A cyber threat is any malicious act that seeks to damage, steal, or disrupt digital systems. It involves a threat actor exploiting a vulnerability through malicious activity.
The threat landscape is the entire scope of potential and recognized cybersecurity threats affecting users, organizations, industries, or a time period. It is dynamic: it changes whenever new events shift the context (e.g., the COVID-19 pandemic, the Russia-Ukraine conflict).
Factors driving change in the threat landscape:
- Increasingly sophisticated tools & methods
- Greater reliance on SaaS/IT products
- Dark web enabling cybercrime profits
- Greater availability of hacker skills/finances
- Global events (pandemic, war)
- Faster software releases
- IoT device proliferation
Threat actors and their motivations:
- Hackers (Black/White/Grey hat): Challenge, gain, bragging rights
- Cybercriminals: Financial gain (ransomware, fraud)
- Nation-State (APTs): Espionage, sabotage, national interest
- Insiders: Revenge, data theft
- Hacktivists: Political/ideological agenda
- Script Kiddies: Fun/recognition using existing tools
Common types of cyber threats:
- Malware (viruses, worms, trojans, ransomware)
- Advanced Persistent Threats (APTs)
- Phishing / Social engineering
- Ransomware attacks
- Zero-day vulnerabilities
- DDoS / DoS attacks
- MITM attacks
- Supply chain attacks
- IoT vulnerabilities
- Insider threats
Detailed Threat Types (Exam-Important)
Advanced Persistent Threats (APTs)
- Targeted, prolonged attack by well-funded groups
- Goal: stay hidden for months/years to steal data
- Examples: Cozy Bear (APT29), Fancy Bear (APT28), Lazarus Group
- Highest risk: targets critical infrastructure
Ransomware
- Encrypts victim files, demands ransom (usually Bitcoin)
- WannaCry (2017): Exploited Windows EternalBlue vulnerability
- NotPetya (2017): Masqueraded as ransomware but was actually a wiper
- Impacts CIA triad
Zero-Day Vulnerabilities
- Targets unknown vulnerability (vendor unaware)
- No patch available at time of attack
- Example: CVE-2021-40444 (MSHTML, Office ActiveX)
- Most dangerous because no defense exists immediately
Supply Chain Attacks
- Compromise via trusted 3rd-party software/hardware
- Attacker injects malicious code into software updates
- Famous example: SolarWinds Orion attack
- Others: ASUS Live Update, CCleaner, Codecov
Impact of Cyber Threats
| Level | Impacts |
|---|---|
| Individuals | Financial loss, data breach, identity theft, disruption of daily life, reputational harm |
| Organizations | Financial losses (ransom, legal fees), operational disruption, data loss, reputational damage, regulatory fines (GDPR, HIPAA) |
| Nations | National security risks, critical infrastructure disruption, economic instability, political interference, election disruption |
Protection Strategies
- Firewalls & IPS/IDS
- Multi-factor authentication (MFA/2FA)
- Regular patching & updates
- Anti-virus software
- Attack surface management
- Encryption
- Employee awareness training
- Incident response plans
- Regular threat assessments
- Penetration testing
- Robust policies & procedures
- Data backup routines
Malware Analysis is the systematic, methodical process of studying malicious software to understand its behavior, structure, purpose, and impact. It's like a detective deconstructing a crime scene: understanding what the malware does, how it operates, and who created it.
Primary Objectives of Malware Analysis
- Identify what the malware is designed to do
- Understand how it infects and propagates
- Detect persistence mechanisms
- Extract Indicators of Compromise (IoCs)
- Support incident response & digital forensics
- Enhance threat intelligence databases
- Identify active threats targeting systems
- Develop effective defenses (AV signatures, IDS)
- Mitigate impact after infection
- Support forensic investigations & legal proceedings
- Improve cybersecurity practices continuously
- Enhance community-wide awareness
Infection Methods: How Malware Spreads
- Drive-by downloads: Auto-download visiting malicious sites
- Email attachments: Malicious files disguised as documents
- Phishing links: Fake websites trick users into clicks
- USB/Removable drives: Auto-execute on plug-in (baiting)
- Software vulnerabilities: Exploiting unpatched software
- Malvertising: Malicious online ads
- Botnets: Infected devices spread more malware
- Social engineering: Psychological manipulation
- P2P Networks: Malware disguised as media/software
- Mobile apps: Rogue apps with excessive permissions
Anatomy of Malware: The 8-Stage Lifecycle
| Stage | Key Activities | Important Detail |
|---|---|---|
| 1. Design & Development | Objective setting, code crafting, evasion techniques embedded, testing against AV | Polymorphism, encryption, packing used to evade AV |
| 2. Deployment | Target selection, delivery vector, exploitation, C&C setup | Lateral movement begins here |
| 3. Infection | Initial execution, payload delivery, backdoor creation | Covering tracks by altering logs |
| 4. Propagation | Self-replication, network exploitation, phishing campaigns | WannaCry spread via EternalBlue exploit |
| 5. Execution & Activity | Data theft, ransomware encryption, crypto-mining, DDoS | Most destructive phase |
| 6. Evasion | Obfuscation, rootkits, polymorphism, anti-debugging, memory-only execution | Anti-VM and anti-sandbox checks |
| 7. Persistence | Registry modifications, scheduled tasks, service hijacking, DLL injection, bootkit | Survives reboots and cleanup |
| 8. Termination | Self-destruction, log erasure, dormancy, chain reactions | Some malware stays dormant for future use |
Persistence Mechanisms (Very Exam-Important)
- Registry modifications: Startup keys execute malware on boot
- Scheduled tasks: Run at specific times/events
- Bootkit (MBR/VBR): Loads before the OS; the deepest persistence
- System file replacement: Replace trusted files
- Service hijacking: Run with elevated privileges
- DLL injection/hooking: Inject into legitimate processes
- Browser extensions: Auto-run on browser start
- WMI event abuse: Trigger on system events
- Logon scripts: Re-activate on every login
- Continuous C&C updates: Server maintains persistence
Static Analysis
- Definition: Examine malware WITHOUT executing it
- Asks: "What is the malware CAPABLE of doing?"
- Extracts: file hashes, strings, IP addresses, headers, metadata
- Tools: IDA Pro, Ghidra, PEview, strings utility
- ✓ Very safe (no execution risk)
- ✓ Fast initial analysis
- ✗ Misses runtime-only behaviors
- ✗ Limited against obfuscated malware
Dynamic Analysis
- Definition: Execute malware in an isolated sandbox
- Asks: "What is the malware DOING?"
- Observes: real-time behavior, network activity, file changes
- Tools: Cuckoo Sandbox, Wireshark, Process Monitor, OllyDbg
- ✓ Reveals hidden/runtime behaviors
- ✓ Deeper visibility than static
- ✗ Malware can detect sandbox and hide
- ✗ Resource intensive
Hybrid Analysis
- Definition: Combines BOTH static and dynamic methods
- Best of both worlds
- Effective against zero-day and unknown threats
- Static analysis applied to runtime artifacts (memory dumps)
- ✓ Highest IOC extraction
- ✓ Detects zero-days and sophisticated malware
- ✓ Very low evasion risk
- ✗ Slower than individual methods
| Feature | Static | Dynamic | Hybrid |
|---|---|---|---|
| Code Execution | ✗ No | ✓ Yes | ✓ Yes |
| Environment | Offline | Sandbox/VM | Sandbox + offline |
| Speed | Fast | Moderate | Slower |
| Safety | Very safe | Safe (isolated) | Safe |
| Detects Obfuscation | Limited | Good | Excellent |
| Zero-Day Detection | Low | Medium | High |
| Malware Evasion Risk | None | Possible | Very low |
| Indicators Found | Hashes, strings | Behavior, network | All IOCs |
| Best Use | Initial analysis | Behavior study | Advanced threat detection |
Common Malware Evasion Techniques
- Obfuscation: Deliberately complex code to hide intent
- Encryption: Encrypts payload; decrypts only at runtime
- Polymorphism: Code changes form each infection but same function
- Metamorphism: Completely rewrites itself, so it is harder to detect
- Packing: Compress & add decompression stub
- Rootkit: Hides at the kernel level (files, processes, network)
Malware Signatures & IoCs
Signature types:
- Hash-based: MD5, SHA-1, SHA-256; fast but fails against polymorphic malware
- String/Pattern-based: byte sequences; slight changes defeat it
- Heuristic/Behavioral: suspicious action patterns; higher false positives
IoC categories:
- Host-based: Registry changes, unusual files in %AppData%, privilege escalation
- Network-based: Unusual outbound traffic, C&C beacons, DNS anomalies
- Behavioral: Unusual traffic patterns, system crashes, rapid file encryption
| Feature | Malware Signatures | IOCs |
|---|---|---|
| Detection Focus | Known malware files | Evidence of attack |
| Scope | Specific threat | Broader attack activity |
| Method | Pattern matching | Log & activity analysis |
| Usage | Antivirus scanning | SOC & incident response |
Key Tools Summary
Static Analysis Tools: IDA Pro, Ghidra, PEview, strings utility
Dynamic Analysis Tools: Cuckoo Sandbox, Wireshark, Process Monitor, OllyDbg
Reverse Engineering in malware analysis is the process of deconstructing malicious software to understand its design, functionality, and behavior, breaking down code to its most fundamental elements.
Purposes:
- Understand malware's true purpose (financial theft? espionage? sabotage?)
- Reveal hidden mechanisms (evasion, deception)
- Develop countermeasures
- Attribution: identify threat actors by coding patterns
Challenges:
- Complexity: layers of obfuscation & encryption
- Time-consuming, especially for obfuscated samples
- Evasion: malware detects analysis & self-destructs
Case Studies (Exam-important)
- First appeared Nov 2021, compromised 100+ organizations
- Gains access via compromised user credentials
- Abuses Active Directory & Group Policy Objects (GPO)
- Uses phishing, vulnerability exploitation, stolen credentials
- Difficult to decrypt: sophisticated encryption
- Lesson: Importance of MFA, patching, disaster recovery
- Malware-as-a-Service (MaaS) infostealer
- Targets Windows & Intel-based macOS systems
- Steals login credentials, credit card details
- Sends to attacker's C2 server
- Distributed via phishing, cracked software, SEO poisoning
- Defense: Dedicated password manager, hardware MFA
Static analysis examines a file's internal structure without executing it. It reveals: file organization, malicious sections, and creator intent. Analyzed through: File Header → File Resources → File Footer.
File Header Analysis
Headers are like "ID cards" of executable files. They provide preliminary understanding of the file.
- Magic Number (File Signature): Unique bytes identifying file type
- Version Information: Tool/compiler used to create it
- Timestamps: Creation, modification, compilation dates (can be faked!)
- Section Details: .text (code), .data (globals), .rsrc (resources), .reloc (linking)
Common magic numbers:
- `4D 5A` (MZ): Windows PE executable (.exe/.dll)
- `50 4B 03 04` (PK): ZIP archive
- `89 50 4E 47`: PNG image
- `25 50 44 46`: PDF file
- Magic bytes help verify file type and detect fake extensions
PE (Portable Executable) Header Analysis
DOS header:
- Magic number `MZ`: indicates DOS compatibility
- DOS stub program: displays "This program cannot be run in DOS mode"
- Last 4 bytes of the DOS header (e_lfanew): offset to PE header
PE file header:
- Machine: target architecture (x86, x64, ARM)
- Number of sections: partitions in the file
- Timestamp: compilation time
- Characteristics: DLL? Executable? System file?
- Size of optional header
PE signature and optional header:
- Magic number `PE\0\0`: marks the start of the PE header
- Address of entry point: where execution begins
- Image base address
- Section alignment, file alignment
- Subsystem (Windows GUI or console)
PE Section Headers (Key Sections)
| Section | Contains | Characteristics |
|---|---|---|
| .text | Executable code | 0x60000020: code + readable |
| .data | Global and static variables | 0xC0000040: readable + writable |
| .rsrc | Resources (icons, images, strings) | Non-executable data |
| .rdata | Read-only data | Constants, import/export tables |
| .reloc | Relocation data | Dynamic linking info |
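As an added example (not code from the original notes), the following Python script applies the header checks above: it compares the magic bytes with the file extension to catch fake extensions, then walks the DOS header, the `PE\0\0` signature, the file header, the optional header and the section table, decoding section characteristics such as 0x60000020 and 0xC0000040 and flagging any section that is both writable and executable, a common packer sign. The PE it parses is constructed in place (headers only, not a real program); the constant names are the PE specification's.

```python
import struct

# Magic numbers from the notes, with the extensions each file type legitimately carries.
MAGIC = [(b"MZ", "Windows PE executable", {".exe", ".dll", ".sys"}),
         (b"PK\x03\x04", "ZIP archive", {".zip", ".jar", ".docx", ".xlsx"}),
         (b"\x89PNG", "PNG image", {".png"}),
         (b"%PDF", "PDF file", {".pdf"})]
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console"}
# Characteristics bits from the PE specification (file header and section header)
IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_DLL = 0x0002, 0x2000
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def identify(data, filename):
    """Return (file type, mismatch); mismatch is True when the extension contradicts the magic."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for magic, kind, exts in MAGIC:
        if data.startswith(magic):
            return kind, ext not in exts
    return "unknown", False


def describe_flags(flags):
    names = ((SCN_CODE, "code"), (SCN_IDATA, "data"), (SCN_EXEC, "executable"),
             (SCN_READ, "readable"), (SCN_WRITE, "writable"))
    return " + ".join(tag for bit, tag in names if flags & bit)


def parse_pe(data):
    """Walk DOS header -> PE signature -> file header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # last DWORD of the DOS header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    fh = e_lfanew + 4                                         # 20-byte IMAGE_FILE_HEADER
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = (struct.unpack_from("<I", data, opt + 28)[0] if magic == 0x10B
                  else struct.unpack_from("<Q", data, opt + 24)[0])
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsec):                                     # 40-byte IMAGE_SECTION_HEADER each
        name, vsize, _va, rsize, _rptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "raw_size": rsize, "flags": flags, "perms": describe_flags(flags),
                         # writable AND executable is a classic packer / self-modifying-code sign
                         "suspicious_wx": bool(flags & SCN_WRITE) and bool(flags & SCN_EXEC)})
        off += 40
    return {"machine": MACHINES.get(machine, hex(machine)), "timestamp": stamp,
            "is_exe": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE), "is_dll": bool(chars & IMAGE_FILE_DLL),
            "entry_point": entry, "image_base": image_base,
            "subsystem": SUBSYSTEMS.get(subsystem, subsystem), "sections": sections}


def build_sample_pe():
    """Constructed minimal PE32 image (headers only, no code) used as the demo input."""
    opt = bytearray(96)                                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<H", opt, 68, 3)                        # Subsystem: console
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F3759DF, 0, 0, len(opt), 0x0102)

    def section(name, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, flags)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew at offset 0x3C
    return (dos + b"PE\0\0" + file_hdr + opt
            + section(b".text", 0x60000020) + section(b".data", 0xC0000040))
```

`identify(build_sample_pe(), "invoice.pdf")` reports a PE hiding behind a .pdf extension, and `parse_pe(build_sample_pe())["sections"]` lists each section with its decoded permissions.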
File Footer Analysis
| Aspect | Header Analysis | Footer Analysis |
|---|---|---|
| Location | Beginning (Offset 0x00) | End of file (data appended after the expected EOF) |
| Objective | Validate file structure | Detect hidden/appended data |
| Detects | Fake file types, packing | Appended malware, steganography, polyglot files |
| Key Question | "Is this file structurally honest?" | "Is this file hiding something at the end?" |
Entropy Analysis
Entropy measures randomness/disorder in data. High entropy = likely encrypted or compressed. Low entropy = plaintext or normal code.
- High entropy: likely an encrypted payload (malware hiding itself)
- Packed/obfuscated code: shows up as high-entropy sections
- Differentiates code, text, binary data types
- Anomaly detection: sudden spikes = tampering
- Steganography detection: high entropy in normal images
- Behavioral profiling over time
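An added example, not part of the original notes: Shannon entropy computed per fixed-size window over a constructed buffer, so the plaintext DOS-stub region and a uniformly distributed stand-in for a packed payload separate cleanly. The 7.0 bits/byte cut-off and the labels are assumed rules of thumb, not a standard.

```python
import math
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data, window=256):
    """Entropy of each fixed-size window as [(offset, entropy), ...]."""
    return [(off, shannon_entropy(data[off:off + window])) for off in range(0, len(data), window)]


def flag_regions(data, window=256, threshold=7.0):
    """Offsets of windows whose entropy suggests packed or encrypted content.
    7.0 bits/byte is an assumed rule-of-thumb cut-off; native code usually sits around 5 to 6.5."""
    return [off for off, ent in entropy_profile(data, window) if ent >= threshold]


def label_entropy(ent):
    if ent >= 7.0:
        return "likely encrypted/compressed"
    if ent >= 5.0:
        return "code/binary data"
    return "text or padding"


# Constructed sample: 512 bytes of plain text (the DOS stub message) followed by
# 512 bytes containing every byte value equally often, standing in for a packed payload.
TEXT_REGION = (b"This program cannot be run in DOS mode.\r\n" * 13)[:512]
PACKED_REGION = bytes(range(256)) * 2
SAMPLE = TEXT_REGION + PACKED_REGION

if __name__ == "__main__":
    for off, ent in entropy_profile(SAMPLE):
        print(f"0x{off:04x}  {ent:.2f}  {label_entropy(ent)}")
    print("high-entropy windows at:", flag_regions(SAMPLE))
```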
String Analysis
String Analysis extracts and examines text strings embedded in executable files. Strings reveal malware's purpose, communication methods, and obfuscation techniques.
- C2 server URLs and IP addresses
- Hardcoded passwords and encryption keys
- File paths being targeted
- Registry keys being modified
- Debugging messages from developer
- API function names
- Error messages and commands
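An added example (not from the original notes) that does what the `strings` utility does and a little more: it pulls both ASCII and UTF-16LE strings, which Windows malware often uses for registry keys and paths and which plain `strings` misses, and buckets them into the categories listed above. The sample bytes, the category regexes and the API name list are constructed for the demo; the IP address and domain come from documentation-reserved ranges.

```python
import re


def extract_strings(data, min_len=5):
    """Return sorted (offset, text, encoding) for printable ASCII runs and UTF-16LE 'wide' runs."""
    ascii_rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_rx = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii"), "ascii") for m in ascii_rx.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16le"), "utf-16le") for m in wide_rx.finditer(data)]
    return sorted(found)


# Categories from the notes above; the regexes are assumed heuristics, not a complete taxonomy.
CLASSIFIERS = [
    ("url", re.compile(r"https?://\S+")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("registry", re.compile(r"^(?:HKLM|HKCU|HKEY_[A-Z_]+|SOFTWARE|SYSTEM)\\", re.I)),
    ("path", re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z]+%\\)")),
    ("api", re.compile(r"^(?:IsDebuggerPresent|VirtualAlloc|CreateThread|GetAsyncKeyState|"
                       r"RegSetValueExW|CreateFileW|WriteFile|URLDownloadToFileW)$")),
]


def classify(text):
    for label, rx in CLASSIFIERS:
        if rx.search(text):
            return label
    return "other"


def triage(data, min_len=5):
    """Group extracted strings by category so C2, persistence and API hints are seen first."""
    report = {}
    for _off, text, _enc in extract_strings(data, min_len):
        report.setdefault(classify(text), []).append(text)
    return report


# Constructed sample "binary": junk bytes around strings a dropper might embed.
# 192.0.2.0/24 and the .invalid TLD are reserved for documentation, so nothing here is a real IoC.
SAMPLE = (b"MZ\x90\x00\x03\x00" + b"http://c2.example.invalid/gate.php\x00" + b"\xde\xad\xbe\xef"
          + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
          + b"IsDebuggerPresent\x00\x01\x02" + b"192.0.2.10\x00" + b"%AppData%\\svchost.exe\x00"
          + b"\xff\xfe" + b"This program cannot be run in DOS mode.\x00")

if __name__ == "__main__":
    for label, items in triage(SAMPLE).items():
        print(f"{label:9s} {items}")
```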
| Aspect | Disassembly | Decompilation |
|---|---|---|
| Definition | Binary → Assembly language instructions | Binary → High-level C-like pseudo code |
| Output | Assembly code (x86/x64/ARM) | C/C++-like pseudo code |
| Abstraction | Low-level (close to hardware) | High-level (logic & structure) |
| Accuracy | Highly accurate | Approximation (reconstructed) |
| Readability | Difficult; needs assembly knowledge | Easier for C/C++ familiar analysts |
| Obfuscation Resistance | More reliable | Easily confused by obfuscation |
| Tools | IDA Pro, Ghidra, Radare2 | Hex-Rays IDA, RetDec |
Code Obfuscation Techniques
Code obfuscation deliberately makes code more complex and convoluted to obscure its intent and hide malicious functionality from analysts and AV tools.
- String Encryption: C2 URL stored encrypted, decrypted at runtime
- Control Flow Obfuscation: Extra branching to make flow unpredictable
- Code Fragmentation: Split code into many small pieces
- Mathematical Transformations: Apply math ops to hide constants
- Dummy Code Insertion: Meaningless code to confuse analysts
- Dynamic Code Generation: Code created at runtime
- Variable Renaming: Replace meaningful names with gibberish
- Constant Mutation: Modify numerical constants
Anti-Analysis Techniques
- Environment checks: Detect VM/sandbox/debugger presence
- Time delay: Sleep 10 mins to bypass sandbox time limits
- Anti-debugging: `IsDebuggerPresent()` check; terminates if a debugger is detected
- Dynamic configuration: Fetch config from remote server at runtime
- Dynamic code execution: Payload generated & executed at runtime
- Polymorphism: Randomly selects different code version each run
- Rootkit techniques: Hides processes/files/registry at kernel level
- Code injection: Inject into legitimate processes
Signature vs. Heuristic Analysis
Signature-based analysis:
- Matches files against database of known signatures
- ✓ Highly effective against known threats
- ✓ Fast and reliable
- ✗ Cannot detect new/zero-day malware
- ✗ Evaded by slightly modifying code (polymorphic)
Heuristic analysis:
- Analyzes behavior rather than matching signatures
- Activity monitoring: file edits, registry changes, network calls
- Scoring: if accumulated suspicious score > threshold → malicious
- ✓ Can detect new and unknown malware
- ✗ Higher false positive rate
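An added example of the scoring rule above, not code from the original notes: events from a constructed sandbox trace are matched against weighted rules and the score is accumulated per process, with the verdict flipping to malicious at the threshold. Weights, the threshold and the trace format are assumed for the demo and would be tuned against real benign baselines; the legitimate-looking updater that writes a Run key but stays under the threshold shows why a single behavior should not decide on its own.

```python
# Constructed sandbox trace (not real tool output): timestamp, pid and key=value fields per line.
# IPs are from documentation ranges; the Run key and %AppData% drop mirror the host IOCs above.
TRACE = """\
1700000001 pid=4120 api=RegSetValueExW key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=%AppData%\\svchost.exe
1700000002 pid=4120 api=CreateFileW path=%AppData%\\svchost.exe access=write
1700000003 pid=4120 api=IsDebuggerPresent result=0
1700000004 pid=4120 api=connect dst=198.51.100.7:4444
1700000005 pid=4120 api=Sleep ms=600000
1700000006 pid=5001 api=CreateFileW path=C:\\Users\\alice\\Documents\\report.docx access=read
1700000007 pid=5001 api=connect dst=203.0.113.5:443
1700000008 pid=6100 api=RegSetValueExW key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=C:\\Tools\\updater.exe
"""


def parse_trace(text):
    """One dict per line: {'ts': int, 'pid': str, 'api': str, ...}."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        event = {"ts": int(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


COMMON_PORTS = {"80", "443", "53"}
# (description, weight, predicate). Weights are assumed for the demo, not taken from any product.
RULES = [
    ("writes a Run key (persistence)", 30,
     lambda e: e.get("api") == "RegSetValueExW" and "\\Run" in e.get("key", "")),
    ("drops an executable under %AppData%", 20,
     lambda e: e.get("api") == "CreateFileW" and e.get("access") == "write"
     and e.get("path", "").lower().startswith("%appdata%") and e["path"].lower().endswith(".exe")),
    ("checks for a debugger (anti-analysis)", 15,
     lambda e: e.get("api") == "IsDebuggerPresent"),
    ("connects to a non-standard port", 15,
     lambda e: e.get("api") == "connect" and e.get("dst", "").rsplit(":", 1)[-1] not in COMMON_PORTS),
    ("sleeps 5 minutes or more (sandbox timeout evasion)", 10,
     lambda e: e.get("api") == "Sleep" and int(e.get("ms", "0")) >= 300000),
]
THRESHOLD = 60  # accumulated score at or above this is reported as malicious


def score_processes(events, rules=RULES, threshold=THRESHOLD):
    """Accumulate rule weights per pid; no single rule decides, the total does."""
    verdicts = {}
    for event in events:
        entry = verdicts.setdefault(event["pid"], {"score": 0, "reasons": []})
        for description, weight, matches in rules:
            if matches(event):
                entry["score"] += weight
                entry["reasons"].append(f"{description} (+{weight})")
    for entry in verdicts.values():
        entry["verdict"] = "malicious" if entry["score"] >= threshold else "benign"
    return verdicts


if __name__ == "__main__":
    for pid, result in score_processes(parse_trace(TRACE)).items():
        print(pid, result["verdict"], result["score"], result["reasons"])
```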
Function & API Calls Analysis
Suspicious imports by DLL:
- ADVAPI32.DLL: RegOpenKeyExW, RegSetValueExW (registry persistence, disabling security)
- USER32.DLL: GetAsyncKeyState, SetWindowsHookEx (keylogging, spying)
- OLE32/OLEAUT32: COM abuse, URLDownloadToFile (downloading payloads)
- BCRYPT/SECUR32: BCryptEncrypt (credential theft)
- IPHLPAPI: GetAdaptersInfo (network recon, stealing IP/MAC)
Telling combinations:
- ADVAPI32 + KERNEL32 + USER32 = Persistence + Execution + Keylogging
- IPHLPAPI + WS2_32 = Network exfiltration
- BCRYPT + SECUR32 = Credential theft
Key API calls:
- `VirtualAlloc()` = memory allocation for shellcode
- `CreateThread()` = execute injected code
- `GetAsyncKeyState()` = keylogging
- `CreateFile()`, `WriteFile()` = file system manipulation
Cross-Reference & Resource Analysis
Cross-reference analysis:
- Understand how different malware parts interact
- Trace dependencies and references in code
- Detect evasion (e.g., references to `IsDebuggerPresent()`)
- Root cause analysis of network/system behaviors
- Vulnerability discovery in malware code
- Code flow analysis: sequence of operations
Resource analysis:
- Examine embedded non-code data: icons, images, strings, binary
- Icons may mimic legitimate software
- Images may contain hidden data (steganography)
- Text resources may have C2 addresses
- Detect encrypted/compressed resources
- Identify malware variants by comparing resources
A sandbox is an isolated, controlled virtual environment where malware is executed safely to observe its real-time behavior without risking the actual system or network. It's the "safe room" for watching malware operate.
Why Dynamic Analysis is Important
- Real-time behavior observation
- Uncovers hidden actions only active under specific conditions
- Detects evasion tactics
- Analyzes impact on system resources, files, network
- Identifies IOCs for proactive mitigation
Limitations of Sandbox Analysis
- Advanced malware detects sandboxes (anti-sandbox)
- Resource intensive for complex malware
- Gives only dynamic insight; static analysis is still needed
- Time-aware malware delays execution to escape sandbox
Aspects of Sandbox Analysis
Memory Analysis
Memory Analysis examines volatile memory (RAM) during/after malware execution. It reveals runtime behavior and bypasses limitations of file-based detection. Key tool: Volatility Framework.
- Volatility analysis: extract artifacts from memory dumps
- Process analysis: identify malicious processes, memory footprint
- DLL injection/code injection detection
- Rootkit detection: hidden processes/files in RAM
- Credential & data extraction from memory
- Network artifacts: open connections, protocol details
Code Injection & Hooking Techniques
DLL Injection
- Injects malicious DLL into legitimate process
- Leverages host process's privileges and trust
- Makes malicious activity hard to detect
- Defense: monitor unexpected DLL loads, integrity checks
Process Hollowing
- Runs malware code inside a legitimate process's address space
- Empties ("hollows") legitimate process and replaces with malicious code
- Process name looks innocent but behavior is malicious
- Defense: behavior analysis, memory monitoring, integrity checks
Remote Thread Injection
- Creates new thread in another process's address space
- Malicious code runs in context of legitimate process
- Aids stealth and evasion
- Defense: advanced monitoring, behavior analysis, heuristics
Hooking Techniques
- API Hooking: Intercepts & redirects function calls to malicious code
- Inline Hooking: Places hooks within process code to redirect execution
- Kernel-level Hooking: Intercepts system calls at the OS level, giving full system control
- System Call Hooking: Replaces legitimate system call addresses
- Function Hooking: Redirects calls to specific functions
- Memory Hooking: Modifies memory to intercept/alter data
- COM Hooking: Intercepts COM object calls
Dynamic IOC Extraction Tools
Foundational Principles of Code Analysis
- Understand code flow: Trace execution paths, loops, conditions
- Identify key functions: Payload execution, persistence, exfiltration
- Examine data structures: How malware organizes data internally
- Detect code anomalies: Obfuscation, suspicious patterns
- Trace API calls: OS interactions (files, registry, network)
- Correlate with dynamic analysis: Combine static + runtime findings
Control Flow Analysis
- Studies instruction execution sequence
- Uses Control Flow Graph (CFG): a visual of all execution paths
- Basic blocks: group of instructions with one entry and exit
- Intraprocedural: within a single function
- Interprocedural: across multiple functions
- Reveals obfuscation & anti-analysis
Anti-Reverse Engineering Techniques
Packing
- Compress executable files
- Add decompression code (stub)
- Hide original program
- Requires unpacking before analysis
- Purpose: reduce file size AND evade AV
Encryption
- Encrypt malware to avoid detection
- Payload decrypted only at runtime in memory
- AV cannot see the real code
- Often combined with packers
Polymorphism
- Code changes every time it runs
- Creates new variants automatically
- Signature-based detection is ineffective
- Functional behavior stays the same
Anti-Debugging Techniques
- Detect debugger presence, alter/terminate behavior
- False outputs, infinite loops, misleading code traps
- `IsDebuggerPresent()` API check
- SEH chain manipulation
- Stack cookie validation checks
- `INT 0x29`: hardcoded fast-fail crash
Anti-VM & Anti-Sandbox Techniques
- Registry checks: Sandbox-related registry keys
- Network checks: MAC address patterns of VMs
- System info: `GetSystemInfo()` to check CPU, memory
- Process detection: Scan for Wireshark, Process Explorer
- Time delays: Sleep to bypass sandbox time limits
- User interaction: Mouse movement = real user check
- CPUID checks: Detect virtual CPU features
Role of ML & AI in Malware Analysis
- Enhance detection of anti-RE techniques
- Identify patterns, anomalies, hidden behaviors
- Automated threat detection using trained models
- Detect zero-day attacks via anomaly detection
- Behavior-based malware classification
- Feature extraction, dimensionality reduction
- Adversarial ML: detect evasion attempts
- Predictive analysis of emerging threats
Case Study: NotPetya (2017)
- Discovered 2017; initially appeared as ransomware
- Reverse engineering revealed: actually a WIPER (destroys data)
- Modifies Master Boot Record (MBR): irreversible damage
- No real recovery mechanism (fake ransom screen)
- Used EternalBlue exploit for lateral movement
- Caused massive outages: logistics, banking, energy sectors
- Lesson: RE is critical to distinguish ransomware from wipers
Indicators of Compromise (IOCs) are pieces of forensic evidence suggesting a system/network has been breached. They are observable artifacts/patterns linked to security incidents that help in detecting, responding to, and mitigating threats.
Role of IOCs in Cybersecurity
- Early Threat Detection: Warning signs before escalation
- Incident Response: Understand attack, assess impact
- Attribution & Triage: Associate attacks with threat actors
- Threat Intelligence Sharing: Community-wide defense improvement
- SIEM Integration: Enhance automated detection systems
- Continuous Improvement: Strengthen policies from past incidents
10 Types of IOCs
File-based IOCs:
- File hashes (MD5, SHA-1, SHA-256)
- Suspicious file names and paths
- Unusual file size/type mismatches
- Hidden file attributes
- Missing digital signatures
- Embedded malicious objects (macros)
- Encrypted/compressed files hiding payloads
Network-based IOCs:
- Known malicious IP addresses (C2 servers)
- Suspicious domain names (phishing)
- Non-standard communication ports
- Unusual data transfer volumes (exfiltration)
- Malicious DNS queries, Fast Flux, DGA
- Self-signed/untrusted SSL/TLS certificates
- Traffic from unexpected geographic regions
Email-based IOCs:
- Suspicious/spoofed sender addresses
- Phishing-related subject lines
- Malicious attachments (malware payloads)
- Phishing/shortened URLs in body
- Manipulated email headers
- Executable attachments with malicious macros
- Unusual timestamps or mismatched sender/recipient
Registry-based IOCs:
- Unusual/unexpected modified registry keys
- Run/RunOnce entries (persistence)
- Registry values linked to malicious files
- Unauthorized deletion/modification of keys
- Suspicious DLL load point entries
- Newly registered services tied to malware
- Browser Helper Object (BHO) entries
Memory/Process-based IOCs:
- Suspicious processes / abnormal resource usage
- API hooking and code injection
- Malicious DLLs / shellcode in memory
- Privilege escalation attempts
- Encrypted network connections from memory processes
- Heap/stack anomalies (buffer overflows)
- Unusual execution patterns (unexpected jumps)
Further IOC types:
- Behavioral IOCs: Unusual system/user behavior patterns
- User-Agent String IOCs: Forged browser agent strings
- Digital Certificate IOCs: Revoked/suspicious certificates
- Payload Analysis IOCs: Malicious code patterns in payloads
- Endpoint Security IOCs: AV alerts, quarantine events
IOC Analysis Techniques
| Technique | How It Works | Pros | Cons |
|---|---|---|---|
| Signature-based | Match against known threat signatures database | Fast, reliable for known threats | Cannot detect zero-day; evaded by minor changes |
| Anomaly-based | Compare vs. baseline "normal" behavior | Detects unknown/zero-day threats | High false positive rate; complex config needed |
| Heuristic analysis | Algorithms examine behavior to assess maliciousness | Detects new/emerging threats | High false positives; resource intensive |
| Behavioral analysis | Monitor system for unusual actions (encryption, unauthorized access) | In-depth insight into harmful actions | Requires extensive logging; data intensive |
| Sandbox analysis | Execute suspected malware in controlled environment | Safe, detailed behavior report | Advanced malware can detect & evade sandbox |
| Threat intelligence | Aggregate/analyze data about threats from multiple sources | Broader context, predict attacks | Dependent on intelligence quality; costly |
| Network traffic analysis | Examine packets for unusual patterns | Spots suspicious data flows | Overwhelming without proper tools; privacy concerns |