
    • an access denied message is logged when a user account attempts to read or modify a file it does not have permission to access, provided ACL auditing and audit logging are enabled
  • sensitive information may also be protected by data loss prevention (DLP)

Resource Inaccessibility

Resource inaccessibility is a potential indicator of malicious activity where a file or service resource that should be available is inaccessible.

  • indicator of a denial of service (DoS) attack
  • a network-based DoS attack will often create large numbers of connections
  • data resources might be made inaccessible by a ransomware attack
  • malware might disable scanning and monitoring utilities to evade detection

Account Compromise

  • indicators that reveal suspicious account behavior:
    • Account lockout
      • the system has prevented access to the account because too many failed authentication attempts have been made
      • could also mean that the user’s password no longer works because the threat actor has changed it
    • Concurrent session usage
      • indicator of malicious activity where an account has started multiple sessions on one or more hosts
    • Impossible travel
      • indicator of malicious activity where authentication attempts are made from different geographical locations within a short timeframe
      • the user could not physically have travelled between those locations in the time since their last sign-in
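As an added example (not part of these notes), the impossible travel indicator above computed over sign-in records: each consecutive pair of sign-ins by the same account is checked for the speed it implies. The sign-in events, their geolocations and the 900 km/h threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class SignIn:
    user: str        # account name
    when: datetime   # successful authentication time (UTC)
    lat: float       # geolocation of the source address, in degrees
    lon: float

def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance between two points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh: float = 900.0):
    """Return (user, previous_time, current_time, km, km_per_hour) for each pair of
    consecutive sign-ins by one account whose implied speed exceeds max_kmh."""
    flagged = []
    last = {}
    for ev in sorted(events, key=lambda e: (e.user, e.when)):
        prev = last.get(ev.user)
        if prev is not None:
            km = distance_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600.0
            # Zero elapsed time with a non-zero distance is impossible outright.
            speed = float("inf") if hours == 0 else km / hours
            if km > 0 and speed > max_kmh:
                flagged.append((ev.user, prev.when, ev.when, round(km), round(speed)))
        last[ev.user] = ev
    return flagged

# Constructed sample sign-ins (assumed, not real data): alice travels London -> Paris
# over three hours; bob "appears" in Sydney two hours after signing in from London.
T0 = datetime(2024, 5, 1, 8, 0)
SAMPLE = [
    SignIn("alice", T0, 51.5074, -0.1278),
    SignIn("alice", T0 + timedelta(hours=3), 48.8566, 2.3522),
    SignIn("bob", T0, 51.5074, -0.1278),
    SignIn("bob", T0 + timedelta(hours=2), -33.8688, 151.2093),
]

if __name__ == "__main__":
    for user, t1, t2, km, kmh in impossible_travel(SAMPLE):
        print(f"{user}: {t1} -> {t2}, {km} km, ~{kmh} km/h")
```

The threshold is deliberately generous so that legitimate air travel is not flagged; what matters is that the sign-in geolocation is trusted, since VPN and proxy exits shift the apparent location.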

Logging

  • A threat actor will often try to cover their tracks by removing indicators from log files:
    • Missing logs
      • indicator of malicious activity where events or log files are deleted or tampered with
      • deleting whole log files is easy to detect, so a more sophisticated threat actor removes individual log entries instead
        • might be indicated by unusual gaps between log entry times
      • the threat actor may also spoof log entries to conceal the malicious activity
    • Out-of-cycle logging
      • potential indicator of malicious activity where event dates or timestamps are inconsistent