A Comprehensive Guide to Mitigating Threats at Every Stage


"It’s quite fascinating! The graphic illustrates that manipulating a hash value to bypass a detection engine based on hashing is trivial for the adversary. However, introducing controls that restrict tactics, techniques, and procedures (TTPs) significantly complicates their efforts. I firmly believe in incorporating as many of these controls as possible, creating a multiplier effect for each defensive capability.

Here’s a breakdown of each indicator:

1. Hash Values (TRIVIAL):

Identifiers like SHA1, MD5, SHA256, or similar hashes pinpoint suspicious or malicious files. Adversaries can easily change the hash value to bypass defensive capabilities, employing techniques like polymorphic or metamorphic alterations.

2. IP Addresses (EASY):

Used as identifiers, IP addresses can be concealed using an anonymous proxy service (like Tor) or changed frequently, employing tactics like fast flux.

  • Detection Tools: Some tools that can detect IP addresses of malicious hosts or domains are Wireshark, Nmap, and Snort.
  • Detection Websites: Some websites that can check IP addresses of malicious hosts or domains are AbuseIPDB, IPVoid, and Shodan.
  • Examples: An example of an IP address of a malicious host is 185.163.45.70, which is associated with the Emotet malware.

3. Domain Names (SIMPLE):

Registering and hosting domains (e.g., “internetbadguys.com”) or subdomains (e.g., “exploitkit.internetbadguys.com”) can be part of the adversary’s attack infrastructure. They can bypass controls using techniques like Domain Generation Algorithms (DGAs).

  • Detection Tools: Some tools that can detect domain names of malicious hosts or domains are DNSQuerySniffer, DomainTools, and Cisco Umbrella.
  • Detection Websites: Some websites that can check domain names of malicious hosts or domains are DomainTools, Whois, and ThreatCrowd.
  • Examples: An example of a domain name of a malicious host is hxxp://internetbadguys.com, which is a known phishing domain.

4. Network Artifacts (ANNOYING):

Indicators used to determine suspicious or malicious activity beyond user devices, including Internet of Things (IoT) devices. Examples include patterns based on network activity (C2 information), Uniform Resource Identifier (URI) patterns, and certificates in use.

  • Detection Tools: Some tools that can detect network artifacts of malicious activity are Bro, Suricata, and SolarWinds Threat Monitor.
  • Detection Websites: Some websites that can check network artifacts of malicious activity are ThreatMiner, URLVoid, and SSL Labs.
  • Examples: An example of a network artifact of malicious activity is hxxp://internetbadguys.com/redirect.php?id=123456, which is a malicious URI pattern that redirects users to phishing sites.

5. Host Artifacts (ANNOYING):

Indicators like artifacts in the registry, scheduled tasks, or files dropped within the file system that signal malicious activity.

  • Detection Tools: Some tools that can detect host artifacts of malicious activity are Autoruns, Process Explorer, and Sysmon.
  • Detection Websites: Some websites that can check host artifacts of malicious activity are ThreatExpert, Hybrid Analysis, and Any.Run.
  • Examples: An example of a host artifact of malicious activity is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe, which is a registry key that runs a malicious executable at startup.

6. Tools (CHALLENGING):

Software brought by adversaries for various activities, such as creating backdoors for a Command and Control (C2) channel, network sniffers, and password crackers.

  • Detection Tools: Some tools that can detect tools used by adversaries are Volatility, YARA, and Cuckoo Sandbox.
  • Detection Websites: Some websites that can check tools used by adversaries are VirusTotal, Malpedia, and MalwareBazaar.
  • Examples: An example of a tool used by adversaries is Mimikatz, which is a tool that can dump passwords from memory.

7. Tactics, Techniques and Procedures – TTPs (TOUGH):

The tactic describes the behavior, the technique provides details from the tactic’s perspective, and the procedure delves deep into the technique itself. For instance, the Tactic is “Discovery,” and the technique is “Network Service Scanning.”

  • Detection Tools: Some tools that can detect TTPs used by adversaries are MITRE ATT&CK Navigator, Red Canary Atomic Red Team, and Sigma.
  • Detection Websites: Some websites that can check TTPs used by adversaries are MITRE ATT&CK, ATT&CK IQ, and ThreatConnect.
  • Examples: An example of a TTP used by adversaries is Credential Dumping, which is a technique that involves obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software."
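The point the quoted post makes about the pyramid, that rotating a hash, an IP or a domain is cheap while changing a persistence mechanism or a credential-dumping behaviour is not, can be shown with a small detector per level. The Python below is an added example and is not code from the post or from any of the tools it names. The indicator set, the telemetry record layout (`SAMPLE_EVENT`) and the behavioural rule for LSASS memory access are all constructed for the example; the addresses come from RFC 5737 documentation ranges and the domains use the reserved `.example` TLD, so none of the values are real IoCs.

```python
import hashlib
import re
import secrets
import string

# Constructed indicator set for this example. Addresses are from RFC 5737
# documentation ranges and domains use the reserved .example TLD; none of
# these values are real indicators of compromise.
SAMPLE_PAYLOAD = b"MZ\x90\x00constructed sample file, not real malware"
KNOWN_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}
KNOWN_IPS = {"203.0.113.45"}
KNOWN_DOMAINS = {"internetbadguys.example"}
URI_PATTERN = re.compile(r"/redirect\.php\?id=\d+$")
RUN_KEY = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
TOOL_NAMES = {"mimikatz.exe"}
PROCESS_VM_READ = 0x0010          # Win32 process access right: read memory
TRUSTED_DIR = r"c:\windows\system32" + "\\"

# Hypothetical telemetry record: one intrusion observed end to end.
SAMPLE_EVENT = {
    "file_bytes": SAMPLE_PAYLOAD,
    "dst_ip": "203.0.113.45",
    "dst_domain": "internetbadguys.example",
    "uri": "http://internetbadguys.example/redirect.php?id=123456",
    "registry_key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost",
    "image": r"C:\Users\Public\mimikatz.exe",
    "process_access": {"target": r"C:\Windows\System32\lsass.exe",
                       "granted_access": 0x1010},
}

# One detector per pyramid level, bottom to top.
def hit_hash(ev):
    return hashlib.sha256(ev["file_bytes"]).hexdigest() in KNOWN_SHA256

def hit_ip(ev):
    return ev["dst_ip"] in KNOWN_IPS

def hit_domain(ev):
    return ev["dst_domain"] in KNOWN_DOMAINS

def hit_network_artifact(ev):
    # The URI shape survives a change of host, so it is harder to rotate.
    return URI_PATTERN.search(ev["uri"]) is not None

def hit_host_artifact(ev):
    return RUN_KEY.match(ev["registry_key"]) is not None

def hit_tool(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower() in TOOL_NAMES

def hit_ttp(ev):
    # Behavioural rule: a process outside System32 opens lsass.exe with
    # memory-read rights. This is the credential-dumping behaviour itself,
    # independent of which binary, hash, IP or domain carries it.
    acc = ev["process_access"]
    return (acc["target"].lower().endswith("\\lsass.exe")
            and bool(acc["granted_access"] & PROCESS_VM_READ)
            and not ev["image"].lower().startswith(TRUSTED_DIR))

PYRAMID = [
    ("hash", hit_hash), ("ip", hit_ip), ("domain", hit_domain),
    ("network_artifact", hit_network_artifact),
    ("host_artifact", hit_host_artifact), ("tool", hit_tool), ("ttp", hit_ttp),
]

def evaluate(ev):
    """Map each pyramid level to whether its detector fires on the event."""
    return {name: bool(fn(ev)) for name, fn in PYRAMID}

def simulate_indicator_rotation(ev):
    """Model the cheap changes the post describes: a new file hash, a fresh
    IP, a DGA-style domain and a renamed binary. The run key and the LSASS
    access are left alone because they are what the intrusion needs to work."""
    rotated = dict(ev)
    rotated["file_bytes"] = ev["file_bytes"] + b"\x00"   # one byte: new hash
    rotated["dst_ip"] = "198.51.100.7"                   # RFC 5737 TEST-NET-2
    label = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
    rotated["dst_domain"] = f"{label}.example"
    rotated["uri"] = f"http://{rotated['dst_domain']}/redirect.php?id=654321"
    rotated["image"] = r"C:\Users\Public\svc.exe"
    return rotated

def surviving_levels(ev):
    """Names of the levels whose detector fires on the given event."""
    return [name for name, fired in evaluate(ev).items() if fired]

if __name__ == "__main__":
    before = evaluate(SAMPLE_EVENT)
    after = evaluate(simulate_indicator_rotation(SAMPLE_EVENT))
    for name, _ in PYRAMID:
        print(f"{name:17s} before={before[name]!s:5s} after={after[name]}")
```

Run stand-alone, the table shows every level firing on the original event and only the network artifact, host artifact and TTP levels firing after rotation, which is the multiplier effect the post argues for: each additional layer is one more thing the adversary has to re-engineer rather than re-hash. The LSASS rule is deliberately written against a single access-right bit and the image path, the same shape as a typical Sigma process-access rule; a production version would also allow-list known legitimate readers such as EDR agents.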