Network indicator
Definition
A network-based artefact produced by malware at runtime, such as a DNS query, an IP address contacted, an HTTP request path, a TLS certificate fingerprint, or a User-Agent string. Network indicators from sandbox reports feed directly into threat-intelligence platforms and firewall block-lists.
Related terms
- API hooking: A monitoring technique in which the sandbox intercepts calls the malware makes to operating-system API functions. Each intercepted call is logged with...
- Behavioural analysis: The examination of what a program does at runtime rather than what its code says at rest. Behavioural analysis captures the actual...
- Evasion detection: Malware logic that checks whether the execution environment is a real host or an analysis sandbox. Checks may query hardware identifiers, count...
- MITRE ATT&CK mapping: The process of classifying observed malware behaviours against the MITRE ATT&CK framework's taxonomy of adversary tactics and techniques. Sandbox platforms increasingly produce...
- Sandbox: An isolated execution environment, typically a virtual machine, where a malware sample runs under full instrumentation. The sandbox logs all system calls,...
Explained in
- Dynamic Malware Analysis and Sandbox Environments