The Agency.

Indicators of Compromise

Indicators of Compromise (IOCs) are forensic artifacts or pieces of digital evidence that suggest a network, system, or device may have been breached or is currently under attack. IOCs serve as "digital fingerprints" that provide security teams with crucial information to detect, analyze, and respond to cyber threats.

IOCs are reactive in nature—they indicate that a security incident has occurred or is in progress and help organizations understand what has happened, trace the attack's origin, and take appropriate remediation action. When an IOC is detected, security teams investigate to determine the scope of the compromise and contain the threat.

Common types of IOCs include:

File-Based IOCs: Unusual or unknown file names, unexpected changes to file properties, known malicious file hashes (MD5, SHA-1, SHA-256), and unauthorized new files appearing on systems.

Network-Based IOCs: Abnormal network traffic patterns, unexpected outbound connections, connections to known malicious IP addresses or domains, unusual DNS queries, and suspicious data exfiltration.

Email-Based IOCs: Suspicious email attachments or links, phishing emails, spoofed sender addresses, malicious hyperlinks, unusual email forwarding rules, and messages containing known malware signatures.

Host-Based IOCs: Unauthorized changes to system configurations or registry entries, new unauthorized user accounts, unusual running processes or services, and unexpected system reboots.

Behavioral IOCs: Anomalous user activities such as logging in at unusual hours, accessing sensitive data outside normal patterns, logging in from unusual geographic locations, or privilege escalation attempts.

Organizations use IOCs in threat intelligence feeds, SIEM systems, and endpoint detection tools to automate threat detection. Pangratis provides security teams with detailed IOC data for email-based threats, enabling rapid investigation and response to potential compromises.
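The matching that SIEM and endpoint tools automate comes down to comparing artifacts pulled out of telemetry against an indicator list. The following added example (not code from the page or from Pangratis) shows that logic for four of the IOC types listed above: it scans constructed proxy, EDR and DNS log lines for a known-bad hash, IP address, domain and file name. Every indicator and log line is a placeholder built for the example (documentation IP range, example.net domain, a dummy hash), not real threat intelligence.

```python
"""Minimal IOC matcher: scan log lines for known-bad hashes, IPs, domains and file names."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed indicator set for illustration only (not real threat intelligence).
IOCS = {
    "hash": {"deadbeef" * 8},        # 64 hex chars standing in for a SHA-256
    "ip": {"203.0.113.45"},          # TEST-NET-3 documentation address
    "domain": {"c2.example.net"},    # subdomains of this should also match
    "filename": {"svch0st.exe"},     # look-alike of the legitimate svchost.exe
}

# MD5 (32), SHA-1 (40) or SHA-256 (64) hex digests as whole tokens.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


@dataclass(frozen=True)
class Match:
    line_no: int
    ioc_type: str
    indicator: str


def _domain_hit(host: str) -> Optional[str]:
    """Return the domain IOC that host equals or is a subdomain of, else None."""
    host = host.lower()
    for bad in IOCS["domain"]:
        if host == bad or host.endswith("." + bad):
            return bad
    return None


def scan_line(line_no: int, line: str) -> List[Match]:
    """Extract candidate artifacts from one log line and compare them to the IOC set."""
    hits: Set[Match] = set()
    for digest in HASH_RE.findall(line):
        # Hashes are compared case-insensitively; tools log them in either case.
        if digest.lower() in IOCS["hash"]:
            hits.add(Match(line_no, "hash", digest.lower()))
    for ip in IP_RE.findall(line):
        if ip in IOCS["ip"]:
            hits.add(Match(line_no, "ip", ip))
    for host in HOST_RE.findall(line):
        bad = _domain_hit(host)
        if bad:
            hits.add(Match(line_no, "domain", bad))
    for token in line.split():
        # Last path component of any token, so both Windows and POSIX paths work.
        name = re.split(r"[\\/]", token)[-1].lower()
        if name in IOCS["filename"]:
            hits.add(Match(line_no, "filename", name))
    return sorted(hits, key=lambda m: (m.ioc_type, m.indicator))


def scan_logs(lines: Iterable[str]) -> List[Match]:
    """Scan a sequence of log lines; line numbers are 1-based."""
    return [m for i, line in enumerate(lines, 1) for m in scan_line(i, line)]


# Constructed sample telemetry: a proxy record, an EDR file event, two DNS queries.
SAMPLE_LOGS = [
    "2024-05-01T02:13:44Z proxy src=10.0.0.12 dst=203.0.113.45 url=http://c2.example.net/beacon",
    "2024-05-01T02:14:01Z edr host=ws-07 file=C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe sha256="
    + "DEADBEEF" * 8,
    "2024-05-01T02:15:10Z dns host=ws-07 query=mail.example.com",
    "2024-05-01T02:16:22Z dns host=ws-07 query=update.c2.example.net",
]

if __name__ == "__main__":
    for m in scan_logs(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.ioc_type} IOC matched -> {m.indicator}")
```

Run as a script it reports five matches: the proxy line hits both the IP and the domain, the EDR line hits the file name and the hash despite the upper-case digest, the benign DNS query matches nothing, and the last query matches because it is a subdomain of the listed domain. That suffix handling is the kind of detail that decides whether an indicator from a threat feed actually fires in production.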
