Lesson 13: Analyze Indicators of Malicious Activity

Malware Attack Indicators

Viruses vs Worms:

  • Viruses: Attach to legitimate programs/files, require user interaction, spread via file sharing/email/USB
  • Worms: Self-replicating, no host file needed, no user action required, exploit network vulnerabilities, consume bandwidth

Trojans vs PUPs/PUAs:

  • Trojans: Malicious programs disguised as legitimate apps, open backdoors, install keyloggers/RATs, intentionally malicious
  • PUPs/PUAs (Potentially Unwanted Programs): Installed without clear consent, adware/bloatware, degrade performance, not clearly malicious

Fileless Malware:

  • Operates entirely in memory (no files written to disk)
  • Uses legitimate tools (PowerShell, WMI)
  • Maintains persistence through registry/scheduled tasks
  • Difficult to detect with traditional antivirus, requires behavioral analysis

Ransomware vs Crypto-Malware:

  • Ransomware: Encrypts data or locks systems, demands ransom, disruptive, high visibility
  • Crypto-Malware (Cryptojacking): Hijacks resources to mine cryptocurrency, stealthy, runs in background, performance degradation

Rootkits:

  • Gains and maintains privileged access (root/SYSTEM)
  • Replaces core system files, hides processes, purges logs
  • May reside in firmware or drivers
  • Requires specialized detection tools (boot-time scanners, kernel-level analysis)

Backdoors and RATs:

  • Backdoors: Provide unauthorized access, may be intentional or inserted by malware
  • RATs (Remote Access Trojans): Full remote control (screen viewing, file access, remote shell), type of Trojan

Indicators of Compromise (IoCs):

  • Unusual outbound traffic
  • New unknown processes or services
  • High CPU usage
  • Altered or missing logs
  • Unexpected login attempts

Physical and Network Attack Indicators

Physical Attacks:

  • Brute Force Entry: Breaking into server rooms
  • Environmental Damage: Tampering with HVAC or power
  • RFID Cloning: Copying proximity-based access cards
  • Skimming: Capturing data from card readers

DDoS Attacks:

Overwhelming target with traffic from multiple systems (botnets)

Types:

  • SYN Flood: Exploits TCP handshake to consume resources
  • Reflected: Uses third-party servers to flood target with replies
  • Amplified: Uses protocols (DNS/NTP/SNMP) to multiply traffic size

On-Path (Man-in-the-Middle) Attacks:

Attacker intercepts communication between two parties

Methods:

  • ARP Poisoning: Sends forged ARP replies on the LAN so a victim's IP address resolves to the attacker's MAC address
  • DNS Spoofing: Redirects users to malicious websites

Mitigations: Encryption (TLS), static ARP tables, DNSSEC

Wireless Attacks:

  • Evil Twin: Fake AP mimics real one to collect credentials
  • Rogue AP: Unauthorized AP used to gain network access
  • Deauthentication Attack: Forces users off legitimate Wi-Fi

Credential Attacks:

  • Brute Force: Try all possible password combinations (single account, many passwords)
  • Password Spraying: One password against many accounts
  • Pass-the-Hash: Uses NTLM hash instead of password (Windows systems)
  • Pass-the-Ticket: Uses stolen Kerberos ticket (Kerberos environments)
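As an added example that is not part of these notes, the following Python detection logic separates the brute-force pattern (many failures against one account) from the password-spraying pattern (few failures each against many accounts) by counting failed logins per source and per account over constructed sample log lines; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (assumed "<time> <result> user=<name> src=<ip>" format).
SAMPLE_LOG = """\
10:00:01 FAIL user=alice src=203.0.113.5
10:00:02 FAIL user=alice src=203.0.113.5
10:00:03 FAIL user=alice src=203.0.113.5
10:00:04 FAIL user=alice src=203.0.113.5
10:00:05 FAIL user=alice src=203.0.113.5
10:00:06 SUCCESS user=alice src=203.0.113.5
10:01:00 FAIL user=bob src=198.51.100.7
10:01:01 FAIL user=carol src=198.51.100.7
10:01:02 FAIL user=dave src=198.51.100.7
10:01:03 FAIL user=erin src=198.51.100.7
10:01:04 FAIL user=frank src=198.51.100.7
10:02:00 FAIL user=grace src=192.0.2.9
10:02:30 SUCCESS user=grace src=192.0.2.9
"""

LINE_RE = re.compile(r"^\S+ (?P<result>FAIL|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log):
    """Yield (result, user, src) tuples; lines that do not match the format are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")


def classify_sources(log, brute_threshold=5, spray_threshold=5):
    """Return {src: label} with label 'brute_force', 'password_spraying' or 'benign'.

    brute_force: one account has >= brute_threshold failures from this source.
    password_spraying: >= spray_threshold distinct accounts failed from this source,
    each staying under the per-account threshold (the pattern that dodges lockouts).
    Sprays spread over many source IPs need the same counts aggregated per time window.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for result, user, src in parse(log):
        if result == "FAIL":
            fails[src][user] += 1
    labels = {}
    for src, per_user in fails.items():
        if max(per_user.values()) >= brute_threshold:
            labels[src] = "brute_force"
        elif len(per_user) >= spray_threshold:
            labels[src] = "password_spraying"
        else:
            labels[src] = "benign"
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src}: {label}")
```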

Cryptographic Attacks:

  • Downgrade: Forces systems to use older, weaker encryption
  • Collision: Two different inputs produce same hash
  • Birthday Attack: Exploits the birthday paradox to find a hash collision with far fewer attempts than exhaustive search
  • Weak Cipher Exploits: Attacks on older algorithms (RC4, MD5)

Mitigations: Use TLS 1.3, SHA-256 or better, enforce forward secrecy

Application Attack Indicators

Privilege Escalation:

  • Vertical: User gains higher privileges (becomes admin)
  • Horizontal: User gains access to another user's data

Replay Attacks:

Capturing and reusing valid authentication data (tokens/cookies) to gain unauthorized access

Forgery Attacks:

  • CSRF (Cross-Site Request Forgery): Tricks user's browser into executing unwanted actions on authenticated sites
  • SSRF (Server-Side Request Forgery): Forces vulnerable server to send requests to internal systems or cloud metadata

Injection Attacks:

Malicious code or commands supplied through an application's input and passed on to an interpreter (database, directory, XML parser, OS shell)

Types:

  • SQL Injection: Alters SQL queries
  • LDAP Injection: Alters directory service queries
  • XML External Entity (XXE): Exploits XML parsers to access files
  • Command Injection: Executes OS commands

Directory Traversal vs Command Injection:

  • Directory Traversal: Access unauthorized files using patterns (../../../etc/passwd)
  • Command Injection: Executes shell commands via input fields
