Indicator of Compromise (IoC)

Definition

An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded domain names or IP addresses, and specific string patterns. These are shared via threat-intelligence platforms and detection rules so other defenders can identify the same threat.

Related terms

MITRE ATT&CK
A publicly available knowledge base of adversary tactics, techniques, and procedures derived from real-world intrusion observations. Maintained by the MITRE Corporation. Techniques...
Tactics, Techniques, and Procedures (TTPs)
A three-level description of adversary behaviour. Tactics are the high-level goals (initial access, persistence, exfiltration). Techniques are the specific methods (spear-phishing, pass-the-hash)....
Chain of custody
The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
Cyber forensics
The branch of forensic science concerned with collecting, preserving, and analysing digital evidence from networked environments for use in legal proceedings. Covers...
Alert correlation
The process of grouping multiple related events or alerts into a single higher-level alert representing one attack sequence. A correlation rule might...
Alert fatigue
The condition in which analysts receive more alerts than they can meaningfully review, leading to delayed responses, dismissed true positives, and reduced...
Binary log (database)
A database engine's sequential record of all committed data modification statements, used primarily for replication and point-in-time recovery. In MySQL and MariaDB,...
Combined Log Format
An extension of the Common Log Format used as the default by Apache HTTP Server and widely adopted by Nginx. Adds referrer...
Configuration drift
Deviation from an approved baseline configuration, whether caused by legitimate administrative action or by an attacker modifying settings to weaken defences or...
Cryptographic hash
A fixed-length digest produced from a file's bytes by an algorithm such as MD5 (128-bit), SHA-1 (160-bit), or SHA-256 (256-bit). Identical files...
CSIRT (Computer Security Incident Response Team)
A dedicated team responsible for coordinating the response to confirmed security incidents. The CSIRT manages containment, forensic investigation, communication to stakeholders, and...
Cyber Kill Chain
A seven-phase linear model of an intrusion developed by Lockheed Martin in 2011. The phases are: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command...

Explained in these topics

  • Cyber Forensics vs Digital Forensics: Scope and Boundaries - A technical artefact that signals a system may have been compromised. Common IoCs include malicious IP addresses, domain names, file hashes, registry keys, and...
  • Detection Sources and Alert Pipelines - A specific, observable artefact associated with known malicious activity: a file hash, IP address, domain name, URL, registry key, or certificate fingerprint....
  • Indicators of Compromise: Identification and Use - An observable artefact on a host or network that provides evidence of a security incident. IOCs are used both for forensic investigation and for operationalisi...
  • Key Terms and Stakeholders in Incident Response - A forensic artefact or observable that suggests a system has been breached. IOCs include file hashes, IP addresses, domain names, registry keys, and behavioura...
  • Proactive Threat Hunting Methodology - A specific artifact associated with known malicious activity, such as a file hash, IP address, domain name, or registry key. IOC-driven hunting searches for th...
  • Server and Application Log Analysis - A specific observable artifact in log data or system state that indicates a security incident has occurred or is in progress. Examples include repeated failed...
  • Static Malware Analysis - An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
  • The Cyber Attack Lifecycle - A forensic artefact that indicates a system or network has been compromised. Examples include malicious IP addresses, domain names, file hashes, registry keys,...
  • Threat Eradication Methods - Observable evidence that a system has been or is being compromised, such as a known-malicious file hash, a suspicious registry key, a command-and-control IP ad...
  • Threat Intelligence Fundamentals - A specific, observable artefact that suggests a system may have been compromised. Examples include malicious IP addresses, file hashes, domain names, and regis...
  • What Is Cyber Forensics - Observable artefacts in a system or network that signal a past or ongoing intrusion: malicious IP addresses, file hashes, unusual registry keys, and anomalous...
