Malware Indicators

Malware indicators are the patterns, behaviors, artifacts, and forensic traces that reveal the presence of malware on an endpoint or network.
Unlike IOCs (static data like hashes) or IOAs (attacker behavior), malware indicators combine host-level, network-level, and process-level evidence to identify whether a system is infected, running a payload, staging a second-stage attack, or communicating with a command-and-control (C2) server.

This chapter explains malware indicators in practical SOC depth, with raw forensic examples, detection logic, SIEM queries, and investigation workflows.


What Malware Indicators Are

Malware indicators are observable signs that malware:

  • Executed

  • Loaded into memory

  • Modified files

  • Created persistence

  • Established C2 communication

  • Injected into processes

  • Downloaded payloads

  • Exfiltrated data

They are found across:

  • Sysmon logs

  • Linux logs

  • Firewall logs

  • DNS logs

  • Proxy logs

  • EDR telemetry

  • Memory dumps

  • Disk forensics

Malware indicators tie together the entire infection chain.


Core Malware Indicator Categories

1. Execution Indicators

Signs that malware ran on the host.

Examples:

  • Office app spawning PowerShell

  • PowerShell encoded commands

  • Shell scripts running in /tmp

  • Unknown executables in user directories

  • DLL side-loading

  • Suspicious process trees

Raw examples:

WINWORD.exe → powershell.exe -nop -enc JAB...
bash[2211]: executing /tmp/xmrig
lsass.exe accessed by unknown process

2. Persistence Indicators

Malware embeds itself to survive reboot.

Common persistence mechanisms:

  • Registry Run keys

  • Cron jobs

  • Scheduled tasks

  • Startup folders

  • Systemd services

  • WMI subscriptions

Raw examples:

HKCU\Software\Microsoft\Windows\Run\Updater = C:\Users\Public\bd.exe
CRON: (root) CMD (/tmp/backdoor.py)
systemd: created service miner.service

3. Network Indicators

Malware beaconing or communicating with attackers.

Examples:

  • Repeated outbound connections

  • C2 traffic over 443/8080

  • Random domains

  • DNS tunneling

  • TOR or proxy usage

Raw examples:

powershell.exe → 91.22.113.10:443
DNS query: config.xjpwqz.biz → suspicious
POST /status small size at regular intervals

These are strong signs of active infection.


4. File Indicators

Malware leaves files, payloads, or artifacts.

Examples:

  • Dropped payloads in /tmp, AppData, Public

  • Suspicious DLLs

  • Unusual file extensions

  • Scripts created automatically

Raw examples:

/tmp/.hidden/kworker
C:\Users\Public\update.vbs
/root/.cache/.miner

Even if hashes change, file location and behavior remain consistent.


5. Memory Indicators

Used to detect fileless malware.

Examples:

  • Injected threads in LSASS

  • Suspicious memory allocations

  • Shellcode patterns

  • Reflective DLL loading

Raw examples:

Sysmon EventID=8: remote thread created in lsass.exe
Sysmon EventID=10: process accessed lsass.exe

Memory indicators are critical for detecting Cobalt Strike, Mimikatz, and in-memory RATs.


6. Behavioral Indicators

Attacker actions that strongly imply infection.

Examples:

  • Unusual CPU spikes (crypto miners)

  • Unknown processes maintaining persistence

  • Scripts running repeatedly

  • Unexpected admin activity

Raw examples:

xmrig running at 100% CPU
powershell launching every 5 minutes via scheduled task
cat /etc/shadow from unknown binary

Behavior analysis detects malware even when indicators change.


7. Browser & Proxy Indicators

Malware often downloads payloads from web servers.

Examples:

  • Downloading EXE/PS1 from shady domains

  • Auto-downloads of ZIP files

  • Malicious redirect chains

Raw examples:

URL=http://malicious.ru/payload.exe
URL=https://cdn-dropper.net/ldr.ps1

8. Email Indicators

Phishing-driven malware infections.

Examples:

  • Macro-enabled Excel files

  • ZIPs containing EXEs

  • Fake invoice attachments

Raw examples:

attachment: Invoice_2025.xlsm
From: support@office365-auth-login.net

High-Risk Malware Behavior Patterns

Suspicious Parent → Child Chains

WINWORD.exe → cmd.exe → powershell.exe

Encoded / Obfuscated Commands

-frombase64string
-enc JAB

Suspicious Temporary Directories

/tmp/
/var/tmp/
AppData\Roaming\
C:\Users\Public\

Foreign Network Traffic

Outbound to .ru, .su, .cn domains when the organization has no business reason for that traffic

Persistence Creation

schtasks /create /tn "Updater" /tr "C:\Users\Public\bd.exe"

Lateral Movement

4624 LogonType=3 from unusual workstation

Data Collection / Staging

zip -r data.zip /home

Exfiltration

POST large payload to file.io
DNS TXT queries with encoded data

These patterns always require escalation.
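The execution and persistence patterns above (an Office application spawning a script host, -enc command lines, execution from temporary or Public directories, Run-key writes) can be checked mechanically before an analyst looks at them. The Python below is an added example, not code from this chapter: it runs rule-based matching over a handful of constructed Sysmon-style EventID 1 (process create) and EventID 13 (registry value set) records whose field names follow Sysmon but whose paths, hosts and values are invented, and it decodes the -EncodedCommand argument (base64 of UTF-16LE text) so the finding shows what the command line actually contained.

```python
import base64
import re
from dataclasses import dataclass

# Constructed encoded command: PowerShell's -EncodedCommand takes base64 of
# UTF-16LE text, which is why real samples so often start with "JAB" ("$").
ENCODED_SAMPLE = base64.b64encode(
    "Write-Host 'constructed encoded payload'".encode("utf-16le")
).decode()

# Constructed Sysmon-style events (field names per Sysmon, all values invented).
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}"},
    {"EventID": 1,
     "Image": r"C:\Users\Public\bd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Users\Public\bd.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\Public\bd.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\bd.exe"},
    {"EventID": 1,                                   # benign: user opens a text file
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"EventID": 13,                                  # benign: Office writing its own settings
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKCU\Software\Microsoft\Office\16.0\Word\Options\LastMRU",
     "Details": "some-value"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# Directories the chapter lists as common drop locations (matched case-insensitively).
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\users\\public\\", "\\temp\\", "/tmp/", "/var/tmp/")
# Run / RunOnce keys; the optional CurrentVersion segment also matches abbreviated log lines.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\(?:CurrentVersion\\)?Run(?:Once)?\\", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    event_index: int
    indicator: str
    detail: str


def basename(path):
    """Last path component, lower-cased, for either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_suspicious_dir(path):
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_events(events):
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                findings.append(Finding(i, "office_spawns_script_host", f"{parent} -> {image}"))
            decoded = decode_encoded_command(ev.get("CommandLine", ""))
            if decoded is not None:
                findings.append(Finding(i, "encoded_powershell", decoded))
            if in_suspicious_dir(ev["Image"]):
                findings.append(Finding(i, "execution_from_suspicious_dir", ev["Image"]))
        elif ev["EventID"] == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            findings.append(Finding(i, "run_key_persistence",
                                    f"{ev['TargetObject']} = {ev.get('Details', '')}"))
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.indicator}: {f.detail}")
```

Running the block flags four findings across the first three constructed events and nothing for the two benign ones. The decoder is the useful part in triage: an encoded command line is an indicator on its own, but the decoded text tells you whether it is a download cradle, a persistence write or an admin's legitimate script, which decides the escalation.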


Malware Indicator Examples by Log Source

Sysmon

EventID=1: powershell.exe -enc
EventID=3: outbound 443 to unknown IP
EventID=10: memory access to lsass.exe

Linux Logs

CRON: (root) CMD (python3 /tmp/bd.py)
execve("/tmp/miner", ...)

DNS

query: q9wje092j9xja.biz → NXDOMAIN
TXT query with long base64 text

Firewall

Outbound 5MB POST request to unknown IP

Proxy

Downloaded payload.exe from malicious domain

IPS/IDS

ET MALWARE Cobalt Strike Beacon

These multi-source indicators confirm malware activity.


SIEM Queries for Malware Detection

Detect encoded PowerShell malware

process:powershell AND CommandLine:*enc*

Detect suspicious file execution

Image:*AppData* OR Image:*Public* OR Image:/tmp/*

Detect C2 communication

dst_ip NOT IN whitelist AND bytes_out < 500 AND repeated every 1 min

Detect persistence creation

EventID:13 AND TargetObject:*Run*

Detect DNS tunneling

query_length > 100 AND query_type:TXT

Detect miner activity

process_name:xmrig OR Image:*miner*
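The C2 and DNS tunneling queries above are written in SIEM shorthand ("repeated every 1 min", "query_length > 100"). As an added example that is not part of the chapter, the Python below makes those two checks concrete: beaconing is scored per source/destination pair outside an allowlist by the regularity of the inter-arrival gaps (standard deviation divided by mean) together with the chapter's bytes_out < 500 size check, and DNS tunneling by the chapter's long-TXT rule plus the Shannon entropy of the longest label. All flow and DNS records, hosts and IP addresses are constructed (the xjpwqz.biz name reuses the chapter's own example domain), and the thresholds are assumptions to tune per environment.

```python
import base64
import math
import statistics
from collections import Counter, defaultdict

# Destinations expected to see regular, small traffic (constructed: the internal
# resolver). In a real SIEM this is the "whitelist" from the query above.
ALLOWLIST = {"10.0.0.53"}
MIN_CONNECTIONS = 5       # assumption: enough samples to judge periodicity
MAX_JITTER_CV = 0.20      # assumption: stdev / mean of inter-arrival gaps
MAX_BEACON_BYTES = 500    # the chapter's bytes_out < 500 check-in size
MAX_QNAME_LEN = 100       # the chapter's query_length > 100 threshold
MIN_DATA_LABEL_LEN = 40   # assumption: data-carrying labels are long
MIN_LABEL_ENTROPY = 3.5   # assumption: bits/char; with the length gate, word-like labels rarely reach it

# Constructed flow records: (seconds since start, source host, destination IP, bytes out)
SAMPLE_FLOWS = [
    # WS-042 -> 203.0.113.10: ~60 s cadence with small jitter, tiny check-ins
    *[(t, "WS-042", "203.0.113.10", b) for t, b in
      zip([0, 61, 119, 182, 240, 302, 359, 420], [210, 198, 222, 205, 199, 231, 216, 204])],
    # WS-017 browsing: irregular timing, large uploads
    *[(t, "WS-017", "198.51.100.7", b) for t, b in
      zip([5, 9, 140, 143, 150, 400, 402, 900], [15000, 2300, 48000, 900, 1200, 33000, 700, 5100])],
    # WS-042 -> internal resolver: regular and small, but allowlisted
    *[(t, "WS-042", "10.0.0.53", 80) for t in range(0, 480, 60)],
    # WS-099: only three connections, too few to judge
    (10, "WS-099", "192.0.2.44", 150), (70, "WS-099", "192.0.2.44", 150), (130, "WS-099", "192.0.2.44", 150),
]


def find_beacons(flows):
    """Return (src, dst) pairs whose connections are periodic and small."""
    groups = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if dst not in ALLOWLIST:
            groups[(src, dst)].append((ts, nbytes))
    beacons = []
    for (src, dst), samples in groups.items():
        if len(samples) < MIN_CONNECTIONS:
            continue
        samples.sort()
        times = [t for t, _ in samples]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        median_bytes = statistics.median([n for _, n in samples])
        if cv <= MAX_JITTER_CV and median_bytes < MAX_BEACON_BYTES:
            beacons.append({"src": src, "dst_ip": dst, "interval_s": round(mean_gap, 1),
                            "jitter_cv": round(cv, 3), "median_bytes_out": median_bytes})
    return beacons


def shannon_entropy(text):
    """Bits per character of the text's own symbol distribution."""
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _constructed_tunnel_qname():
    # Invented data, base32-encoded and split into 63-byte labels the way
    # tunnelling tools do, under a constructed parent domain.
    payload = b"constructed tunnelled chunk 0001 " * 3
    data = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [data[i:i + 63] for i in range(0, len(data), 63)]
    return ".".join(labels) + ".t.xjpwqz.biz"


# Constructed DNS records: (source host, query name, query type)
SAMPLE_DNS = [
    ("WS-042", _constructed_tunnel_qname(), "TXT"),
    ("WS-017", "www.example.com", "A"),
    ("WS-017", "d1a2b3c4d5e6f7g8.cdn.example.net", "A"),   # hashed-looking but short CDN label
    ("WS-042", "checkin.xjpwqz.biz", "A"),
]


def find_dns_tunneling(records):
    flagged = []
    for src, qname, qtype in records:
        reasons = []
        if qtype == "TXT" and len(qname) > MAX_QNAME_LEN:
            reasons.append("long TXT query")
        longest = max(qname.split("."), key=len)
        if len(longest) >= MIN_DATA_LABEL_LEN and shannon_entropy(longest) >= MIN_LABEL_ENTROPY:
            reasons.append(f"high-entropy label ({shannon_entropy(longest):.2f} bits/char)")
        if reasons:
            flagged.append({"src": src, "qname": qname, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_FLOWS):
        print("beacon:", b)
    for d in find_dns_tunneling(SAMPLE_DNS):
        print("dns tunneling:", d["src"], d["reasons"])
```

On the constructed data only WS-042 to 203.0.113.10 scores as a beacon (about 60 s apart, jitter CV near 0.04, median 207 bytes out); the browsing host fails both the regularity and the size test, the resolver traffic is skipped by the allowlist, and the three-connection pair is too short to judge. Real beacons add deliberate jitter, so the CV ceiling is a tuning knob rather than a constant, and the allowlist is what keeps patch, NTP and telemetry check-ins from drowning the result.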

Full Attack Timeline Using Malware Indicators

Step 1 — Initial Execution

WINWORD.exe → powershell.exe → dropper.ps1

Step 2 — Payload Download

URL: http://malicious.ru/payload.exe

Step 3 — Malware Runs

beacon.exe executing from C:\Users\Public\

Step 4 — Persistence

HKCU\Run\Updater = beacon.exe

Step 5 — C2 Beaconing

DNS query: checkin.xjwpa.biz
POST /status 204 response

Step 6 — Lateral Movement

4624 LogonType 3 to FILESERVER01

Step 7 — Exfiltration

POST https://file.io/upload SIZE_OUT=6MB

Malware indicators allow SOC analysts to detect the infection at any stage.


Analyst Workflow When Investigating Malware Indicators

  1. Confirm suspicious execution

  2. Correlate with network behavior

  3. Check for persistence entries

  4. Inspect DNS/Proxy logs

  5. Investigate memory indicators

  6. Extract related IOCs

  7. Trace lateral movement

  8. Build timeline

  9. Validate malicious intent

  10. Escalate incident and isolate host

This workflow uncovers almost every modern malware attack.


Intel Dump

  • Malware indicators include execution traces, persistence signs, network behavior, file artifacts, memory anomalies, and data movement patterns.

  • Key examples include encoded PowerShell commands, random DNS domains, outbound C2 traffic, cron persistence, and suspicious file execution paths.

  • Malware indicators appear across Sysmon, Linux logs, proxy, DNS, firewall, EDR, and memory forensics.

  • SIEM queries detect encoded commands, suspicious file paths, C2 beaconing, DNS tunneling, and data exfiltration.

  • Malware indicators expose full attack chains from initial dropper → C2 → persistence → lateral movement → exfiltration.
