Nice — here’s a compact, practical reference you can use for detection, hunting and response: what IoCs are, the common attack patterns they map to (MITRE ATT&CK), concrete observables to watch for, example rules/queries (Sigma, YARA, Splunk, KQL) and an operational checklist / quick playbook.

What is an IoC (Indicator of Compromise)

An IoC is a technical observable (or a logical pattern of observables) that, when seen in your environment, suggests malicious activity or compromise — e.g., a file hash, IP address, domain, suspicious process parent/child relationship, registry key, YARA signature, etc. IoCs are most useful when enriched with context (who, where, time, threat actor & campaign).

High‑level attack patterns (common stages / MITRE ATT&CK mapping)

These are the recurring attacker behaviors you should model detectors and hunts around:

• Initial access: phishing, malicious web downloads, exposed RDP. (ATT&CK: Initial Access)
• Execution: script or binary execution (powershell, wscript, rundll32). (Execution)
• Persistence: scheduled tasks, services, registry Run keys. (Persistence)
• Privilege escalation: token manipulation, vulnerable service installs. (Privilege Escalation)
• Lateral movement: remote service misuse, SMB, WMI, RDP. (Lateral Movement)
• Credential access: credential dumping, keyloggers. (Credential Access)
• Defense evasion: timestomping, obfuscation, disabling logs. (Defense Evasion)
• Command & Control (C2): beacons to C2 IPs/domains, unusual DNS. (C2)
• Exfiltration: unusual outbound transfers, odd data staging. (Exfiltration)

Use the MITRE ATT&CK matrix to map techniques to detections and controls.

Concrete IoC types & examples to track

Network

• Destination IPs / ports that are unusual or on threat feeds
• Domains and full URLs (especially newly registered or homograph domains)
• Unusual DNS queries (large TXT requests, domains with high entropy) Host
• File hashes (SHA256)
• Suspicious filenames/paths (e.g., %TEMP%\<random>.exe, C:\Windows\Tasks\* created by non-admin user)
• New or changed services, scheduled tasks, driver loads
• Registry Run keys / WMI persistence entries Logs / Behavioural
• Process parent/child anomalies (e.g., explorer.exe spawning cmd.exe with encoded args)
• Unusual PowerShell command lines / encoded commands
• New network connections from uncommon processes (Office app creating outbound TCP to remote IP) Artifacts / Signatures
• YARA signatures for family strings
• Mutex names created by malware
• SSL certificate fingerprints used by C2

(Cloud-specific IoCs also include IAM policy changes, suspicious API calls, new external storage buckets, and unusual console logins).

Useful Windows event sources & Sysmon events to enable

(Use an EDR + central SIEM to collect these)

• Sysmon Event ID 1 – ProcessCreate (very high value for process lineage).
• Sysmon Event ID 3 – Network connection (maps processes to outbound connections).
• File creation / file write events (can show payload drops).
• Event logs for service creation, scheduled tasks, driver loads

Example detection / hunting artefacts (copy‑pasteable)

Sigma (conceptual Sigma rule — adapt to your SIEM)

title: Suspicious PowerShell Encoded Command
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 1
    Image|endswith: '\powershell.exe'
    CommandLine|contains: '-EncodedCommand'
  condition: selection
level: high

(Translate Sigma to Splunk/Elastic using your toolchain.)

YARA (simple example)

rule Suspicious_Dropper_String {
  meta:
    author = "Analyst"
    description = "Detects suspicious dropper string"
  strings:
    $s1 = "CreateRemoteThread" ascii
    $s2 = "VirtualAllocEx" ascii
  condition:
    (any of ($s*))
}

(Use YARA on file stores / malware sandboxes.)

Splunk example (hunt for Office spawning cmd with URL)

index=wineventlog EventCode=1 AND Image="*\\WINWORD.EXE" 
| search CommandLine="*http*"
| table _time, host, User, Image, ParentImage, CommandLine, DestinationIp

Elastic/KQL example (processes making external connections)

process.name: "powershell.exe" and network.direction: "outbound" and not process.parent.name: "explorer.exe"

Prioritization guidance for IoCs

• High priority: confirmed hashes from threat intel, known C2 IPs/domains tied to active campaigns, newly created privileged accounts, process creation with suspicious parent/child combos.
• Medium: suspicious but common noisy events (unusual ports, certain DNS anomalies).
• Low: stale IoCs (old hashes) — verify provenance & TTL from feed.

Quick incident playbook (short)

1. Detect — trigger from SIEM/EDR when IoC matches (process create, network connection, YARA hit).
2. Triage — capture host snapshot, process tree, network connection list, user context, timeline.
3. Contain — isolate host or block IP/domain at perimeter; disable compromised credentials.
4. Eradicate — remove malicious files, uninstall persistence mechanisms, rotate credentials, patch exploited vector.
5. Recover — restore from clean backups, validate system integrity, strengthen monitoring.
6. Hunt & Lessons — scour other hosts for same IoCs, tune detection rules, update playbooks and blocklists.

Operational tips

• Always enrich atomic IoCs with context: first seen, source feed, confidence, associated campaign, affected assets.
• Use behavioral detections (process lineage, anomalous network patterns) in addition to atomic indicators — attackers frequently change file hashes and domains.
• Maintain automated ingestion of quality feeds and implement TTL/expiration to avoid stale blocking.