Discovering indicators of compromise



Now you have a good idea of what an exploit looks like from both the attacker's and the defender's perspective. I value the defender's perspective the most; the blue team worker is the one, at least in my mind, who accomplishes the essential step of customizing the various security controls, such as IDS and SIEM systems, to the behavior actually observed.

Of course, you can automate the process of discovering and even responding to these types of changes. Well-known exploits are already preprogrammed into host- and network-based IDS solutions, but a good security analyst knows that hackers are always changing their tactics and techniques. Therefore, an IT administrator or security worker must know how to investigate and review these types of attacks with manual, non-automated tools as well.

Once you know how to view an attack from both perspectives, you can take this relatively simple example and trace more activities related to the hacker process, and you can discover more IoCs and use this information to make your IDS and SIEM tools work more efficiently.



The Author

Feel free to contact James Stanger at, via Skype at stangernet, or on Twitter at @jamesstanger.
