1

Host IOC Overview

A host-related IOC is a sign that a workstation, laptop, or server has been attacked or is currently under attack. Unlike network IOCs that are observed on the wire, host IOCs are observed directly on the endpoint — in running processes, memory, file system artifacts, registry entries, and system logs.

Malicious processes
Unauthorised processes running on the host, or legitimate processes corrupted with injected malicious code (DLL injection, shared object injection).
Memory forensics
Fileless malware that exists only in RAM, never writing to disk. Requires memory dump analysis — file system scanning alone will miss it.
Resource consumption
Anomalous CPU or memory usage by a process, indicating possible exploitation, crypto mining, or denial-of-service conditions.
Disk / file system
Staging areas with compressed/encrypted data awaiting exfiltration. Alternate data streams hiding files. Unexplained capacity consumption.
Unauthorised privilege
Privilege escalation attempts, failed logons, new accounts, guest account usage, off-hours activity.
Persistence
Registry Run/RunOnce keys, malicious scheduled tasks (Windows Task Scheduler / Linux crontab) ensuring malware survives reboots.
The baseline rule: All host IOC analysis starts with knowing what normal looks like. Build a clean baseline image of a healthy system — every process, every registry key, every scheduled task, every resource usage pattern. Deviations from that baseline are where you focus your investigation.
2

Malicious Processes — Windows & Linux Analysis

A malicious process is a process executed without proper authorisation for the purpose of damaging or compromising the system. On Windows, malware commonly injects itself into legitimate processes via Dynamic Link Libraries (DLLs). On Linux, the equivalent target is Shared Object (.so) files. In both cases, the goal is to hide malicious code inside a trusted process so that it's harder to spot.

Abnormal process behaviour — what to look for

Registry modification
Process writes to registry keys it has no business modifying — particularly Run/RunOnce keys (persistence) or service keys.
Temp directory access
Process creates or reads files in temporary directories (C:\Temp, %AppData%\Local\Temp). Legitimate software rarely stores critical data here.
Unauthorised network activity
Process makes outbound connections to unknown IPs or unusual ports. Beaconing, C2 signalling, or covert channel use from a process that normally has no network activity.
Unknown DNS resolver
Process resolves names through an unexpected DNS server — possible DNS tunnelling or C2 communication via DNS.

Windows process analysis tools

SFC (System File Checker)
Built-in Windows tool (sfc /scannow) that validates all protected OS files using digital signatures. Detects modified or corrupted system files — first check if you suspect DLL tampering.
Process Explorer
Sysinternals tool. Shows the full process tree with parent-child relationships, DLLs loaded by each process, CPU/memory per process, and allows VirusTotal hash lookup of any executable.
Process Monitor
Sysinternals tool. Logs in real-time every file system, registry, and network operation performed by every process. Essential for dynamic malware behaviour analysis.
Tasklist
Command-line task manager (tasklist /v). Shows memory usage, thread state, and process trees. Scriptable — useful for automated baselining and comparison.
PE Explorer
Proprietary tool that browses the internal structure of Windows PE (Portable Executable) files. Shows which DLLs a suspicious executable imports — a quick way to identify its capabilities.

Linux process analysis — daemons, PIDs, and pstree

Linux processes operate differently from Windows. Key concepts before looking at tools:

Daemon
A background service in Linux, named with a trailing 'd' (httpd, sshd, ftpd). Runs continuously without user interaction.
systemd (PID 1)
The init daemon — always PID 1. The first process launched by the kernel at boot. All other processes are descendants. If something claims to be PID 1 and isn't systemd/init, that's an immediate red flag.
PID
Process ID — the unique numeric identifier for a running process. Used to identify, monitor, and if necessary, kill a process.
Parent PID (PPID)
Every process has a parent — the process that launched it. Unexpected parent-child relationships (e.g. Word.exe spawning cmd.exe) are strong IOCs.
Linux process analysis commands
# pstree — show parent/child process hierarchy
$ pstree -p
systemd(1)─┬─ModemManager(936)──gdbus(936)
            ├─NetworkManager(928)──gdbus(928)
            └─suspiciousd(4112)
↑ unknown daemon — investigate immediately

# ps -A — list all running processes for all users
$ ps -A
PID TTY TIME CMD
1 ? 00:00:02 systemd
43 ? 00:00:00 syslogd
4112 ? 02:34:15 suspiciousd ← long runtime, unknown process

# ps -C — search for a specific command
$ ps -C cron ← show only cron processes

# ps -A piped to sort by column 3 (execution time)
$ ps -A | sort -k3 ← find longest-running processes
3

Windows Process Legitimacy Reference (signature element)

Malware commonly masquerades as legitimate Windows processes or injects into them. Knowing the expected properties of each critical system process — its normal path, its expected parent, and typical PID range — allows you to spot impersonation and injection immediately. A process with the right name but the wrong parent or the wrong path is a major IOC.

Process Expected PID Expected parent Normal path Red flags
System 4 None (kernel) kernel PID ≠ 4; parent process present; multiple instances
smss.exe < 1000 System (PID 4) %SystemRoot%\System32\ Parent ≠ System; multiple instances beyond first child; running from wrong path
csrss.exe varies smss.exe %SystemRoot%\System32\ Parent ≠ smss.exe; missing from process list (system will crash); running from wrong directory
wininit.exe one instance smss.exe %SystemRoot%\System32\ Multiple instances; wrong parent; visible window (legitimate wininit runs with no UI)
services.exe one instance wininit.exe %SystemRoot%\System32\ Multiple instances; parent ≠ wininit.exe; launched from unusual directory
lsass.exe one instance wininit.exe %SystemRoot%\System32\ Multiple instances; parent ≠ wininit; wrong path — mimicry (lsass vs. lsass, lass, svchost masquerade) is a major Mimikatz indicator
winlogon.exe one per session smss.exe %SystemRoot%\System32\ Wrong parent; multiple instances for same session; unusual child processes spawned from it
userinit.exe brief — exits quickly winlogon.exe %SystemRoot%\System32\ Still running after logon complete (should exit quickly); running from wrong path
explorer.exe one per user session userinit.exe %SystemRoot%\ Multiple instances without multiple user sessions; running from System32 instead of Windows root; unusual child processes (cmd, PowerShell, mshta)
lsass.exe is the prime mimicry target: The Local Security Authority Subsystem Service handles authentication, password changes, and access tokens. Attackers (especially Mimikatz users for credential dumping) target it directly and name malware similarly. One instance only, parent must be wininit.exe, path must be System32. Any deviation is a critical IOC.
4

Memory Forensics — Fileless Malware & Volatility

Fileless malware executes entirely from memory without writing files to disk. If it does write to disk, it deletes those files immediately. Because traditional antivirus and file system scanning looks for files, fileless malware can evade detection entirely — only memory analysis reveals it.

What fileless malware does
Injects shellcode into a running legitimate process. Uses PowerShell, WMI, or other built-in OS tools (living off the land). Never writes a persistent binary to disk. Survives only until the machine is rebooted or the process ends.
Why it's hard to detect
File system scanners find nothing. Standard AV misses it. Hash-based detection doesn't apply because there's no file to hash. Only memory analysis and behavioural monitoring can reveal it.

What memory analysis can reveal

Running processes
All processes in memory at dump time — including malware that was running but has since been deleted from disk.
File handles
Every file opened by every process. Reveals what files a suspicious process was reading, writing, or exfiltrating.
Network connections
Active and recently closed connections — including C2 callouts that won't appear in persistent logs.
Registry interactions
Keys being read or written by a process — reveals persistence mechanisms being established in real-time.
Cryptographic keys
Encryption keys for full-disk encryption in memory while the system is running — unavailable after shutdown.
Strings / communication
Strings written by applications (Skype messages, browser sessions, command history) stored as pointers in memory — can reconstruct activity.

Volatility Framework — memory analysis in practice

Volatility framework — three-step investigation workflow
# STEP 1: List all running processes (pslist module)
$ volatility -f memory.dmp --profile=Win7SP1x64 pslist

Offset Name PID PPID Threads Handles Started
0x... System 4 0 85 459 —
0x... lsass.exe 600 380 7 647 2021-01-01
0x... explorer.exe 1432 ... 32 877 2021-01-01
0x... salter.exe 1808 ... 5 134 2021-01-01 ← SUSPICIOUS — not a known process

# STEP 2: Check file handles for suspicious PID 1808
$ volatility -f memory.dmp --profile=Win7SP1x64 handles -p 1808 -t File

PID Offset Type Details
1808 0x... File 9781642741292.pdf ← random numeric filename = IOC (C2 unique ID?)

# STEP 3: Check network activity for PID 1808
$ volatility -f memory.dmp --profile=Win7SP1x64 netscan

Offset Proto Local Foreign State PID
0x... TCP 10.1.0.101:1095 192.168.2.192:80 ESTAB 1808
↑ local victim ↑ external unknown host ← salter.exe beaconing out over port 80

Memory forensics tools

Volatility Framework
Open-source command-line memory forensics tool with modules for processes (pslist), file handles, network connections, registry, command history, browser history, and more. Works with Windows, Linux, and macOS memory dumps.
Memoryze (FireEye)
Free memory forensic tool by Mandiant/FireEye. Designed for incident responders finding "evil in live memory." Cleaner interface than Volatility. Can acquire live memory and analyse for IOCs.
FTK / EnCase
Both commercial forensic suites include memory analysis modules for collecting and analysing memory images alongside disk evidence — integrated into the case management workflow.
Exam scope: Know what memory forensics reveals and why fileless malware requires it. Know Volatility framework and Memoryze by name and purpose. You do not need to know specific Volatility command syntax — but understanding the pslist → handles → netscan investigation workflow is useful for scenario questions.
5

Resource Consumption — CPU, Memory & Overflow

Anomalous resource usage is an IOC — but only compared against a known baseline. High CPU usage from a video encoder is expected; high CPU from a database process at 3 AM when no one is online is suspicious. Always correlate resource anomalies with process identity, timing, and network activity before drawing conclusions.

Windows — Task Manager
📊 Sorts processes by CPU, memory, disk, or network
🔍 Per-process granularity — click on a category header to rank
⚠️ Multiple sub-processes under one app — investigate the highest outlier
e.g. Vivaldi showing 3 processes: 1.3 MB, 15.2 MB, 155.6 MB → investigate the 155.6 MB instance first
Linux — free, top, htop
free — shows total / used / available RAM and swap
top — scrollable live process table with CPU % and MEM %; sortable by column
htop — enhanced top with colour, mouse support, visual graphs, F6 sort-by function
Sort by memory to identify the process consuming the most — then investigate that PID

Memory overflow and NOP sled attacks

Attackers deliberately cause memory overflows to crash processes or gain code execution. A buffer overflow overwrites adjacent memory with attacker-controlled content — typically a NOP sled followed by shell code.

NOP sled
Buffer overflow execution technique
A long sequence of NOP (No Operation) instructions placed before shell code. The attacker needs to land anywhere in the NOP region — execution slides down the NOPs until it reaches the shell code, which runs the exploit. Makes the attack tolerant of imprecise memory targeting.
Detection approach
Run suspect code in a sandbox debugging environment. Observe memory behaviour — NOP sleds produce a distinctive signature pattern. Once identified, create a signature for the IDS to detect future variants. Memory overflow → process or system crash → denial of service condition.
6

Disk & File System IOCs — Staging, ADS & Prefetch

Data staging areas

Before exfiltrating data, attackers collect and compress/encrypt it into a staging area — often a temporary folder, user profile location, or the recycle bin. The staging area acts as a holding location until the attacker is ready to transmit.

Temp directories
C:\Temp, %AppData%\Local\Temp, /tmp on Linux. Frequently used because most users and processes have write access.
User profile locations
AppData, Documents, Downloads. Attackers stage here because these directories are rarely monitored closely.
Data masked as logs
Compressed or encrypted files renamed with .log or other innocuous extensions to avoid attracting attention.
Recycle bin
Files placed in the recycle bin are still on the disk but invisible to most scanning tools — a common hiding place.
Staging IOC: Compressed or encrypted files appearing in unusual directories — especially if the user and process have no normal reason to create them — are a strong staging indicator. Disk capacity suddenly dropping on an asset that normally has ample free space is another signal that data is being aggregated for exfiltration.

Alternate Data Streams (ADS)

NTFS (the Windows file system) supports multiple data streams per file. The default stream is what you see in Explorer. An Alternate Data Stream is a hidden additional stream that doesn't appear in normal directory listings, has no size shown, and can store any content — including executables. Attackers use ADS to hide tools and data in plain sight.

Windows dir commands for file system IOC analysis
# Show hidden files and folders
C:\> dir /AH ← /AH = attribute Hidden
C:\> dir /AS ← /AS = attribute System (protected OS files)

# Show file ownership (who owns each file)
C:\> dir /Q ← if ownership is SYSTEM instead of expected user = suspicious

# Show ALL alternate data streams for files in current directory
C:\> dir /R
Directory listing:
0 ... ← file with 0 bytes visible but contains ADS!
412 ...:Sampleabc.txt:$DATA ← alternate data stream hiding 412 bytes

# Linux equivalents for disk space analysis
$ df -h ← disk free: all mounted file systems
$ du /var/log -sh ← disk usage: specific directory
$ lsof -u root -a -p 1645 ← list all files open by user root in process 1645

Application artefact caches — prefetch, shimcache, amcache

Prefetch files
Windows records which applications have been run, along with the date/time, file path, run count, and DLLs used. Located in C:\Windows\Prefetch\. Even if malware deletes itself, the prefetch file records that it ran.
Shimcache
Application compatibility cache stored as a registry key (HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache). Records every executable that ran on the system. Valuable for timeline reconstruction.
Amcache
Application usage cache stored as a hive file at C:\Windows\appcompat\Programs\Amcache.hve. Stores hash values of executables — even deleted ones. A goldmine for finding what ran on the system. Cannot be opened by regedit — requires a forensic tool (EnCase, FTK, Registry Explorer).
7

Unauthorized Privilege — Escalation & Detection

Privilege escalation is the exploitation of vulnerabilities in an OS or application to gain a higher level of access than was intended. An attacker who initially compromises a regular user account through phishing will typically escalate to Administrator (Windows) or root (Linux) to achieve their actual objectives.

Five privilege escalation IOCs to monitor

Unauthorized sessions
Account accessing resources outside its assigned scope. HR account connecting to accounting systems. User account accessing server infrastructure it has no business reason to reach.
Failed logons
Single failure = probably typo. Repeated failures with rotating usernames = password spray. Same username, many passwords = brute force. Windows Event ID 4625.
New accounts
Attacker with admin access creates a new administrator account for persistent access. Audit your accounts regularly — any account not created through your HR/IT process should be investigated.
Guest account usage
Guest accounts enable unauthenticated footprinting of the network — an attacker can enumerate hosts, services, and software without credentials. Guest accounts should be disabled if not needed.
Off-hours usage
Activity outside business hours (9–5 Mon–Fri) with no business justification. Attackers often work at night to avoid detection. User logged in at 2 AM when they're in a different time zone? Investigate.

Detection tools for privilege and policy

Microsoft Policy Analyzer
Compares current security policy configuration against a known-good baseline. Identifies any settings that have drifted from the approved configuration — potential indicator of policy tampering.
AccessChk / AccessEnum
Sysinternals tools. Audit current privileges applied to files, directories, registry keys, and services. Verify that the right permissions are still in place and haven't been modified by an attacker.
8

Unauthorized Software & Hardware

Unauthorized software ranges from obvious malware (virus, worm, Trojan) to subtle attack tools (Netcat, Nmap, Wireshark installed without authorisation) to legitimate software that violates policy (Adobe Acrobat installed by a user who didn't go through the change control process). All are IOCs — they indicate that the host's expected configuration has changed.

Malware
Worms, viruses, Trojans, ransomware, RATs. The most obvious IOC — an AV alert or SIEM rule fires immediately. Investigate what the malware does and how it got there.
Attack tools
Netcat, Nmap, Wireshark, Mimikatz, Metasploit modules found on a workstation that has no security research justification. Could be an attacker's toolkit left behind — or a legitimate tool used without authorisation.
Unauthorised legit software
User installed a licensed application themselves. This is a policy violation — introduces unmanaged vulnerabilities (unpatched software, unlicensed use) even if the software itself is benign.
Unauthorised services
Apache web server installed on a workstation. MySQL database running where it shouldn't. Every additional service is additional attack surface. Services must go through change management.
Modified system files
Host file modified to redirect domains to attacker-controlled IPs. Windows checks the host file before querying DNS — a modified host file can silently intercept all web traffic. Check with SFC or FIM.

Unauthorized hardware — the USB threat

A USB device is one of the most dangerous physical infection vectors. Modern USB firmware can be reprogrammed to make a thumb drive report as a Human Interface Device (HID) — effectively a keyboard — so that when plugged in, it sends malicious keystrokes to the OS rather than appearing as a removable storage device. This bypasses policies that block USB mass storage.

Best practice: In high-security environments, ban all USB devices at the physical and policy level. Where USB must be allowed, use a sandboxed analysis machine to scan and verify each device before connecting it to the network. A USB thumb drive that appears in an unauthorised port should trigger an immediate security response.
9

Persistence — Registry & Scheduled Tasks

Persistence is the ability of a threat actor to maintain covert access to a target host or network across reboots and logoffs. Without persistence, malware is defeated by a simple restart. Attackers establish persistence through two primary mechanisms: registry autorun keys and scheduled tasks.

Registry autorun keys — primary persistence mechanism

The Run and RunOnce registry keys instruct Windows to launch specified programs at login or startup. Malware places its executable path here to survive reboots. The key distinction: Run executes values asynchronously (any order, every time); RunOnce executes values in order, once, then deletes the entry.

⊞ Windows Registry — autorun persistence keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System-wide startup (all users). Attacker favourite — persists across all user logons.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
System-wide, one-time execution then auto-deletes. Used for staged payload delivery.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Current user only. Lower privilege needed — easier for user-level malware to set.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Current user, one-time. Same as above but clears after first run.
HKLM\SYSTEM\CurrentControlSet\Services
Service registration. Malware installed as a service will appear here — survives reboots as a system service.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Most recently used files/executables — forensic artefact showing what was recently run.
HKCR\, HKLM\SOFTWARE\Classes\, HKCU\SOFTWARE\Classes\
File extension associations. Malware can hijack .exe/.bat/.com/.cmd execution by modifying these — running any executable launches the malware first.
Registry analysis tools: Don't use regedit for forensic analysis — it doesn't show last-modification timestamps. Use regdump (dumps registry to searchable text file) or dedicated forensic tools. A known-good baseline of the registry lets you instantly spot any added or modified keys.

Scheduled tasks — secondary persistence mechanism

Windows Task Scheduler
GUI: taskschd.msc — shows all tasks and full run history per task
Any task without a known legitimate purpose should be investigated
Task history shows exact run times — useful for timeline reconstruction
Malware can install itself as a service appearing in Task Scheduler
Command line: schtasks /query /fo LIST /v to list all tasks verbosely
Linux crontab
crontab -l — list current user's scheduled cron jobs
crontab -l -u root — list root's cron jobs (requires sudo)
Also check /etc/cron.d/, /etc/cron.daily/, /var/spool/cron/
Any cron job running as root that can't be attributed to a known admin task is an IOC
Exam essentials for persistence: Two mechanisms — registry and scheduled tasks. Registry: Run = async, every boot; RunOnce = ordered, once then deletes. Linux equivalent = crontab. Know the four Run/RunOnce key paths (HKLM + HKCU for each). Know that HKLM\SYSTEM\CurrentControlSet\Services is where service-based persistence lives.

Exam

Quick Reference Cheat Sheet

Malicious process signs
Unexpected registry writes. Files in temp directories. Outbound connections from normally non-networked processes. Unknown DNS resolvers. Windows: DLL injection. Linux: .so shared object injection. Always compare against a clean baseline.
Windows process tools
SFC = scan OS files for integrity. Process Explorer = full process tree + DLLs loaded + VirusTotal lookup. Process Monitor = real-time file/registry/network per process. Tasklist = CLI task manager. PE Explorer = inspect PE executable structure.
Linux process tools
systemd = PID 1 always. pstree = parent/child hierarchy. ps -A = all processes all users. ps -C [cmd] = find specific command. ps -A | sort -k3 = sort by runtime. Daemons end in 'd'. Malware injects into .so files.
Key process red flags
lsass.exe: one instance, parent = wininit.exe, path = System32. System: PID = 4, no parent. explorer.exe: parent = userinit.exe, one per session. Any process with wrong parent, wrong path, or wrong instance count = investigate immediately.
Memory forensics
Fileless malware = executes from RAM, no file on disk. Reveals: processes, file handles, network connections, registry, crypto keys, strings. Tools: Volatility (pslist → handles → netscan workflow), Memoryze, FTK/EnCase memory modules.
Resource consumption
Windows: Task Manager (CPU/memory per process). Linux: free (RAM summary), top (live process table), htop (coloured + mouse + graphs). Compare against baseline — anomaly without justification = investigate. Buffer overflow → NOP sled → shell code → DoS or code execution.
Disk / file IOCs
Staging: compressed/encrypted files in temp, AppData, recycle bin. ADS: NTFS hidden streams — dir /R reveals them. Capacity spike = data aggregation. dir /AH = hidden files, /Q = ownership, /R = ADS. Linux: lsof, df, du. Shimcache + Amcache = execution artefacts.
Privilege escalation IOCs
Unauthorized sessions (HR accessing accounting). Failed logons (brute force = Event 4625). New accounts (attacker created admin account). Guest account usage (footprinting). Off-hours usage (2 AM login = suspicious). Tools: Policy Analyzer, AccessChk/AccessEnum.
Unauthorized software/hardware
Malware, attack tools (Netcat/Nmap without justification), unlicensed/unapproved apps, unauthorised services (Apache on a workstation), modified host file. USB: can be reprogrammed as HID keyboard — bypasses USB storage bans. Scan all USB in sandbox first.
Persistence
Registry: Run (async, every boot) vs. RunOnce (ordered, once). Keys: HKLM and HKCU \SOFTWARE\Microsoft\Windows\CurrentVersion\Run[Once]. Services: HKLM\SYSTEM\CurrentControlSet\Services. Scheduled tasks: Windows Task Scheduler (schtasks) / Linux crontab -l. Compare against baseline.