Indicator of Compromise
Definition
An Indicator of Compromise (IOC) is a piece of evidence that suggests a system, account, or network may have been attacked or is being used by an attacker. It is a clue that points to possible malicious activity. IOCs help defenders detect, investigate, and respond to intrusions.

An IOC is usually something that can be observed and matched in data, such as:

* A file hash that identifies a known malicious file
* A suspicious IP address or domain that belongs to an attacker
* An unusual URL used for phishing or command and control
* A process name and command line that is strongly linked to malware
* A specific registry key that a certain threat actor always creates
* An email subject line or sender address used in a phishing campaign

For example, if a known malware sample has a SHA256 hash of `abcd1234...`, that hash is an IOC. Security tools can scan endpoints and logs for that hash to see where the malware has run.

IOCs are used to:

* Detect known threats by matching them in logs and on endpoints
* Search across historical data to see how far an attack spread
* Block future activity by denying connections to malicious IPs or domains
* Enrich alerts so analysts can recognize related activity faster

There are limitations. Many IOCs are easy for attackers to change. They can switch IPs, domains, file names, and even recompile malware to change its hash. This means IOCs age quickly and must be updated often. IOCs also need context. A domain or IP might be suspicious in one environment but normal in another.

Because of these limits, defenders combine IOCs with higher-level patterns, sometimes called indicators of attack (IOAs), that focus on behavior rather than only on static values. Still, IOCs remain a core part of threat intelligence and day-to-day security operations. They give analysts concrete starting points for detection, hunting, and incident response.
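The matching, scoping, aging and context points above, as an added example that is not part of this glossary entry: a small IOC sweep over constructed log lines. The feed values (placeholder hash, RFC 5737 addresses, example.net names), the key=value log format and the expiry and allowlist fields are all assumptions made for the illustration.

```python
import re
from datetime import date

# Constructed IOC feed: placeholder hash, RFC 5737 addresses and example.net names, not real indicators.
# Each entry is (type, value, label, expiry); an expired entry is treated as stale and no longer matched.
IOC_FEED = [
    ("sha256", "abcd1234" + "ef" * 28, "known malware sample", date(2030, 1, 1)),
    ("ipv4", "203.0.113.45", "command and control server", date(2030, 1, 1)),
    ("domain", "update-check.example.net", "phishing landing page", date(2030, 1, 1)),
    ("domain", "cdn.example.net", "flagged by a shared feed", date(2030, 1, 1)),
    ("ipv4", "198.51.100.7", "scanner rotated away months ago", date(2020, 1, 1)),
]

# Local context: an indicator the feed flags but that is normal traffic in this environment.
ALLOWLIST = {("domain", "cdn.example.net")}

# Constructed endpoint and network log lines in key=value form.
LOG_LINES = [
    "2024-06-01T10:00:00Z host=ws01 event=process_start sha256=" + "abcd1234" + "ef" * 28 + " path=C:\\Temp\\svc.exe",
    "2024-06-01T10:00:02Z host=ws01 event=dns_query qname=update-check.example.net",
    "2024-06-01T10:00:03Z host=ws01 event=net_connect dst=203.0.113.45:443",
    "2024-06-01T10:04:00Z host=ws02 event=dns_query qname=cdn.example.net",
    "2024-06-01T10:05:00Z host=ws03 event=net_connect dst=198.51.100.7:443",
]
TODAY = date(2024, 6, 1)

# Observable value shapes extracted from each line before the lookup.
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}


def live_iocs(feed, allowlist, today):
    """Keep only indicators that are neither expired nor allowlisted for this environment."""
    return {(t, v): label for t, v, label, expires in feed
            if expires > today and (t, v) not in allowlist}


def match_iocs(lines, feed, allowlist, today):
    """Return (line index, host, type, value, label) for every live IOC observed in the lines."""
    live = live_iocs(feed, allowlist, today)
    hits = []
    for i, line in enumerate(lines):
        host_match = re.search(r"host=(\S+)", line)
        host = host_match.group(1) if host_match else "unknown"
        for ioc_type, pattern in PATTERNS.items():
            for value in pattern.findall(line.lower()):  # normalise case before lookup
                if (ioc_type, value) in live:
                    hits.append((i, host, ioc_type, value, live[(ioc_type, value)]))
    return hits


def affected_hosts(hits):
    """Incident scope: the set of hosts on which any live IOC was seen."""
    return {host for _, host, _, _, _ in hits}


if __name__ == "__main__":
    for hit in match_iocs(LOG_LINES, IOC_FEED, ALLOWLIST, TODAY):
        print(hit)
```

Running the sweep with an older `today` shows the aging problem from the other side: the rotated scanner address becomes a live indicator again and ws03 is pulled into scope.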