Security Operations Glossary

IOC (Indicator of Compromise)

Indicators of Compromise (IOCs) are forensic artifacts or observations within a system or network that indicate past or ongoing compromise—such as known malware hashes, suspicious IP addresses, or unusual registry entries.

Indicators of Compromise (IOCs) are the digital traces an attacker leaves behind during their activities. They enable security teams to confirm a compromise, assess its scope, and identify affected systems.

Types of IOCs

Network IOCs:

  • IP addresses of known C2 (Command & Control) servers
  • Domains (malware domains, fast-flux DNS)
  • URLs (phishing sites, malware download sources)
  • Network traffic patterns (unusual protocols, unusual destinations)

Host IOCs:

  • File hashes (MD5, SHA-1, SHA-256 of known malware)
  • File names and paths
  • Registry keys and values
  • Process names and hierarchies
  • Mutex names (used by malware to prevent duplicate installations)

Account IOCs:

  • Unusual logins (unknown geolocation, time, user agent)
  • New local administrator accounts
  • Password changes for privileged accounts
  • Kerberos ticket anomalies
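To show how the three IOC categories above are actually consumed, here is an added example (not part of this glossary entry or any vendor product) that matches a small IOC set against log lines. The IOC values, hostnames and log lines are all constructed for illustration: the IP is from a documentation range, the domain uses the reserved .invalid TLD, and the hash is computed from a placeholder string. The log format (space-separated key=value pairs) and the use of Windows event 4732 (member added to a local security group) as the "new local administrator" signal are assumptions for the example.

```python
"""Added example: match constructed IOCs against constructed log lines.

Not part of the original glossary entry. Every indicator and log line below
is constructed; none refers to real infrastructure or real malware.
"""
import hashlib
import re

# Placeholder file hash, computed here so the example is self-contained.
SAMPLE_HASH = hashlib.sha256(b"constructed malware sample").hexdigest()

# Constructed IOC set, grouped like the glossary's categories (network / host).
# Account IOCs are behavioural, so they are matched by rule below, not by value.
IOCS = {
    "network/ip": {"203.0.113.10"},              # TEST-NET-3 documentation range
    "network/domain": {"update.example.invalid"},  # reserved .invalid TLD
    "host/sha256": {SAMPLE_HASH},
    "host/mutex": {"Global\\ConstructedMutex42"},
}

# Constructed log lines in an assumed "key=value" format (not a real product's format).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw01 event=conn src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2024-05-01T10:00:02Z dns01 event=query src=10.0.0.5 qname=update.example.invalid.",
    f"2024-05-01T10:00:03Z ws07 event=filecreate path=C:\\Users\\Public\\svc.exe sha256={SAMPLE_HASH.upper()}",
    "2024-05-01T10:00:04Z ws07 event=mutex name=Global\\ConstructedMutex42",
    "2024-05-01T10:00:05Z dc01 event=4732 group=Administrators member=helpdesk-svc subject=jdoe",
    "2024-05-01T10:00:06Z dc01 event=4624 user=jdoe src=10.0.0.5 logon_type=10",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split one log line into a dict of its key=value fields."""
    return dict(KV.findall(line))


def match_line(line, iocs=IOCS):
    """Return (category, indicator) pairs for every IOC present in one log line."""
    fields = parse(line)
    hits = []
    # Network IOCs: source/destination address and queried domain name.
    for key in ("dst", "src"):
        if fields.get(key) in iocs["network/ip"]:
            hits.append(("network/ip", fields[key]))
    qname = fields.get("qname", "").rstrip(".").lower()   # normalise trailing dot and case
    if qname in iocs["network/domain"]:
        hits.append(("network/domain", qname))
    # Host IOCs: file hash (hashes are compared case-insensitively) and mutex name.
    digest = fields.get("sha256", "").lower()
    if digest in iocs["host/sha256"]:
        hits.append(("host/sha256", digest))
    if fields.get("event") == "mutex" and fields.get("name") in iocs["host/mutex"]:
        hits.append(("host/mutex", fields["name"]))
    # Account IOC: a principal added to the local Administrators group (Windows event 4732).
    if fields.get("event") == "4732" and fields.get("group") == "Administrators":
        hits.append(("account/new_local_admin", fields.get("member", "?")))
    return hits


def scan_logs(lines, iocs=IOCS):
    """Scan all lines; return (line_number, category, indicator) for each hit."""
    return [(n, cat, ind) for n, line in enumerate(lines, 1)
            for cat, ind in match_line(line, iocs)]


if __name__ == "__main__":
    for n, category, indicator in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {category} -> {indicator}")
```

The normalisation steps (trailing dot on DNS names, hash case) matter in practice: a feed that lists lowercase hashes silently misses uppercase logging if the comparison is exact. Note also that the last line, a normal interactive logon, produces no hit: a value-based IOC list says nothing about activity that uses no known indicator, which is the gap the IOC vs. TTP section below describes.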

IOC vs. TTP

IOCs are reactive: they show what happened. TTPs (Tactics, Techniques, and Procedures) from the MITRE ATT&CK Framework are more preventive: they describe how attackers operate, independent of specific IOCs. IOCs change with every campaign; TTPs remain relatively stable.

IOC Sharing

Threat intelligence feeds (e.g., MISP, OpenCTI, AlienVault OTX) enable the sharing of IOCs between organizations. The BSI CERT-Bund operates a national IOC feed for German KRITIS operators.

IOCs are exchanged in standardized formats: STIX 2.1 (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Intelligence Information).
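As an added example of the STIX 2.1 format mentioned above (not code from this glossary, from MISP/OpenCTI, or from the official stix2 library), the following builds minimal STIX 2.1 Indicator objects in plain dictionaries, wraps them in a Bundle, and then extracts the observable values back out of the STIX patterns so they can feed a matcher. It deliberately avoids the stix2 package so it runs offline; the indicator values are constructed placeholders, and the pattern extractor only handles equality comparisons, which is an assumption that covers the IOC types listed on this page but not the full STIX pattern grammar.

```python
"""Added example: build and read STIX 2.1 Indicator objects without the stix2 library.

Not part of the original glossary entry. All indicator values are constructed.
"""
import hashlib
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 timestamps are RFC 3339 in UTC; millisecond precision is fine.
STIX_TS = "%Y-%m-%dT%H:%M:%S.000Z"
SAMPLE_HASH = hashlib.sha256(b"constructed malware sample").hexdigest()  # placeholder


def stix_now():
    return datetime.now(timezone.utc).strftime(STIX_TS)


def make_indicator(name, pattern, indicator_types=("malicious-activity",), created=None):
    """Build a minimal STIX 2.1 Indicator SDO carrying a STIX-language pattern.

    'pattern_type' and 'valid_from' are required in 2.1; the id is 'indicator--' + UUIDv4.
    """
    ts = created or stix_now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": list(indicator_types),
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects):
    """Wrap SDOs in a STIX 2.1 Bundle (bundles carry no spec_version in 2.1)."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def to_json(bundle):
    """Serialise for exchange, e.g. as the body of a TAXII 2.1 collection POST."""
    return json.dumps(bundle, indent=2)


# One equality comparison inside a STIX pattern, e.g.  ipv4-addr:value = '203.0.113.10'
# The object path may contain a quoted key, as in  file:hashes.'SHA-256'
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def extract_observables(bundle):
    """Flatten a bundle's indicators into {object path: set of values}.

    Assumption for this example: only '=' comparisons are handled. MATCHES, LIKE,
    IN, ranges and observation operators (FOLLOWEDBY, WITHIN) are ignored.
    """
    found = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for path, value in COMPARISON.findall(obj["pattern"]):
            found.setdefault(path, set()).add(value)
    return found


def sample_bundle():
    """Constructed bundle covering a network IOC (IP, domain) and a host IOC (hash)."""
    ts = "2024-05-01T10:00:00.000Z"
    return make_bundle([
        make_indicator("C2 server (constructed)",
                       "[ipv4-addr:value = '203.0.113.10']", created=ts),
        make_indicator("Malware domain (constructed)",
                       "[domain-name:value = 'update.example.invalid']", created=ts),
        make_indicator("Dropper (constructed)",
                       f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}' AND file:name = 'svc.exe']",
                       created=ts),
    ])


if __name__ == "__main__":
    bundle = sample_bundle()
    print(to_json(bundle))
    for path, values in extract_observables(bundle).items():
        print(path, "->", sorted(values))
```

The third indicator shows why a pattern is more than a bare value: `AND` inside one observation expression means both properties must hold on the same file object, so a consumer that flattens patterns into per-value lists (as `extract_observables` does) widens the match and should treat the result as candidates for review rather than confirmed compromise. STIX also carries `valid_from`/`valid_until` and `modified`, which is how feeds retire the campaign-specific IOCs that, as the IOC vs. TTP section notes, go stale quickly.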