Creation & Usage Of IOCs

1. Understanding IOCs and Their Importance

Purpose: To define and document indicators of compromise (IOCs) that represent artifacts of a security incident.

  • Why: IOCs are critical for detecting malicious activity, correlating events, and guiding the investigation process. They provide a structured way to identify and respond to threats.

  • Examples of IOCs:

    • IP Addresses: 192.168.1.100

    • File Hashes: MD5: abc123, SHA256: def456 (placeholder values)

    • File Names: malicious_tool.exe

    • Domain Names: malicious-domain.com


2. Documenting IOCs Using Standards

Purpose: To standardize the creation and sharing of IOCs for consistency and interoperability.

  • Why: Standardized formats like OpenIOC and Yara enable organizations to share IOCs across teams and with third parties effectively.

  • Technical Example:

    • Create an IOC Using OpenIOC:

      • Use tools like Mandiant's IOC Editor to create structured IOCs:

        <IndicatorItem condition="is" id="1234">
          <Context document="FileItem" search="FileItem/MD5sum"/>
          <Content type="md5">abc123</Content>
        </IndicatorItem>

    • Write a Yara Rule:

      • Define a Yara rule to detect malicious files:

        rule MaliciousTool {
            meta:
                description = "Detects malicious_tool.exe"
                author = "Security Team"
            strings:
                // YARA scans file content, so this matches the name embedded in a file's bytes, not the file's name on disk
                $file_name = "malicious_tool.exe"
                // placeholder byte sequence; replace with a pattern specific to the sample
                $hex_pattern = {DE AD BE EF}
            condition:
                $file_name or $hex_pattern
        }

3. Deploying IOC-Searching Tools

Purpose: To search for IOCs across systems and logs to identify compromised assets.

  • Why: Leveraging tools to scan for IOCs at scale ensures comprehensive coverage and accelerates the investigation process.

  • Technical Example:

    • Search for IOCs Using PowerShell:

      • Query Windows Event Logs for specific IOCs:

        # -match is a regular expression, so escape the dot to match the literal file name
        Get-WinEvent -LogName "Security" | Where-Object { $_.Message -match "malicious_tool\.exe" }

      • Search for file hashes on endpoints:

        # -File keeps directories out of Get-FileHash; -eq is case-insensitive, so hash case does not matter
        Get-ChildItem -Recurse -File | Get-FileHash -Algorithm SHA256 | Where-Object { $_.Hash -eq "def456" }

    • Use WMI for IOC Searches:

      • Query remote systems for suspicious processes:

        # Get-CimInstance is the supported replacement for the legacy Get-WmiObject (not available in PowerShell 7)
        Get-CimInstance -ClassName Win32_Process -ComputerName RemoteHost | Where-Object { $_.Name -eq "malicious_tool.exe" }
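
Putting the three searches above together, as an added example that is not part of the original page: a single-host sweep driven by one IOC table, returning structured hit objects instead of raw pipeline output. The hash, file name, IP address and scan roots are placeholders, and the event IDs assume process-creation auditing (4688) and Windows Filtering Platform auditing (5156) are enabled.

```powershell
# Added example, not from the original page. IOC values and scan roots are placeholders.
$Iocs = @{
    Sha256    = @('DEF456_PLACEHOLDER_SHA256')   # placeholder, not a real hash
    FileNames = @('malicious_tool.exe')
    IPs       = @('192.168.1.100')
}
$ScanRoots = @("$env:SystemRoot\Temp", $env:ProgramData)   # assumed drop locations; adjust per case

function Invoke-IocSweep {
    param([hashtable]$Iocs, [string[]]$Roots, [int]$Days = 7)
    $hits = New-Object System.Collections.Generic.List[object]
    # Hash lookups: a HashSet with a case-insensitive comparer, since Get-FileHash returns uppercase hex.
    $hashSet = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$Iocs.Sha256, [System.StringComparer]::OrdinalIgnoreCase)

    # 1. File system: -File keeps directories out of Get-FileHash; locked/unreadable files are skipped.
    Get-ChildItem -Path $Roots -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($Iocs.FileNames -contains $_.Name) {
            $hits.Add([pscustomobject]@{ Type = 'FileName'; Indicator = $_.Name; Where = $_.FullName })
        }
        $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h -and $hashSet.Contains($h.Hash)) {
            $hits.Add([pscustomobject]@{ Type = 'SHA256'; Indicator = $h.Hash; Where = $_.FullName })
        }
    }

    # 2. Security log: filter by event ID and time on the server side instead of regex-matching every event.
    #    4688 = process creation (needs process-creation auditing), 5156 = WFP connection (needs WFP auditing).
    #    IOC strings are regex-escaped so the dots in file names and IPs match literally.
    $pattern = (($Iocs.FileNames + $Iocs.IPs) | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $filter  = @{ LogName = 'Security'; Id = 4688, 5156; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Message -match $pattern) {
            $hits.Add([pscustomobject]@{ Type = 'Event'; Indicator = $Matches[0]; Where = "EventID $($_.Id) at $($_.TimeCreated)" })
        }
    }

    # 3. Running processes: Get-CimInstance is the supported successor of Get-WmiObject (add -ComputerName for remote hosts).
    Get-CimInstance -ClassName Win32_Process | Where-Object { $Iocs.FileNames -contains $_.Name } | ForEach-Object {
        $hits.Add([pscustomobject]@{ Type = 'Process'; Indicator = $_.Name; Where = "PID $($_.ProcessId) $($_.ExecutablePath)" })
    }
    return $hits
}

Invoke-IocSweep -Iocs $Iocs -Roots $ScanRoots | Format-Table -AutoSize
```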

4. Preventing Credential Caching During Investigations

Purpose: To avoid exposing privileged credentials when connecting to potentially compromised systems.

  • Why: Cached credentials can be harvested by attackers, leading to further compromise.

  • Technical Example:

    • Use WinRM for Secure Connections:

      • Connect to remote systems over WinRM (PowerShell Remoting). With Kerberos or Negotiate authentication this is a network logon (type 3) that leaves no reusable credentials on the remote host; avoid -Authentication CredSSP, which delegates the full credential to the target:

        Enter-PSSession -ComputerName RemoteHost -Authentication Negotiate

    • Avoid Tools That Cache Credentials:

      • Be cautious with tools like PsExec, which leave credentials on the target when used with explicit credentials:

        # Unsafe: -u/-p sends the credentials to the remote host, where PsExec uses them for an
        # interactive-type logon, so they end up cached in the target's LSASS memory
        psexec \\RemoteHost -u AdminUser -p Password cmd.exe

        # Safer: without -u/-p, PsExec reuses the current session's token via a network logon,
        # so no reusable credential is placed on the target
        psexec \\RemoteHost cmd.exe

    • Verify Logon Types:

      • Ensure connections use logon type 3 (Network Logon), which avoids credential caching; types 2 (Interactive) and 10 (RemoteInteractive) leave credentials in memory on the target:

        # Properties[8] of event 4624 is the LogonType field; filter by event ID server-side, then by type
        Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4624 } | Where-Object { $_.Properties[8].Value -eq 3 }

5. Obtaining IOCs from Third Parties

Purpose: To leverage external intelligence for known adversaries or attacks.

  • Why: Third-party IOCs can provide valuable context and help identify related activity.

  • Technical Example:

    • Query Threat Intelligence Feeds:

      • Use APIs to retrieve IOCs from threat intelligence platforms:

        curl -X GET "https://api.threatintelligenceplatform.com/v1/iocs" -H "Authorization: Bearer YOUR_API_KEY"

      • Integrate IOCs into SIEM tools for real-time detection (Splunk search syntax shown):

        index=security_logs src_ip="192.168.1.100" OR file_hash="abc123"

Conclusion

Indicators of compromise (IOCs) are foundational to effective incident investigations. By documenting IOCs using standardized formats like OpenIOC and Yara, organizations can ensure consistency and interoperability. Deploying tools like PowerShell and WMI enables scalable IOC searches, while careful tool selection prevents credential exposure during investigations.
