Threat Hunting for File Names as an IoC
Introduction
Just like any good treasure hunt, threat hunting needs a map or clues to be successful. Indicators of Compromise (IoCs) give threat hunters those clues for tracking down threats in their environment. File names are an effective IoC because they leave a trail that can lead a hunter to the malicious file, to the process that dropped it and to the host it came from. This article examines the use of file names as IoCs for threat-hunting purposes.
Indicators of Compromise
Indicators of Compromise, or IoCs, are forensic artifacts (file names and hashes, IP addresses, domains, registry keys and the like) that act as a breadcrumb trail leading threat hunters to potential threats in their environments. IoCs help organizations spot attacker activity faster, so that they can either prevent a breach from happening or stop an attack early on.
How File Names Can be Used as an IoC
File names can be a gold mine of clues to attacker activity. Since the earliest days of malware, attackers have chosen and manipulated file names to get their code onto systems they have no business being in and to keep it from being noticed, naming a payload to look like a document, a system component or a legitimate update. Threat-hunting tactics and technology have changed since then, but file names remain viable IoCs. One caveat: because an attacker can rename a file at will, a name is a weaker indicator than a hash, and it is most useful when combined with where the file sits and what created it.
File Extensions
File extensions are one of the easiest ways for attackers to use file names in launching and managing attacks. It is common knowledge among information security professionals, and among well-informed ordinary users, that files found online or in unsolicited emails with a .exe extension should not be opened. Such files are frequently malware, and no one wants to install that.
However, .exe files are only one part of the spectrum of file extensions used to install malware covertly. Other notable file extensions to look out for include .bat, .cmd, .com, .lnk, .pif, .vb, . (Read more...)
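As an added example (not part of the original post), here is a small Python hunt that applies the extension heuristics above to a constructed file listing. It goes a little beyond the extensions named in the text and also checks for the disguises that commonly accompany them: a decoy document extension placed before the real one (invoice.pdf.exe), whitespace padding that pushes the real extension out of view, a Unicode right-to-left override character that reverses the displayed extension, and an executable sitting in a user-writable directory. The extension sets, the directory list and the sample paths are my own assumptions, not data from the article.

```python
import re

# Extensions named in the article (.exe .bat .cmd .com .lnk .pif .vb) plus other
# script, shortcut, screensaver and installer types; the additions are my own choice.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".bat", ".cmd", ".com", ".lnk", ".pif", ".vb",
    ".vbs", ".js", ".jse", ".wsf", ".wsh", ".scr", ".ps1", ".hta", ".msi",
}

# Document and image extensions an attacker places before the real one: "invoice.pdf.exe".
DECOY_EXTENSIONS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".jpg", ".jpeg", ".png", ".gif", ".txt", ".rtf", ".zip",
}

# Directories an ordinary user can write to (assumed heuristic, not from the article);
# an executable living here deserves a second look, one in System32 usually does not.
USER_WRITABLE_DIRS = ("/downloads/", "/appdata/", "/temp/", "/tmp/", "/desktop/", "/public/")

RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: "report<RLO>fdp.exe" displays as "reportexe.pdf"


def classify(path: str) -> list[str]:
    """Return the reasons a path looks like a disguised executable; [] means nothing stood out.

    A bare "executable extension ..." reason on its own is informational; any other
    reason points at a disguise technique and is what hunt() keys on.
    """
    norm = path.replace("\\", "/").lower()
    name = norm.rsplit("/", 1)[-1]
    # Windows silently drops trailing dots and spaces, so "evil.exe " is really evil.exe.
    name = name.rstrip(" .")
    # Strip spaces inside each component so "photo.jpg        .scr" still yields "jpg".
    parts = [p.strip() for p in name.split(".")]
    ext = "." + parts[-1] if len(parts) >= 2 else ""

    reasons: list[str] = []
    if RLO in name:
        reasons.append("right-to-left override character reverses the displayed extension")
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension (.{parts[-2]} decoy before {ext})")
        if re.search(r" {5,}\.", name):
            reasons.append("whitespace padding pushes the real extension out of view")
        if any(d in norm for d in USER_WRITABLE_DIRS):
            reasons.append("executable in a user-writable directory")
    return reasons


def hunt(listing: list[str]) -> list[tuple[str, list[str]]]:
    """Reduce a file listing to the entries showing at least one disguise indicator."""
    hits = []
    for path in listing:
        reasons = classify(path)
        if any(not r.startswith("executable extension") for r in reasons):
            hits.append((path, reasons))
    return hits


# Constructed sample listing for this example; not real telemetry.
SAMPLE_LISTING = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Downloads\invoice_2023.pdf",
    r"C:\Users\alice\Downloads\invoice_2023.pdf.exe",
    r"C:\Users\alice\AppData\Roaming\update.cmd",
    r"C:\Users\alice\Desktop\photo.jpg                    .scr",
    "C:\\Users\\alice\\Desktop\\report" + RLO + "fdp.exe",
]

if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_LISTING):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed listing, four of the seven entries are reported; notepad.exe in System32 is not, because an executable extension by itself is normal and only becomes interesting alongside a decoy extension, padding, an override character or an unusual location. To use this on real data, feed it the file paths from a directory walk, an EDR file-creation event export or a Sysmon Event ID 11 log instead of the sample list.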
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/dIINYcU1YSo/