Indicators of Compromise

Indicators of Compromise (IoC)

Indicators of Compromise (IoCs) are pieces of forensic evidence or observable data that suggest a system, network, or account has been compromised by malicious activity. IoCs are typically discovered during or after a cybersecurity incident and are used by security teams to identify, investigate, and contain attacks.

IoCs are considered reactive security indicators because they confirm that suspicious or malicious activity has already occurred. Security analysts use them to trace attacker behavior, detect infected systems, block known threats, and improve future defenses.

These indicators are often static and signature-based, which means they rely on previously identified malicious artifacts, such as known malware file hashes, attacker-controlled IP addresses, suspicious domains, registry modifications, or unauthorized file changes. Because attackers frequently change their infrastructure and malware signatures, IoCs can quickly become outdated. As a result, they are usually most effective for detecting known threats rather than new or evolving attacks.

Key Characteristics

  • Reactive: They are identified after an attack has already occurred and are used to confirm and investigate a breach. They indicate that a malicious event has taken place.
  • Confirm that something bad has already happened: They provide evidence of a compromise or malicious activity, such as known malicious files, IP addresses, or unauthorized system changes.
  • Often signature-based: They rely on established patterns or indicators (such as hashes or domains). This makes them effective for detecting known threats but less useful against new or evolving attacks.

Examples

  • Malware hashes
    • NetWalker Ransomware (Double-Extortion)
    • SHA256: 8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c
  • Suspicious file changes
    • NetWalker Ransomware (Double-Extortion)
    • File: C:\Program Files (x86)\f7ccbf3501\f7ccbf3501.exe
  • Registry modifications
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: "f7ccbf3501" = "C:\Program Files (x86)\f7ccbf3501\f7ccbf3501.exe"
  • Malicious IPs/domains
    • Emotet (SHA256: 8e37a82ff94c03a5be3f9dd76b9dfc335a0f70efc0d8fd3dca9ca34dd287de1b)
    • Traffic: 10.1.0.99 -> 5.2.136.90 (known Emotet C&C server)
  • Unexpected processes
    • Lucifer (SHA256: 66d619ca5e848ce0e4bcb1252ff8a4f0a060197a94810de85873c76fa3826c1e)
    • Action: schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr %SAMPLEPATH% /F
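As an added example (not part of the original page), the Python below shows how the four kinds of IoC listed above are matched against host and network telemetry: the IoC values are the ones on this page, while the pipe-separated event format and the sample event lines are constructed assumptions for the demonstration.

```python
import re

# IoC values below are exactly those listed on this page (NetWalker, Emotet, Lucifer).
IOC_HASHES = {
    "8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c": "NetWalker sample",
    "8e37a82ff94c03a5be3f9dd76b9dfc335a0f70efc0d8fd3dca9ca34dd287de1b": "Emotet sample",
    "66d619ca5e848ce0e4bcb1252ff8a4f0a060197a94810de85873c76fa3826c1e": "Lucifer sample",
}
IOC_IPS = {"5.2.136.90": "Emotet C&C server"}
IOC_RUN_VALUES = {"f7ccbf3501": "NetWalker Run-key persistence"}
# Pattern taken from the Lucifer example: a scheduled task that re-runs every minute.
SCHTASKS_EVERY_MINUTE = re.compile(r"schtasks\s+/create\b.*\s/sc\s+minute\s+/mo\s+1\b", re.I)


def match_iocs(events):
    """Return (line_no, label) for every event that matches a known IoC.

    Assumed event format: 'kind|field|field...' where kind is one of
    file (path, sha256), net (src, dst), reg (key, value, data), proc (image, cmdline).
    """
    hits = []
    for n, line in enumerate(events, 1):
        kind, *f = line.rstrip("\n").split("|")
        if len(f) < 2:
            continue  # malformed record, skip rather than crash the scan
        if kind == "file" and f[1].lower() in IOC_HASHES:
            hits.append((n, IOC_HASHES[f[1].lower()]))
        elif kind == "net" and f[1] in IOC_IPS:
            hits.append((n, IOC_IPS[f[1]]))
        elif kind == "reg" and f[0].upper().endswith(r"\CURRENTVERSION\RUN") and f[1] in IOC_RUN_VALUES:
            hits.append((n, IOC_RUN_VALUES[f[1]]))
        elif kind == "proc" and SCHTASKS_EVERY_MINUTE.search(f[1]):
            hits.append((n, "Lucifer-style every-minute scheduled task"))
    return hits


# Constructed sample telemetry (not real logs); lines 2 and 6 are benign controls.
SAMPLE_EVENTS = [
    "file|C:\\Users\\alice\\Downloads\\invoice.exe|8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c",
    "net|10.1.0.5|203.0.113.10",
    "net|10.1.0.99|5.2.136.90",
    "reg|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|f7ccbf3501|C:\\Program Files (x86)\\f7ccbf3501\\f7ccbf3501.exe",
    "proc|cmd.exe|schtasks /create /sc minute /mo 1 /tn \"QQMusic\" /tr C:\\Temp\\x.exe /F",
    "file|C:\\Windows\\notepad.exe|" + "0" * 64,
]

if __name__ == "__main__":
    for n, label in match_iocs(SAMPLE_EVENTS):
        print(f"line {n}: {label}")
```

Matching on the exact hash, IP and Run-key value illustrates the signature-based nature described above: a rebuilt sample or a new C&C address would pass silently, which is why the scheduled-task check keys on the command-line pattern rather than on the file path.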