An Indicator of Compromise (IOC) is any piece of digital evidence that identifies potentially malicious activity on a system or network. Examples include unusual network traffic, unexpected files, registry changes, or malicious IPs/domains.
Think of it like a criminal's fingerprint at a crime scene. Security professionals and systems use these fingerprints to detect, investigate, and respond to security incidents.
IOCs are the evidence that a system has been infiltrated or attacked.
IOC Categories
File-Based IOCs:
- Hash Values (MD5, SHA-1, SHA-256): A hash is a unique digital fingerprint of a file. If a file has been altered (e.g., infected or modified), its hash will change.
- File Names: Malware often mimics legitimate file names but is found in suspicious locations. A well-known system binary name appearing in an unexpected location (e.g., svchost.exe in a user's temp folder) is suspicious.
- File Sizes: Unusual file sizes for specific system files. Malicious files sometimes imitate system binaries but have abnormal sizes.
Detection Method: file hash checks, integrity monitoring.
Tools used for detection: sha256sum, VirusTotal, PowerShell.
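The three file-based checks above (known-bad hash, legitimate name in the wrong directory, abnormal size) as a small Python checker. This is an added example, not code from the original post; the "known bad" hash, the expected directories for svchost.exe and the size window are constructed placeholders, not real threat intelligence or authoritative values.

```python
import hashlib
from pathlib import PureWindowsPath

# --- Constructed sample threat intel (placeholders for this example only) ---
# A byte string standing in for a known-bad dropper; its SHA-256 becomes the
# "known bad hash" so the example is self-consistent without real malware.
SAMPLE_MALICIOUS_CONTENT = b"MZ constructed dropper sample (not real malware)\n"
KNOWN_BAD_SHA256 = {
    hashlib.sha256(SAMPLE_MALICIOUS_CONTENT).hexdigest(): "constructed-dropper",
}

# Windows binaries that malware commonly impersonates, mapped to the
# directories where the genuine copy lives (lowercased for comparison).
EXPECTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Plausible size window for the genuine binary, in bytes. These bounds are
# constructed for the example; a real deployment would take them from a
# golden image or a file-integrity baseline.
EXPECTED_SIZE_RANGE = {
    "svchost.exe": (40_000, 100_000),
}


def sha256_of_file(path: str) -> str:
    """Hash a file on disk in chunks (what `sha256sum <path>` does)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def assess_file(win_path: str, data: bytes) -> list:
    """Return (indicator_kind, detail) findings for one file.

    win_path is the Windows-style path recorded by the endpoint; data is the
    file's contents. Three file-based IOC checks are applied: hash match,
    known name in an unexpected location, and abnormal size.
    """
    findings = []
    p = PureWindowsPath(win_path)
    name = p.name.lower()
    parent = str(p.parent).lower()

    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        findings.append(("known_bad_hash", f"{digest} -> {KNOWN_BAD_SHA256[digest]}"))

    if name in EXPECTED_LOCATIONS and parent not in EXPECTED_LOCATIONS[name]:
        findings.append(("unexpected_location", f"{name} found in {parent}"))

    if name in EXPECTED_SIZE_RANGE:
        lo, hi = EXPECTED_SIZE_RANGE[name]
        if not lo <= len(data) <= hi:
            findings.append(("abnormal_size", f"{name} is {len(data)} bytes, expected {lo}-{hi}"))

    return findings


if __name__ == "__main__":
    # Constructed endpoint inventory: path -> file contents.
    inventory = {
        r"C:\Windows\System32\svchost.exe": b"\x00" * 55_000,
        r"C:\Users\bob\AppData\Local\Temp\svchost.exe": SAMPLE_MALICIOUS_CONTENT,
    }
    for path, content in inventory.items():
        for kind, detail in assess_file(path, content):
            print(f"[{kind}] {path}: {detail}")
```

The genuine System32 copy produces no findings, while the copy in the temp folder trips all three checks. In practice the hash check alone is brittle (one byte changed defeats it), which is why the location and size checks are kept alongside it.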
Network-Based IOCs:
- Malicious IP Addresses: If your computer (your "house") is caught sending data to or receiving data from a known "criminal hideout" (the malicious IP), it's a huge red flag: your computer is communicating with the enemy. Example: an IP address in a foreign country that is known to be a "Command and Control" (C&C) server for malware.
- Malicious Domain Names: Even if the criminals move their servers to a new "street address" (a new IP), they often keep the same "business name" (domain). Security systems block these known bad domain names. Example: URLs or domains used for phishing, malware distribution, or C&C communication, such as a domain that looks almost identical to your bank's website (e.g., paypa1.com instead of paypal.com) used for phishing.
- Suspicious URL Patterns: Specific, suspicious web addresses. Sometimes the main "business" (domain) looks legitimate, but a specific page or file on it is malicious. Security tools look for these specific, suspicious paths. Example: a link in a phishing email that points to legit-website.com/images/this-is-a-trap.scr.
Detection Method: firewall, DNS, and proxy logs.
Tools used for detection: AbuseIPDB, VirusTotal (domains), URLScan.io; proxy logs searched for patterns.
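The network-based checks above, run over a few proxy log lines. This is an added example, not the original post's material: the log format (timestamp, client IP, destination IP, method, URL), the blocklisted IP and domain, and the "protected brand" list are all constructed for the example. It goes one step beyond the post by catching the paypa1.com lookalike without a blocklist entry, via digit-for-letter normalization.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# --- Constructed blocklists (placeholders, not real threat intelligence) ---
MALICIOUS_IPS = {"203.0.113.45"}              # documentation-range IP standing in for a C&C server
MALICIOUS_DOMAINS = {"update-check.example"}  # constructed C&C domain
PROTECTED_BRANDS = {"paypal.com"}             # domains users legitimately visit

# Digit-for-letter swaps commonly used to build lookalike domains.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
# Executable content served from paths that look like static assets.
RISKY_EXTENSIONS = (".scr", ".exe", ".hta", ".vbs", ".js")

# Constructed proxy log lines: timestamp, client IP, destination IP, method, URL.
LOG_LINES = [
    "2024-05-01T10:15:02Z 10.0.0.5 198.51.100.7 GET https://www.example.org/index.html",
    "2024-05-01T10:15:09Z 10.0.0.5 203.0.113.45 POST http://update-check.example/beacon",
    "2024-05-01T10:16:40Z 10.0.0.8 198.51.100.20 GET https://paypa1.com/signin",
    "2024-05-01T10:17:03Z 10.0.0.9 198.51.100.31 GET https://legit-website.com/images/this-is-a-trap.scr",
]


def normalize_host(host: str) -> str:
    """Lowercase, strip a trailing dot, and undo common digit-for-letter swaps."""
    return host.lower().rstrip(".").translate(HOMOGLYPHS)


def lookalike_of(host: str) -> Optional[str]:
    """Return the protected brand a host imitates, or None if it is not a lookalike."""
    norm = normalize_host(host)
    for brand in PROTECTED_BRANDS:
        if norm == brand and host.lower().rstrip(".") != brand:
            return brand
    return None


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed-format proxy line; return None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, method, url = parts
    try:
        ipaddress.ip_address(dst)  # reject garbage in the destination field
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "method": method, "url": url}


def assess_line(line: str) -> list:
    """Apply the network IOC checks to one log line; return (kind, detail) findings."""
    rec = parse_line(line)
    if rec is None:
        return [("unparsable", line)]
    findings = []
    if rec["dst"] in MALICIOUS_IPS:
        findings.append(("malicious_ip", rec["dst"]))
    url = urlsplit(rec["url"])
    host = (url.hostname or "").lower()
    if host in MALICIOUS_DOMAINS:
        findings.append(("malicious_domain", host))
    brand = lookalike_of(host)
    if brand:
        findings.append(("lookalike_domain", f"{host} imitates {brand}"))
    if url.path.lower().endswith(RISKY_EXTENSIONS):
        findings.append(("suspicious_url", rec["url"]))
    return findings


if __name__ == "__main__":
    for line in LOG_LINES:
        for kind, detail in assess_line(line):
            print(f"[{kind}] client {line.split()[1]} -> {detail}")
```

Malformed lines are reported rather than silently dropped, since a parser that skips what it cannot read is a common blind spot in log-based detection.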
Host-Based IOCs:
- Registry Keys: Unusual entries in the Windows Registry created by malware for persistence.
- Artifacts in Memory (RAM): Specific code patterns or behaviors observed in a computer's memory. Example: Fileless malware may exist only in memory, leaving no file artifacts.
- Unusual Processes: Strange or hidden processes running on a system.
Detection Method: manual inspection, Autoruns.
Tools used for detection: Sysinternals suite (e.g., Autoruns).
Behavioral IOCs:
- Unusual Outbound Network Traffic: A computer communicating with a server in a foreign country for no reason.
- Log-in Anomalies: Failed log-in attempts from geographically impossible locations (e.g., a user logging in from New York and then from London 10 minutes later).
- Large Volume of Database Read Requests: Could indicate data exfiltration.
Detection Method: SIEM correlation.
Tools used for detection: Splunk.
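The log-in anomaly described above (New York, then London ten minutes later) as an "impossible travel" rule of the kind a SIEM correlation search implements. This is an added example, not from the original post or any SIEM vendor: the login events, their geolocation coordinates and the 900 km/h plausibility threshold are constructed for the example.

```python
from datetime import datetime, timezone
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # roughly airliner cruise speed; tune per environment

# Constructed, already-geolocated login events (no real users or addresses).
LOGINS = [
    {"user": "alice", "ts": "2024-05-01T14:00:00Z", "city": "New York",
     "lat": 40.7128, "lon": -74.0060, "success": True},
    {"user": "alice", "ts": "2024-05-01T14:10:00Z", "city": "London",
     "lat": 51.5074, "lon": -0.1278, "success": False},
    {"user": "bob", "ts": "2024-05-01T14:00:00Z", "city": "Chicago",
     "lat": 41.8781, "lon": -87.6298, "success": True},
    {"user": "bob", "ts": "2024-05-01T17:00:00Z", "city": "New York",
     "lat": 40.7128, "lon": -74.0060, "success": True},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_ts(s):
    """Parse the constructed ISO-8601 UTC timestamp format used in LOGINS."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive logins per user that would require implausible travel speed.

    Failed attempts are included on purpose: a remote attacker probing an
    account is exactly the case this rule should surface.
    """
    alerts = []
    ordered = sorted(logins, key=lambda e: (e["user"], parse_ts(e["ts"])))
    for user, events in groupby(ordered, key=lambda e: e["user"]):
        events = list(events)
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            if hours == 0:
                # Same-second logins from different places: treat as infinite speed.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": prev["city"],
                    "to": cur["city"],
                    "distance_km": round(dist, 1),
                    "minutes": round(hours * 60),
                    "speed_kmh": round(speed),
                    "second_login_succeeded": cur["success"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(LOGINS):
        print(f"[impossible_travel] {alert}")
```

Alice's pair is flagged (about 5,570 km in 10 minutes), while Bob's Chicago-to-New York trip over three hours is well under the threshold. Real deployments add a distance floor and trusted-network exceptions to keep VPN egress points and mobile carrier geolocation from generating false positives.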