Indicators of Compromise (IOC)
Indicators of Compromise (IOCs) are observable artifacts that evidence malicious activity. When an analyst finds an IOC, they can correlate it across systems, block it in the infrastructure, and share it with the community.
Types of IOC
Stability of each type (most to least stable):
File hash ─── High stability (attacker must recompile)
TLS certificate ─── High (rare to rotate)
Mutex/Named pipe ─── High (hardcoded in malware)
Traffic pattern ─── High (C2 behavior)
IP address ─── Medium (can change quickly)
Domain/URL ─── Medium (registered fast, discarded fast)
File path ─── Low (easy to change)
David Bianco’s “Pyramid of Pain”: behavioral IOCs (TTPs) cause more pain to the attacker when detected than simple hashes.
File hashes
# Calculate hash of suspicious file
sha256sum /tmp/document.exe
# Output: e3b0c44298fc1c149... /tmp/document.exe
md5sum /tmp/document.exe
# Output: d41d8cd98f00b204e... /tmp/document.exe
# Look the hash up in an IOC database (VirusTotal CLI) without uploading the sample
vt file "$(sha256sum /tmp/document.exe | cut -d' ' -f1)"
Share only SHA-256 in reports. MD5 and SHA-1 have known collisions.
Malicious IPs and domains
# Check IP against reputation feeds
curl -s "https://otx.alienvault.com/api/v1/indicators/IPv4/203.0.113.9/reputation"
# Block IP on internal firewall (lab environment)
iptables -I INPUT -s 203.0.113.9 -j DROP
# Resolve the domain through a public resolver; an internal sinkhole resolver would answer with the sinkhole address instead
dig @8.8.8.8 evil-c2.example.com
Free feed sources: AlienVault OTX, Abuse.ch, Spamhaus, MalwareBazaar, URLhaus.
Sharing formats
STIX 2.1 (Structured Threat Information Expression):
{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--a8f67b2c-...",
  "created": "2026-06-25T00:00:00.000Z",
  "modified": "2026-06-25T00:00:00.000Z",
  "name": "Malware hash — Emotet loader",
  "indicator_types": ["malicious-activity"],
  "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149...']",
  "pattern_type": "stix",
  "valid_from": "2026-06-25T00:00:00Z"
}
TAXII is the transport protocol for automated exchange of STIX feeds between platforms.
YARA rules
YARA identifies malware by patterns in bytes, strings, or file structure.
rule Emotet_Loader_2026 {
    meta:
        description = "Detects Emotet loader variant — analysis environment"
        author = "Blue Team Lab"
        date = "2026-06-25"
    strings:
        $s1 = "GlobalMutex_Emotet" ascii
        $s2 = { 60 89 E5 31 C0 64 8B 50 30 } // loader byte sequence
        $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
    condition:
        uint16(0) == 0x5A4D and // PE header (MZ)
        filesize < 500KB and
        2 of ($s1, $s2, $s3)
}
# Run YARA against suspicious directory
yara -r rules/emotet.yar /mnt/analysis/
# Integrate with ClamAV, which loads YARA rules directly (no conversion step)
clamscan -r -d rules/emotet.yar /mnt/analysis/
IOC management with MISP
MISP (Malware Information Sharing Platform) is the standard open-source platform for IOC management and sharing.
MISP flow:
Analyst discovers IOC
│
▼
Creates event in MISP (TLP classification: Green, Amber, Red)
│
▼
Distributes to trusted community (ISAC, partners)
│
▼
Platforms consume via API and block automatically
IOC quality
A poorly generated IOC pollutes feeds and causes false positives. Checklist:
[ ] Hash computed over confirmed malicious file (not merely suspicious)
[ ] IP/domain validated — not legitimate compromised infrastructure
[ ] Context documented: campaign, date, confidence level
[ ] TLP defined — controls who can receive it
[ ] Expiry date set — outdated IOCs without review cause noise
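The STIX 2.1 indicator from the sharing-formats section and the quality checklist above, worked as an added Python example (not code from the original page): it builds an indicator for a file's SHA-256 with the created/modified fields, an explicit valid_until expiry and a TLP:AMBER marking, runs the checklist over it, and evaluates the hash pattern against an observed hash while honouring the validity window. The sample file bytes, the fixed clock and the indicator name are constructed; only the standard library is used.

```python
import hashlib
import re
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample file bytes and a fixed clock so the example is deterministic.
SAMPLE_FILE = b"MZ\x90\x00constructed-sample-loader-bytes"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_FILE).hexdigest()
DEMO_NOW = datetime(2026, 6, 25, tzinfo=timezone.utc)
AFTER_EXPIRY = DEMO_NOW + timedelta(days=91)
TLP_AMBER = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"  # TLP:AMBER id, STIX 2.1 spec
STIX_TS = "%Y-%m-%dT%H:%M:%S.%fZ"  # STIX timestamp: UTC with fractional seconds
PATTERN_RE = re.compile(r"^\[file:hashes\.'SHA-256' = '([0-9a-f]{64})'\]$")


def make_indicator(file_bytes: bytes, name: str, now: datetime, ttl_days: int = 90) -> dict:
    """Build a STIX 2.1 Indicator for a file's SHA-256 with expiry and TLP marking set."""
    stamp = now.strftime(STIX_TS)
    return {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
        "created": stamp, "modified": stamp, "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[file:hashes.'SHA-256' = '{hashlib.sha256(file_bytes).hexdigest()}']",
        "pattern_type": "stix", "valid_from": stamp,
        "valid_until": (now + timedelta(days=ttl_days)).strftime(STIX_TS),
        "object_marking_refs": [TLP_AMBER],
    }


def quality_check(ind: dict) -> list:
    """Return the checklist items the indicator fails; an empty list means it passes."""
    problems = [f"missing required field {k}" for k in
                ("created", "modified", "pattern", "pattern_type", "valid_from") if k not in ind]
    if "valid_until" not in ind:
        problems.append("no expiry date: stale IOC will generate noise")
    if not ind.get("object_marking_refs"):
        problems.append("no TLP marking: sharing scope undefined")
    if not PATTERN_RE.match(ind.get("pattern", "")):
        problems.append("pattern is not a single SHA-256 file-hash comparison")
    return problems


def matches(ind: dict, observed_sha256: str, now: datetime) -> bool:
    """Evaluate the hash pattern against an observed hash, honouring the validity window."""
    m = PATTERN_RE.match(ind.get("pattern", ""))
    start = datetime.strptime(ind["valid_from"], STIX_TS).replace(tzinfo=timezone.utc)
    end = ind.get("valid_until")
    expired = bool(end) and now >= datetime.strptime(end, STIX_TS).replace(tzinfo=timezone.utc)
    return bool(m) and start <= now and not expired and m.group(1) == observed_sha256.lower()
```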