A precursor is a sign that a cyber-attack is about to occur on a system or network. An indicator is the actual alerts that are generated as an attack is happening. Therefore, as a security professional, it's important to know where you can find both precursor and indicator sources of information.
The following are common sources of precursor and indicator information:
* Security Information and Event Management (SIEM)
* Anti-virus and anti-spam software
* File integrity checking applications/software
* Logs from various sources (operating systems, devices, and applications)
* People who report a security incident
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Explanation
ROT13 is considered weak encryption and is not used with TLS (HTTPS:443). Source:
https://en.wikipedia.org/wiki/ROT13

User interaction is any event that requires the user to perform an action that enables or facilitates a cyberattack. Opening a malicious file is an example of user interaction, as it can trigger the execution of malicious code or malware that can compromise the system or network. Gaining root access, executing remote code, and reading and writing file permissions are not user interactions, but rather actions that can be performed by an attacker after exploiting a vulnerability or bypassing security controls. Reference: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, More than 99% of cyberattacks rely on human interaction