Indicators of Compromise or Attack

• Indicators of Compromise are data on a system which indicates it may have been compromised or hacked.
  • For example, in Active Directory an IOC might be an AD account with domain-admin privileges and no username (or an unusual/disguised username)
• Indicators of Attack are data on a system which indicates it may have been attacked
  • For example, dozens of failed login attempts to a single user account.
• In MITRE ATT&CK, Detections might include IOCs or Indicators of Attack

Metadata

Sources

Tags

#defs_sec