Indicator of Compromise (IoC)
What is Indicator of Compromise (IoC)?
An observable artifact, such as a file hash, IP address, domain, URL, or registry key, that suggests a system has been or is being compromised.
An Indicator of Compromise is a forensic artifact that defenders use to detect known malicious activity during or after an intrusion. Common IoCs include cryptographic hashes of malware samples, suspicious IP addresses, command-and-control (C2) domains, malicious URLs, mutex names, registry keys, and email indicators such as sender addresses and subject lines. Because they are atomic values, IoCs are easy to share via STIX/TAXII and to operationalize as block lists or match rules in SIEMs, EDRs, firewalls, and DNS filters. The same property limits their value: an attacker can re-hash a binary, move to a new IP address, or register a new domain in minutes, so a feed of atomic IoCs ages quickly compared with behavior-based detections. Most mature programs therefore treat IoCs as one input among many, alongside indicators of attack (IoAs) and detections of tactics, techniques, and procedures (TTPs).
● Examples
- A SHA-256 hash of a known dropper added to an EDR block list.
- A C2 domain blocked at the DNS resolver.
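The two examples above are instances of the same operation: normalize an indicator once, then match incoming telemetry against it. The following is an added example, not code from the page or from any vendor product, that does this for four indicator types against a small set of constructed log records. The feed values (a hash, two IP entries, a domain, a URL) and the DNS, proxy, and EDR records are all invented for illustration. It handles the normalization mistakes that cause missed hits in practice: upper-case hashes in the feed, a CIDR range rather than a single address, subdomains of a C2 domain, and a URL whose host casing and explicit default port differ from the feed entry, while not matching a look-alike such as `notevil-c2.example`.

```python
"""Minimal IoC matcher over constructed log records (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed indicator feed; hypothetical values, not real threat intelligence.
IOC_FEED = {
    "sha256": ["DEADBEEF" * 8],                   # dropper hash, upper-case as some feeds deliver it
    "ipv4": ["198.51.100.23", "203.0.113.0/24"],  # one C2 address and a whole hosting range
    "domain": ["evil-c2.example"],                # C2 domain; its subdomains should match too
    "url": ["http://dl.example/stage2.bin"],      # payload download URL
}

# Constructed log records from three sources: DNS resolver, web proxy, EDR.
LOG_RECORDS = [
    {"src": "dns",   "client": "10.0.0.5", "query": "beacon.evil-c2.example."},
    {"src": "proxy", "client": "10.0.0.5", "url": "HTTP://DL.EXAMPLE:80/stage2.bin"},
    {"src": "edr",   "host": "ws01", "sha256": "deadbeef" * 8, "dst_ip": "203.0.113.77"},
    {"src": "dns",   "client": "10.0.0.9", "query": "notevil-c2.example"},
    {"src": "edr",   "host": "ws02", "sha256": "00" * 32, "dst_ip": "192.0.2.1"},
]


def normalize_url(url):
    """Lower-case scheme and host, drop a default port, keep path and query."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").rstrip(".")
    port = p.port
    if port and not ((p.scheme == "http" and port == 80) or (p.scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    path = p.path or "/"
    if p.query:
        path += "?" + p.query
    return f"{p.scheme}://{host}{path}"


def domain_matches(name, ioc_domains):
    """Return the matching IoC domain if name equals it or is a subdomain of it."""
    name = name.lower().rstrip(".")
    for d in ioc_domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def ip_matches(ip_str, ioc_networks):
    """Return the matching IoC network (single host or CIDR) as a string, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in ioc_networks:
        if ip in net:
            return str(net)
    return None


def compile_feed(feed):
    """Normalize the feed once so every comparison is exact and case-insensitive."""
    return {
        "sha256": {h.lower() for h in feed["sha256"]},
        "ipv4": [ipaddress.ip_network(n, strict=False) for n in feed["ipv4"]],
        "domain": {d.lower().rstrip(".") for d in feed["domain"]},
        "url": {normalize_url(u) for u in feed["url"]},
    }


def scan(records, compiled):
    """Return (record index, ioc type, matched ioc) for every hit."""
    hits = []
    for i, rec in enumerate(records):
        if "query" in rec:
            d = domain_matches(rec["query"], compiled["domain"])
            if d:
                hits.append((i, "domain", d))
        if "url" in rec:
            u = normalize_url(rec["url"])
            if u in compiled["url"]:
                hits.append((i, "url", u))
            # A URL's host is also checked against the domain list.
            d = domain_matches(urlsplit(rec["url"]).hostname or "", compiled["domain"])
            if d:
                hits.append((i, "domain", d))
        if "sha256" in rec and rec["sha256"].lower() in compiled["sha256"]:
            hits.append((i, "sha256", rec["sha256"].lower()))
        if "dst_ip" in rec:
            n = ip_matches(rec["dst_ip"], compiled["ipv4"])
            if n:
                hits.append((i, "ipv4", n))
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_RECORDS, compile_feed(IOC_FEED)):
        print(hit)
```

Running the block reports four hits: the DNS query for the C2 subdomain, the proxy request to the payload URL, and both the hash and the destination address from the first EDR record (the address falls inside the feed's /24). The look-alike domain and the second EDR record produce nothing. In a real deployment each feed entry would also carry a first-seen or expiry date, because, as the definition notes, atomic indicators go stale quickly.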
● Frequently asked questions
What is Indicator of Compromise (IoC)?
An observable artifact — such as a file hash, IP, domain, URL, or registry key — that suggests a system has been or is being compromised. It belongs to the Defense & Operations category of cybersecurity.
What does Indicator of Compromise (IoC) mean?
An observable artifact — such as a file hash, IP, domain, URL, or registry key — that suggests a system has been or is being compromised.
How are Indicators of Compromise used in defence?
IoCs are not a threat to defend against but a detection input. They are loaded into SIEM match rules, EDR block lists, firewall and DNS filter policies, and matched against telemetry to find systems that have touched a known-bad hash, address, domain, or URL. Because attackers rotate these artifacts quickly, IoC matching is combined with behaviour-based detections (IoAs and TTPs) rather than relied on alone.
What are other names for Indicator of Compromise (IoC)?
Common alternative names include: IoC (also written IOC).