Threat hunting: MD5 hash IoCs


Threat hunting is the process of searching your network for known malicious actors with the help of threat intelligence feeds. Threat intelligence feeds provide structured and contextual information about malicious IPs, domains, URLs, hashes, Indicators of Compromise (IoCs), Indicators of Attack (IoAs), and Tactics, Techniques, and Procedures (TTPs) of attackers.

How to identify malicious files using MD5 hashes?

When your system falls victim to a malware attack, multiple malicious files can be installed on it. These files disguise their presence and carry out undesirable actions on your systems until they are discovered.

Such files are often placed in directories that make them look legitimate, for example as a temp file under C:\Users\{User_name}\AppData\Local. Malware of this kind can track user activity and record keystrokes and screen contents to obtain sensitive and valuable information.

If you suspect that malicious files are present on your system, you can compare the MD5 hash values of the suspected files with the list of malicious MD5 hashes provided by a reliable threat intelligence feed.

Threat intelligence feeds provide vital context about a malicious MD5 hash, such as:

  • Processes executed by such malicious files
  • C2 servers and IP addresses the files are associated with
  • Type of attack carried out by these files

All the above information can help IT security teams obtain an overview of the targeted attack.

How to look for IoCs corresponding to a malicious MD5 hash in your network?

Once you have identified files with malicious MD5 hash values, you have to analyze your network logs to discover all the activities carried out by these files. Your network logs can tell you:

  • Where the files were initially created
  • Ports accessed by the files for communication
  • Number of times the files were executed
  • First and last execution time

The above information helps IT security teams ascertain the overall damage caused by these files in your network. Manually searching for these IoCs across a network is tedious, and you may not be able to identify and terminate every process started by these files in time to prevent an attack. A security information and event management (SIEM) solution can identify IoCs accurately and correlate all activity across your network to provide insights into an incident or attack.
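The two steps above, hashing suspect files against a feed blocklist and then correlating the log entries of the files that match, as an added Python example that is not code from this page or from Log360; the feed entry, file contents, paths and the Sysmon-style log schema are all constructed for the demo:

```python
import hashlib
import re

# Constructed feed entry: the bytes and their MD5 are made up for this demo; a real
# feed delivers the hash plus context (family, C2 servers, attack type), never the file.
SAMPLE_MALICIOUS_BYTES = b"constructed sample payload, not real malware"
BAD_MD5 = hashlib.md5(SAMPLE_MALICIOUS_BYTES).hexdigest()
MALICIOUS_MD5 = {BAD_MD5: "constructed stealer family"}  # md5 -> feed context

def match_files(files):
    """files: path -> bytes, an in-memory stand-in for walking a directory
    (hash real files in chunks). Returns {path: md5} for blocklisted files."""
    digests = {p: hashlib.md5(b).hexdigest() for p, b in files.items()}
    return {p: d for p, d in digests.items() if d in MALICIOUS_MD5}

# Constructed log schema: "<ts> <event> path=<path> md5=<hex> [dport=<n>]"
LOG_RE = re.compile(r"^(\S+) (\w+) path=(\S+) md5=([0-9a-f]{32})(?: dport=(\d+))?$")

def correlate(log_lines, md5s):
    """Per hunted hash: where the file was first written, destination ports,
    execution count and first/last run. Lines are assumed chronological."""
    summary = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group(4) not in md5s:
            continue  # unparsable line, or a file we are not hunting for
        ts, event, path, digest, dport = m.groups()
        s = summary.setdefault(digest, {"created_at": None, "ports": set(),
                                        "executions": 0, "first_run": None, "last_run": None})
        if event == "FileCreate" and s["created_at"] is None:
            s["created_at"] = path
        elif event == "ProcessCreate":
            s["executions"] += 1
            s["first_run"] = s["first_run"] or ts
            s["last_run"] = ts
        elif event == "NetworkConnect" and dport:
            s["ports"].add(int(dport))
    return summary

P = r"C:\Users\alice\AppData\Local\Temp\svch0st.exe"  # constructed path
FILES = {P: SAMPLE_MALICIOUS_BYTES, r"C:\Users\alice\Documents\notes.txt": b"harmless notes"}
LOGS = [  # constructed, Sysmon-style lines
    f"2024-03-01T08:15:02Z FileCreate path={P} md5={BAD_MD5}",
    f"2024-03-01T08:15:10Z ProcessCreate path={P} md5={BAD_MD5}",
    f"2024-03-01T08:15:11Z NetworkConnect path={P} md5={BAD_MD5} dport=443",
    f"2024-03-02T09:00:00Z ProcessCreate path={P} md5={BAD_MD5}",
    f"2024-03-02T09:00:05Z ProcessCreate path=C:\\Windows\\notepad.exe md5={'0' * 32}",
]
```

Exact-hash matching only finds byte-identical copies of a known file, so a miss is absence of evidence rather than evidence of absence; a hit, however, is high confidence and the log summary tells you how far to scope the response.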

Log360 is a SIEM solution that collects, parses and correlates logs from all network devices. It analyzes the logs and provides comprehensive, intuitive reports about all network activity. It can identify malicious IPs communicating with your network with the help of threat intelligence feeds sourced from trusted formats and platforms such as STIX, TAXII, and AlienVault OTX. Log360 can spot deviant and anomalous activity in your network and raise real-time alerts that notify IT security admins of a targeted attack via SMS and email.

Check out Log360's features to see how it can help you stay ahead of cyber attackers.

Cyber Security - Knowledge Base
  Zoho Corporation Pvt. Ltd. All rights reserved.