Fundamentals
Indicators: IoC, IoA, and TTP
A practical guide to IoCs (Indicators of Compromise), IoAs (Indicators of Attack), and TTPs (Tactics, Techniques, Procedures) — the Pyramid of Pain, how each type is used in detection, operationalization priorities, and how to move up the pyramid.
What IoCs, IoAs, and TTPs Are
- Indicators of Compromise (IoCs) are forensic artifacts that suggest a system has been compromised — file hashes, IP addresses, domain names, registry keys, filenames, mutex names. They are the most common indicator type but also the easiest for attackers to change.
- Indicators of Attack (IoAs) are behavioral patterns observed during an attack — a process injecting into another process, a beaconing pattern in network traffic, an anomalous privilege escalation. IoAs detect the attack while it is happening rather than after the fact.
- Tactics, Techniques, and Procedures (TTPs) are the adversary’s operational methods mapped to frameworks like MITRE ATT&CK. Detecting TTPs means recognizing the behavior itself — “someone is performing credential dumping via T1003” — rather than looking for specific artifacts.
The Pyramid of Pain
The Pyramid of Pain, developed by David Bianco, maps indicator types from easiest for the attacker to change (bottom) to hardest (top):
| Level | Indicator Type | Cost to Attacker | Examples |
|---|---|---|---|
| 6 — TTPs | Tactics, Techniques, Procedures | Very painful — must change their entire approach | Process injection (T1055), Credential dumping (T1003) |
| 5 — Tools | Adversary tooling | Painful — must develop new tools | Cobalt Strike, Mimikatz, BloodHound |
| 4 — Network Artifacts | Network-level patterns | Uncomfortable — must change C2 infrastructure patterns | JA3 fingerprints, URI patterns, C2 protocol variations |
| 3 — Host Artifacts | Host-level traces | Annoying — must change file/registry patterns | Specific registry keys, file paths, mutex names |
| 2 — Domain Names | DNS artifacts | Simple — spin up new domains | C2 domain names, phishing URLs |
| 1 — IP Addresses | Network addresses | Easy — change IP | C2 server IPs |
| 0 — Hash Values | File hashes | Trivial — recompile with a single byte change | SHA256 of malware samples |
The principle: As you move up the pyramid, the defender gains more leverage. A hash blocklist (level 0) costs the attacker seconds to bypass. A TTP detection rule (level 6) forces the attacker to fundamentally change their approach.
IoCs — Indicators of Compromise
IoCs are the most widely used detection artifacts. They answer the question: “Has this exact artifact been seen in my environment?”
Types of IoCs
| IoC Type | Example | Persistence | Evasion Difficulty |
|---|---|---|---|
| File hash (SHA256) | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | Hash never changes for the same file | Trivial — add NOP slide, recompile |
| IP address | 185.220.101.45 | May change hourly with C2 rotation | Easy — botnet rotates IPs |
| Domain name | evil-c2.example.com | Days to weeks | Easy — new domain registration |
| URL/path | http://evil.com/payload.exe | May change per campaign | Easy — change filename |
| Registry key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware | Persists until cleaned | Moderate — must install to registry |
| Mutex name | Global\MSCTF.Asm.System | Unique per variant | Moderate — obfuscated by some malware |
| Certificate serial | 04:DE:AD:BE:EF:CA:FE:00 | Per signed binary | Hard — requires new code signing cert |
IoC Limitations
- Short shelf life: Most IPs and domains have a lifespan of hours to days
- Reactive: You already had to be compromised to collect the indicator
- False sense of coverage: Blocking 10,000 hash values gives little protection against polymorphic malware
- Volume: Good threat intel feeds produce 100K+ indicators — alert fatigue is real
IoAs — Indicators of Attack
IoAs shift from “what is this artifact” to “what is this behavior doing.” They detect attacks in progress rather than artifacts left behind.
IoA Categories
| Category | What It Detects | Example |
|---|---|---|
| Process injection | One process injecting code into another | CreateRemoteThread to explorer.exe |
| Privilege escalation | Unauthorized elevation of privileges | Token manipulation, UAC bypass |
| Credential dumping | Accessing LSASS process memory | MiniDumpWriteDump on lsass.exe |
| Persistence establishment | Malware maintaining foothold across reboots | New service, Run key, scheduled task |
| Lateral movement | Remote service creation or admin share access | PsExec, WMI, WinRM |
| Data staging | Collection of sensitive files before exfiltration | Accessing finance documents from non-finance user |
| C2 beaconing | Regular network check-ins | Consistent 60-second intervals to single IP |
| Discovery | Reconnaissance of the environment | net user /domain, whoami /all, dsquery |
IoA vs IoC — The Key Difference
| Dimension | IoC | IoA |
|---|---|---|
| Detection timing | Post-compromise (artifact left behind) | During-compromise (behavior in progress) |
| Attacker evasion | Trivial (change hash) | Difficult (must change technique) |
| False positive rate | Low (exact match) | Moderate (behavioral matching) |
| Investigation depth | Simple — block the indicator | Complex — requires understanding the technique |
| Examples | C:\Windows\Temp\svchost.exe exists | Process named svchost.exe is making outbound HTTP connections |
SPL — IoA detection for LSASS access (credential dumping):
```spl
index=windows sourcetype=WinEventLog:Sysmon EventCode=10
| search TargetImage="*lsass.exe" (GrantedAccess="0x1010" OR GrantedAccess="0x1410")
| stats count, latest(_time) as _time, values(SourceImage) as SourceProcesses by TargetImage, Computer
| eval alert = "CREDENTIAL THEFT IoA — " . mvjoin(SourceProcesses, ", ") . " accessed lsass.exe with suspicious access mask on " . Computer
| table _time, Computer, SourceProcesses, count, alert
```
TTPs — Tactics, Techniques, and Procedures
TTPs describe how an adversary operates. Detecting at the TTP level means recognizing the attacker’s playbook, not just their tools or artifacts.
MITRE ATT&CK Framework
| Tactic (Why) | Technique (How) | Procedure (Specific Implementation) |
|---|---|---|
| TA0006 Credential Access | T1003.001 LSASS Memory | Mimikatz sekurlsa::logonpasswords |
| TA0005 Defense Evasion | T1055.012 Process Hollowing | Replace svchost.exe process memory with shellcode |
| TA0008 Lateral Movement | T1021.002 SMB/Admin Shares | net use \\target\ADMIN$ /user:Domain\Admin Pass123 and drop payload |
| TA0011 Command and Control | T1071.001 Web Protocols | HTTP beacon every 60s with cookies containing encrypted data |
How to Detect at the TTP Level
| ATT&CK Technique | Behavioral Detection | Tool |
|---|---|---|
| T1003.001 LSASS Memory | Process opening a handle to LSASS with PROCESS_VM_READ | Sysmon Event ID 10 |
| T1055.001 DLL Injection | Process calls CreateRemoteThread to inject a DLL | Sysmon Event ID 8 |
| T1059.001 PowerShell | PowerShell creating a runspace with -EncodedCommand | PowerShell logging (ScriptBlock logging) |
| T1071.001 Web Protocols | Beacon timing pattern in netflow data | RITA, Zeek, SIEM correlation |
| T1021.002 SMB Lateral Movement | Event ID 5140 (file share access) from non-file server to ADMIN$ | Windows Security log |
| T1562.001 Disable AV | Stopping or disabling Windows Defender | Event ID 5000, 5001 (Defender state change) |
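The beacon-timing row above (T1071.001) is the one TTP-level detection in this table that needs no host telemetry at all. The following is an added example, not code from the original page or from RITA/Zeek: it groups constructed flow records by (source, destination) and flags pairs whose inter-arrival times are nearly constant, so the detection survives a change of C2 IP or domain. The thresholds are assumptions to tune against your own traffic.

```python
"""Beacon-timing detection (T1071.001) over constructed netflow records.

Added example: flags (src, dst) pairs whose connection gaps are regular,
independent of which IP or domain the beacon talks to.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (timestamp_seconds, src_ip, dst_ip). The first pair
# checks in every ~60 s with small jitter; the second is bursty browsing.
FLOWS = (
    [(t, "10.0.0.5", "203.0.113.7") for t in (0, 61, 119, 181, 240, 301, 359, 420)]
    + [(t, "10.0.0.9", "198.51.100.2") for t in (0, 3, 4, 90, 91, 400, 402, 900)]
)


def interarrival_stats(timestamps):
    """Return (mean gap, coefficient of variation) for sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    return mu, (pstdev(gaps) / mu if mu else float("inf"))


def find_beacons(flows, min_connections=6, max_cv=0.15):
    """Return {(src, dst): (mean_gap, cv)} for pairs that look like beacons.

    Low coefficient of variation (stdev / mean) means regular gaps. The
    min_connections and max_cv defaults are assumptions for this example.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        mu, cv = interarrival_stats(stamps)
        if cv <= max_cv:
            hits[pair] = (round(mu, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (mu, cv) in find_beacons(FLOWS).items():
        print(f"beacon candidate {src} -> {dst}: every {mu}s (cv={cv})")
```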
Operationalizing — Moving Up the Pyramid
Current State Assessment
| Detection Level | Typical Maturity | Effort to Implement |
|---|---|---|
| Hash blocklists | Every SOC has them | Low |
| IP/domain blocklists | Most SOCs have them | Low |
| Host artifact rules | Mature SOCs | Medium |
| Network artifact rules | Mature SOCs | Medium |
| Tool-behavioral detection | Advanced SOCs | High |
| TTP-level detection | Advanced SOCs + Purple Team | High |
Practical Steps to Move Up
| From (Level) | To (Level) | How |
|---|---|---|
| Hash blocklist | Host artifact | Create YARA rules that detect malware characteristics (sections, strings, structure) rather than exact hashes |
| IP blocklist | Network artifact | Write Snort/Suricata rules based on C2 protocol behavior (packet size, timing, TCP flags) |
| Single IoC | Contextual IoA | Correlate multiple data sources — file creation + network connection + registry change in the same process tree |
| IoA | TTP | Map behavioral detections to MITRE ATT&CK techniques. Write rules that say “if this technique pattern fires, it’s likely APT group X” |
| Tool-specific | Generic TTP | Instead of “detect Mimikatz” write “detect any process reading LSASS memory” |
SPL — TTP Detection for Credential Dumping (Generic)
```spl
index=windows sourcetype=WinEventLog:Sysmon
| search EventCode=10 TargetImage="*lsass.exe"
| lookup suspicious_access_masks.csv GrantedAccess OUTPUT label
| where isnotnull(label)
| eval alert = "TTP DETECTION (T1003.001): " . SourceImage . " accessed lsass.exe — possible credential dumping"
| table _time, Computer, SourceImage, TargetImage, GrantedAccess, label, alert
| sort 0 _time
```
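Both SPL searches above still key on specific access-mask values (0x1010, 0x1410, or a lookup of known masks). The following is an added example, not code from the original page: it decodes the Sysmon Event ID 10 GrantedAccess field as a bitmask and fires on any handle to lsass.exe that carries PROCESS_VM_READ, which is the generic form of the "Tool-specific → Generic TTP" step. The sample events and the empty allowlist are constructed assumptions.

```python
"""Generic T1003.001 detection over constructed Sysmon Event ID 10 records.

Added example: flags any process granted PROCESS_VM_READ on lsass.exe,
whatever the exact mask, instead of matching a list of known mask strings.
"""
# Win32 process access right that memory dumping needs (Sysmon logs the
# whole mask as a hex string in GrantedAccess).
PROCESS_VM_READ = 0x0010

# Constructed sample events in the shape of Sysmon EID 10 (ProcessAccess).
EVENTS = [
    {"EventCode": 10, "Computer": "WS01", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventCode": 10, "Computer": "WS01", "SourceImage": r"C:\tools\dumper.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventCode": 10, "Computer": "WS02", "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventCode": 10, "Computer": "WS02", "SourceImage": r"C:\tools\dumper.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
    {"EventCode": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\cmd.exe"},
]


def is_lsass_read(event):
    """True when a ProcessAccess event grants memory-read rights on lsass.exe."""
    if event.get("EventCode") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    mask = int(event["GrantedAccess"], 16)
    return bool(mask & PROCESS_VM_READ)


def detect_credential_dumping(events, allowlist=()):
    """Return one alert per event matching the generic T1003.001 pattern.

    allowlist: lower-cased SourceImage paths known to read LSASS legitimately
    (e.g. your EDR sensor); empty here, populate it from your own baseline.
    """
    alerts = []
    for ev in events:
        if not is_lsass_read(ev) or ev["SourceImage"].lower() in allowlist:
            continue
        alerts.append({"technique": "T1003.001", "host": ev["Computer"],
                       "source": ev["SourceImage"], "mask": ev["GrantedAccess"]})
    return alerts


if __name__ == "__main__":
    for a in detect_credential_dumping(EVENTS):
        print(f"TTP DETECTION ({a['technique']}): {a['source']} read lsass.exe on {a['host']} (mask {a['mask']})")
```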
Related
- EDR Basics — detection and response for T1059, T1003, T1055, T1204, T1562 techniques
- Kill Chain — covers the kill chain concepts
- Living-off-the-Land Binaries — how living-off-the-land binary attacks work and how to detect them
- Process Injection (T1055) — detection and response for T1055 techniques
- Cobalt Strike — Detection and Beacon Analysis — detection and response for T1055, T1572, T1071 techniques
