Category: Security Operation

  • Indication of Pivot

    Indication of Pivot (IoP)

    An Indication of Pivot, also known as a Lateral Movement Indicator, refers to signs that an attacker is moving from one system to another within a network after gaining initial access. This indicates that the attacker is expanding their control by utilizing compromised accounts, remote administration tools, shared resources, or internal communication paths to access additional hosts, applications, or sensitive systems. Instead of remaining on the initially compromised machine, the attacker “pivots” deeper into the environment. This allows them to increase their privileges, locate valuable data, establish persistence, or prepare for a broader compromise.

    Key Characteristics

    • Occurs After Initial Compromise: This phase happens once the attacker has gained access to at least one system within the network.
    • Indicates Exploration or Spreading: This suggests that the attacker is moving between systems in search of additional access points or valuable targets.
    • Critical Sign of Escalation Toward Full Environment Compromise: This shows that the attack is advancing toward broader control over the network.
    • Focuses on Internal Lateral Movement Activity: This highlights suspicious behavior as attackers navigate between hosts using stolen credentials or remote tools.

    Examples

    • Internal remote login attempts between hosts
      • Earth Lusca (APT)
      • powershell "Get-EventLog -LogName Security -Newest 500 | where {$_.EventID -eq 4624} | Format-List -Property * | findstr 'Address'"
    • Authentication using stolen or new credentials
      • Stolen Legacy VPN Credentials
        • User/Password: test,IWQ1rv04VFiXSCFU (leaked on the dark web)
        • VPN Server: legacy-vpn.example.local
        • Login Time: 03:12 AM
        • Source IP: 1.2.3.4 (unrecognized ASN; could be a free-tier instance on a well-known cloud service)
        • Device: Unknown
    • Access from a system that normally shouldn’t connect to another
      • Canary Token: database_settings.xlsx
      • database_settings.xlsx is accessed on 4/26/2025 by PC201823
    • Use of tools like PsExec, WMI, WinRM, etc.
      • wmic /node:SERVER01 process call create "powershell.exe Get-Process"
      • psexec.exe \\server01 cmd.exe
      • Enter-PSSession -ComputerName SERVER01
      • Invoke-Command -ComputerName SERVER01 -ScriptBlock { Get-Process }
    • Repeated authentication failures
      • HermeticWizard (a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec)
      • HermeticWizard Spreader (5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48)
      • rundll32 <spreader> #1 -s <HermeticWizard> -i <IP>
      • Multiple failed logins:
        • User: root
        • Source IP: 10.1.2.99
        • Attempts: 100+ in 1 minute
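    Two of the pivot indicators above (an unexpected remote logon between hosts, and a burst of failed logons from one source) can be checked mechanically over logon events. The following is an added example, not code from the original page: it runs two rules over constructed Windows Security events (4624/4625 with logon types), and the allowlist EXPECTED_PAIRS and all hostnames, users and IPs are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that imply one host reaching another: 3 = network (SMB, WMI, WinRM,
# PsExec), 10 = RemoteInteractive (RDP). Type 2 is a local console logon.
REMOTE_LOGON_TYPES = {3, 10}

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")

def find_remote_logins(events, expected_pairs):
    """Successful remote logons (4624) whose (source, destination) pair is not expected."""
    return [(e["user"], e["src"], e["host"]) for e in events
            if e["id"] == 4624 and e["type"] in REMOTE_LOGON_TYPES
            and (e["src"], e["host"]) not in expected_pairs]

def find_failure_bursts(events, threshold=100, window_seconds=60):
    """(user, source) pairs with >= threshold failed logons (4625) inside any sliding window."""
    stamps = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            stamps[(e["user"], e["src"])].append(parse_time(e["time"]))
    window, bursts = timedelta(seconds=window_seconds), {}
    for key, times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[key] = max(end - start + 1, bursts.get(key, 0))
    return bursts

# Constructed sample of Windows Security events (not real telemetry).
SAMPLE = [
    {"time": "2025-04-26T03:12:00", "id": 4624, "type": 3, "user": "svc_backup", "src": "10.1.2.99", "host": "SERVER01"},
    {"time": "2025-04-26T03:12:05", "id": 4624, "type": 10, "user": "jdoe", "src": "10.1.2.15", "host": "WS-FIN-07"},
    {"time": "2025-04-26T03:12:09", "id": 4624, "type": 2, "user": "jdoe", "src": "-", "host": "WS-FIN-07"},
]
# 120 failed "root" logons from one source inside 40 seconds, mirroring the burst above.
SAMPLE += [{"time": (parse_time("2025-04-26T03:13:00") + timedelta(seconds=i // 3)).strftime("%Y-%m-%dT%H:%M:%S"),
            "id": 4625, "type": 3, "user": "root", "src": "10.1.2.99", "host": "SERVER01"} for i in range(120)]
# Assumed allowlist of approved admin paths; every other remote logon is a pivot candidate.
EXPECTED_PAIRS = {("10.1.2.15", "WS-FIN-07")}

if __name__ == "__main__":
    print("unexpected remote logons:", find_remote_logins(SAMPLE, EXPECTED_PAIRS))
    print("auth failure bursts:", find_failure_bursts(SAMPLE))
```

    The interactive (type 2) logon is ignored on purpose: only logons that cross a host boundary count as pivot evidence.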
  • Indicators of Attack

    Indicators of Attack (IoA)

    Indicators of Attack (IoAs) are behavioral signs that suggest an attack is either in progress or being attempted. Unlike Indicators of Compromise (IoCs), which provide evidence after a breach has occurred, IoAs concentrate on detecting suspicious behaviors, tactics, and techniques used by attackers in real-time.

    IoAs assist security teams in identifying malicious activities at an earlier stage in the attack lifecycle. Instead of searching for known malicious artifacts, IoAs focus on monitoring how attackers operate. This makes IoAs particularly valuable against advanced persistent threats (APTs), fileless malware, insider threats, and zero-day attacks, which may not have recognizable signatures or hashes.

    Rather than depending on static indicators, such as known malicious IP addresses or file hashes, IoAs evaluate abnormal or suspicious activities. These activities can include attempts at privilege escalation, unusual command executions, lateral movements between systems, credential dumping, persistence techniques, or suspicious authentication behaviors.

    Key Characteristics

    • Proactive: Emphasizes the detection of suspicious behavior as it occurs, which aids in identifying attacks early in their lifecycle.
    • Behavior-Anomaly Focus: Identifies unusual patterns of activity instead of relying solely on known malicious signatures or artifacts.
    • Early Attack Detection: Allows security teams to respond while an attack is ongoing, thereby minimizing potential damage.
    • Based on Attacker Tactics, Techniques, and Procedures (TTPs): Concentrates on understanding how attackers operate rather than just the tools they employ.

    Examples

    • PowerShell execution with encoded commands
      • Emotet Downloader (ff76ff1440947e3dd42578f534b91fdb8229c1f40fed36a3dd5688dbc51f0014)
      • powershell.exe -w hidden -en JABBHoAe…
    • Suspicious execution chain
      • Emotet Downloader ff76ff1440947e3dd42578f534b91fdb8229c1f40fed36a3dd5688dbc51f0014
      • winword.exe -> powershell.exe -> 937.exe
    • Privilege escalation
      • Digital Eye (APT)
      • bK2o.exe used for pass-the-hash (Similar to mimikatz)
    • Credential Dumping
      • FIN13 (APT)
      • procdump.exe -ma lsass.exe lsass.dmp
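    The IoA examples above are behavioural, so they are detected from process-creation telemetry rather than from a hash. The following is an added example, not code from the original page: it builds a parent chain from constructed Sysmon-style process events and applies three rules (encoded PowerShell, an Office application spawning a shell, and procdump targeting lsass); the rule names, process lists and the base64 placeholder are assumptions.

```python
import re

# Any unambiguous prefix of -EncodedCommand is accepted by powershell.exe; -ex/-ep
# (ExecutionPolicy) must not match, hence the word boundary after the flag.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b")
LSASS_TARGET = re.compile(r"(?i)\blsass(?:\.exe)?\b")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def ancestry(by_pid, pid):
    """Render the parent chain root -> ... -> pid, stopping at the first unknown ppid."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return " -> ".join(reversed(chain))

def detect_ioas(processes):
    """Return (rule, process chain) findings from behavioural rules over process events."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        image, cmd, parent = p["image"].lower(), p["cmd"], by_pid.get(p["ppid"])
        if image == "powershell.exe" and ENCODED_FLAG.search(cmd):
            findings.append(("encoded_powershell", ancestry(by_pid, p["pid"])))
        if parent and parent["image"].lower() in OFFICE_APPS and image in SHELLS:
            findings.append(("office_spawns_shell", ancestry(by_pid, p["pid"])))
        if image == "procdump.exe" and LSASS_TARGET.search(cmd):
            findings.append(("lsass_dump", ancestry(by_pid, p["pid"])))
    return findings

# Constructed process-creation events (Sysmon-style fields); the base64 is a placeholder.
PROCESSES = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe", "cmd": "winword.exe invoice.docm"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmd": "powershell.exe -w hidden -en QUFBQUFB"},
    {"pid": 400, "ppid": 300, "image": "937.exe", "cmd": "C:\\Users\\Public\\937.exe"},
    {"pid": 500, "ppid": 100, "image": "cmd.exe", "cmd": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": "procdump.exe", "cmd": "procdump.exe -ma lsass.exe lsass.dmp"},
    {"pid": 700, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe -ep bypass Get-Process"},
]

if __name__ == "__main__":
    for rule, chain in detect_ioas(PROCESSES):
        print(f"{rule:22} {chain}")
```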
  • Indicators of Compromise

    Indicators of Compromise (IoC)

    Indicators of Compromise (IoCs) are pieces of forensic evidence or observable data that suggest a system, network, or account has been compromised by malicious activity. IoCs are typically discovered during or after a cybersecurity incident and are used by security teams to identify, investigate, and contain attacks. 

    IoCs are considered reactive security indicators because they confirm that suspicious or malicious activity has already occurred. Security analysts use them to trace attacker behavior, detect infected systems, block known threats, and improve future defenses. 

    These indicators are often static and signature-based, which means they rely on previously identified malicious artifacts, such as known malware file hashes, attacker-controlled IP addresses, suspicious domains, registry modifications, or unauthorized file changes. Because attackers frequently change their infrastructure and malware signatures, IoCs can quickly become outdated. As a result, they are usually most effective for detecting known threats rather than new or evolving attacks.

    Key Characteristics

    • Reactive: They are identified after an attack has already occurred and are used to confirm and investigate a breach. They indicate that a malicious event has taken place.
    • Confirms something bad has already happened: They provide evidence of a compromise or malicious activity, such as known malicious files, IP addresses, or unauthorized system changes.
    • Often signature based: They rely on established patterns or indicators (such as hashes or domains). This makes them effective for detecting known threats but less useful against new or evolving attacks.

    Examples

    • Malware hashes
      • NetWalker Ransomware (Double-Extortion)
      • SHA256: 8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c
    • Suspicious file changes
      • NetWalker Ransomware (Double-Extortion)
      • File: C:\Program Files (x86)\f7ccbf3501\f7ccbf3501.exe
    • Registry modifications
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      • Value: "f7ccbf3501" = "C:\Program Files (x86)\f7ccbf3501\f7ccbf3501.exe"
    • Malicious IPs/domains
      • Emotet (8e37a82ff94c03a5be3f9dd76b9dfc335a0f70efc0d8fd3dca9ca34dd287de1b)
      • Traffic: 10.1.0.99 -> 5.2.136.90 (known Emotet C&C server)
    • Unexpected processes
      • Lucifer (66d619ca5e848ce0e4bcb1252ff8a4f0a060197a94810de85873c76fa3826c1e)
      • Action: schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr %SAMPLEPATH% /F