FIRST Conference: N-IOCs to Rule Them All


Abstract

The Swiss GovCERT published monthly statistics on the most common malware families in Switzerland. Much of the published analysis of these families focused on reverse engineering the malware rather than on the forensic artifacts a successful infection leaves on a host. In our research, we examined the top malware families from a forensic perspective to find commonalities in infection, data collection, and network transmission. From the data we collected, we identified targeted IOCs (Indicators of Compromise) that apply across all of these families (for example, Run keys, executables in the AppData folder, and specific event logs). Abstracting or generalizing across malware families in this way lets SOC analysts, incident responders, and threat hunters search for malicious behavior on their network more precisely and quickly, without focusing on a single malware family.
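As an added example (not code from the talk or from GovCERT), the following Python sketches a hunt built around the family-independent artifacts the abstract names: Run-key persistence and executables launched from a user's AppData tree, checked both in exported Run-key values and in process-creation records shaped like Security event 4688. The registry entries, event records, extension list and allowlist are constructed for illustration and are not data from the research.

```python
"""Hunt for the family-independent IOCs the abstract names: Run-key persistence
and executables launched from a user's AppData tree. Added example; the registry
entries and event records below are constructed, not data from the talk."""
import ntpath
import re
from dataclasses import dataclass

# Extensions treated as executable content (assumption: a representative set).
EXE_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".bat", ".ps1", ".cmd"}
# Per-user software that legitimately lives in AppData (assumption; tune per estate).
ALLOWLIST = ("<user>\\appdata\\local\\microsoft\\onedrive\\",)
USER_ROOT = re.compile(r"^[a-z]:\\users\\[^\\]+\\")
APPDATA = re.compile(r"^<user>\\appdata\\(roaming|local|locallow)\\")


@dataclass
class Finding:
    source: str    # "run_key" or "event_4688"
    subject: str   # registry value or process id that referenced the path
    path: str      # path exactly as it appeared in the artifact


def normalize(path: str) -> str:
    """Lower-case, expand the common profile variables and collapse the user
    name so one rule matches every profile on the host."""
    p = path.strip().strip('"').lower()
    p = p.replace("%userprofile%", "c:\\users\\_")
    p = p.replace("%appdata%", "c:\\users\\_\\appdata\\roaming")
    p = p.replace("%localappdata%", "c:\\users\\_\\appdata\\local")
    return USER_ROOT.sub(lambda m: "<user>\\", p)


def is_appdata_executable(path: str) -> bool:
    """True when the path is executable content under AppData and not allowlisted."""
    p = normalize(path)
    if not APPDATA.match(p):
        return False
    if ntpath.splitext(p)[1] not in EXE_EXT:
        return False
    return not any(p.startswith(prefix) for prefix in ALLOWLIST)


def candidate_paths(command: str):
    """Yield quoted segments and bare tokens of a command line, so a script
    passed as an argument (wscript.exe <path>) is checked as well as the image.
    Unquoted paths containing spaces are not reassembled (known limitation)."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command):
        yield quoted or bare


def hunt_run_keys(entries):
    """entries: (key, value name, value data) triples exported from Run/RunOnce
    keys. At most one finding per value."""
    findings = []
    for key, name, data in entries:
        for cand in candidate_paths(data):
            if is_appdata_executable(cand):
                findings.append(Finding("run_key", f"{key}\\{name}", cand))
                break
    return findings


def hunt_process_events(events):
    """events: dicts keyed like Security event 4688 (process creation) fields."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        cands = [ev.get("NewProcessName", "")]
        cands += list(candidate_paths(ev.get("CommandLine", "")))
        for cand in cands:
            if is_appdata_executable(cand):
                findings.append(Finding("event_4688", ev.get("NewProcessId", "?"), cand))
                break
    return findings


# Constructed sample artifacts: one legitimate per-user install, one dropper
# using an environment variable, one system binary, one script launched by wscript.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_KEY_SAMPLE = [
    (RUN, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN, "Updater", r"%APPDATA%\Updater\svchost.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (RUN, "Loader", r"wscript.exe C:\Users\alice\AppData\Roaming\loader.js"),
]
EVENT_SAMPLE = [
    {"EventID": 4688, "NewProcessId": "0x1a2c",
     "NewProcessName": r"C:\Users\alice\AppData\Roaming\Updater\svchost.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\Updater\svchost.exe -k"},
    {"EventID": 4688, "NewProcessId": "0x0f10",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 4624, "TargetUserName": "alice"},
]

if __name__ == "__main__":
    for f in hunt_run_keys(RUN_KEY_SAMPLE) + hunt_process_events(EVENT_SAMPLE):
        print(f"{f.source:<10} {f.subject:<60} {f.path}")
```

Two points the constructed data is chosen to show: a generalized IOC trades precision for coverage, so the OneDrive entry (a legitimate per-user install under AppData\Local) is only kept quiet by an allowlist maintained for the estate, and the Loader entry, whose image is wscript.exe but whose payload sits in AppData\Roaming, is why every path-like token in a value or command line is checked rather than the image alone. The same two hunt functions apply unchanged whichever family dropped the file, which is the point of the abstraction.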

Source: FIRST


Figure 1: N-IOCs to Rule Them All

YouTube video: N-IOCs to Rule Them All