
Cybersecurity Knowledge Base

CyberPedia



Indicators of Compromise (IOCs)


Overview

Indicators of Compromise (IOCs) are clues that suggest a system, account, or network may have been attacked or breached. They are like digital “footprints” or evidence that something suspicious or malicious has happened. Security teams use IOCs to detect, investigate, and respond to cyber incidents.

In plain terms: IOCs are warning signs that say, “Something bad may already be going on here—look closer.”

What IOCs Can Be

IOCs come in many forms, including:

  • Technical details seen in logs and tools.

  • Changes to systems or files.

  • Unusual behavior by users or applications.

Common Types of IOCs

Some frequently used IOCs are:

  • Suspicious files or programs

    • Unknown executables, scripts, or tools appearing on systems.

    • Files with odd names or locations (for example, in temp folders or user profile folders where they don’t belong).

  • Malicious file hashes

    • Unique fingerprints of known malware files (for example, MD5/SHA values) that match threat‑intelligence lists.

  • Unusual network activity

    • Connections to IP addresses or domains known to be malicious.

    • Large or unexpected data transfers, especially leaving the company.

    • Traffic at odd hours or from devices that don’t normally talk to certain servers.

  • Suspicious domains, URLs, and IPs

    • Links used in phishing campaigns.

    • Command‑and‑control (C2) servers used by attackers to control infected machines.

  • Abnormal user or login behavior

    • Logins from unusual locations or countries.

    • Many failed login attempts followed by a success.

    • Access to systems or data that the user does not normally use.

  • Changes to system configuration or security tools

    • Antivirus or logging suddenly disabled.

    • New admin accounts created without a clear reason.

    • Unexpected changes to firewall rules, group policies, or scheduled tasks.

  • Email‑related indicators

    • Phishing emails with specific subjects, sender addresses, or attachment names used in a known campaign.

Why IOCs Matter for Businesses

IOCs help organizations:

  • Detect attacks earlier

    • By spotting known bad signs before attackers complete their objectives.

  • Investigate incidents

    • IOCs provide leads for where to look: which systems to check, which accounts may be affected, and where data might have gone.

  • Contain and eradicate threats

    • Once an IOC is known, it can be blocked or hunted for across the environment (for example, blocking a bad domain or removing a malicious file).

  • Improve defenses over time

    • Patterns from past incidents feed into rules, alerts, and training, making future attacks easier to spot.

Where IOCs Come From

IOCs are gathered from:

  • Internal detection tools

    • Antivirus/endpoint protection, intrusion detection systems, email security, and log analysis tools.

  • Incident response investigations

    • Forensic work after an attack uncovers specific files, domains, and behaviors.

  • Threat‑intelligence sources

    • Shared lists and reports from security vendors, industry groups, and government agencies about current campaigns and known bad indicators.

How IOCs Are Used in Practice

Security teams typically:

  • Ingest IOCs into tools

    • Load bad IPs, domains, hashes, and patterns into firewalls, endpoint tools, and monitoring systems.

  • Hunt across systems

    • Search logs and endpoints for the presence of known IOCs (for example, “Do we see this hash anywhere?”).

  • Create alerts

    • Set up rules so that if an IOC is seen again, an alert is raised quickly.

  • Share and update

    • Continuously update IOCs as attackers change infrastructure and tactics.

Limitations and Caveats

IOCs are valuable but not perfect:

  • Attackers change indicators

    • They can quickly switch IPs, domains, or file names to avoid detection.

  • Some IOCs can be too generic

    • Not every odd log entry or IP is truly malicious; false positives are possible.

  • They show that something has happened, not everything that happened

    • IOCs are pieces of a puzzle, not the full story of an incident.

Because of this, modern defenses also use “behavior‑based” detection (looking at patterns of activity) in addition to simple IOC matching.
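The login pattern listed above ("many failed login attempts followed by a success") is a good illustration of behavior-based detection: no single log line is an IOC, but the sequence is. The following Python script is an added example written for this page, not code from CyberPedia. It parses constructed sshd-style authentication lines (the format, hostnames, user names and IP addresses are all made up), keeps a sliding window of failures per (user, source) pair, and raises an alert only when a success follows at least `threshold` failures inside the window. The threshold of 5 and the 10-minute window are assumptions to tune for your environment; a single failed attempt before a success (a typo) is deliberately not alerted on, which is what keeps this rule from being "too generic".

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines (sshd-like, not a real host's log).
# jdoe: five failures in eight seconds, then a success  -> should alert
# msmith: one failure (a typo), then a success          -> should not alert
AUTH_LOG = """\
2024-05-01T09:12:01Z host1 sshd: Failed password for jdoe from 203.0.113.7
2024-05-01T09:12:03Z host1 sshd: Failed password for jdoe from 203.0.113.7
2024-05-01T09:12:05Z host1 sshd: Failed password for jdoe from 203.0.113.7
2024-05-01T09:12:07Z host1 sshd: Failed password for jdoe from 203.0.113.7
2024-05-01T09:12:09Z host1 sshd: Failed password for jdoe from 203.0.113.7
2024-05-01T09:12:30Z host1 sshd: Accepted password for jdoe from 203.0.113.7
2024-05-01T09:40:00Z host1 sshd: Failed password for msmith from 10.0.4.37
2024-05-01T09:40:20Z host1 sshd: Accepted password for msmith from 10.0.4.37
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the constructed log above."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_bruteforce_then_success(log_text: str, threshold: int = 5,
                                   window: timedelta = timedelta(minutes=10)) -> list:
    """Alert when a successful login for (user, src) is preceded by at least
    `threshold` failed logins for the same pair inside `window`.

    Returns a list of alert dicts; threshold and window are assumed values.
    """
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # ignore lines that are not login results
        ts = parse_ts(m["ts"])
        key = (m["user"], m["src"])
        failures = recent_failures[key]
        # Slide the window: forget failures older than `window`.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if m["result"] == "Failed":
            failures.append(ts)
            continue
        # A success: alert only if enough recent failures preceded it.
        if len(failures) >= threshold:
            alerts.append({
                "user": m["user"],
                "src": m["src"],
                "failures_before_success": len(failures),
                "success_at": m["ts"],
            })
        failures.clear()  # start fresh after any successful login
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(AUTH_LOG):
        print(f"ALERT: {alert['user']} from {alert['src']} succeeded at "
              f"{alert['success_at']} after {alert['failures_before_success']} failures")
```

In a real deployment the same logic would run over a log pipeline rather than a string, and the (user, src) key could be widened to src alone to catch password spraying across many accounts; the windowing and threshold approach stays the same.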

Plain‑Language Example

Imagine your company learns from a security bulletin that attackers are using:

  • A specific file named invoice_update.exe with a known hash.

  • A command‑and‑control domain bad-update[.]com.

Those two details are IOCs. Your security team can:

  • Search all computers for that file and hash.

  • Check logs for any connections to bad-update[.]com.

  • Block that domain at the firewall and remove the file wherever it appears.
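The hunting steps in "How IOCs Are Used in Practice" and the bulletin example just above come down to the same two operations: hash files and compare against a known-bad list, and scan connection logs for a known-bad domain. The Python script below is an added example written for this page, not code from CyberPedia. Everything in it is constructed: the "malware" bytes (hashed in the script itself rather than copied from any feed), the key=value proxy log format, and the hosts, users and addresses. It also covers two practical details the bulletin example implies: indicators arrive defanged (`bad-update[.]com`) and must be refanged before matching, and a domain match should cover subdomains of `bad-update.com` without also matching an unrelated host that merely contains the string. The name-only classification reflects the caveat that attackers rename files more easily than they change their contents.

```python
import hashlib
import re

# --- Constructed IOC set modelled on the page's bulletin example -----------
# The sample bytes are made up so the example runs offline; the SHA-256 is
# computed here, not taken from any real threat-intelligence list.
CONSTRUCTED_MALWARE_BYTES = b"MZ\x90\x00constructed sample body, not real malware"
IOC_FILE_NAMES = {"invoice_update.exe"}
IOC_SHA256 = {hashlib.sha256(CONSTRUCTED_MALWARE_BYTES).hexdigest()}
IOC_DOMAINS_DEFANGED = ["bad-update[.]com"]

# Constructed proxy log lines in a simple key=value layout (not a real product's format).
PROXY_LOG = """\
2024-05-01T09:12:03Z src=10.0.4.21 user=jdoe dest=updates.example.com status=200
2024-05-01T09:12:09Z src=10.0.4.21 user=jdoe dest=bad-update.com status=200
2024-05-01T09:13:40Z src=10.0.4.37 user=msmith dest=notbad-update.com status=200
2024-05-01T11:02:11Z src=10.0.4.37 user=msmith dest=cdn.bad-update.com status=200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) dest=(?P<dest>\S+)")


def refang(indicator: str) -> str:
    """Bulletins defang indicators (bad-update[.]com, hxxp://) so they cannot be
    clicked by accident; logs hold the real form, so convert before matching."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True for the IOC domain itself and any subdomain of it, but not for an
    unrelated host that merely contains the string (notbad-update.com)."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def find_c2_connections(log_text: str, defanged_domains) -> list:
    """Return one record per log line whose destination matches a C2 domain IOC."""
    iocs = [refang(d) for d in defanged_domains]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        for ioc in iocs:
            if domain_matches(m["dest"], ioc):
                hits.append({"ts": m["ts"], "src": m["src"], "user": m["user"],
                             "dest": m["dest"], "ioc": ioc})
    return hits


def sha256_of_file(path: str) -> str:
    """Hash a file on disk in chunks, as an endpoint sweep would."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_file(name: str, data: bytes) -> str:
    """A hash match is strong evidence; a matching name alone is only a lead,
    because a renamed copy of the same file still has the same hash."""
    if hashlib.sha256(data).hexdigest() in IOC_SHA256:
        return "hash_match"
    if name.lower() in IOC_FILE_NAMES:
        return "name_only"
    return "clean"


if __name__ == "__main__":
    for hit in find_c2_connections(PROXY_LOG, IOC_DOMAINS_DEFANGED):
        print(f"ALERT {hit['ts']} {hit['src']} ({hit['user']}) -> {hit['dest']} "
              f"matched IOC {hit['ioc']}")
    print(classify_file("invoice_update.exe", CONSTRUCTED_MALWARE_BYTES))
    print(classify_file("invoice_update.exe", b"harmless bytes"))
```

Run as-is it reports the two connections to `bad-update.com` and its subdomain, flags the constructed sample as a hash match whatever it is named, and reports a benign file that happens to be called `invoice_update.exe` as a name-only lead to be checked rather than an automatic alert.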