Indicators of Compromise (IOCs) are forensic data—such as file hashes, IP addresses, domain names, or unusual network activity—that signal a potential or confirmed security breach within an IT environment. Often described as "digital breadcrumbs," IOCs represent evidence and clues left behind by attackers during operations, revealing what tools were used, how attacks unfolded, and potentially who was behind them.
IOCs as Evidence: IOCs are evaluated after an attack has been contained to better understand the incident's scope, nature, and impact. They answer questions like "Where was the breach?" "What was taken?" and "How extensive is the compromise?"
IOCs vs. IOAs: Indicators of Attack (IOAs) are behavioral patterns and activity sequences that indicate an active, ongoing attack in real time; they are evaluated while the attack is happening and call for immediate containment. Security teams use both IOCs and IOAs for comprehensive threat detection. When security analysts detect an IOA such as lateral movement, they extract the corresponding IOCs (file hashes, IP addresses, registry keys) and use those indicators to hunt throughout their environment.
Top Attack Indicators in H1 2025: The CyberProof Threat Research Team identified specific top attack indicators in H1 2025, including suspicious network traffic patterns, suspicious file executions, unauthorized access attempts, and connections to known malicious IP addresses or domains.
Suspicious IP Addresses: Connections to known command-and-control infrastructure, bulletproof hosting providers, Tor exit nodes, or other high-risk endpoints. Repeated connection attempts from blacklisted IPs indicate compromise or reconnaissance activities.
Malicious Domain Names: Communication with domains recently registered with no prior reputation, known botnet command and control domains, or domains associated with previous attacks.
Unusual Network Traffic Patterns: Abnormal traffic volumes, unexpected protocols, unusual port usage, or unexpected data transfers to external networks that suggest data exfiltration or command-and-control communication. Outbound transfers in significantly higher volumes than usual, or activity originating from unusual network locations, may indicate an attack in progress.
DNS Query Anomalies: Unusual DNS queries to suspicious domains, failed DNS resolution attempts, or patterns consistent with DNS tunneling for exfiltration.
Outbound Connections: Network traffic directed to known malicious IP addresses or suspicious external servers.
File Hashes: Unique digital fingerprints identifying known malware files (MD5, SHA-1, SHA-256). When security teams identify malicious file hashes during analysis, they can proactively blacklist these hashes across their entire infrastructure.
Filenames and File Paths: Unexpected file names characteristic of malware, files in suspicious locations, or files with unusual extensions.
Process Execution Anomalies: Suspicious processes or services running, processes launched from unusual locations, or execution patterns inconsistent with normal operations.
Registry Modifications: Specific Windows registry key changes attackers make for persistence, privilege escalation, or lateral movement.
Unexpected Services or Scheduled Tasks: Unknown services added to system startup, suspicious scheduled tasks configured to run at specific times, or task scheduler entries pointing to malicious scripts.
System Event Log Anomalies: Unusual entries in Windows Event Viewer, failed login attempts, privilege escalation events, or suspicious user account creation.
Multiple Failed Login Attempts: Repeated unsuccessful login attempts from a single user or to a single account, indicative of password guessing or credential harvesting.
Unusual Login Times: Login attempts at unusual hours inconsistent with normal user behavior patterns, particularly from foreign countries or suspicious geographic locations.
Top Malware Families in H1 2025: The top 5 malware families identified in H1 2025 were LummaStealer, RedLine, Amadey, AgentTesla, and XWorm.
Top Abused Remote Management Tools: The top 5 remote management (RMM) tools abused in attacks were ScreenConnect, PDQDeploy, AnyDesk, VNCViewer, and SimpleHelp.
Top Malicious File Extensions: The top 5 malicious file extensions used in H1 2025 included .exe, .js, .mp3/.mp4, and .lnk, demonstrating varied delivery mechanisms.
Top Malicious TLDs: The top 5 malicious Top Level Domains (TLDs) identified in attacks were .top, .shop, .ru, .site, and .icu.
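As an added example (not code from the CyberProof report), the following Python hunt checks constructed log events against the indicator types listed above: known-bad hashes and IPs, domains under the TLDs named above, risky file extensions, and failed-login bursts. The watchlist values, the threshold and the events are constructed for illustration.

```python
import hashlib
from collections import Counter

# Constructed watchlist; in practice these come from threat-intel feeds.
BAD_HASHES = {hashlib.sha256(b"constructed-sample").hexdigest()}
BAD_IPS = {"203.0.113.45"}                         # RFC 5737 documentation range
RISKY_TLDS = {"top", "shop", "ru", "site", "icu"}  # the TLDs named above
RISKY_EXTS = {".exe", ".js", ".lnk"}               # extensions named above
FAILED_LOGIN_THRESHOLD = 5                         # assumed burst threshold
# Constructed events: (timestamp, host, event_type, value)
EVENTS = [
    ("2025-03-01T09:00:00", "ws01", "dns", "update-cdn.example.top"),
    ("2025-03-01T09:00:05", "ws01", "conn", "203.0.113.45"),
    ("2025-03-01T09:00:07", "ws01", "file", "C:\\Users\\a\\Downloads\\invoice.pdf.lnk"),
    ("2025-03-01T09:00:09", "ws01", "hash", hashlib.sha256(b"constructed-sample").hexdigest()),
] + [("2025-03-01T09:01:%02d" % i, "srv02", "auth_fail", "svc_backup") for i in range(6)]

def tld(domain):
    return domain.rsplit(".", 1)[-1].lower()

def match_event(event):
    """Return the indicator labels a single event matches (empty list if none)."""
    _ts, _host, kind, value = event
    hits = []
    if kind == "hash" and value.lower() in BAD_HASHES:
        hits.append("known_malicious_hash")
    if kind == "conn" and value in BAD_IPS:
        hits.append("known_malicious_ip")
    if kind == "dns" and tld(value) in RISKY_TLDS:
        hits.append("risky_tld:" + tld(value))
    if kind == "file":
        ext = "." + value.rsplit(".", 1)[-1].lower() if "." in value else ""
        if ext in RISKY_EXTS:
            hits.append("risky_extension:" + ext)
    return hits

def hunt(events):
    """Map each host to the indicator labels seen there; a failed-login burst
    (>= FAILED_LOGIN_THRESHOLD failures for one account on one host) is added
    as a behavioural indicator."""
    findings, fails = {}, Counter()
    for event in events:
        _ts, host, kind, value = event
        for label in match_event(event):
            findings.setdefault(host, []).append(label)
        if kind == "auth_fail":
            fails[(host, value)] += 1
    for (host, account), n in fails.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.setdefault(host, []).append(f"failed_login_burst:{account}:{n}")
    return findings
```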
Graph Correlation Engines: Graph correlation engines compute relationships between seemingly disparate IOCs, building rich threat intelligence that describes a complete attack campaign rather than discrete events. When security teams identify a malicious domain, a suspicious file hash, and an unexpected service-account session occurring in the same time period, a correlation engine can link them as coordinated attack activity requiring investigation and containment.
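An added example of the correlation idea above, not any vendor's engine: a small union-find clusters constructed observations into campaigns when indicators share a value (the same hash on two hosts) or co-occur on one host within an assumed 10-minute window.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed co-occurrence window

# Constructed observations: (timestamp, host, indicator_type, value)
OBSERVATIONS = [
    ("2025-03-01T09:00:00", "ws01", "domain", "update-cdn.example.top"),
    ("2025-03-01T09:00:09", "ws01", "hash", "constructed-sha256-aaaa"),
    ("2025-03-01T09:04:00", "srv02", "session", "svc_backup"),
    ("2025-03-01T09:05:00", "srv02", "hash", "constructed-sha256-aaaa"),
    ("2025-03-01T15:00:00", "ws07", "domain", "mirror.example.icu"),
]

class UnionFind:
    """Minimal disjoint-set structure; nodes are (indicator_type, value) tuples."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def correlate(observations, window=WINDOW):
    """Link two indicators when they share a value or were seen on the same
    host within `window` of each other; return the resulting clusters, the
    one with the most distinct indicator types first."""
    uf = UnionFind()
    obs = sorted(observations, key=lambda o: datetime.fromisoformat(o[0]))
    for i, (ts_i, host_i, type_i, val_i) in enumerate(obs):
        uf.find((type_i, val_i))  # register the node even if it stays isolated
        for ts_j, host_j, type_j, val_j in obs[i + 1:]:
            close_in_time = datetime.fromisoformat(ts_j) - datetime.fromisoformat(ts_i) <= window
            if val_j == val_i or (host_j == host_i and close_in_time):
                uf.union((type_i, val_i), (type_j, val_j))
    clusters = {}
    for node in list(uf.parent):
        clusters.setdefault(uf.find(node), set()).add(node)
    return sorted(clusters.values(), key=lambda c: -len({t for t, _ in c}))
```

The ws07 domain sits in its own cluster because nothing shares a value or host with it inside the window; the shared hash is what pulls the srv02 session into the ws01 cluster.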
The cyber threat landscape of 2025 represents an unprecedented convergence of sophisticated threat actors, evolving attack vectors, and AI-augmented capabilities. From nation-states targeting critical infrastructure to organized cybercriminals operating as business enterprises, the diversity and sophistication of threats demand a comprehensive understanding of threat actors, their methodologies, and the digital breadcrumbs they leave behind. The Cyber Kill Chain framework gives organizations a systematic understanding of attack progression, while indicators of compromise enable detection and forensic investigation of security incidents in an increasingly hostile threat environment.