CySA+ Module 1.2

Presentation slides CompTIA CySA+ certification module 1.2.

Uploaded by bernard

04 Analyzing Potentially Malicious Activity

In this chapter you will learn:

■ How to diagnose incidents by examining network activity

■ How to diagnose incidents by examining host activity

■ How to diagnose incidents by examining application activity
4.1 Network-Related Indicators
Some common network-related potential indicators include the following:
• Unexpected protocol usage
• Suspicious DNS
• Unusual network device behavior
• Geographically improbable access
• Unauthorized use of network services
• Malware-related activity
Bandwidth Consumption
• Bandwidth consumption refers to the amount of data transmitted or received over a
network within a specific period.
• Unusual changes in consumption patterns may indicate potential security incidents,
such as data exfiltration, distributed denial-of-service (DDoS) attacks, or malware
infections.
• It’s essential to establish a baseline for normal bandwidth usage within your
organization.
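The baseline-and-threshold idea from the three bullets above, as an added example that is not part of the slides: a per-host byte count is compared with a baseline built from the preceding samples, and a sample far outside that baseline is flagged. The median and median absolute deviation (MAD) are used instead of mean and standard deviation so that one earlier spike does not inflate the baseline and hide the next one. The sample counts, the window length and the threshold are constructed values.

```python
"""Baseline-and-threshold check for bandwidth consumption.

Added example (not from the slides). Builds a per-host baseline from a window
of earlier byte counts using the median and the median absolute deviation
(MAD), then flags samples whose robust z-score exceeds a threshold. All sample
data below is constructed.
"""
from statistics import median

# Constructed hourly outbound byte counts (MB) for one host. Normal hours sit
# around 40 MB; the last three samples are the kind of burst a bulk transfer
# (an exfiltration, or equally a large backup) would produce.
SAMPLES_MB = [38, 41, 44, 39, 40, 42, 37, 43, 41, 40, 39, 42,
              40, 38, 44, 41, 39, 43, 40, 42, 41, 39, 38, 40,
              42, 41, 260, 310, 295]


def robust_zscore(window, value):
    """Robust z-score of value relative to window (median / MAD)."""
    med = median(window)
    mad = median(abs(x - med) for x in window)
    # 1.4826 scales the MAD to be comparable with a standard deviation for
    # normally distributed data; guard against a zero MAD on a flat baseline.
    scale = 1.4826 * mad if mad > 0 else 1.0
    return (value - med) / scale


def find_bandwidth_anomalies(samples, baseline_len=24, threshold=5.0):
    """Return (index, value, zscore) for samples exceeding the threshold.

    The baseline for sample i is the baseline_len samples before it, so the
    first baseline_len samples only establish the baseline and are not judged.
    """
    anomalies = []
    for i in range(baseline_len, len(samples)):
        window = samples[i - baseline_len:i]
        z = robust_zscore(window, samples[i])
        if z > threshold:
            anomalies.append((i, samples[i], round(z, 1)))
    return anomalies


if __name__ == "__main__":
    for idx, mb, z in find_bandwidth_anomalies(SAMPLES_MB):
        print(f"sample {idx}: {mb} MB, robust z={z} -> investigate")
```

The flag only says the volume is unusual; whether it is exfiltration, a DDoS contribution or a scheduled backup is decided by examining the nature of the traffic, as the summary at the end of this section says.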
Beaconing
• Beaconing is a communication pattern, often associated with malware and command-and-control (C2), in
which a compromised device contacts a C2 server at periodic, often regular intervals.
• Beaconing can be challenging to detect. Staying vigilant and utilizing network analysis
tools are key.
• Focusing solely on specific intervals can lead to both false positives (FPs) and false
negatives (FNs). To address this, cybersecurity analysts should employ a combination
of detection methods and continually refine their approaches to stay ahead of evolving
threats.
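The interval-based detection and its false-positive/false-negative caveat, as an added example that is not part of the slides: connections are grouped per source/destination pair, the gaps between successive connections are measured, and a pair is reported only when it has enough connections and the gaps are regular within a tolerance (median absolute deviation relative to the median gap). The connection records, the thresholds and the IP addresses are constructed.

```python
"""Beacon-candidate detection from connection records.

Added example (not from the slides). Groups connections per (src, dst) pair,
computes the gaps between successive connections and scores how regular those
gaps are with the median gap and the median absolute deviation (MAD). Pairs
with enough connections and a low MAD/median ratio are reported as candidates.
Scoring regularity with a tolerance, rather than matching one exact interval,
is what lets a jittered beacon through without flagging every pair that
happens to hit a round number once. All records below are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed gap sequences (seconds). The first is beacon-like: about every
# 60 s with a few seconds of jitter. The second is irregular, user-driven.
BEACON_GAPS = [60, 58, 63, 61, 57, 62, 60, 59, 64, 60]
USER_GAPS = [5, 300, 12, 900, 2, 45, 1200, 7, 30, 600]


def _build(src, dst, gaps, start=1_700_000_000):
    """Turn a gap sequence into (timestamp, src, dst) records."""
    t = start
    records = [(t, src, dst)]
    for g in gaps:
        t += g
        records.append((t, src, dst))
    return records


RECORDS = (_build("10.0.0.5", "203.0.113.9", BEACON_GAPS)
           + _build("10.0.0.7", "198.51.100.20", USER_GAPS))


def interval_stats(timestamps):
    """Return (median_gap, jitter_ratio) for a list of timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    return med, (mad / med if med else float("inf"))


def find_beacon_candidates(records, min_connections=8, max_jitter=0.15):
    """Return a list of dicts describing pairs whose timing looks periodic."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    candidates = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        med, jitter = interval_stats(stamps)
        if jitter <= max_jitter:
            candidates.append({"src": src, "dst": dst,
                               "connections": len(stamps),
                               "median_gap_s": med,
                               "jitter_ratio": round(jitter, 3)})
    return candidates


if __name__ == "__main__":
    for c in find_beacon_candidates(RECORDS):
        print(c)
```

In the constructed beacon only three of the ten gaps are exactly 60 s, so a rule that looks for "every 60 seconds" would miss it (a false negative), while the tolerance-based score catches it. The opposite problem remains: NTP, update checks and monitoring agents are also periodic, so a candidate is a lead to corroborate with destination reputation, process and payload details, not a verdict.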
Irregular Peer-to-Peer Communication
• Peer-to-peer (P2P) communication involves data transfer between devices in a network
without relying on a centralized server.
• Irregular P2P communication occurs when devices on a network engage in unusual or
unexpected data transfers. These patterns could suggest attacker lateral movement in
a network.
• Security analysts need to understand both the legitimate and potentially malicious
uses of P2P traffic.
• Some common methods to achieve lateral movement include the following:
PsExec
SSH (Secure Shell)
WMI (Windows Management Instrumentation)
Pass-the-Hash (PtH)
Rogue Devices on the Network
• Rogue devices are unauthorized or unmanaged hardware connected to your network,
potentially posing significant security risks.
• Here are tools and key use cases that can be used to prevent this:
Endpoint detection and response (EDR)
Network access control (NAC)
Identity and access management (IAM)
IT service management (ITSM)
Configuration management database (CMDB)
Scans/Sweeps
• Network scanning and sweeping are techniques used by attackers to discover
available network resources, probe for vulnerabilities, and enumerate network
devices.
• Network scanning involves probing individual hosts or network devices to gather
information about open ports, running services, and potential vulnerabilities, while
network sweeping sends packets to a range of IP addresses to identify active hosts
on a network.
• Monitoring ARP queries is very helpful in detecting and managing network scanning
and sweeping.
• Network segmentation is another very helpful technique to mitigate this.
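The ARP-monitoring approach mentioned above, as an added example that is not part of the slides: a host that sweeps a subnet has to resolve the MAC address of every target it touches, so it emits ARP requests for many distinct IPs in a short time, whereas a normal host asks for a handful (the gateway and a few peers). The function counts distinct ARP targets per sender inside a sliding time window. The ARP records, the window and the threshold are constructed.

```python
"""Sweep detection from ARP request records.

Added example (not from the slides). Counts distinct ARP request targets per
sender inside a sliding time window and reports senders that exceed a
threshold. A normal host resolves a few addresses; a subnet sweep resolves
most of the subnet. All records below are constructed.
"""
from collections import defaultdict, deque


def _records():
    """Constructed ARP request records: (timestamp_s, sender_ip, target_ip)."""
    recs = []
    # Normal host: gateway and two peers over a few minutes.
    for t, target in [(0, "10.0.0.1"), (30, "10.0.0.20"), (95, "10.0.0.1"),
                      (140, "10.0.0.33"), (200, "10.0.0.1")]:
        recs.append((t, "10.0.0.10", target))
    # Sweeping host: one request per address in 10.0.0.0/24, 0.2 s apart.
    for i in range(1, 255):
        recs.append((100 + i * 0.2, "10.0.0.77", f"10.0.0.{i}"))
    return sorted(recs)


ARP_REQUESTS = _records()


def detect_arp_sweeps(records, window_s=60, min_targets=30):
    """Return {sender: peak distinct targets} for senders whose number of
    distinct ARP targets within any window_s-second window reaches
    min_targets."""
    per_sender = defaultdict(list)
    for ts, sender, target in sorted(records):
        per_sender[sender].append((ts, target))
    flagged = {}
    for sender, events in per_sender.items():
        window = deque()
        counts = defaultdict(int)  # target -> occurrences inside the window
        peak = 0
        for ts, target in events:
            window.append((ts, target))
            counts[target] += 1
            # Expire events that fell out of the window.
            while window and ts - window[0][0] > window_s:
                _, old_target = window.popleft()
                counts[old_target] -= 1
                if counts[old_target] == 0:
                    del counts[old_target]
            peak = max(peak, len(counts))
        if peak >= min_targets:
            flagged[sender] = peak
    return flagged


if __name__ == "__main__":
    for sender, peak in detect_arp_sweeps(ARP_REQUESTS).items():
        print(f"{sender}: {peak} distinct ARP targets in one window")
```

Segmentation, the other mitigation named above, limits what such a sweep can see: ARP does not cross a router, so a host can only enumerate its own broadcast domain this way.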
Unusual Traffic Spikes and Activity on Unexpected Ports
• Keeping an eye on network traffic patterns for sudden changes in volume or frequency
can help you detect possible security incidents or breaches.
• Anomaly detection techniques, such as algorithms and machine learning, can be
helpful in identifying deviations from normal traffic patterns.
• Network ports are the gateways through which data is transmitted between devices
and systems.
• Activity on unexpected ports refers to network traffic occurring on ports that deviate
from their standard or designated use.
Network-Related Indicators Summary
Common detection strategies that can be applied across various network-related
indicators:
• Establish a baseline.
• Use network monitoring tools.
• Configure alerts and thresholds.
• Examine the nature of the traffic or activity.
• Review logs and packet captures.
• Initiate incident response procedures.
4.2 Host-Related Indicators
Some common host-related potential indicators include the following:
• Unusual login patterns
• Persistence mechanisms related to services
• Unusual user account activity
• Unusual system or application crashes
• Anti-forensic activities
Capacity Consumption
• In many cases, attacker behavior will also create spikes in capacity consumption on
the host, whether it is memory, CPU cycles, disk space, or local bandwidth.
• The CySA+ exam will expect you to know how to identify these anomalies in a
scenario.
• Analysts should also attempt to validate their findings with additional data sources, such
as associated log files, whenever possible.
• The unusual utilization will be a signal, but your response depends on which specific
resource is being used.
• Some malware, such as rootkits, will alter its behavior or the system itself so as not
to show signs of its existence in utilities such as Resource Monitor and Task Manager.
(Indicators) Memory
• Persistent high memory consumption.
• Unusual memory allocation.
• Unexpected memory access patterns.
• Memory artifacts.
• Memory injection.
(Indicators) Drive Capacity
• Sudden drop in available free space.
• Unexplained files or directories.
• Unusual file growth.
• Temp files accumulation.
• Disk usage by unauthorized processes.
• Persistent low disk space.
(Indicators) Processor
• Prolonged periods of high processor usage.
• Unusually high processor consumption by unfamiliar tasks.
• Spikes in processor usage during idle periods.
• Inconsistent processor usage patterns.
• High CPU usage by system processes.
(Indicators) Network
• Unusual network connections.
• Uncharacteristic network traffic spikes.
• Persistent high network throughput.
• Network traffic to known malicious destinations.
• Unusual port usage.
• Anomalous data transfer volumes.
Unauthorized Software
The presence of unauthorized software on a system can serve as a strong indicator of
compromise (IoC) or indicator of attack (IoA) in host-related security analysis.
Some strategies to monitor and detect unauthorized software on your network include:
• Implement an application approved list.
• Regular software inventory.
• Endpoint security solutions.
• Monitor for unusual process behavior.
• Centralized software deployment and management.
Malicious Processes
Malicious processes often attempt to disguise themselves to avoid detection, making it
crucial to monitor system activities and identify any unusual or suspicious behavior.
Common techniques for disguising malicious processes include the following:
• Using legitimate-sounding names.
• Masquerading as system processes.
• Hiding process activity.
To monitor and detect malicious processes on your network, consider the following
strategies:
• Use system utilities (ps or netstat on Unix-based systems, or Task Manager and Resource
Monitor on Windows systems).
• Monitor for unusual process behavior.
• Implement endpoint security solutions.
• Analyze process dependencies.
Unauthorized Changes
• Unauthorized changes to system configurations, files, or settings can serve as potential
sources of indicators.
• Some common unauthorized changes that might indicate malicious activity include the
following:
Changes to system or application configurations
Unauthorized file modifications
Overwriting or sideloading of DLLs
Changes to security policies or permissions
Modifications to scheduled tasks or services
• To monitor and detect unauthorized changes, consider implementing the following
strategies:
Regularly review logs
Use file integrity monitoring (FIM) tools
Unauthorized Privileges
• Examples of unauthorized privileges may include the following:
Privilege escalation
Unauthorized use of admin accounts
Creation of new accounts with elevated privileges
• To monitor and detect unauthorized privileges, consider implementing the following
approaches:
Regularly review user accounts and permissions
Implement the principle of least privilege
Monitor account activity
Use security tools and solutions
Enable logging and auditing
Data Exfiltration
• Data exfiltration refers to the unauthorized transfer of sensitive information from a
compromised system to an external location, typically controlled by an attacker.
• Some common indicators of data exfiltration include the following:
Unusual data transfer patterns
Connections to known malicious domains or IP addresses
Compression or encryption of data
Unusual file access patterns
• Data exfiltration monitoring and detection strategies can include the following:
Establish data loss prevention (DLP) policies
Monitor network traffic
Implement intrusion detection and prevention systems (IDPSs)
Train employees on social engineering tactics
Restrict outbound connections
Registry Change or Anomaly
• Some common indicators of compromise related to registry changes or anomalies
include the following:
Unexpected registry key modifications
Unusual startup entries
Changes to security settings
Hidden registry keys or values
• Strategies for monitoring and detecting registry changes or anomalies may include the
following:
Regularly audit critical registry locations
Use security software with registry monitoring capabilities
Implement strict access controls
Perform regular system backups
Unauthorized Scheduled Task
• Unauthorized scheduled tasks are a common technique used by attackers to maintain
persistence, execute malware, and perform other malicious activities within a
compromised system.
• In Windows, scheduled tasks are managed through the Task Scheduler.
• On Linux systems, scheduled tasks are often managed using cron jobs, the at
command, and anacron.
• On macOS, scheduled tasks are managed through various methods, such as
LaunchAgents, LaunchDaemons, Login Items, and kernel extensions (kexts).
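The file integrity monitoring strategy from the "Unauthorized Changes" slide, applied to the scheduled-task locations this slide names, as an added example that is not part of the slides: a known-good snapshot of crontab entries is compared with the current one and every added, removed or altered entry is reported, with added entries that run from temporary directories called out separately. Both snapshots are constructed text; on a real host the current snapshot would be read from /etc/crontab, /etc/cron.d and each user's crontab (and the same comparison applies to Task Scheduler or launchd inventories).

```python
"""Baseline comparison for scheduled-task entries (system crontab format).

Added example (not from the slides). Parses a system-style crontab (five
schedule fields, a user, then the command), compares a baseline snapshot with
the current one, and reports added, removed and changed entries. Both
snapshots below are constructed text.
"""

BASELINE_CRONTAB = """\
# m h dom mon dow user command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
0 2 * * 0 backup /usr/local/bin/weekly-backup.sh
"""

# Constructed "current" snapshot: the backup job gained an argument and a
# new root job appeared that runs a script out of /tmp.
CURRENT_CRONTAB = """\
# m h dom mon dow user command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
0 2 * * 0 backup /usr/local/bin/weekly-backup.sh --all
*/5 * * * * root /tmp/.cache/update.sh
"""

# Directories from which a scheduled job normally has no business running.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text):
    """Map (schedule, user, program) -> full command for a system crontab."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # 5 schedule fields, user, command
        if len(fields) < 7:
            continue  # environment line such as PATH=... or malformed
        schedule = " ".join(fields[:5])
        user, command = fields[5], fields[6]
        program = command.split()[0]
        entries[(schedule, user, program)] = command
    return entries


def compare_crontabs(baseline_text, current_text):
    """Return added/removed/changed entries between two crontab snapshots."""
    base, cur = parse_crontab(baseline_text), parse_crontab(current_text)
    added = [f"{k[0]} {k[1]} {cur[k]}" for k in cur if k not in base]
    removed = [f"{k[0]} {k[1]} {base[k]}" for k in base if k not in cur]
    changed = [(k, base[k], cur[k]) for k in base
               if k in cur and base[k] != cur[k]]
    from_temp = [e for e in added if any(d in e for d in SUSPICIOUS_DIRS)]
    return {"added": added, "removed": removed, "changed": changed,
            "added_from_temp_dirs": from_temp}


if __name__ == "__main__":
    report = compare_crontabs(BASELINE_CRONTAB, CURRENT_CRONTAB)
    for key, items in report.items():
        for item in items:
            print(f"{key}: {item}")
```

A changed entry is not automatically malicious (the backup job above may simply have been updated), which is why the report separates "changed" from "added" and why an added job from a temporary directory is the one to look at first.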
4.3 Application-Related Indicators
• Here are some common application-related indicators that are essential to consider:
Unauthorized application modifications
Malicious plug-ins or extensions
Privilege escalation
• Some of the most frequently exploited applications include, but are not limited to:
Microsoft Office suite
Adobe Acrobat Reader
Web browsers
E-mail clients
Anomalous Activity
Here are a few examples of anomalous activity related to these applications.
• Microsoft Office:
Unusual macro activity
Unexpected document access
• Adobe Acrobat:
Suspicious PDF attachments
Unexpected behavior
• PowerShell:
Suspicious scripts
Unusual command-line arguments
• Web browsers:
Unusual browser extensions or plug-ins
Unexpected network connections
Introduction of New Accounts
• Monitoring for the introduction of new accounts, especially local and domain admin
accounts, as well as service accounts, should be a priority for security analysts.
• The following strategies can help detect unauthorized account creation:
Regularly review user account lists
Implement user account management policies
Enable logging and auditing
Implement least privilege principles
Monitor for suspicious activity
Unexpected Output
To monitor and detect unexpected output, consider implementing the following
strategies:
• Educate users about the dangers of pop-ups and instruct them to report any
suspicious or unexpected occurrences.
• Use an application approval list to prevent unauthorized or unknown applications from
running on your systems.
• Implement endpoint detection and response (EDR) solutions to identify and remediate
unexpected output or anomalies in real time.
• Regularly review system and application logs to identify unusual patterns or
discrepancies in output.
Unexpected Outbound Communication
Common tools and techniques used to initiate unexpected outbound communication
include BITSAdmin, CertUtil, PowerShell and mshta.
• Other examples of unexpected outbound communication include the following:
Unusual DNS requests
Uncommon ports or protocols
Data transfers to unfamiliar IP addresses
Encrypted traffic
• The fact that an application suddenly starts making unusual outbound connections,
absent any other evidence, is not necessarily malicious. During exam simulations, for
example, look for indicators of new (authorized) installations or software updates to
assess benign behavior.
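A triage of outbound connections from the utilities named on this slide, as an added example that is not part of the slides. Each record is a constructed process network event in the shape an EDR or Sysmon network-connection event provides (image, parent image, destination host and port). Connections by the watched utilities are reported unless the destination is on an allow list of patch and deployment hosts, which is how the caveat above (a new installation or update can explain the traffic) is applied rather than treating every such connection as malicious. The host names and the allow list are placeholders.

```python
"""Triage of outbound connections made by scripting and download utilities.

Added example (not from the slides). Reports connections by the tools the
slides name (BITSAdmin, CertUtil, PowerShell, mshta) unless the destination
is on a constructed allow list; connections spawned by Office or mail clients
are rated higher because the slides list those among the most exploited
applications. All events and host names below are constructed.
"""

WATCHED_IMAGES = {"bitsadmin.exe", "certutil.exe", "powershell.exe", "mshta.exe"}

# Constructed allow list: destinations these tools are expected to reach in
# this environment (hypothetical patch and deployment servers).
ALLOWED_DESTINATIONS = {"wsus.corp.example", "sccm.corp.example"}

# Parents that rarely have a legitimate reason to spawn these tools.
HIGH_RISK_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed events: (image, parent_image, dest_host, dest_port).
EVENTS = [
    ("bitsadmin.exe", "svchost.exe", "wsus.corp.example", 8530),
    ("powershell.exe", "explorer.exe", "sccm.corp.example", 443),
    ("mshta.exe", "winword.exe", "203.0.113.44", 443),
    ("certutil.exe", "cmd.exe", "198.51.100.7", 80),
    ("chrome.exe", "explorer.exe", "example.com", 443),
]


def triage_outbound(events, watched=WATCHED_IMAGES, allowed=ALLOWED_DESTINATIONS):
    """Return findings for watched tools reaching non-allow-listed hosts.

    Each finding carries the event fields plus a severity: "high" when the
    parent is an Office/mail application, otherwise "medium", meaning the
    connection needs corroboration (a new install or update explains many).
    """
    findings = []
    for image, parent, host, port in events:
        image_l, parent_l, host_l = image.lower(), parent.lower(), host.lower()
        if image_l not in watched:
            continue  # not one of the tools being watched
        if host_l in allowed:
            continue  # expected destination for this tool
        severity = "high" if parent_l in HIGH_RISK_PARENTS else "medium"
        findings.append({"image": image, "parent": parent, "host": host,
                         "port": port, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage_outbound(EVENTS):
        print(f"[{f['severity']}] {f['parent']} -> {f['image']} "
              f"-> {f['host']}:{f['port']}")
```

Before the allow list is trusted it has to be maintained: an entry added for a one-off deployment and never removed turns into a blind spot, so review it alongside the software inventory.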
Service Interruption
• Service interruption occurs when a system or application becomes unresponsive or
fails to function as intended, leading to potential service downtime or loss of
functionality.
• In some cases, attackers may force services to reload or restart as a tactic to gain
control over a system or to bypass security controls.
• Here are a few examples to detect and respond to service interruptions:
Monitor system and application logs
Use performance monitoring tools
Implement intrusion detection and prevention systems
Regularly update and patch systems and applications
Conduct regular vulnerability assessments and penetration testing
Memory Overflows
• A memory overflow occurs when a program writes more data to a memory buffer than
it can hold, causing the extra data to overwrite adjacent memory locations.
• Common indicators of this type of attack include application crashes and increased
system resource consumption by processes.
• Mitigation techniques associated with memory overflow attacks include the following:
Use secure coding practices
Conduct regular security testing
Perform regular security updates
Use runtime protection
Use sandboxes
Implement intrusion detection and prevention systems (IDPSs) and EDR
solutions.
Application Logs
• Analyzing application and OS logs can provide insights into user activity, system
performance, and system events, allowing security teams to quickly detect and
respond to potential security incidents.
• Application and OS activities to monitor include:
Unusual login attempts or failed authentication
Abnormal user activity
Unusual application crashes or errors
Unexplained application errors or warnings
High resource consumption
Suspicious network activity
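Two of the log-based checks named above ("unusual login attempts or failed authentication" here, and "geographically improbable access" from the network indicators in 4.1), as an added example that is not part of the slides: a burst of failed logins for one account from one source inside a short window, and "impossible travel", two successful logins for the same account whose distance divided by the elapsed time implies a speed no traveller reaches. The records are constructed; the latitude and longitude would normally come from a GeoIP lookup of the source address.

```python
"""Failed-login bursts and impossible travel from authentication records.

Added example (not from the slides). Records are constructed tuples of
(timestamp_s, user, result, src_ip, lat, lon); the coordinates stand in for a
GeoIP lookup. Both checks return findings rather than printing them.
"""
import math
from collections import defaultdict

AUTH_EVENTS = [
    (0,     "alice", "success", "192.0.2.10",  51.50,  -0.12),  # London
    (1800,  "alice", "success", "203.0.113.5", 40.71, -74.01),  # New York, 30 min later
    (3600,  "bob",   "success", "192.0.2.11",  48.86,   2.35),  # Paris
    (39600, "bob",   "success", "192.0.2.12",  52.52,  13.41),  # Berlin, 10 h later
]
# Twelve failures for "carol" from one source within 22 s, then a success.
AUTH_EVENTS += [(5000 + i * 2, "carol", "failure", "198.51.100.9", 35.68, 139.69)
                for i in range(12)]
AUTH_EVENTS.append((5030, "carol", "success", "198.51.100.9", 35.68, 139.69))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def failed_login_bursts(events, window_s=60, min_failures=10):
    """Return (user, src_ip, peak_failures) for (user, source) pairs whose
    failures inside any window_s-second window reach min_failures."""
    by_key = defaultdict(list)
    for ts, user, result, ip, *_ in sorted(events):
        if result == "failure":
            by_key[(user, ip)].append(ts)
    bursts = []
    for (user, ip), stamps in by_key.items():
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_failures:
            bursts.append((user, ip, peak))
    return bursts


def impossible_travel(events, max_speed_kmh=1000.0):
    """Return (user, km, hours, km/h) for consecutive successful logins whose
    implied travel speed exceeds max_speed_kmh."""
    last = {}
    hits = []
    for ts, user, result, ip, lat, lon in sorted(events):
        if result != "success":
            continue
        if user in last:
            prev_ts, plat, plon = last[user]
            hours = (ts - prev_ts) / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > max_speed_kmh:
                hits.append((user, round(km), round(hours, 2), round(km / hours)))
        last[user] = (ts, lat, lon)
    return hits


if __name__ == "__main__":
    print(failed_login_bursts(AUTH_EVENTS))
    print(impossible_travel(AUTH_EVENTS))
```

Corporate VPN egress points and mobile carriers can place two logins far apart on a map without anyone moving, so an impossible-travel hit is validated against the VPN and device inventory before it is treated as an account takeover; the burst-then-success pattern for "carol" is the one that warrants an immediate password reset and session review.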
4.4 Social Engineering
• Social engineering attacks rely on manipulating human psychology to trick individuals
into divulging sensitive information or performing actions that can compromise their
security.
• Here are some common indicators of social engineering attacks:
Urgency or pressure
Suspicious links or attachments
Requests for personal information
• Social engineering mitigation strategies:
Employee training
Policy enforcement
Security awareness
4.5 Obfuscated Links
• Obfuscated links are links that have been modified or disguised to hide their true
destination or purpose.
• Here are some common indicators of obfuscated links:
Suspicious or unusual content
Unexpected or unusual sources
Mismatched destinations
• To mitigate the risks associated with obfuscated links, consider implementing the
following:
URL filtering
Employee training
Link verification
Antivirus software
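The link verification mitigation listed above, as an added example that is not part of the slides: given a link's visible text and its real target, the checks look for the indicators the slide names, a mismatched destination (the visible text shows one host, the href goes to another), a "user@" part in the URL that makes the real host look like a trusted one, a punycode (xn--) host that can imitate a familiar name with look-alike characters, a raw IP address in place of a hostname, and a trusted name reused as the leading label of an untrusted host. The sample links and the trusted-host list are constructed placeholders.

```python
"""Link verification checks for obfuscated links.

Added example (not from the slides). check_link(text, href) returns the names
of the indicators a link triggers (an empty list means none). The trusted-host
set and all sample links below are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"example.com", "login.example.com"}  # constructed

_URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url):
    """Hostname from a URL, lowercased, without userinfo or port."""
    return (urlsplit(url).hostname or "").lower()


def check_link(text, href):
    """Return a list of indicator names triggered by this link."""
    findings = []
    parts = urlsplit(href)
    href_host = (parts.hostname or "").lower()

    # 1. Mismatched destination: the visible text shows a URL for another host.
    m = _URL_IN_TEXT.search(text)
    if m and host_of(m.group(0)) != href_host:
        findings.append("mismatched_destination")

    # 2. Userinfo: "https://login.example.com@untrusted.test/..." puts the
    #    trusted name before '@', but the browser connects to the host after it.
    if parts.username is not None:
        findings.append("userinfo_in_url")

    # 3. Punycode label: may be a homograph of a familiar name.
    if any(label.startswith("xn--") for label in href_host.split(".")):
        findings.append("punycode_host")

    # 4. IP literal instead of a hostname.
    try:
        ipaddress.ip_address(href_host)
        findings.append("ip_literal_host")
    except ValueError:
        pass

    # 5. Trusted name used as a leading label of an untrusted host
    #    (login.example.com.untrusted.test is not login.example.com).
    if href_host and href_host not in TRUSTED_HOSTS:
        if any(href_host.startswith(t + ".") for t in TRUSTED_HOSTS):
            findings.append("trusted_name_as_subdomain")
    return findings


if __name__ == "__main__":
    samples = [
        ("https://login.example.com/reset", "https://login.example.com.untrusted.test/reset"),
        ("Verify your account", "https://login.example.com@untrusted.test/verify"),
        ("Invoice", "http://xn--exmple-cua.com/inv"),
        ("Download", "http://203.0.113.9/setup"),
        ("Reset password", "https://login.example.com/reset"),
    ]
    for text, href in samples:
        print(f"{href}: {check_link(text, href) or 'no indicators'}")
```

These checks complement URL filtering rather than replace it: they need no reputation feed and run on the message before the user clicks, but a link on a freshly registered domain with a plain hostname passes all five and is caught only by filtering or by the user recognising an unexpected source.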
