
SecurityTrails Blog · Feb 06 · by Esteban Borges

What is an IoC (indicator of compromise)?


Managing cybersecurity is a never-ending process that involves hardening servers, writing secure code, detecting and responding to known and unknown network security incidents, security auditing, and a very large “et cetera.” All of this is handled by different teams: system administrators, security operations centers (SOCs), computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs).

Part of this defensive job is to analyze and explore servers, networks and apps to see if there are any IoCs (indicators of compromise) on them. IoCs are a top priority for any organization’s security team: they tie directly into mitigation, they let security researchers and digital forensic analysts understand what they are actually facing, and they guide the response needed to prevent the same incident from recurring.

SSH attacks, HTTP floods, SQL injections, DNS attacks... the types of attacks performed by cybercriminals seem endless. That’s why getting the right insight about IoCs is critical when it comes to protecting your valuable online assets.

Let’s learn more about indicators of compromise, and the top IoC scanner tools to help you during your journey in information security.

What is an indicator of compromise?

An indicator of compromise is a piece of forensic evidence, found on a local or remote system or in network traffic, that points to an intrusion having taken place and can be used to detect and confirm it.

Typical IoC examples are an unexpectedly open port, a file that doesn’t belong in a system directory, a Perl or PHP file containing unknown application code, a virus, malware, a backdoor, or simply system logs showing abnormal traffic patterns. There are so many possible IoCs that it’s nearly impossible to name them all.

The truth is that IoCs are those little pieces of data that help IT managers and system and network administrators fight different types of cybercrime. Sometimes they’re easy to detect, because attackers often leave a lot of evidence when they try to break in; on other occasions, they can be very clever about covering their tracks. The latter case calls for a longer investigation to find the root cause of the breach you’re investigating.

IoCs can point to compromise at different privilege levels, such as an ordinary user account or the administrator (root) account. On systems that use web-based control panels such as cPanel/WHM and Plesk, the level of compromise can vary even more, from email accounts through reseller and user accounts up to the root account.

A common source of confusion for researchers and administrators is the difference between “indicators of compromise” and “indicators of attack.” While they sound similar, they are not the same thing.

As the name implies, indicators of compromise are forensic breadcrumbs left behind by intruders that support the conclusion that the system has been compromised. Indicators of attack, on the other hand, are system or network evidence that the server is facing an incoming attack, such as a flood, SQL injection attempts or a brute-force login campaign; an IoA tells you someone is trying, not that they have succeeded. The practical consequence is that an IoA calls for blocking and watching, while an IoC calls for incident response: containment, forensics and eradication.
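To make the distinction concrete, here is an added example (not from the original post) that reads constructed syslog-style sshd lines and separates the two: a burst of failed logins from one address is the indicator of attack, and an accepted login from that same address afterwards is the indicator of compromise. The five-failure threshold and the log lines are this example’s own assumptions.

```python
"""
Separating an indicator of attack (IoA) from an indicator of compromise (IoC)
in sshd logs.  Added example, not from the original post: the log lines are
constructed and the five-failure threshold is an assumption to tune locally.
"""
import re
from collections import defaultdict

# Constructed sample: a brute-force burst from 203.0.113.7 that ends in a
# successful login, plus one harmless typo by a real user from 198.51.100.9.
SAMPLE_LOG = """\
Feb  6 10:01:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb  6 10:01:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Feb  6 10:01:05 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Feb  6 10:01:07 web1 sshd[2207]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2
Feb  6 10:01:09 web1 sshd[2209]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
Feb  6 10:01:12 web1 sshd[2211]: Accepted password for deploy from 203.0.113.7 port 51027 ssh2
Feb  6 10:05:44 web1 sshd[2290]: Failed password for alice from 198.51.100.9 port 40110 ssh2
Feb  6 10:05:50 web1 sshd[2292]: Accepted publickey for alice from 198.51.100.9 port 40111 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def classify(log_text, threshold=5):
    """Return {"ioa": [...], "ioc": [...]} from syslog-style sshd lines.

    A source that reaches `threshold` failed logins is an indicator of attack:
    someone is trying, nothing is known to have worked.  An accepted login
    from that same source afterwards is the indicator of compromise: the
    account (and the host) must be treated as owned until proven otherwise.
    """
    failures = defaultdict(int)
    ioa, ioc = [], []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user, result, method = m["ip"], m["user"], m["result"], m["method"]
        if result == "Failed":
            failures[ip] += 1
            if failures[ip] == threshold:          # report each source once
                ioa.append({"ip": ip, "failures": threshold,
                            "note": "brute-force attempt in progress"})
        elif failures[ip] >= threshold:
            ioc.append({"ip": ip, "user": user, "method": method,
                        "note": "successful login after brute force"})
    return {"ioa": ioa, "ioc": ioc}


if __name__ == "__main__":
    for kind, hits in classify(SAMPLE_LOG).items():
        for hit in hits:
            print(kind.upper(), hit)
```

The single failure from 198.51.100.9 followed by a key-based login never crosses the threshold, so it is neither; that is the noise a real deployment has to leave alone.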

What are indicators of compromise used for?

IoCs are used primarily for forensic analysis, as well as for security research from a blue team point of view. They’re mostly used to detect whether a real intrusion took place on a remote server or network, and to investigate the impact level or determine if it was merely a failed attack attempt.

In plain English, IoCs help information security analysts, engineers and administrators detect, prevent and mitigate any kind of malicious activity.

Top 5 IoC scanner tools

Rastrea2r

Rastrea2r, pronounced ‘rastreador’ (Spanish for “tracker”), is an open-source command-line IoC hunting tool that allows security professionals and SOC teams to detect IoCs in minutes by collecting and parsing system data for later analysis and reporting.

Its main features include:

  • Supported OS: Microsoft Windows, Linux and macOS
  • Ability to create quick system snapshots for forensic analysis
  • Collect web browser history on Google Chrome, Internet Explorer and Mozilla Firefox
  • Memory dump analysis capabilities
  • YARA scan for running system processes in memory, as well as for file and directory objects
  • Prefetch analysis tool for Windows apps
  • Push results to a RESTful server over HTTP

Unlike some of the other scanners covered here, Rastrea2r is written in Python and requires a few Python packages, pinned to the versions below (install them with pip):

  • yara-python==3.7.0
  • psutil==5.4.6
  • Requests==2.19.1
  • Pyinstaller==3.3.1

The installation and execution process depends entirely on the operating system you are using. For full instructions, please refer to the official documentation.

Fenrir

Fenrir is a simple IoC scanner written as a Bash script. Its main features include:

  • Download and run, no installation needed
  • Uses native Unix and Linux system tools, so no dependencies are needed
  • Support for several types of exclusions from the main scan (file size, directory name, file extension, etc.)
  • Runs on Linux, Unix and OS X systems

What IoCs can be found by using Fenrir?

  • Suspicious file names
  • Suspicious strings inside files
  • Connections to known C2 servers
  • File hash matches (MD5, SHA1 and SHA256)

Its installation is pretty easy: download the package, extract it (Fenrir reads its hash, file name, string and C2 IoC lists from plain text files shipped alongside the script), then run it against the directory you want to scan:

./fenrir.sh /var/log

You can replace “/var/log” with any other directory you need. Run it as root so it can read every file, and keep in mind that a scanner that relies on the host’s own tools can be fooled by a rootkit on that host; for a serious investigation, scan the disk from a trusted boot medium.

Loki

For detecting IoCs on Windows systems, Loki is one of the most classic tools available (it is a Python program, so it also runs on Linux and macOS, but the prebuilt release binaries target Windows). Loki will help you find IoCs by using different techniques such as:

  • Hash check (MD5, SHA1, SHA256)
  • File name checking
  • Full file path/name regex match
  • YARA rule & signature checks
  • C2 connection check
  • Process anomaly check (based on Sysforensics)
  • SAM dump check
  • DoublePulsar backdoor check

To test it, simply follow these steps:

  • Download the latest release from the GitHub repo and extract it

  • Run the included updater (loki-upgrader) once so it downloads the current signature base (YARA rules and IoC lists)

  • Run Loki with the path you would like to check (-p followed by an OS directory, a mounted removable drive, etc.)

  • For a full scan, run it again as Administrator (right-click, ‘Run as Administrator’): the process and memory checks, and many system directories, are not readable from a standard user account

Once it finishes, you’ll have your IoC report (written to the console and to a log file next to the executable) ready to be analyzed.

Lynis

While Lynis is not officially an IoC scanner tool, it contains a lot of features that can help you find out if your Linux/Unix system has been compromised or not.

This security auditing tool will perform a deep security scan that will help you see how hardened your system is, and if there are any signs of a security breach.

Some of its main features include:

  • Free and open source
  • Multi-platform support (Linux, BSD, macOS, Solaris, AIX and others)
  • No dependencies needed, just download and run
  • Includes more than 300 security tests
  • Support for modern security compliance tests
  • Extended report log including suggestions, warnings and critical items
  • Report on screen

Its installation is pretty straightforward: just download the package from GitHub and run the script as root with the audit system arguments. It will perform a full system security audit and print the results to standard output, and it also writes a detailed log and a machine-readable report under /var/log.
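The machine-readable report (/var/log/lynis-report.dat) uses a key=value layout in which repeated keys such as warning[] and suggestion[] collect into lists. As an added example that is not part of Lynis, the script below parses a constructed report, splits each finding into test ID, message, details and solution, and applies a simple pass/fail gate so a configuration-management or CI run can fail on regressions instead of burying them in a log. The test IDs and messages in the sample are illustrative, and the thresholds in gate() are assumptions.

```python
"""
Parse a Lynis report file and gate on it.  Added example, not part of Lynis;
SAMPLE_REPORT is a constructed stand-in for /var/log/lynis-report.dat.
"""

SAMPLE_REPORT = """\
# Lynis Report (constructed sample)
lynis_version=3.0.8
hardening_index=64
warning[]=AUTH-9262|No password set for single user mode|-|-|
warning[]=NETW-2705|Nameserver does not respond|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=FILE-6310|Place /tmp on a separate partition|-|-|
"""


def parse_report(text):
    """Return a dict: keys ending in '[]' collect into lists, others are scalars."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.endswith("[]"):
            report.setdefault(key[:-2], []).append(value)
        else:
            report[key] = value
    return report


def findings(report):
    """Split 'TEST-ID|message|details|solution|' entries into dicts, warnings first."""
    items = []
    for kind in ("warning", "suggestion"):
        for entry in report.get(kind, []):
            fields = (entry.split("|") + ["-"] * 4)[:4]   # pad short entries
            items.append({"kind": kind, "test": fields[0], "message": fields[1],
                          "details": fields[2], "solution": fields[3]})
    return items


def gate(report, max_warnings=0, min_index=70):
    """Decide whether a host passes: warnings within max, index at or above min.

    Returns (passed, reasons) so an automated run can fail loudly.  The
    defaults are assumptions for this example, not a published standard.
    """
    reasons = []
    n_warn = len(report.get("warning", []))
    if n_warn > max_warnings:
        reasons.append(f"{n_warn} warning(s) exceed the limit of {max_warnings}")
    index = int(report.get("hardening_index", 0))
    if index < min_index:
        reasons.append(f"hardening index {index} is below {min_index}")
    return (not reasons, reasons)


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for item in findings(rep):
        print(f"[{item['kind']}] {item['test']}: {item['message']} ({item['details']})")
    print(gate(rep))
```

On a real host, run Lynis as root with the audit system arguments first and feed the resulting report file to parse_report(); a suggestion is advisory, but a warning is something the auditor considers a concrete weakness and is the first thing to triage.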

Tripwire

This is one of the oldest and most trusted open-source file integrity monitoring tools for Unix and Linux systems. While it’s not a 100% IoC-oriented scanner, it can detect, monitor and alert you to any file or directory changes, which can ultimately lead you to an IoC.

Tripwire works by generating a database of all your existing files and directories (the baseline), and from that starting point it checks for file system changes by comparing several attributes, such as file hashes, size, permissions, ownership and timestamps, against what was recorded.

It also allows you to configure several rules so it doesn’t alert you when an authorized user performs a system upgrade and multiple files/directories are modified, reducing the noise considerably.

The easiest way to install the open-source version of Tripwire is by using pre-compiled packages in .deb or .rpm format, or by downloading the source code, compiling it and running the bundled installer, as shown below:

git clone https://github.com/Tripwire/tripwire-open-source.git
cd tripwire-open-source/
./configure && make
sudo sh installer/install.sh

And that’s it! The installer walks you through several prompts, including the install paths and the site and local key passphrases. Tripwire signs its policy, configuration and database files with these keys so that an intruder cannot quietly edit them, so choose strong passphrases and keep copies of the keys off the monitored host. Once you’ve answered the prompts, it’s ready to be configured.

After you finish the software configuration, initialize the database as root:

sudo tripwire --init

This step is mandatory the first time you run Tripwire: it walks the file system according to the installed policy and records the attributes of every covered file, and that database is the reference for every later comparison. Take the baseline from a known-clean system (ideally a fresh install, before the host is exposed to the network); a baseline taken after a compromise records the attacker’s files as expected, and the check will never flag them.

Once that’s finished, you’re ready to perform your first scan by using:

sudo tripwire --check

Any reported addition, removal or change that you cannot trace to an authorized action is a candidate IoC. Legitimate changes (after a package upgrade, for instance) can be accepted into the database with --update so they stop showing up in later checks.
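To see what a tool like Tripwire is doing under the hood, the added example below (not Tripwire’s code) implements the same two phases in Python: build_baseline() plays the role of --init, check() the role of --check, and a prefix-based ignore list stands in for the policy rules that keep legitimately changing paths (logs, caches) out of the report. The directory contents, the tracked attributes and the tampering steps are constructed for this demo.

```python
"""
The mechanism behind a file integrity checker, reduced to its essentials:
snapshot a tree into a baseline, compare later, report added/removed/changed.
Added example, not Tripwire's code; the tracked attributes and the prefix-based
ignore rule are this example's simplification of Tripwire's policy language.
"""
import hashlib
import os
import shutil
import stat
import tempfile

TRACKED = ("sha256", "size", "mode", "uid", "gid")


def file_record(path):
    """Attributes compared for one path.  Only regular files are hashed."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
           "uid": st.st_uid, "gid": st.st_gid, "sha256": None}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root):
    """Like `tripwire --init`: record every file under root, keyed by relative path.

    Only trust a baseline taken from a known-clean system; one taken after a
    compromise bakes the attacker's files into the "expected" state.
    """
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            db[rel] = file_record(path)
    return db


def check(root, baseline, ignore_prefixes=()):
    """Like `tripwire --check`: diff the live tree against the baseline.

    ignore_prefixes plays the role of a policy rule for paths that change
    legitimately (log spool, package caches) so routine churn is not reported.
    """
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel.startswith(ignore_prefixes):
            continue
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            changed = [k for k in TRACKED if baseline[rel][k] != current[rel][k]]
            if changed:
                report["modified"][rel] = changed
    return report


def run_demo():
    """Constructed tree: baseline it, tamper with it, return the check report."""
    root = tempfile.mkdtemp(prefix="twdemo-")
    try:
        files = {"bin/ls": b"\x7fELF original ls\n",
                 "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                 "var/log/syslog": b"boot ok\n"}
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, 0o644)
        baseline = build_baseline(root)
        # Tamper: trojaned binary (same size), loosened permissions, a planted
        # tool, and ordinary log growth that the ignore rule should hide.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF trojaned ls\n")
        os.chmod(os.path.join(root, "etc", "passwd"), 0o666)
        with open(os.path.join(root, "bin", "nc"), "wb") as f:
            f.write(b"\x7fELF netcat\n")
        with open(os.path.join(root, "var", "log", "syslog"), "ab") as f:
            f.write(b"cron ok\n")
        return check(root, baseline, ignore_prefixes=("var/log/",))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```

Note that the trojaned binary keeps its size and is caught only by the hash, which is why an integrity checker that tracks size and timestamps alone is not enough; the same applies to Tripwire’s own database and binary, which must themselves be stored where the intruder cannot rewrite them.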

How can I reduce the chance of compromise?

At the system level, there are multiple things that can be done to harden your servers and reduce the chance of ever having IoCs to find. While a lot of SOC teams focus on system and app hardening when thinking about preventing intrusions, there is an equally important and often unseen area: the infrastructure attack surface.

SurfaceBrowser is an essential tool that works beyond your systems and apps, and will let you explore your entire online infrastructure attack surface within seconds.

This enterprise-grade tool acts as an additional layer to find out more information about your servers, IP addresses, SSL certificates, exposed open ports, domain and subdomain names, associated domains and DNS records.

In short, it will let you detect, analyze and ultimately help you reduce the amount of data exposed to the Internet, allowing you to identify unseen assets, technology and software that could ultimately pose a real threat to your organization.

Discover all your domain and subdomain names

Are you wondering how many subdomains this tool is able to discover? Literally thousands. With Yahoo, for example, it was able to find up to 35K subdomain names.

Imagine how many vulnerable projects, dev test servers and apps can be found with this sort of capability.

In the following test, we filtered for subdomains that contain the word ‘dev’ and found 357 in total. Not bad:

[Screenshot: domain and subdomain names filtered for ‘dev’]

As you can see, you can filter by hosting company or IP address, discover open ports for each subdomain, and download the results.

Explore current and historical DNS records

Getting the full list of old and current DNS records takes mere seconds, whatever record type you need.

This is a screenshot of the current A, AAAA, and MX records for the yahoo.com domain name:

[Screenshot: current A, AAAA and MX records for yahoo.com]

Sometimes critical exposed information is found on old DNS records rather than on current ones—the bad guys know this too. You can stay one step ahead and explore old records by DNS record type from a single interface, as shown below:

[Screenshot: historical DNS records by record type]

Find all your IP blocks and their open ports

Even at small companies and organizations, the adoption of cloud technologies and services has substantially increased the number of IP addresses in use over the past few years.

And finding all your IP addresses manually can literally take days, if not more. Finding the IP address of each one of your assets, and correlating the services, domain names, subdomains and open ports isn’t easy. Fortunately, SurfaceBrowser™ has done the homework for you, and offers a quick interface where you can not only find all your IP blocks, but also the data behind those IPs.

[Screenshot: total IP blocks]

You can filter all the IP block information by Regional Registrar, as well as by IP subnet size, to see only what you really need. Once you’ve filtered your IP blocks, you can visualize the full data by IP block, IP count, unique user agents found, RIR, hostnames, domains and open ports.

[Screenshot: IP blocks filtered by RIR and subnet size, with open ports]

As you see in the previous screenshot, it also shows you the full list of open ports, and a port you did not expect to be open is exactly the kind of IoC described earlier.

Detect expired SSL certificates

An expired SSL certificate does not switch encryption off, but browsers and other clients will no longer trust it, so every visitor is met with a warning. Users who get used to clicking through such warnings will do the same for a forged certificate, which is what makes man-in-the-middle attacks practical, and automated clients that were set to ignore validation errors as a “temporary” workaround tend to stay that way.

SurfaceBrowser™ lets you analyze all the SSL certificates for each one of your domain and subdomain names by giving you full SSL data, such as company name, domains or subdomains, SSL issuer, creation and expiration date.

[Screenshot: expired SSL certificates]

You can also filter results by company, expiration and creation year, as well as for validity, which makes the job of finding expired SSL certificates even easier.

[Screenshot: SSL certificates filtered by company]

Summary

Indicators of compromise play a major part in any organization’s security. Whether they’re found by a red team during penetration testing or by a blue team during network auditing tasks, finding an IoC is always a concern.

At the same time, however, an IoC gives you the opportunity to find exposed critical data that had been overlooked and, most importantly, the chance to fix it (if the compromise wasn’t too severe) and take the steps needed to prevent a repeat.

As we explored today, IoC scanners confirm whether you’ve already suffered a system intrusion. When it comes to preventing compromise, however, analyzing the attack surface becomes essential alongside system and app hardening.

SurfaceBrowser lets you discover unseen data that you can’t find anywhere else, empowering you to explore and analyze your attack surface in a fast and effective way. You’ll then be able to focus on protecting the exposed critical data from all your assets. Book a demo with our sales team today!

ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.