Lecture 10: Common Indicators of Compromise
Common Indicators of Compromise (IoCs)

1. What Are Indicators of Compromise (IoCs)?

Indicators of Compromise (IoCs) are pieces of forensic evidence that suggest a system or network has been breached. IoCs help cybersecurity professionals detect threats early and respond effectively by identifying malicious activities, files, or patterns in network traffic.
2. How to Use IoCs for Early Threat Detection

Integrating IoCs into Security Systems:
• IoCs are often integrated into security tools like Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM) platforms, or Endpoint Detection and Response (EDR) systems.
• Examples:

Monitoring Network Traffic:
• Use IoCs to create filters or detection rules in tools like Wireshark or Zeek.
• Example:
IOA vs IOC

Indicator of Attack (IOA): Identified as the event or process is known to be active and occurring. Focused upon attribution and intent of threat actors.

Indicator of Compromise (IOC): Provides information about adversaries after an event has occurred. Reactive incident response indicator used for detection of threats.
What does an IOC reveal?

An IOC can reveal:
• Tactics, Techniques and Procedures (TTPs) used during a cyberattack
• Severity of the event
• Where to focus incident response and mitigation
• Who the threat actors are
What Are Indicators of Compromise (IoCs)?
• A car dashboard provides real-time performance measures and safety indicator signals.
• Like mechanics, incident responders use indicators to diagnose potential problems and determine how or why they occurred.
What Are Indicators of Compromise (IoCs)?
• As per NIST 800-53, IOCs are forensic artifacts (produced evidence) from intrusions identified on organizational systems at the host or network level
• Digital forensics is the application of scientific investigatory techniques to digital crimes and attacks.
• The Locard Principle: "Every contact leaves a trace"
• An IOC is the trace of the threat actor
Uses of IOC

IOCs are a key source for:
• Identification of an Advanced Persistent Threat (APT) actor or group
• Indicating something is wrong on the network
• Forensic identification of crime or attack
• Understanding how a compromise occurred
• Testing your system or network for vulnerabilities
Quiz
IOCs are defined as: reactive incident response indicators used for detection of threats in your network.
Which of the following is an example of an IOC?
A. A report on a series of incorrect login attempts after normal business hours
B. A phishing email
C. A malicious IP address
D. Denial of Service

Quiz
The "Locard" principle is an example of:
A. Every contact leaves a trace
B. Measurement of the severity of an attack
C. Digital Forensic science
D. Testing your network for vulnerabilities
CHIRP

CISA Hunt and Incident Response Program (CHIRP)
• Forensics collection tool
• Developed by CISA
• Helps network defenders find IOCs associated with activity detailed in:
  • AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
  • AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
• Similar to Sparrow, which scans for signs of APT compromise within an M365 or Azure environment, CHIRP scans for signs of APT compromise within an on-premises environment.

The MITRE ATT&CK Framework
The MITRE ATT&CK Framework consists of adversarial techniques that can be correlated to the Tactics, Techniques, and Procedures (TTPs) employed by the APT groups.
• A collection of multiple IOCs that allow analysts to identify which perpetrators may be involved
• IOCs correlate to techniques in the framework, which are mapped to known APTs based on the capabilities employed
• To strengthen security, organizations can use these techniques to simulate the threat actor and identify vulnerabilities in their network
• Based on IOC findings, defenders can create and apply signatures to their Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) to identify or prevent future threat activity.
Case Studies

The following section provides case studies of MITRE ATT&CK identified APT groups:
• China (APT 12) "Numbered Panda"
• Iran (APT 33) "Elfin"
• Russia (APT 28) "Fancy Bear"

China "Numbered Panda"
• Group ID: G0005 (MITRE ATT&CK)
• Associated Group Descriptions: Numbered Panda, IXESHE, DynCalc, and DNSCALC
APT-33 Iran (Elfin)

Description
• A suspected Iranian threat group that targeted organizations across multiple industries in the US, Saudi Arabia, and South Korea, notably in the aviation and energy sectors
• Group ID: G0064 (MITRE ATT&CK)
• Associated Group Descriptions: Elfin, HOLMIUM

MITRE Framework Tactics
• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defense Evasion

MITRE Framework Tools and Techniques
• A dropper program (written in Farsi) to deploy a wiper application that installs a backdoor
• Spearphishing emails
• Impersonates commercial entities (e.g., Boeing and Northrop Grumman) through registered web domains

IOCs
• Current IOC profile denotes focus on the human element of the target enterprise: gaining access with social engineering, obtaining command and control, moving laterally and escalating privileges as needed to eventually exfil data.
APT-28 Russia (Fancy Bear)

Description
• This Russian-attributed threat group targeted the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign in 2016 to interfere with the U.S. presidential election
• Group ID: G0007 (MITRE ATT&CK)
• Associated Group Descriptions: Fancy Bear, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, STRONTIUM, Tsar Team, Threat Group-4127, and TG-4127

MITRE Framework Tactics
• All Enterprise tactics

MITRE Framework Tools and Techniques
• Spear phishing emails with zero-day vulnerabilities
• Consistently updating malware since 2007
• Periodically wipe log events and reset timestamps to avoid forensic analysis of their hacks

IOCs
• Current IOC profile denotes focus on the human element of the target enterprise to gain access, but leverages a multitude of TTPs throughout the lifecycle to achieve intended objective(s).
APT-12 China "Numbered Panda"

Description
• A China-attributed threat group that targets media outlets, tech companies and multiple governments

MITRE Framework Tactics
• Initial Access
• Execution
• Command and Control

MITRE Framework Tools and Techniques
• Variations of DNS calculation
• Phishing
• User execution/malicious files
• Web service bidirectional communication

IOCs
• Current IOC profile denotes focus on the human element of the target enterprise, gaining access with social engineering and obtaining command and control.
Creating Custom Detection Rules:
Organizations can customize detection rules based on IoCs relevant to their industry or network environment.
• Example: Detect anomalies in file access, unusual DNS queries, or unauthorized outbound connections.

Correlating IoCs Across Data Sources:
Correlate IoCs with network traffic, system logs, and user activities to confirm compromise.
• Example: If a known malicious hash matches a downloaded file, check logs to identify the user's actions leading to the download.

Using Threat Intelligence Feeds:
Regularly update IoCs by subscribing to threat intelligence platforms like AlienVault OTX, IBM X-Force, or VirusTotal.
• Example: Feed updated malicious IP addresses into your firewall to block threats proactively.
Quiz
Spearphishing is an example of which tactic?
A. Command and Control
B. Initial Access
C. Man in the Middle Attacks
D. Damage of Property

Quiz
The purpose of the CHIRP tool is to:
A. Scan for signs of APT compromise within an on-premises environment
B. Scan for APT activity within Microsoft 365/Azure environments
C. Alert you of an incident in progress in your network
D. Identify the motive of an APT group

Quiz
You can use the MITRE ATT&CK Framework to:
A. Identify vulnerabilities in your network
B. Diagnose the severity of a network compromise
C. Scan your network for potential vulnerabilities
D. Identify TTPs employed by nation states
3. Examples of Known IoCs

IoCs can be classified into several types based on the data they provide:

File-Based IoCs:
• Malicious file hashes (MD5, SHA256) detected in files on a system.
• Examples:
  • MD5 hash of ransomware: d41d8cd98f00b204e9800998ecf8427e
  • SHA256 hash of a Trojan: 6d2a3f283c6a7dca7f0934aef8b9eae8b3bf0e3c5f7c68bf7e8d8e5b1c6ed2cd

Network-Based IoCs:
• Indicators found in network traffic, such as malicious IPs, domains, or unusual port usage.
• Examples:
  • Malicious IP: 192.0.2.1 flagged in threat intelligence.
  • Suspicious domain: malicious-updates.com.
  • Abnormal DNS queries: Long or randomized subdomains (xyz123.example.com).
Email-Based IoCs:
• Indicators found in phishing or spam emails.
• Examples:
  • Suspicious sender address: support@fakebanking.com.
  • Malicious attachments: Files named invoice.zip or update.docm.
  • URLs: Shortened or suspicious links (bit.ly/malware).

Behavioral IoCs:
• Indicators of unusual activity on systems or networks.
• Examples:
  • Multiple failed login attempts followed by a successful login (brute force attack).
  • Unusual traffic patterns, such as high volumes of outbound data during non-business hours.

Registry and System IoCs:
• Modifications to system settings or files.
• Examples:
  • Unauthorized changes to Windows Registry keys.
  • Presence of unexpected or known malicious processes (notepad.exe communicating with external IPs).
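The behavioral IoC "multiple failed logins followed by a successful login" is a pattern rather than a static value, so it needs stateful detection logic. The following is an added example, not from the lecture: the authentication log is constructed, and the threshold, window and business-hours range are assumed tuning values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log: "<utc-time> <host> <result> user=<u> src=<ip>".
AUTH_LOG = """\
2024-05-02T02:14:01Z vpn-gw FAILED user=svc_backup src=203.0.113.7
2024-05-02T02:14:04Z vpn-gw FAILED user=svc_backup src=203.0.113.7
2024-05-02T02:14:07Z vpn-gw FAILED user=svc_backup src=203.0.113.7
2024-05-02T02:14:11Z vpn-gw FAILED user=svc_backup src=203.0.113.7
2024-05-02T02:14:15Z vpn-gw FAILED user=svc_backup src=203.0.113.7
2024-05-02T02:14:23Z vpn-gw ACCEPTED user=svc_backup src=203.0.113.7
2024-05-02T08:30:00Z vpn-gw FAILED user=alice src=198.51.100.4
2024-05-02T08:30:09Z vpn-gw ACCEPTED user=alice src=198.51.100.4
2024-05-02T11:00:00Z vpn-gw FAILED user=bob src=198.51.100.9
2024-05-02T11:20:00Z vpn-gw FAILED user=bob src=198.51.100.9
2024-05-02T11:21:00Z vpn-gw ACCEPTED user=bob src=198.51.100.9
"""

def parse_auth(line):
    ts, _host, result, user_kv, src_kv = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def detect_brute_force(log=AUTH_LOG, threshold=5, window=timedelta(minutes=5),
                       business_hours=range(8, 18)):
    """Alert when a success is preceded by >= threshold failures for the same
    user/source within the sliding window; also mark off-hours successes."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log.splitlines():
        t, result, user, src = parse_auth(line)
        q = recent[(user, src)]
        while q and t - q[0] > window:    # expire failures older than the window
            q.popleft()
        if result == "FAILED":
            q.append(t)
        elif result == "ACCEPTED":
            if len(q) >= threshold:
                alerts.append({"user": user, "src": src, "failures": len(q),
                               "success_at": t,
                               "off_hours": t.hour not in business_hours})
            q.clear()                     # a success ends the current sequence
    return alerts
```

A single typo before a login (alice) and two widely spaced failures (bob) fall under the threshold or age out of the window, so only the service-account login after five rapid failures is reported.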
4. Using IoCs in Real-World Scenarios

Example 1: Malware Infection Detection
• IoCs:
  • File hash of a known malware variant matches a recently downloaded file.
  • Outbound traffic to malicious-c2.com.
• Action:
  • Isolate the affected device.
  • Block traffic to the C2 domain.
  • Remove the malicious file and review user activity leading to the download.

Example 2: Data Exfiltration Detection
• IoCs:
  • Large outbound traffic volumes to an unknown IP during off-hours.
  • DNS queries to suspicious domains with encoded data.
• Action:
  • Identify and isolate the compromised system.
  • Analyze logs for sensitive file access during the event.
  • Block the external IP and review internal access controls.

Example 3: Phishing Campaign Detection
• IoCs:
  • Emails containing links to phishingsite.fakebank.com.
  • Attachments with macros triggering outbound connections to attacker-server.com.
• Action:
  • Flag and quarantine emails containing IoCs.
  • Educate users to avoid clicking on similar links.
  • Analyze affected systems for further compromise.
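Example 2's "DNS queries to suspicious domains with encoded data" (and the "long or randomized subdomains" IoC from section 3) can be detected without a domain blocklist by looking at the queried labels themselves. This added example is not part of the lecture: the DNS log is constructed, the registered-domain helper is deliberately simplified, and the length, entropy and count thresholds are assumed tuning values.

```python
import math
from collections import defaultdict

# Constructed DNS query log: "<utc-time> <client-ip> <qname>". The first labels
# under attacker-server.com are base32-looking blobs, as DNS tunnelling produces.
DNS_LOG = """\
2024-05-02T01:02:03Z 10.0.5.21 www.example.com
2024-05-02T01:02:05Z 10.0.5.21 mail.example.com
2024-05-02T01:02:07Z 10.0.5.21 mfrggzdfmztwq2lk.attacker-server.com
2024-05-02T01:02:08Z 10.0.5.21 nbswy3dpfqqho33snrsc4y3pnu.attacker-server.com
2024-05-02T01:02:09Z 10.0.5.21 kbwwy3dpebzgk3dm.attacker-server.com
2024-05-02T01:02:10Z 10.0.5.21 ifbegrcfizduqskkinfuu.attacker-server.com
2024-05-02T01:02:11Z 10.0.5.21 mzxw6ytboi2lks2gmftg.attacker-server.com
2024-05-02T01:03:00Z 10.0.5.30 cdn.example.org
2024-05-02T01:03:05Z 10.0.5.30 xyz123.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores far above real words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Simplified: last two labels. A real tool would consult the public suffix list.
    return ".".join(qname.split(".")[-2:])

def detect_dns_exfil(log=DNS_LOG, min_len=12, min_entropy=3.0, min_unique=3):
    """Return {(client, domain): n} for domains that received >= min_unique distinct
    long, high-entropy first labels from one client: the encoded-data IoC."""
    suspects = defaultdict(set)
    for line in log.splitlines():
        _ts, client, qname = line.split()
        labels = qname.split(".")
        if len(labels) < 3:          # need at least one label below the domain
            continue
        first = labels[0]
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            suspects[(client, registered_domain(qname))].add(first)
    return {k: len(v) for k, v in suspects.items() if len(v) >= min_unique}
```

Counting distinct labels per client and domain, rather than alerting on any single odd name, is what separates tunnelling from the one-off random-looking hostnames CDNs and telemetry services legitimately use.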

5. Challenges in Using IoCs

• Evasion Techniques:
  • Attackers frequently change IoCs (e.g., rotating IPs, domains, or file hashes).
  • Solution: Use behavioral patterns and heuristic analysis alongside static IoCs.
• False Positives:
  • Some IoCs may overlap with legitimate activities (e.g., shared IP hosting).
• Volume of IoCs:
  • Managing and applying large numbers of IoCs can be resource-intensive.
  • Solution: Automate IoC ingestion and filtering using SIEM tools.

6. Tools for Detecting and Managing IoCs

• Threat Intelligence Platforms: AlienVault OTX, VirusTotal, IBM X-Force Exchange.
• SIEM Tools: Splunk, QRadar, Elastic Security.
• Network Analysis Tools: Wireshark, Zeek, Suricata.
• Endpoint Protection: EDR solutions like CrowdStrike Falcon, Carbon Black.

7. Best Practices for Using IoCs

• Regular Updates: Keep IoC databases updated with the latest threat intelligence.
• Automate Detection: Use automated tools to ingest, apply, and act on IoCs in real time.
• Contextual Analysis: Correlate IoCs with system and network logs to validate threats.
• Focus on High-Value IoCs: Prioritize IoCs with high relevance to your environment or current threat landscape.