Identifying Malicious Activity (Coggle Diagram)

Tools
    Packet Capture
        :shark: Wireshark
        :computer: tcpdump
    EDR :arrow_right: security solution
        Components
            Endpoint Acquisition Points
            Data Analysis Engine
            Centralized Security Monitoring Platform
        Advantages
            detecting malicious activity
            improved incident response
            proactive prevention
            risk assessment
            incident investigation
        Capabilities
            malware detection
            URL filtering
            honeypots
            monitoring
            orchestration
            detect emerging threats
    Common Analysis Tools
        :mag: Whois
        :computer: AbuseIPDB
        :computer: strings
        :red_flag: VirusTotal
    Sandboxing :arrow_right: isolating
        Features
            execute known malware
            monitor network sockets
            monitor system calls
            monitor program instructions
            periodic snapshots
            record file creation/deletion
            dump memory
            monitor system changes
        Platforms
            :man: Joe Sandbox
            :bird: Hybrid Analysis (CrowdStrike)
            :deciduous_tree: Cuckoo Sandbox
    SIEM
        Capabilities
            aggregation
            correlation
            alerting
            visibility
            compliance
            data retention
    SOAR
        playbooks
        runbook :arrow_right: playbook with high automation
        case management
        Splunk SOAR

Attack Methodology Frameworks
    Kill Chain Concepts :arrow_right: general process
        :one: Reconnaissance
        :two: Weaponization
        :three: Delivery
        :four: Exploitation
        :five: Installation
        :six: Command & Control
        :seven: Actions on Objectives
    MITRE ATT&CK
    Diamond Model of Intrusion Analysis
    OSSTMM :arrow_right: comprehensive guide

Techniques
    Email header analysis
        Display From
        Envelope From
        Received from/by
    Email malicious content analysis
        malicious payload
        exploit
        attachment
        embedded links
        email signature block
        malicious attachments
    Email server security
        SPF
        DKIM
        DMARC
        Cousin Domains
    Suspicious commands
        reverse shells
        netcat listener
        bash shells
        admin commands, e.g. ssh
    Abnormal activity
        abnormal account activity
        impossible travel
        abnormal patterns
        UEBA