Tuesday, April 29, 2025

Indicator Of Attack(IoA’s) And Activities – SOC/SIEM – A Detailed Explanation


What is an Indicator of Attack (IOA)

IoAs are events that can reveal an active attack before indicators of compromise (IoCs) become visible.

The use of IoAs provides a way to shift from reactive cleanup/recovery to a proactive mode, where attackers are disrupted and blocked before they achieve their goal, such as data theft, ransomware, or exploitation.

The focus of IoAs is on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploits used in the attack.


Just like AV signatures, an IoC-based detection approach cannot detect the increasing threats from malware-free intrusions and zero-day exploits. As a result, next-generation security solutions are moving to an IoA-based approach.

10 Indicators of Attack (IoAs)

The following are the most common attack activities that can be used, individually or in combination, to diagnose an active attack:

1) Internal hosts with bad destinations

Internal hosts communicate with known bad destinations, or with a foreign country where you don’t conduct business.

Example of an HP ArcSight dashboard that shows client hosts communicating with feeds (IP, domain, URL) from the “ransomwaretracker.abuse.ch” website.

[Ransomware Hunter is available as a free package, included at HPE Protect724, from SOC Prime]

Example of Global Threat Intelligence from McAfee

2) Internal hosts with non-standard ports

Internal hosts communicate with external hosts using non-standard ports or protocol/port mismatches, such as sending command shells (SSH) rather than HTTP or HTTPS traffic over ports 80 and 443, the default web ports.

Example of internal hosts using 21 (FTP), 445 (SMB), 137 (NetBIOS-NS), and 135 (RPC) to the Internet

3) Public Servers/DMZ to Internal hosts

Public servers or demilitarized zone (DMZ) hosts communicate with internal hosts. This allows leapfrogging from the outside to the inside and back, permitting data exfiltration and remote access to assets via RDP (Remote Desktop Protocol), Radmin, and SSH.

Example of a report that monitors the top 10 traffic flows from the “DMZ” zone to the “Internal/Client” zone.

From this report, the security analyst should investigate the highlighted servers that are communicating with internal hosts via RDP (TCP/3389) and SSH (TCP/22).

4) Off-hour Malware Detection

Alerts that occur outside standard business operating hours (at night or on weekends) could signal a compromised host.

Example of IPS alerts during non-working time (a holiday)

5) Network scans by internal hosts

Network scans by internal hosts communicating with multiple hosts in a short time frame could reveal an attacker moving laterally within the network.

These incidents are detected by perimeter network defenses such as firewalls and IPS. You must choose the zone/interface from “Internal” to “Internal” only.

In the future, you should also focus on “Internal” to “DMZ”. It may be an insider threat or compromised hosts that need more information about your networks (reconnaissance).

Example of a network scans report that filters from the “Internal” zone to the “Internal” zone
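The two network-side use cases above (internal hosts using risky ports toward the Internet, and internal hosts sweeping many internal hosts in a short window) can both be expressed as simple checks over firewall or NetFlow records. The following is an added example, not code from the original article or from any SIEM product; the “Internal” zone definition, the one-minute window, the five-host threshold, and the flow records are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed "Internal" zone definition; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Services an internal host has no business speaking to the Internet (ports named in the text).
RISKY_OUTBOUND_PORTS = {21: "FTP", 445: "SMB", 137: "NetBIOS-NS", 135: "RPC"}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def risky_outbound(flows):
    """Internal -> Internet flows on the risky ports, as (src, dst, 'port/service')."""
    return [(src, dst, f"{port}/{RISKY_OUTBOUND_PORTS[port]}")
            for _, src, dst, port in flows
            if is_internal(src) and not is_internal(dst) and port in RISKY_OUTBOUND_PORTS]

def internal_scanners(flows, min_hosts=5, window=timedelta(minutes=1)):
    """Internal sources that touched >= min_hosts distinct internal hosts within window.
    Returns {src: largest number of distinct hosts seen in any one window}."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in flows:
        if is_internal(src) and is_internal(dst):        # "Internal" to "Internal" only
            by_src[src].append((datetime.fromisoformat(ts), dst))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            distinct = {d for t, d in evs[i:] if t - t0 <= window}
            if len(distinct) >= min_hosts:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits

# Constructed flow records (ts, src, dst, dport) in the shape of a firewall/NetFlow export.
FLOWS = [
    ("2025-04-29T10:00:01", "10.1.2.5", "203.0.113.9", 445),    # SMB to the Internet
    ("2025-04-29T10:00:02", "10.1.2.5", "203.0.113.9", 135),    # RPC to the Internet
    ("2025-04-29T10:00:05", "10.1.2.7", "203.0.113.20", 443),   # ordinary HTTPS
    ("2025-04-29T10:00:09", "10.1.2.7", "10.1.0.10", 445),      # internal file share, fine
]
# One internal host touching 10.1.3.1-10.1.3.8 over about 20 seconds: a sweep.
FLOWS += [(f"2025-04-29T10:01:{3 * i:02d}", "10.1.2.9", f"10.1.3.{i + 1}", 445) for i in range(8)]
```

Both checks only work if the zone definition matches how your firewall labels interfaces, so verify `INTERNAL_NETS` against the firewall’s own zone configuration before trusting the results.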

6) Multiple alarm events from a single host

Multiple alarm events from a single host, or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures. THIS IS A COMMON USE CASE.

Example dashboard that monitors “User Login Failures” from single hosts

Note: login-failure events from e-mail applications on mobile phones can generate more than 500 events/minute.

I found this case when the password of a user account had expired but the user had not changed to the new password on their devices.

7) The system is reinfected with malware

After an infected host is cleaned, the system is reinfected with malware within 5-10 minutes; repeated reinfections signal the presence of a rootkit or a persistent compromise. This incident may be detected from endpoint security protection or antivirus events.

This is an example malware dashboard.

Detection: you must create at least three rules on the SIEM, as follows:

  1. The rule alerts when it finds an infected host, then adds it to the Current Infected Hosts List and the Historical Infected Hosts List (stored for at least 1 week).
  2. The rule alerts when malware is cleaned from the infected host, then removes it from the Current Infected Hosts List.
  3. The rule alerts when it finds an infected host that is already in the Historical Infected Hosts List within a specific time range. THAT SYSTEM SHOULD BE SCANNED/INVESTIGATED FOR MALWARE AGAIN!!!
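The three rules above amount to a small state machine over antivirus events. The following is an added example of that logic, not code from the original article or from any SIEM; the ten-minute reinfection window, the one-week history retention, the event format, and the sample events are assumptions.

```python
from datetime import datetime, timedelta

class InfectedHostTracker:
    """Keeps the two host lists the three rules rely on (structure assumed, not a product API)."""
    def __init__(self, reinfect_window=timedelta(minutes=10), history_ttl=timedelta(days=7)):
        self.reinfect_window, self.history_ttl = reinfect_window, history_ttl
        self.current = {}    # Current Infected Hosts List: host -> time of latest infection
        self.history = {}    # Historical Infected Hosts List: host -> last infected/cleaned time

    def _expire(self, now):
        """Drop history entries older than history_ttl (the list is kept at least 1 week)."""
        for host in [h for h, t in self.history.items() if now - t > self.history_ttl]:
            del self.history[host]

    def handle(self, ts, host, action):
        """Feed one AV/EDR event (ISO timestamp, host, 'infected' or 'cleaned'); return the rule that fired."""
        now = datetime.fromisoformat(ts)
        self._expire(now)
        if action == "cleaned":                      # rule 2: remove from the current list
            self.current.pop(host, None)
            self.history[host] = now
            return ("CLEANED", host)
        if action != "infected":
            raise ValueError(f"unknown action {action!r}")
        last = self.history.get(host)
        self.current[host] = now                     # rule 1: add to both lists
        self.history[host] = now
        if last is not None and now - last <= self.reinfect_window:
            return ("REINFECTED", host)              # rule 3: rescan/investigate this system
        return ("INFECTED", host)

def run(events):
    tracker = InfectedHostTracker()
    return [tracker.handle(*e) for e in events]

# Constructed events, in time order.
EVENTS = [
    ("2025-04-29T08:00:00", "pc-17", "infected"),
    ("2025-04-29T08:03:00", "pc-17", "cleaned"),
    ("2025-04-29T08:09:00", "pc-17", "infected"),   # 6 min after cleanup: rule 3 fires
    ("2025-04-29T08:10:00", "pc-22", "infected"),
    ("2025-04-29T08:12:00", "pc-22", "cleaned"),
    ("2025-05-10T09:00:00", "pc-22", "infected"),   # history expired: plain rule 1 again
]
```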

8) Multiple logins from different regions

A user account tries to log in to multiple resources within a few minutes from different regions.

This is a sign that the user’s credentials have been stolen or that the user is up to mischief.

An example of a correlated rule follows; the ideal solution may vary based on your network conditions and security policy.

This rule detects events in the “Login” normalization category with an Event Outcome equal to “Success” from multiple source geo-locations within a specified time range, with events grouped by Source User.
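Use case 6 (repeated authentication failures from one host) and the correlated rule just described (successful logins for one user from multiple geo-locations within a time range) both run over the same normalized login events, so the following added example implements them in one correlator. This is not code from the original article or from any SIEM; the event fields, the 20-failure threshold over 24 hours, the ten-minute geo window, and the sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class LoginCorrelator:
    """Two rules over normalized login events; assumes events arrive in time order."""
    def __init__(self, fail_threshold=20, fail_window=timedelta(hours=24),
                 geo_window=timedelta(minutes=10)):
        self.fail_threshold, self.fail_window = fail_threshold, fail_window
        self.geo_window = geo_window
        self.failures = defaultdict(deque)    # host -> timestamps of failed logins
        self.successes = defaultdict(deque)   # user -> (timestamp, geo) of successful logins

    def process(self, ev):
        """Feed one event dict (ts, user, host, outcome, geo); return an alert tuple or None."""
        ts = datetime.fromisoformat(ev["ts"])
        if ev["outcome"] == "Failure":                      # use case 6: failures per host
            q = self.failures[ev["host"]]
            q.append(ts)
            while ts - q[0] > self.fail_window:              # keep only the last 24 h
                q.popleft()
            if len(q) == self.fail_threshold:                # fire once, when the count is reached
                return ("AUTH_FAILURE_BURST", ev["host"], len(q))
            return None
        if ev["outcome"] != "Success":
            return None
        q = self.successes[ev["user"]]                       # use case 8: geos per user
        q.append((ts, ev["geo"]))
        while ts - q[0][0] > self.geo_window:
            q.popleft()
        geos = {g for _, g in q}
        if len(geos) > 1:
            return ("MULTI_GEO_LOGIN", ev["user"], tuple(sorted(geos)))
        return None

def run(events):
    corr = LoginCorrelator()
    return [a for a in (corr.process(e) for e in events) if a]

# Constructed sample: 20 failures on one host within 20 minutes, then one user succeeding from two countries.
SAMPLE = [{"ts": f"2025-04-29T09:{i:02d}:00", "user": "svc-backup", "host": "pc-17",
           "outcome": "Failure", "geo": "TH"} for i in range(20)]
SAMPLE += [
    {"ts": "2025-04-29T10:00:00", "user": "alice", "host": "vpn-gw", "outcome": "Success", "geo": "TH"},
    {"ts": "2025-04-29T10:04:00", "user": "alice", "host": "owa", "outcome": "Success", "geo": "DE"},
]
```

For the failure rule, the mobile e-mail clients mentioned in the note above will trip the threshold constantly, so in practice the per-host queue would be keyed on (host, application) or the known mail gateways would be excluded.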

9) Internal hosts using a lot of SMTP

E-mail protocols such as SMTP (Simple Mail Transfer Protocol), POP3, and IMAP4 should be monitored. Some malware uses these ports to send information to a suspicious or attacker-controlled server.

Example of an infected client that uses SMTP (TCP/25)

10) Internal hosts making many queries to external/internal DNS

Many organizations have internal DNS servers for caching records and serving DNS to internal hosts. The DHCP configuration defines the internal DNS server as the primary DNS server.

If you find that some internal hosts query external DNS servers such as 8.8.8.8 and 8.8.4.4 (Google DNS), you should scan those clients for malware.

In some incidents, an internal host was found sending a very large number of requests to the internal DNS server (> 1,000 events/hour).
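Both DNS checks above (clients bypassing the internal resolvers, and clients exceeding 1,000 queries per hour to the internal resolver) can be run over a DNS query log. The following is an added example, not code from the original article or from any DNS or SIEM product; the address plan, the resolver addresses, the log format, and the sample queries are assumptions.

```python
import ipaddress
from collections import Counter

# Assumed address plan and the resolvers handed out by DHCP; adjust to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DNS = {"10.0.0.53", "10.0.1.53"}
QUERY_LIMIT_PER_HOUR = 1000          # threshold quoted in the text

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def external_resolver_use(queries):
    """Internal clients sending DNS to any resolver other than the approved internal ones."""
    return sorted({(client, resolver) for _, client, resolver, _ in queries
                   if is_internal(client) and resolver not in INTERNAL_DNS})

def noisy_clients(queries, limit=QUERY_LIMIT_PER_HOUR):
    """Clients exceeding `limit` queries to the internal resolvers within one clock hour."""
    per_hour = Counter((client, ts[:13]) for ts, client, resolver, _ in queries
                       if resolver in INTERNAL_DNS)            # ts[:13] is 'YYYY-MM-DDTHH'
    return {key: n for key, n in per_hour.items() if n > limit}

# Constructed DNS query log: (ts, client, resolver, qname), e.g. from a firewall or DNS server log.
QUERIES = [
    ("2025-04-29T11:00:00", "10.1.2.5", "8.8.8.8", "example.com"),       # bypasses internal DNS
    ("2025-04-29T11:00:01", "10.1.2.5", "8.8.4.4", "example.com"),
    ("2025-04-29T11:00:02", "10.1.2.7", "10.0.0.53", "intranet.corp"),   # normal
]
# One client firing 1,200 queries at the internal resolver inside the 11:00 hour.
QUERIES += [(f"2025-04-29T11:{i // 60:02d}:{i % 60:02d}", "10.1.2.9", "10.0.0.53", f"h{i}.example.net")
            for i in range(1200)]
```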

Original Source & Credit: Sittikorn Sangrattanapitak, CISSP
