Indicator of Compromise (IOC)

IOCs are clues to compromise or pieces of forensic data, system log entries or files, that can be considered unusual and may identify potentially malicious activity on a system or network.


Virus signatures and IP addresses, MD5 hashes of malware files or URLs or domain names of botnet command and control servers are some classic IOCs. Some include unusual outbound network traffic, anomalies in privileged user account activity, others log in red flags (to accounts that don't exist, or after hours), swells in database read volume, HTML response sizes (if SQL injection is used to extract data), large numbers of requests for the same file (indicating trial and error), mismatched port-application traffic (unusual ports), suspicious registry or system file changes, DNS request anomalies (large spikes), and geographical irregularities.


Seeking Clarity?

View the Cybersecurity Dictionary for top terms searched by your peers.