Collecting Indicators of Compromise
When to Use
- During active incident response to identify and block adversary infrastructure
- Post-incident to document all observed adversary artifacts for future detection
- When sharing threat intelligence with ISACs, sector partners, or law enforcement
- When building detection rules in SIEM, EDR, or network security tools
- When enriching IOCs with threat intelligence context for risk scoring
Do not use for behavioral TTP analysis without accompanying technical indicators; use MITRE ATT&CK mapping for behavioral characterization.
Prerequisites
- Access to incident evidence sources: SIEM logs, EDR telemetry, memory dumps, disk images, network captures
- Threat intelligence platform (MISP, OpenCTI, ThreatConnect) for IOC management and sharing
- IOC enrichment tools: VirusTotal, OTX (AlienVault Open Threat Exchange), Shodan, DomainTools
- STIX 2.1 knowledge for structured IOC representation
- Sharing agreements with relevant ISACs (FS-ISAC, H-ISAC, IT-ISAC) or sector partners
Workflow
Step 1: Identify IOC Categories
Collect indicators across all categories from incident evidence:
Network Indicators:
- IP addresses (C2 servers, staging servers, exfiltration destinations)
- Domain names (C2 domains, phishing domains, DGA domains)
- URLs (malware download, C2 check-in, exfiltration endpoints)
- JA3/JA3S hashes (TLS client/server fingerprints)
- User-Agent strings (custom or unusual HTTP headers)
- DNS query patterns (tunneling signatures, DGA patterns)
Host Indicators:
- File hashes (MD5, SHA-1, SHA-256 of malware, tools, scripts)
- File paths (known malware installation directories)
- Registry keys (persistence mechanisms, configuration storage)
- Scheduled tasks and service names (persistence)
- Mutex/event names (malware instance synchronization)
- Named pipes (C2 communication channels, e.g., Cobalt Strike)
Email Indicators:
- Sender addresses and domains (spoofed or attacker-controlled)
- Subject lines and body content patterns
- Attachment names and hashes
- Embedded URLs
- Email header anomalies (SPF/DKIM/DMARC failures)
Step 2: Extract IOCs from Evidence Sources
Systematically extract indicators from each evidence source:
From SIEM/Log Analysis:
# Extract unique destination IPs from firewall logs
index=firewall action=blocked
| stats count by dest_ip
| where count > 100
# Extract domains from DNS query logs
index=dns query=*evil* OR query=*c2*
| stats count by query
From Memory Forensics:
# Extract network connections
vol -f memory.raw windows.netscan | grep ESTABLISHED
# Extract strings from suspicious process memory
vol -f memory.raw windows.memmap --pid 3847 --dump
strings -n 8 pid.3847.dmp | grep -E "(http|https)://"
From Malware Analysis:
Sandbox Report IOC Extraction:
- Dropped files: 3 (hashes extracted)
- DNS queries: update.evil[.]com, cdn.malware[.]net
- HTTP connections: POST to https://185.220.101[.]42/gate.php
- Registry modified: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svcupdate
- Mutex created: Global\MTX_0x1234ABCD
- Named pipe: \\.\pipe\MSSE-1234-server
Step 3: Enrich IOCs with Context
Add threat intelligence context to each indicator:
IOC Enrichment Report:
━━━━━━━━━━━━━━━━━━━━━
IP: 185.220.101.42
VirusTotal: 12/89 vendors flag as malicious
Shodan: Open ports: 443, 8443, 80
Geolocation: Netherlands, AS208476
First Seen: 2025-10-01
Threat Intel: Associated with Qakbot C2 infrastructure
Confidence: High
TLP: AMBER
Domain: update.evil[.]com
Registration: 2025-10-28 (recently registered)
Registrar: Namecheap
WHOIS Privacy: Yes
VirusTotal: 8/89 vendors flag as malicious
DNS History: Resolved to 185.220.101.42, 91.215.85.17
Confidence: High
TLP: AMBER
Step 4: Score and Prioritize IOCs
Assign confidence and risk scores to each indicator:
| Score | Confidence Level | Criteria |
|---|---|---|
| 90-100 | Confirmed Malicious | Multiple TI sources confirm, observed in active attack |
| 70-89 | Highly Suspicious | Single TI source confirms, behavioral analysis supports |
| 50-69 | Suspicious | Limited TI data, contextually suspicious |
| 30-49 | Unconfirmed | No TI matches, but anomalous in environment |
| 0-29 | Likely Benign | False positive indicators or legitimate infrastructure |
Step 5: Distribute IOCs for Detection and Blocking
Push IOCs to defensive systems for immediate protection:
- Firewall/IPS: Block C2 IPs and domains
- DNS: Sinkhole malicious domains
- EDR: Add file hashes to blocklist, create custom IOC watchlists
- Email Gateway: Block sender domains, attachment hashes, malicious URLs
- SIEM: Create correlation searches for IOC matches
- Web Proxy: Block URLs and domains in web filtering policy
Step 6: Share IOCs with Partners
Package IOCs in STIX 2.1 format for sharing:
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"created": "2025-11-15T18:00:00Z",
"modified": "2025-11-15T18:00:00Z",
"name": "Qakbot C2 Server IP",
"indicator_types": ["malicious-activity"],
"pattern": "[ipv4-addr:value = '185.220.101.42']",
"pattern_type": "stix",
"valid_from": "2025-11-15T14:23:00Z",
"confidence": 95,
"labels": ["c2", "qakbot"],
"object_marking_refs": ["marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"]
}
Submit to MISP, ISAC portals, and TAXII servers per sharing agreements.
Key Concepts
| Term | Definition |
|---|---|
| IOC (Indicator of Compromise) | Technical artifact observed during a security incident that indicates adversary presence (hash, IP, domain, etc.) |
| TLP (Traffic Light Protocol) | Standard for classifying the sharing restrictions of threat intelligence: WHITE, GREEN, AMBER, AMBER+STRICT, RED |
| STIX (Structured Threat Information Expression) | Standard language for representing cyber threat intelligence in a structured, machine-readable format |
| TAXII (Trusted Automated Exchange of Intelligence Information) | Transport protocol for sharing STIX-formatted threat intelligence between organizations |
| Confidence Score | Numerical rating (0-100) indicating the analyst's certainty that an indicator is truly malicious |
| IOC Lifecycle | Process of creating, validating, distributing, and eventually retiring indicators as they lose relevance |
| Defanging | Practice of modifying malicious URLs and domains in reports to prevent accidental clicks (e.g., evil[.]com) |
Tools & Systems
- MISP: Open-source threat intelligence sharing platform for managing, storing, and distributing IOCs
- VirusTotal: Multi-engine malware scanning and threat intelligence platform for IOC enrichment
- OpenCTI: Open-source cyber threat intelligence platform supporting STIX 2.1 natively
- Yeti: Open-source platform for organizing observables, indicators, and TTPs
- CyberChef: GCHQ's data transformation tool useful for decoding, defanging, and formatting IOCs
Common Scenarios
Scenario: Post-Incident IOC Package for ISAC Sharing
Context: After responding to a Qakbot infection that led to Cobalt Strike deployment, the IR team must package all IOCs for sharing with the Financial Services ISAC (FS-ISAC).
Approach:
- Compile all network, host, and email indicators from the investigation
- Enrich each IOC with VirusTotal and MISP correlation data
- Assign confidence scores based on direct observation vs. secondary correlation
- Mark all IOCs with TLP:AMBER for partner sharing
- Export as STIX 2.1 bundle and submit to FS-ISAC TAXII feed
- Create a human-readable IOC summary report for email distribution
Pitfalls:
- Including internal IP addresses or hostnames in shared IOC packages (information leakage)
- Sharing IOCs at TLP:WHITE that should be restricted to TLP:AMBER
- Not defanging URLs and domains in human-readable reports
- Sharing IP addresses of legitimate CDNs or cloud providers as malicious IOCs
Output Format
INDICATOR OF COMPROMISE REPORT
================================
Incident: INC-2025-1547
Date: 2025-11-15
TLP: AMBER
Sharing: FS-ISAC, internal SOC
NETWORK INDICATORS
Type | Value | Confidence | Context
---------|--------------------------|------------|--------
IPv4 | 185.220.101[.]42 | 95 | Qakbot C2 server
IPv4 | 91.215.85[.]17 | 90 | Cobalt Strike C2
Domain | update.evil[.]com | 95 | Staging domain
URL | hxxps://185.220[.]101.42/gate.php | 95 | C2 check-in
JA3 | a0e9f5d64349fb13191bc7...| 80 | Qakbot TLS fingerprint
HOST INDICATORS
Type | Value | Confidence | Context
---------|--------------------------|------------|--------
SHA-256 | a1b2c3d4e5f6... | 100 | Qakbot dropper
SHA-256 | b2c3d4e5f6a7... | 100 | Cobalt Strike beacon
FilePath | C:\Users\*\AppData\Local\Temp\update.exe | 85 | Dropper location
RegKey | HKCU\...\Run\svcupdate | 90 | Persistence
Mutex | Global\MTX_0x1234ABCD | 95 | Qakbot instance lock
Task | WindowsUpdate | 90 | Scheduled task persistence
EMAIL INDICATORS
Type | Value | Confidence | Context
---------|--------------------------|------------|--------
Sender | billing@spoofed[.]com | 95 | Phishing sender
Subject | "Invoice-Nov2025" | 70 | Phishing subject line
Hash | c3d4e5f6a7b8... | 100 | Malicious .docm attachment
TOTAL: 14 indicators | HIGH confidence avg: 91