VulnTech Indicators of Compromise (IOCs)

Indicators of Compromise are forensic artifacts that reveal the presence of malicious activity in systems, networks, or applications.
They are the data points SOC analysts use to detect, confirm, and investigate breaches.
IOCs are derived from malware analysis, threat intel feeds, attack logs, behavioral observations, and incident investigations.

This chapter explains IOCs in full-scale, ultra-practical SOC depth, with real examples, extraction techniques, SIEM detection methods, and full attack timelines.

What IOCs Actually Are

IOCs are pieces of evidence that indicate malicious activity.
They include identifiers tied to:

Malware
C2 infrastructure
Exploitation attempts
Persistence mechanisms
Credential theft
Insider threats
Ransomware operations

IOCs allow SOC teams to detect attacks early, block threats, and trace incidents across logs.

IOC Categories (Real SOC Breakdown)

1. Network IOCs

Used in firewall, DNS, IDS/IPS, proxy, and NetFlow logs.

Examples:

Malicious IP addresses
Suspicious domains
URL paths used by malware
Outbound connections to strange ports
C2 domains
Tor exit nodes
Newly registered domains

Raw examples:

91.22.113.10 (C2 server)
cdn-malicious.ru/payload.exe
beacon.status-checkin.net

2. File IOCs

Used in Sysmon, EDR, AV logs.

Examples:

Malware file names
File hashes (SHA256, MD5)
Dropped payloads
Modified system files
Malicious DLLs
Unexpected executables in temp folders

Raw examples:

SHA256 = F223911C0C44E33211D9A4B0F9812D...
/tmp/backdoor.py
C:\Users\Public\update.vbs

3. Host-Based IOCs

From endpoint logs like Sysmon, Windows Event logs, Linux logs.

Examples:

Suspicious processes
Parent-child execution chains
Registry modifications
Cron jobs
Service modifications
New user accounts
LSASS access attempts

Raw examples:

powershell.exe -enc ...
useradd hacker
reg add HKCU\...\Run /v backdoor

4. Behavioral IOCs

Patterns that indicate malicious intent even if no signature exists.
These are often more accurate than static indicators.

Examples:

Powershell without profile + encoded commands
Repeated failed logins
Outbound traffic at fixed intervals
DNS queries to random subdomains
Unusual privilege escalation
Processes spawning from Office documents

Example:

WINWORD.exe → powershell.exe → curl payload

5. Email IOCs

Used in phishing detection.

Examples:

Malicious sender addresses
Suspicious attachments
Phishing URLs
SPF/DKIM failures

Raw examples:

attachment: invoice_12345.zip
from: "Microsoft Support" <random@outlook-bad.com>

IOC Sources (Where SOC Gets Them)

IOCs come from:

Threat intel platforms (MISP, Anomali, Recorded Future)
Malware analysis (sandbox results)
VirusTotal
Suricata signatures
EDR alerts
SOC investigations
Security blogs
CERT advisories
MITRE ATT&CK mappings
Digital forensics reports

IOCs are shared across SOC teams and SIEM.

IOC Structure (What an IOC Contains)

IOCs typically include:

Indicator type (IP, domain, hash, etc.)
Confidence level
First seen / last seen
Threat family
Category (malware, phishing, C2, spam)
Associated TTPs
Recommended actions

SOC analysts must evaluate and enrich every IOC before acting.

Practical IOC Examples by Category

Network IOC (Firewall Example)

SRC=10.0.0.5 DST=91.22.113.10 DPT=443

File IOC (Sysmon Example)

EventID=1
Image=C:\Users\Public\beacon.exe
Hash=EE23A91C...

DNS IOC

query: status-checkin.xysjwp.biz

Proxy IOC

URL=http://malicious.ru/payload.exe

Host IOC

powershell.exe -nop -w hidden -enc JAB...

Email IOC

From: mg-support@office365-login.com

How SOC Uses IOCs

Detection

SIEM rules match logs against IOC lists.

Threat Hunting

Analysts search for historical IOC occurrences.

Incident Response

IOCs correlate with endpoint/network activity.

Blocking

Firewall/EDR/Proxy rules block IOC destinations.

Attribution

Identify malware family or attacker group.

IOC Validation (Critical SOC Step)

Before using an IOC, analysts check:

False positives
Domain age
IP reputation
Context
Associated behaviors
Whether IOC is still active

Not all IOCs are actionable.

SIEM Queries for IOC Detection

Search for malicious IPs

dest_ip IN threat_intel.ip_list

Search for suspicious domains

domain IN threat_intel.domains

Search for file hashes

file.hash IN threat_intel.hashes

Search for malware file names

TargetFileName:*backdoor*

Search for command patterns

CommandLine:*enc* AND Image:*powershell.exe*

Full Attack Timeline Using IOCs

Step 1 — User Opens Phishing Email

IOC:

URL=login-office-secure-check.com

Step 2 — Malware Dropped

IOC (hash):

beacon.exe SHA256=F23A...01

Step 3 — C2 Domain

IOC:

status-checkin.xjwpqz.net

Step 4 — Outbound C2 Communication

Firewall:

DST=91.22.113.10 DPT=443

Step 5 — Persistence

Host IOC:

HKCU\Software\Microsoft\Windows\Run\backdoor

Step 6 — Data Exfiltration

IOC:

POST https://file.io/upload

The entire breach is mapped through IOC-based detection.

Analyst Workflow With IOCs

Ingest IOCs into SIEM
Enrich IOCs with threat intel
Search historical logs
Look for matching events
Validate alerts
Correlate matches with endpoint/network logs
Confirm malicious behavior
Take remediation action
Add new IOCs discovered to threat intel

This is the everyday work of a SOC analyst.

Intel Dump

IOCs are data points that indicate compromise across network, endpoint, email, and OS logs.
Categories include network IOCs, file hashes, domains, URLs, host behavior, and email indicators.
Raw examples include malicious IPs, random domains, encoded PowerShell commands, suspicious files, and phishing URLs.
SOC analysts use IOCs for detection, hunting, enrichment, blocking, and investigation.
SIEM queries match IOCs against logs to detect malicious activity.
IOCs map entire attack chains from phishing → malware → C2 → persistence → exfiltration.