{"id":5109,"date":"2019-12-09T20:56:55","date_gmt":"2019-12-09T19:56:55","guid":{"rendered":"http:\/\/nextron.bsk-consulting.de\/?p=5109"},"modified":"2025-03-07T17:36:28","modified_gmt":"2025-03-07T16:36:28","slug":"not-all-ioc-scanning-is-the-same","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2019\/12\/09\/not-all-ioc-scanning-is-the-same\/","title":{"rendered":"Not All IOC Scanning Is The Same"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.16″ global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on” da_disable_devices=”off|off|off”][et_pb_row _builder_version=”4.16″ global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}”]<\/p>\n

People often tell us that EDR product X already does IOC scanning and that they don\u2019t have to check for these indicators a second time using our scanners. Especially when it comes to network wide sweeps for traces of activity due to an ongoing incident I recommend scanning a second time with one of our scanners or a tool of similar quality.<\/span><\/p>\n

This blog post explains why.<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.16″ global_colors_info=”{}”][et_pb_column type=”3_5″ _builder_version=”4.16″ global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}”]<\/p>\n

People usually spend a fair amount of time on selecting threat intel feeds and interesting indicators for their scans. However when it comes to the actual application of these indicators they seem to be satisfied with the simplest form of checks.<\/span><\/p>\n

Especially when we look at C2 or Filename IOCs I can easily explain the difference between the \u201ecompulsory\u201c and \u201efreestyle\u201c methods of IOC scanning.<\/p>\n

A plain \u201ecompulsory\u201c filename IOC check would walk the disk or query a database looking for a certain filename, right?<\/p>\n

 <\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.16″ global_colors_info=”{}”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2019\/12\/7S5g5.jpg” _builder_version=”4.16″ global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.16″ global_colors_info=”{}”][et_pb_column type=”2_5″ _builder_version=”4.16″ global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}”]<\/p>\n

However if you think about it for a second and ask yourself \u201ewhere else could we check for that filename?\u201c you\u2019ll realize that the following elements could also contain the malicious filename:<\/p>\n