Collaborate Disseminate
I’m looking for a tool that will enumerate the IP addresses that a system is connecting to. This is mainly for forensic purposes, to gather IOCs. I know we can run a netstat on windows, but would like something that is compre… Continue reading How do I list IP addresses my system is connecting to? [on hold]
Sandboxes are used for automated extraction of indicators of compromise (IoCs) that can be used to write signatures. Can this signature then be used, for example, on an IPS system to block certain actions?
I published the following diary on isc.sans.edu: “Querying DShield from Cortex”: Cortex is a tool part of the TheHive project. As stated on the website, it is a “Powerful Observable Analysis Engine”. Cortex can analyze observables like IP addresses, emails, hashes, filenames against a huge (and growing) list of online services.
[The post [SANS ISC] Querying DShield from Cortex has been first published on /dev/random]
How long should IOCs be monitored? Are there best practices or other reasonings?
I would think monitoring IOCs indefinitely is not ideal. Perhaps 90 days would suffice?
I published the following diary on isc.sans.org: “The real value of an IOC?“: When a new malware sample is analysed by a security researcher, details are usually posted online with details of the behaviour and, based on this, a list of IOCs or “Indicators of Compromise” is published. Those indicators
[The post [SANS ISC] The real value of an IOC? has been first published on /dev/random]
I published the following diary on isc.sans.org: “Extending Hunting Capabilities in Your Network“: Today’s diary is an extension to the one I posted yesterday about hunting for malicious files crossing your network. Searching for new IOCs is nice but there are risks of missing important pieces of information! Indeed, the first
[The post [SANS ISC] Extending Hunting Capabilities in Your Network has been first published on /dev/random]
Continue reading [SANS ISC] Extending Hunting Capabilities in Your Network
I’m currently trying to find indicators of compromise in order to use them with Redline. I just can’t seem to find any other sources than:
https://www.iocbucket.com/
https://openiocdb.com/
https://github.com/sroberts/awesom… Continue reading Looking for a list of indicators of compromise [on hold]
How can/should I set a rank/IoC, using a fixed-size interval, of file if I have its signatures/behaviors list (persistence ads, registry editing, bypass firewall and so on) and number of times each behavior happens (persisten… Continue reading Setting the rank of malware behavior analysis results
I’m struggling to understand what is an indicator of compromise.
I found different definitions on the web but I still don’t know.
The definitions I found are:
1 – Something (file, network connection) that indicates a system … Continue reading What is an indicator of compromise?
I’m struggling to understand what is an indicator of compromise.
I found different definitions on the web but I still don’t know.
The definitions I found are:
1 – Something (file, network connection) that indicates a system … Continue reading What is an indicator of compromise?