Indicators of Compromise (IOCs) are forensic evidence left behind during an intrusion, malware infection, or any malicious activity. They help investigators identify what happened, where the attacker moved, what tools were used, and whether systems are still compromised. IOCs are essential for threat detection, incident response, and threat hunting across networks.
This chapter explains the types of IOCs, how they are collected, how attackers try to evade them, and how investigators use IOCs to detect and respond to attacks.
What Are Indicators of Compromise?
IOCs are observable data points that signify malicious activity.
They act as digital footprints of attackers and malware.
Examples include:
-
Malicious IP addresses
-
Suspicious file hashes
-
Abnormal processes
-
Registry modifications
-
Network connections
-
Unauthorized user accounts
IOCs allow security teams to detect attacks early or confirm past compromise.
Categories of IOCs
IOCs fall into multiple types, each providing different investigative value.
1. File-Based IOCs
These indicators relate to files created or modified by malware.
Examples:
-
File names
-
File paths
-
File hashes (MD5/SHA256)
-
Dropped payloads
-
Malicious DLLs
-
Suspicious executables in Temp/AppData
Hash values are extremely reliable IOCs because they uniquely identify a file.
2. Network IOCs
Malware communicates with external systems to receive commands or exfiltrate data.
Examples:
-
Malicious IP addresses
-
Suspicious domain names
-
Unusual URLs
-
C2 (Command-and-Control) servers
-
Beaconing intervals
-
TLS certificate anomalies
-
Unusual ports or protocols
Network IOCs help detect ongoing attacks, especially botnets and RATs.
3. Process & Memory IOCs
Malware often leaves evidence in RAM and process trees.
Examples:
-
Unknown or unsigned processes
-
Processes running from Temp/AppData or /tmp
-
Injected threads
-
Suspicious parent-child chains
-
Reflectively loaded DLLs
-
RWX memory regions
-
Shellcode patterns
Memory IOCs are critical for identifying fileless attacks.
4. Registry & Autostart IOCs (Windows)
Malware modifies the registry to maintain persistence.
Examples:
-
Run / RunOnce keys
-
Malicious services
-
AppInit DLL entries
-
IFEO hijacking
-
WMI subscriptions
These indicators reveal persistence-based attacks.
5. Scheduled Tasks
Unauthorized tasks are strong IOCs.
Examples:
-
Tasks running unknown binaries
-
Hidden or randomized task names
-
Tasks triggering at login or boot
6. User & Authentication IOCs
Attackers often create backdoor accounts or escalate privileges.
Examples:
-
Unauthorized user accounts
-
Abnormal login attempts
-
Login from foreign IP addresses
-
Privilege escalation logs
-
Disabled security policies
Authentication IOCs help detect compromised accounts.
7. Kernel & Rootkit IOCs
Rootkits leave hidden low-level artifacts.
Examples:
-
Unlinked kernel modules
-
Hooked system calls
-
SSDT tampering
-
Unknown kernel drivers
-
Memory regions without backing files
Kernel IOCs indicate deep compromise.
8. Script-Based IOCs
Malware frequently uses scripts like PowerShell or Bash.
Examples:
-
Base64 PowerShell commands
-
Obfuscated JavaScript
-
Malicious VBA macros
-
Python/Node.js droppers
Script IOCs help track phishing and lateral movement attacks.
9. Cloud IOCs
Cloud incidents generate unique indicators.
Examples:
-
Unauthorized API calls
-
Suspicious IAM role usage
-
Unexpected S3 access patterns
-
Abnormal cloud login locations
Cloud-specific IOCs are essential for modern investigations.
Sources of IOCs
Investigators gather IOCs from multiple sources:
-
Sandbox reports
-
SIEM logs
-
Firewall logs
-
Endpoint detection alerts
-
Memory dumps
-
Disk forensics
-
Email headers
-
OS logs (Windows Event Logs, Linux syslogs)
-
Threat intelligence feeds
-
Malware analysis tools
Cross-referencing multiple data sources increases accuracy.
IOC Formats
Industry standards help share IOCs efficiently.
Common formats:
-
STIX
-
TAXII
-
OpenIOC
-
JSON
-
YARA
-
Snort/Suricata rules
These formats enable automated ingestion by security tools.
How Attackers Try to Evade IOCs
Malware authors design payloads to avoid leaving detectable indicators.
Evasion techniques include:
-
Randomized file names
-
Polymorphic payloads
-
Domain Generation Algorithms (DGAs)
-
Fileless execution
-
Encrypted C2 channels
-
Living-off-the-land tools (PowerShell, WMI)
-
Short-lived command-and-control servers
IOCs must be updated constantly because attackers adapt quickly.
High-Value IOCs for Incident Response
The most actionable IOCs include:
-
SHA256 hashes of malware files
-
C2 domain names and IP addresses
-
Persistence paths
-
Registry keys
-
Suspicious services
-
PowerShell command history
-
Network beaconing patterns
-
Memory signatures (shellcode, injected DLLs)
These allow rapid triage and containment.
Using IOCs in Investigations
1. Detection
Scan endpoints, network logs, and SIEM platforms for known IOCs.
2. Containment
Block IPs/domains, isolate hosts, remove persistence.
3. Threat Hunting
Search across large environments for patterns.
4. Attribution
IOCs help link attacks to known malware families or threat actors.
5. Remediation
Use persistence and registry IOCs to clean infected systems.
Intel Dump
-
IOCs are observable artifacts indicating malicious activity: file hashes, IPs, domains, registry keys, processes, scheduled tasks, persistence markers, and memory artifacts.
-
Types include file-based, network, memory, registry, process, boot persistence, cloud, and script-based indicators.
-
IOCs come from logs, sandboxes, malware analysis tools, SIEM data, disk forensics, and memory dumps.
-
Attackers evade detection through polymorphism, DGAs, fileless execution, encryption, obfuscation, and short-lived infrastructure.
-
High-value IOCs help in threat hunting, containment, detection, attribution, and post-incident cleanup across Windows, Linux, macOS, and cloud environments.