Malware
Types of malware-
1. Virus- Attaches itself to a legitimate file and spreads when that file runs.
SOC view:
Unknown process spawning
Suspicious file modification
Antivirus alerts
2. Worm- A worm spreads automatically over the network, no user action needed.
e.g. WannaCry (spread using an SMB vulnerability)
SOC view:
Sudden network traffic spike
Same payload across multiple hosts
Lateral scanning behaviour
3. Trojan- Malware disguised as legitimate software.
e.g. a fake "free cracked software.exe".
What it does:
Opens backdoor
Steals data
Installs additional malware
SOC view:
Unusual outbound traffic
Unknown service running
Suspicious startup entries
4. Ransomware- Encrypts victim files and demands ransom payment.
SOC view:
High CPU usage
Mass file renaming
Shadow copy deletion
Unusual encryption activity
5. Spyware- Secretly collects user information.
What it steals:
Passwords
Banking information
Screenshots
Keystrokes (keylogger)
SOC view:
Strange outbound connections
DNS queries to unknown domains
Data exfiltration alerts
6. Rootkits- Designed to hide other malware.
Very dangerous because:
Hides processes
Hides files
Hides registry entries
Very difficult to detect
SOC view:
Mismatch between user-mode and kernel-mode results
Integrity check failure
Unusual driver loads
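The ransomware "SOC view" above (mass file renaming plus shadow copy deletion) can be turned into a correlation rule. This is an added example, not part of the original notes: it runs over constructed endpoint events (the hosts, processes and file names are made up) and flags a host when one process renames many files to the same new extension inside a short window, escalating to "ransomware" when the same host also shows a shadow-copy deletion command line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry for the demo (not real logs).
# Fields: timestamp, host, process, event type, detail.
EVENTS = [
    ("2024-01-10 09:00:02", "WS-17", "svchost.exe", "file_rename", "q1.xlsx -> q1.xlsx.locked"),
    ("2024-01-10 09:00:02", "WS-17", "svchost.exe", "file_rename", "notes.txt -> notes.txt.locked"),
    ("2024-01-10 09:00:03", "WS-17", "svchost.exe", "file_rename", "photo.jpg -> photo.jpg.locked"),
    ("2024-01-10 09:00:04", "WS-17", "svchost.exe", "file_rename", "plan.pptx -> plan.pptx.locked"),
    ("2024-01-10 09:00:05", "WS-17", "svchost.exe", "file_rename", "cv.pdf -> cv.pdf.locked"),
    ("2024-01-10 09:00:09", "WS-17", "cmd.exe", "process_create", "vssadmin delete shadows /all /quiet"),
    ("2024-01-10 09:10:00", "WS-22", "explorer.exe", "file_rename", "a.txt -> b.txt"),   # benign
    ("2024-01-10 09:11:00", "WS-22", "explorer.exe", "file_rename", "c.txt -> d.txt"),   # benign
]

RENAME_THRESHOLD = 5            # renames to one new extension within WINDOW = a burst
WINDOW = timedelta(seconds=60)
# Common shadow-copy deletion signatures seen in process command lines.
SHADOW_DELETE = re.compile(r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete)", re.I)

def triage(events):
    """Return {host: verdict}; verdict is 'ransomware', 'mass_rename' or 'shadow_delete'."""
    renames = defaultdict(list)     # (host, process, new extension) -> [timestamps]
    shadow_hosts = set()
    for ts, host, proc, kind, detail in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if kind == "file_rename":
            new_name = detail.split("->")[-1].strip()
            ext = new_name.rsplit(".", 1)[-1].lower() if "." in new_name else ""
            renames[(host, proc, ext)].append(t)
        elif kind == "process_create" and SHADOW_DELETE.search(detail):
            shadow_hosts.add(host)
    burst_hosts = set()
    for (host, proc, ext), times in renames.items():
        times.sort()
        # sliding window: RENAME_THRESHOLD renames inside WINDOW counts as a burst
        for i in range(len(times) - RENAME_THRESHOLD + 1):
            if times[i + RENAME_THRESHOLD - 1] - times[i] <= WINDOW:
                burst_hosts.add(host)
                break
    verdicts = {}
    for host in burst_hosts | shadow_hosts:
        both = host in burst_hosts and host in shadow_hosts
        verdicts[host] = "ransomware" if both else ("mass_rename" if host in burst_hosts else "shadow_delete")
    return verdicts
```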
Phishing and Social Engineering
Phishing-
Phishing is a social engineering attack where attackers trick users into:
Revealing credentials
Clicking malicious links
Downloading malware
Transferring money
Installing remote access tools
It attacks human psychology, not just systems.
1. Email Phishing-
SOC detection:
Email from spoofed domain
Lookalike domain
Suspicious attachments
URL redirect chains
SPF/DKIM/DMARC failures
2. Spear Phishing- Targeted phishing against a specific person or organization.
e.g. "Hi, this is the CFO, please transfer $10000 urgently."
This is also called Business Email Compromise (BEC).
3. Whaling- Targeting high-level executives (CEO, CFO, Directors)
high impact = high reward.
4. Smishing- Phishing via SMS.
e.g. "Your bank account is blocked, click here"
5. Vishing- Voice phishing via phone call.
e.g. "I'm from the bank fraud department, tell me your OTP"
Pharming-
When the victim is redirected to a fake website even if they type the correct website address.
Phishing ---> user clicks malicious links.
Pharming ---> redirection happens silently.
Pharming Method 1 - DNS Poisoning
Attacker compromises: DNS server or local router
When user types: www.bank.com
DNS returns: attacker's IP address (user lands on fake site)
Pharming Method 2 - Hosts file modification
Malware edits --> C:\windows\System32\drivers\etc\hosts
e.g. 192.168.1.200 www.bank.com
Now the user is redirected locally.
SOC Detection:
Suspicious DNS responses
Sudden DNS record change
Internal DNS anomalies
Multiple users resolving same domain to unusual IP
Host file modification alerts
Certificate mismatch errors
Real SOC scenario:
Alert: Multiple users accessing bank.com resolving to a foreign IP.
Investigation:
Check DNS logs
Compare with known legitimate IPs
Check for DNS server compromise
Check endpoints for hosts file tampering
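The investigation steps above (compare DNS answers with known legitimate IPs, look for many users resolving the same domain to an unusual IP, check hosts files) as an added example that is not part of the original notes. The resolver log format, the bank domain, the allowlist of legitimate IPs and the hosts file contents are all constructed for the demo; the two functions return the anomalies so they can be fed to an alert.

```python
import ipaddress
from collections import defaultdict

# Assumed allowlist of legitimate addresses per monitored domain (constructed values).
KNOWN_GOOD = {"www.bank.com": {"203.0.113.10", "203.0.113.11"}}
MIN_CLIENTS = 3   # distinct users that must see the bad answer before we alert

# Constructed resolver log lines: "<client ip> <queried domain> <answer ip>"
DNS_LOG = """\
10.0.0.5 www.bank.com 203.0.113.10
10.0.0.6 www.bank.com 198.51.100.77
10.0.0.7 www.bank.com 198.51.100.77
10.0.0.8 www.bank.com 198.51.100.77
10.0.0.9 www.example.org 192.0.2.1
"""

# Constructed hosts file pulled from an endpoint during investigation.
HOSTS_FILE = """\
# constructed hosts file
127.0.0.1 localhost
192.168.1.200 www.bank.com
"""

def dns_anomalies(log, known_good=KNOWN_GOOD, min_clients=MIN_CLIENTS):
    """Monitored domains that several clients resolved to an IP outside the allowlist."""
    seen = defaultdict(set)   # (domain, answer ip) -> {client ips}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, domain, answer = parts
        if domain in known_good and answer not in known_good[domain]:
            seen[(domain, answer)].add(client)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_clients}

def hosts_overrides(text, monitored=KNOWN_GOOD):
    """Hosts file entries that pin a monitored domain to any address (should never exist)."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue   # not an address-to-name mapping
        hits.extend((name, addr) for name in names if name in monitored)
    return hits
```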
Evil twin attack-
An attacker creates a fake wifi access point that looks identical to a legitimate one.
e.g. Real wifi: Cafe_WiFi
Fake wifi: Cafe_WiFi or Cafe_WiFi_Free
Users connect unknowingly.
How evil twin attack works:
Attacker sets up a rogue access point
Victim connects
Attacker intercepts traffic (MITM)
Credential capture
Session hijacking possible
SOC Detection:
Unauthorized access point detected
Duplicate SSID detected
ARP spoofing alert
Unusual DHCP server detected
Network traffic interception patterns
Core psychological tricks used by attackers
1. Scarcity- "Only 2 bonus slots remaining"
Triggers impulsive decisions.
2. Reciprocity- "I helped you last week, can you send me this document."
Creates obligation.
3. Familiarity- Attackers often:
Impersonate colleagues
Use internal language
Reference real projects
Types of Social Engineering attacks
1. Pretexting- Attacker creates a fake scenario to gain trust.
e.g. "Hi, I'm from IT,
We are upgrading VPN.
Please confirm your credentials."
2. Baiting- Attacker offers something tempting.
e.g. Free movie download ( curiosity + greed = compromise)
3. Watering hole attack- Attacker compromises a website frequently visited by target group.
e.g. Government employees frequently visit a specific portal.
Attacker injects malware into that site.
Social engineering attack lifecycle
Reconnaissance
Relationship building ---> email/phone conversation
Exploitation ---> Credential, file execution, access granted
Exit ---> delete traces, begin technical attacks.
SOC Analyst Response:
Suspicious login after phishing
VPN login from new location
Email forwarding rules created
MFA reset request
Multiple password reset attempts
Impossible travel login
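The "impossible travel login" item above can be checked with a simple rule over authentication logs: if two consecutive logins by the same user are so far apart that the implied speed exceeds what a flight could manage, raise an alert. This is an added example, not part of the original notes; the login events, coordinates and the 900 km/h threshold are assumptions made for the demo.

```python
from collections import defaultdict
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_SPEED_KMH = 900.0   # assumed threshold: faster than a commercial flight is "impossible"

# Constructed login events (not real data): user, UTC time, source country, latitude, longitude
LOGINS = [
    ("alice", "2024-03-01 08:00:00", "IN", 19.07, 72.88),    # Mumbai
    ("alice", "2024-03-01 09:30:00", "BR", -23.55, -46.63),  # Sao Paulo, 90 minutes later
    ("bob",   "2024-03-01 08:00:00", "IN", 19.07, 72.88),    # Mumbai
    ("bob",   "2024-03-01 10:00:00", "IN", 28.61, 77.21),    # Delhi, 2 hours later (plausible)
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Return [(user, from_country, to_country, implied_speed_kmh)] for consecutive
    logins by one user that would need travel faster than max_speed_kmh."""
    by_user = defaultdict(list)
    for user, ts, country, lat, lon in logins:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), country, lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()   # chronological order per user
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            if hours == 0 and dist > 0:          # simultaneous logins from two places
                alerts.append((user, c1, c2, float("inf")))
            elif hours > 0 and dist / hours > max_speed_kmh:
                alerts.append((user, c1, c2, round(dist / hours)))
    return alerts
```

Logins from a VPN or cloud egress can trip this rule legitimately, so the alert is a triage starting point rather than a verdict.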
Social Engineering in Indian Context
Fake GST notice
Fake income tax email
Fake courier delivery scams
KYC verification fraud
Bank OTP scams
Fake job offer scams
Many SOC alerts relate to:
Credential harvesting
OTP compromise
Account takeover
