Attack Indicators
Indicators of Compromise (IOCs) — observable artifacts that indicate a system may have been compromised.
Indicators of Malware Attacks
File / Disk Indicators
- Unexpected executables in temp folders (%TEMP%, /tmp, AppData\Roaming)
- Files with double extensions: invoice.pdf.exe
- Files named like system files but in wrong directory (svchost.exe in C:\Users)
- Sudden large volume of encrypted files (ransomware)
- Modified or deleted system files
- New or modified scheduled tasks / cron jobs / autorun entries
Process Indicators
- Processes spawned from unexpected parents (Word spawning cmd.exe)
- High CPU/memory usage from unknown processes
- Processes with no associated file on disk (fileless malware)
- Rundll32, regsvr32, mshta, wscript, cscript running with unusual arguments
- PowerShell with Base64-encoded commands (-EncodedCommand, or any prefix such as -enc / -e; the blob decodes to UTF-16LE text, not ASCII)
Registry Indicators (Windows)
Persistence keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\System\CurrentControlSet\Services ← malicious service
Suspicious: Unknown entries, encoded values, random-looking key names
Network Indicators
- Unexpected outbound connections (C2 callbacks)
- Beaconing: regular intervals of outbound traffic to the same IP
- DNS queries for random/DGA (Domain Generation Algorithm) domains
- Traffic to known malicious IPs, or Tor traffic (outbound to Tor guard/relay nodes; inbound connections arriving from Tor exit nodes)
- Large outbound data transfers (exfiltration)
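Worked example (added here, not the original notes' content): beacon detection over flow records. For each (source, destination, port) pair it measures how regular the gaps between connections are, using the coefficient of variation (standard deviation divided by mean) of the inter-arrival times; a fixed check-in interval gives a value near zero even with a few seconds of jitter, while a person browsing the same site gives a value above one. The flow records are constructed and all addresses are invented.

```python
from collections import defaultdict
from statistics import mean, pstdev


def find_beacons(flows, min_count=8, max_cv=0.15):
    """flows: (epoch_seconds, src, dst, dport, bytes). Returns the pairs whose
    inter-arrival times are nearly constant, with interval and jitter stats."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        by_pair[(src, dst, dport)].append((ts, nbytes))
    beacons = {}
    for key, samples in by_pair.items():
        if len(samples) < min_count:          # too few points to say anything about regularity
            continue
        samples.sort()
        times = [t for t, _ in samples]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu               # 0 = perfectly periodic, >1 = bursty/human
        if cv <= max_cv:
            sizes = [n for _, n in samples]
            beacons[key] = {
                "count": len(samples),
                "interval_s": round(mu, 1),
                "cv": round(cv, 3),
                # Constant payload size is a second tell: idle heartbeats carry almost no data.
                "size_cv": round(pstdev(sizes) / mean(sizes), 3) if mean(sizes) else 0.0,
            }
    return beacons


def make_sample_flows():
    """Constructed flow log (invented values)."""
    flows = []
    t = 1_700_000_000
    # Implant checking in every 60 s with a couple of seconds of jitter
    for jitter in [0, 1, -1, 2, -2, 1, 0, -1, 2, 0, 1, -2]:
        t += 60
        flows.append((t + jitter, "10.0.0.7", "203.0.113.5", 443, 512))
    t = 1_700_000_000
    # A user browsing one site: irregular gaps, varying response sizes
    for i, gap in enumerate([3, 40, 7, 300, 12, 95, 1, 600, 22, 8, 150, 4]):
        t += gap
        flows.append((t, "10.0.0.21", "198.51.100.20", 443, 1200 + 700 * (i % 5)))
    return flows


if __name__ == "__main__":
    for pair, stats in find_beacons(make_sample_flows()).items():
        print(pair, stats)
```

Real implants add deliberate jitter (often 10 to 30 percent of the interval), so the cv threshold is a tuning knob rather than a constant; the destination being one IP on a fixed port across many hours is what turns a borderline score into something worth pulling the flows for.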
Indicators of Physical Attacks
Access control / tampering:
- Forced, damaged, or bypassed door locks
- Tamper-evident seals broken on devices or server racks
- Unauthorized hardware plugged in (USB, keylogger, rogue AP)
- Cameras obstructed or repositioned
- Missing or swapped hardware components
Social engineering physical indicators:
- Unfamiliar person in restricted area
- Tailgating through access-controlled doors
- Shoulder surfing near workstations
- Dumpster or recycling bin contents disturbed
Device indicators:
- BIOS/UEFI settings changed
- Boot order modified
- Hardware keylogger between keyboard and PC
- Unknown USB devices in ports
Indicators of Network Attacks
Scanning / Reconnaissance
- Port scans: many SYN packets, ICMP sweeps from a single source
- DNS zone transfer attempts
- Unusual number of 404 / 403 errors (web enumeration)
- Spike in failed authentication attempts across network
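Worked example (added here, not part of the original notes): scan and sweep detection from connection records. Only connections whose state is Zeek-style "S0" (a SYN that never got a reply) count, since that is what a port scan looks like in flow data; a source that touches many distinct ports on one host within a window is a vertical scan, one that touches the same port on many hosts is a horizontal sweep. The records and addresses are constructed.

```python
from collections import defaultdict


def detect_scans(records, window=60, threshold=20):
    """records: (epoch, src, dst, dport, conn_state). conn_state follows Zeek's
    naming: "S0" = SYN seen, no reply; "SF" = normal completed connection."""
    buckets = defaultdict(list)
    for ts, src, dst, dport, state in records:
        if state != "S0":                       # completed or rejected connections are not probes
            continue
        buckets[(src, int(ts // window))].append((dst, dport))
    alerts = set()
    for (src, _), hits in buckets.items():
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for dst, dport in hits:
            ports_per_host[dst].add(dport)
            hosts_per_port[dport].add(dst)
        for dst, ports in ports_per_host.items():
            if len(ports) >= threshold:
                alerts.add(("vertical-scan", src, dst, len(ports)))
        for dport, hosts in hosts_per_port.items():
            if len(hosts) >= threshold:
                alerts.add(("horizontal-sweep", src, f"port {dport}", len(hosts)))
    return sorted(alerts)


def make_sample_records():
    """Constructed connection log (invented addresses)."""
    base = 1_700_000_000
    recs = []
    # Vertical scan: one source probes ports 1-40 on 10.0.0.5 within four seconds
    for i, port in enumerate(range(1, 41)):
        recs.append((base + i * 0.1, "198.51.100.9", "10.0.0.5", port, "S0"))
    # Horizontal sweep: the same source probes TCP/445 on thirty hosts
    for i in range(1, 31):
        recs.append((base + 100 + i * 0.2, "198.51.100.9", f"10.0.1.{i}", 445, "S0"))
    # Benign client: completed handshakes to a few services on one host
    for i, port in enumerate([443, 443, 80, 443, 22]):
        recs.append((base + 200 + i, "10.0.0.21", "10.0.0.5", port, "SF"))
    return recs


if __name__ == "__main__":
    for alert in detect_scans(make_sample_records()):
        print(alert)
```

Fixed time buckets are the simplest form; a scanner that throttles to a few probes a minute straddles bucket boundaries and needs a sliding window or a longer window with a lower threshold.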
On-Path / MITM
- ARP table anomalies (multiple IPs → same MAC, or MAC changes suddenly)
- SSL/TLS certificate warnings
- Unexpected SSL interception proxies in the path
- Duplicate IP addresses on the network
DDoS / DoS
- Dramatic spike in inbound traffic volume
- Many connections from diverse IPs to same port
- Service degradation or unavailability
- Bandwidth saturation on edge links
- Amplification traffic: DNS, NTP, SSDP response floods
Exfiltration
- Unusual large outbound transfers (especially after hours)
- Traffic to cloud storage not used before (Mega, Dropbox)
- DNS tunneling: abnormally long DNS queries / high DNS query rate
- ICMP tunneling: unusually large ICMP payloads
- Encrypted traffic to unknown endpoints
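Worked example (added here, not from the original notes) covering both the DGA bullet in the network section and the DNS tunneling bullet above: entropy and vowel ratio of the second-level label separate algorithmically generated names from dictionary words, and per-domain aggregates (query count, share of unique names, mean name length, TXT share) expose a tunnel, where encoded data rides in the leftmost labels. The query log is constructed; the tunnel chunks are derived from SHA-256 just to get unique hex of fixed length, and the registered-domain split is a naive last-two-labels version (real code would consult the Public Suffix List).

```python
import hashlib
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")


def shannon_entropy(s):
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive: last two labels. Assumption for the example; use the PSL in practice."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_dga(sld, min_len=10, min_entropy=3.3, max_vowel_ratio=0.25):
    """High entropy plus almost no vowels is the shape of a generated label;
    long real words (microsoftonline, cloudfront) fail the vowel test."""
    letters = [c for c in sld if c.isalpha()]
    if len(sld) < min_len or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return shannon_entropy(sld) >= min_entropy and vowel_ratio <= max_vowel_ratio


def analyze_dns(queries, tunnel_min_queries=30, tunnel_min_len=50):
    """queries: (client, qname, qtype). Returns DGA candidates and registered
    domains whose query stream looks like a tunnel."""
    dga = set()
    per_domain = defaultdict(list)
    for _client, qname, qtype in queries:
        q = qname.lower().rstrip(".")
        reg = registered_domain(q)
        if looks_dga(reg.split(".")[0]):
            dga.add(reg)
        per_domain[reg].append((q, qtype.upper()))
    tunnels = {}
    for reg, qs in per_domain.items():
        n = len(qs)
        mean_len = sum(len(q) for q, _ in qs) / n
        unique_ratio = len({q for q, _ in qs}) / n   # a tunnel never repeats a name: each one carries new data
        if n >= tunnel_min_queries and mean_len >= tunnel_min_len and unique_ratio >= 0.9:
            tunnels[reg] = {
                "queries": n,
                "mean_len": round(mean_len, 1),
                "unique_ratio": round(unique_ratio, 2),
                "txt_ratio": round(sum(t == "TXT" for _, t in qs) / n, 2),
            }
    return {"dga": sorted(dga), "tunnels": tunnels}


def make_sample_queries():
    """Constructed query log (invented clients and names)."""
    qs = []
    # Tunnel: 60 TXT queries with 48 hex chars of "data" in the leftmost label
    for i in range(60):
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:48]
        qs.append(("10.0.0.7", f"{chunk}.t.exfil.example", "TXT"))
    # DGA-looking names
    for name in ["qvxzkpwtrlmnb.org", "ptxqlowndrkfmb.net"]:
        qs.append(("10.0.0.7", name, "A"))
    # Ordinary traffic, repeated as caches expire
    for name in ["www.example.com", "login.microsoftonline.com", "cdn.example.net"] * 10:
        qs.append(("10.0.0.21", name, "A"))
    return qs


if __name__ == "__main__":
    print(analyze_dns(make_sample_queries()))
```

Mean name length alone is a poor signal (CDN and telemetry names are long too); it is the combination with near-100 percent unique names and a high query rate to one registered domain that distinguishes a tunnel from a busy but legitimate domain.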
Indicators of Application Attacks
Injection Attacks
- Web logs showing SQL syntax in parameters: ' OR 1=1--, UNION SELECT
- Unexpected database errors in app logs
- XSS payloads in URL params: <script>alert(1)</script>
- Command injection: ; ls, && cat /etc/passwd in input fields
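Worked example (added here, not part of the original notes): the injection checks above run over web server access log lines. The request target is URL-decoded twice before matching, so double-encoded payloads are caught as well, and a 5xx status on a line that already carries an injection pattern is tagged separately, since that is the "unexpected database error" case from the list. The log lines are constructed (combined log format, invented addresses and paths).

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx combined log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

PATTERNS = {
    "sqli": re.compile(
        r"'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+"      # ' OR 1=1
        r"|union\s+(?:all\s+)?select"                # UNION SELECT
        r"|;\s*(?:drop|insert|update|delete)\s"      # stacked statements
        r"|/\*.*\*/|--\s", re.I),                    # comment-outs
    "xss": re.compile(
        r"<\s*script|javascript\s*:|on(?:error|load|click|mouseover)\s*=|<\s*(?:img|svg|iframe)\b",
        re.I),
    "cmdi": re.compile(
        r"[;&|`]\s*(?:ls|cat|id|whoami|wget|curl|nc|bash|sh|powershell)\b|\$\(|\|\|", re.I),
}


def decode_target(target):
    """URL-decode twice so a double-encoded payload (%2527 -> %27 -> ') is also caught."""
    return unquote_plus(unquote_plus(target))


def inspect_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, pat in PATTERNS.items() if pat.search(decoded)]
    status = int(m.group("status"))
    if hits and status >= 500:
        # A server error on an injection attempt usually means the payload reached the backend.
        hits.append("server-error-after-payload")
    return {"ip": m.group("ip"), "status": status, "target": decoded, "indicators": hits}


def scan_log(lines):
    """Return the inspected records that carry at least one indicator."""
    return [r for r in (inspect_line(l) for l in lines) if r and r["indicators"]]


# Constructed access log (invented addresses and paths).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.8 - - [10/Oct/2023:13:56:20 +0000] "GET /ping?host=127.0.0.1%3B%20cat%20/etc/passwd HTTP/1.1" 200 2200 "-" "curl/8.0"
192.0.2.10 - - [10/Oct/2023:13:57:00 +0000] "GET /products?id=42 HTTP/1.1" 200 4500 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["ip"], rec["status"], rec["indicators"], rec["target"])
```

Pattern matching on the decoded query string is a first pass, not a verdict: POST bodies are not in the access log at all, and a 200 with a normal response size next to a 200 with a much larger one on the same UNION SELECT request is the detail that says the injection worked.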
Authentication / Authorization
- Spike in failed logins (brute force / credential stuffing)
- Login attempts from unusual geographies or IPs
- Account lockouts across multiple users simultaneously
- Privilege escalation — user accessing resources outside their role
- JWT reuse or manipulation (alg set to none, altered claims such as role or sub, tokens still accepted after logout or expiry)
Application Behavior
- Unexpected file writes or execution in web root
- New admin accounts created without change request
- Application spawning shell processes (RCE indicator)
- Memory usage spikes / crashes (buffer overflow attempts)
- Unexpected outbound connections from app servers
Indicators of Cryptographic Attacks
Downgrade attack indicators:
- TLS 1.0 / SSL 3.0 negotiated despite server supporting TLS 1.2+
- POODLE: SSL 3.0 negotiated with a CBC cipher suite; BEAST: TLS 1.0 negotiated with a CBC cipher suite
- Forced renegotiation in logs
Collision / birthday attack indicators:
- MD5 or SHA-1 still in use for digital signatures or certificates
- Duplicate hash values for different inputs
Weak key indicators:
- Short RSA keys (< 2048-bit)
- Use of deprecated algorithms: DES, RC4, MD5 for integrity
- Default or hardcoded encryption keys in code/config
Certificate issues:
- Self-signed certificates in production
- Certificates with long validity (> 398 days for publicly trusted certificates issued after September 2020)
- Certificates from unknown / untrusted CAs
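Worked example (added here, not the original notes' content) for the cryptographic indicators above: a client-side TLS context that cannot negotiate the weak settings, an audit of a negotiated session (version, cipher, key size, signature hash) that names the matching attack, and an audit of a peer certificate dict in the shape Python's ssl getpeercert() returns (validity length, expiry, self-signed). Session records and the certificate are constructed; the 398-day cap is the CA/Browser Forum limit for publicly trusted certificates.

```python
import ssl


def hardened_client_context():
    """TLS 1.2+ and AEAD suites only: SSL 3.0 / TLS 1.0 CBC (POODLE, BEAST) and RC4
    cannot be negotiated regardless of what the server offers. The weak setting this
    replaces is minimum_version = TLSVersion.SSLv3 or TLSv1 with the default cipher list."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    return ctx


def _is_cbc(cipher):
    c = cipher.upper()
    return not any(tag in c for tag in ("GCM", "CCM", "CHACHA20", "RC4"))


def audit_session(session):
    """session: negotiated parameters as a dict with version, cipher and,
    optionally, key_bits and sig_alg of the server certificate."""
    f = []
    ver, cipher = session["version"], session["cipher"]
    if ver in ("SSLv3", "TLSv1", "TLSv1.1"):
        f.append(f"downgrade:{ver}")
    if ver == "SSLv3" and _is_cbc(cipher):
        f.append("poodle:sslv3-cbc")
    if ver == "TLSv1" and _is_cbc(cipher):
        f.append("beast:tls1.0-cbc")
    if "RC4" in cipher.upper():
        f.append("rc4")
    if session.get("key_bits", 4096) < 2048:
        f.append(f"weak-key:{session['key_bits']}-bit")
    if any(h in session.get("sig_alg", "").lower() for h in ("md5", "sha1")):
        f.append(f"weak-signature:{session['sig_alg']}")
    return f


def audit_peer_cert(cert, now_ts, max_validity_days=398):
    """cert: dict shaped like ssl.SSLSocket.getpeercert(); now_ts: epoch seconds."""
    f = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days = (not_after - not_before) / 86400
    if days > max_validity_days:
        f.append(f"validity:{days:.0f}d")
    if now_ts > not_after:
        f.append("expired")
    if cert.get("issuer") == cert.get("subject"):   # issuer equals subject: self-signed
        f.append("self-signed")
    return f


# Constructed inputs (invented values)
WEAK_SESSION = {"version": "TLSv1", "cipher": "AES128-SHA", "key_bits": 1024,
                "sig_alg": "sha1WithRSAEncryption"}
GOOD_SESSION = {"version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384", "key_bits": 2048,
                "sig_alg": "sha256WithRSAEncryption"}
SELF_SIGNED = {
    "subject": ((("commonName", "intranet.example"),),),
    "issuer": ((("commonName", "intranet.example"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2027 GMT",
}

if __name__ == "__main__":
    print(hardened_client_context().minimum_version)
    print(audit_session(WEAK_SESSION), audit_session(GOOD_SESSION))
    print(audit_peer_cert(SELF_SIGNED, now_ts=1_750_000_000))
```

A cipher name without GCM, CCM or CHACHA20 (AES128-SHA, DES-CBC3-SHA) is a CBC suite in OpenSSL's naming, which is why the version check and the cipher check have to be combined: TLS 1.2 with AES128-SHA is weak but is not POODLE or BEAST.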
Indicators of Password Attacks
Brute Force / Dictionary
- Repeated failed logins from same IP or user account
- Account lockouts triggering across multiple accounts
- High volume of authentication requests in short time
- Login attempts at unusual hours
Credential Stuffing
- Login attempts using known breached credential combos
- Logins from IPs flagged in threat intel feeds
- Multiple accounts locked out simultaneously
- Successful logins followed immediately by suspicious activity
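Worked example (added here, not part of the original notes) for the brute-force and credential-stuffing bullets: a classifier over authentication events that separates the two by shape rather than volume. Brute force is many failures from one source against one or a few accounts; stuffing or spraying is one source touching many accounts with about one attempt each. Any success from a flagged source is listed so the account can be checked for follow-on activity. The events, addresses and account names are constructed.

```python
from collections import defaultdict


def classify_auth_sources(events, brute_min_failures=20, stuffing_min_users=15):
    """events: dicts with ts (epoch seconds), src, user, result ("ok" or "fail")."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "fail"]
        if not failures:
            continue
        failed_users = {e["user"] for e in failures}
        attempts_per_user = len(failures) / len(failed_users)
        if len(failed_users) >= stuffing_min_users and attempts_per_user <= 2:
            kind = "credential-stuffing-or-spray"   # breached list or one password across many accounts
        elif len(failures) >= brute_min_failures and len(failed_users) <= 3:
            kind = "brute-force"                     # hammering a handful of accounts
        else:
            continue
        ts = [e["ts"] for e in evs]
        report[src] = {
            "kind": kind,
            "failures": len(failures),
            "accounts": len(failed_users),
            "span_s": max(ts) - min(ts),
            # successes from a source that is also failing are the accounts to review first
            "successful_accounts": sorted({e["user"] for e in evs if e["result"] == "ok"}),
        }
    return report


def make_sample_auth_events():
    """Constructed authentication log (invented addresses and accounts)."""
    base = 1_700_000_000
    evs = []
    # Brute force: 40 failures against "admin" in two minutes, then a success
    for i in range(40):
        evs.append({"ts": base + 3 * i, "src": "198.51.100.7", "user": "admin", "result": "fail"})
    evs.append({"ts": base + 120, "src": "198.51.100.7", "user": "admin", "result": "ok"})
    # Credential stuffing: one attempt per account from a breached list, one of them lands
    for i in range(25):
        result = "ok" if i == 7 else "fail"
        evs.append({"ts": base + 500 + 2 * i, "src": "203.0.113.44", "user": f"user{i:02d}", "result": result})
    # A real user mistyping twice
    for offset, result in [(900, "fail"), (910, "fail"), (920, "ok")]:
        evs.append({"ts": base + offset, "src": "10.0.0.3", "user": "alice", "result": result})
    return evs


if __name__ == "__main__":
    for src, info in classify_auth_sources(make_sample_auth_events()).items():
        print(src, info)
```

Grouping by source is the simplest cut; stuffing run through a residential proxy pool shows up instead as many sources each making one attempt per account, which needs the same logic applied per account over a longer window (failures across many accounts from many IPs in the same minutes).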
Pass-the-Hash / Pass-the-Ticket (Windows)
- Lateral movement using NTLM hashes without knowing plaintext password
- Mimikatz artifacts: lsass.exe memory read or dumped (Sysmon Event ID 10 with lsass.exe as the target process; procdump or comsvcs.dll MiniDump against lsass)
- Use of built-in Windows tools for lateral movement (PsExec, WMI, RDP)
- Event IDs: 4624 logon type 3 with authentication package NTLM (not Kerberos) and KeyLength 0 on the target host; 4624 logon type 9 (NewCredentials) via logon process seclogo on the source host, the mimikatz pth pattern; 4648 (logon with explicit credentials)
Kerberoasting / AS-REP Roasting
- Large number of Kerberos TGS requests for service accounts
- SPN enumeration from non-privileged accounts
- Event ID 4769 with ticket encryption type 0x17 (RC4) for a user-account SPN, especially many distinct SPNs from one principal in a short burst: the classic Kerberoast indicator
- Event ID 4768 with Pre-Authentication Type 0 (account has "Do not require Kerberos preauthentication"), usually also with encryption type 0x17: AS-REP roasting