Actually we often see that during lateral movement attackers access systems, run their tools remotely, copy the output, delete the output files and leave no file system traces behind. Our scanners use the locations mentioned above and others to detect them even though all the files have already been removed from disk. That’s the „freestyle“ method.
The same applies to the C2 IOCs. The „compulsory“ plain method would check the system’s network connections.
The „freestyle“ method also includes checking for these C2 IOCs in the following locations:
- Process memory (C2 strings loaded and decrypted in process memory)
- Log files (web server access logs, Windows firewall log file, AV module log file …)
- Hosts file
- Files (in backdoor config files on disk)
- Registry (hard coded C2 server in registry key)
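To make the list above concrete, here is an added example (not Nextron's code and not part of the original post) that applies a small IOC set to several of the „freestyle“ locations named above: a hosts file, firewall log lines, a backdoor config on disk and a dump of a process memory region. The IOCs, sample files and memory bytes are all constructed for the example. Two details matter in practice and are handled here: a domain IOC must also hit when it appears as a subdomain or inside a URL, but not when it is merely a suffix of a longer name, and C2 strings in process memory are often stored as UTF-16LE at arbitrary byte offsets, so a plain ASCII search over the dump would miss them.

```python
"""Added example: check constructed C2 IOCs against the "freestyle" locations
(hosts file, log files, config files on disk, process memory), not just sockets."""
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed IOCs for this example; these are not real indicators.
C2_IOCS = ["update-check.example-c2.test", "198.51.100.23"]


@dataclass(frozen=True)
class Hit:
    location: str   # where the IOC was found (hosts file, log, memory, ...)
    ioc: str
    encoding: str   # text encoding in which the match was found
    context: str    # surrounding text, trimmed, for the analyst


def _compile(iocs: Iterable[str]) -> list[tuple[str, re.Pattern]]:
    """IPs must match as a whole dotted quad; domains match as a whole label
    sequence, so a.c2.test and https://c2.test/x hit but notc2.test does not."""
    out = []
    for ioc in iocs:
        esc = re.escape(ioc)
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", ioc):
            pat = rf"(?<![\d.]){esc}(?![\d.])"
        else:
            pat = rf"(?<![A-Za-z0-9.-])(?:[A-Za-z0-9-]+\.)*{esc}(?![A-Za-z0-9.-])"
        out.append((ioc, re.compile(pat, re.IGNORECASE)))
    return out


def _context(text: str, start: int, end: int, width: int = 40) -> str:
    lo, hi = max(0, start - width), min(len(text), end + width)
    return text[lo:hi].replace("\x00", "").strip()


def scan_text(location: str, text: str, iocs=C2_IOCS, encoding="utf-8") -> list[Hit]:
    """Search decoded text (a hosts file, a log, a config) for every IOC."""
    hits = []
    for ioc, rx in _compile(iocs):
        for m in rx.finditer(text):
            hits.append(Hit(location, ioc, encoding, _context(text, m.start(), m.end())))
    return hits


def scan_memory(location: str, blob: bytes, iocs=C2_IOCS) -> list[Hit]:
    """Process memory holds strings in whatever encoding the backdoor used.
    Windows APIs mostly take UTF-16LE, so the region is decoded both as UTF-8
    and as UTF-16LE; a UTF-16 string may start at an odd byte offset, so both
    alignments are tried."""
    hits = scan_text(location, blob.decode("utf-8", errors="ignore"), iocs, "utf-8")
    for off in (0, 1):
        text = blob[off:].decode("utf-16-le", errors="ignore")
        hits += scan_text(location, text, iocs, "utf-16-le")
    return hits


# --- constructed sample data standing in for the real locations ---------------
HOSTS_FILE = "127.0.0.1 localhost\n198.51.100.23 updates.vendor.example\n"
FIREWALL_LOG = (
    "2024-03-03 10:14:02 ALLOW TCP 10.0.0.5 198.51.100.23 51234 443 - - - - - - - SEND\n"
    "2024-03-03 10:14:09 ALLOW TCP 10.0.0.5 203.0.113.7 51235 443 - - - - - - - SEND\n"
)
BACKDOOR_CONFIG = '{"servers": ["https://a.update-check.example-c2.test/gate.php"], "sleep": 60}'
PROCESS_MEMORY = (
    b"\x00" * 7                                           # odd padding: UTF-16 string at offset 7
    + "https://update-check.example-c2.test/".encode("utf-16-le") + b"\x00\x00"
    + b"\x90\x90\x90connect:198.51.100.23:443\x00"       # ASCII string elsewhere in the region
)


def run_freestyle_scan() -> list[Hit]:
    """Apply the IOC set to every sample location and return all hits."""
    hits = []
    hits += scan_text("hosts file", HOSTS_FILE)
    hits += scan_text("firewall log", FIREWALL_LOG)
    hits += scan_text("backdoor config on disk", BACKDOOR_CONFIG)
    hits += scan_memory("process memory", PROCESS_MEMORY)
    return hits


if __name__ == "__main__":
    for h in run_freestyle_scan():
        print(f"[{h.location}] {h.ioc} ({h.encoding}): ...{h.context}...")
```

Run against the constructed samples, the same two IOCs produce five hits across four locations, none of which a check of the current socket table would show; the UTF-16LE hit from the memory region is the one a byte-for-byte ASCII grep would have missed.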
It is sad to see great indicators from expensive feeds fed into tools that do „IOC scanning“ the „compulsory“ way and miss so many interesting spots.
If all you have is a hammer, everything looks like a nail.
So – the next time someone tells you that their tool checks for IOCs on the endpoint, your question should be „How and where do you check for these IOCs?“.