Indicators of Compromise#
Reference catalog of the indicator types that show up in CTI
feeds, detections, hunts, and incident-response notes. Each row
gives the indicator, what it identifies, a regex pattern an
operator can use to extract it from logs / text, and one or two
real-world examples. Patterns are PCRE-flavoured (Perl /
PHP / Python re compatible); adjust anchors and word
boundaries when wrapping into grep -E (escape {}) or
ripgrep.
For tooling that consumes these patterns at scale, see
YARA (file content), Sigma (log queries), and
STIX 2.1 indicator objects.
Network#
Indicator |
Identifies |
Regex |
Example |
|---|---|---|---|
IPv4 address |
Host on an IP network. |
|
|
IPv4 CIDR |
Network block / subnet. |
|
|
IPv6 address |
Host on an IPv6 network (loose form). |
|
|
MAC address |
Layer-2 hardware address. |
|
|
FQDN / hostname |
DNS-resolvable name. |
|
|
Defanged domain |
Common CTI-share-safe form. |
|
|
URL |
Resource locator. |
|
|
Defanged URL |
URL with neutered scheme / dots. |
|
|
Email address |
Mailbox. |
|
|
ASN |
Autonomous System number. |
|
|
Port |
TCP / UDP port number (1-65535). |
|
|
User-Agent |
HTTP client signature. |
|
|
JA3 / JA3S fingerprint |
TLS client / server fingerprint. |
|
|
JARM fingerprint |
TLS server JARM (62-char). |
|
|
File#
Indicator |
Identifies |
Regex |
Example |
|---|---|---|---|
MD5 hash |
128-bit message digest (legacy). |
|
|
SHA-1 hash |
160-bit digest (legacy). |
|
|
SHA-256 hash |
256-bit digest (primary IOC form). |
|
|
SHA-384 hash |
384-bit digest. |
|
|
SHA-512 hash |
512-bit digest. |
|
|
ssdeep fuzzy hash |
Context-triggered piecewise hash. |
|
|
imphash |
PE import-table hash (MD5). |
|
|
PE rich header hash |
Rich-header-derived fingerprint. |
|
|
Filename (Windows) |
File-system filename. |
|
|
File path (Windows) |
Absolute path. |
|
|
File path (POSIX) |
Absolute path on Linux / macOS. |
|
|
Mutex / named pipe |
Inter-process synchronization name. |
|
|
Process / Host#
Indicator |
Identifies |
Regex |
Example |
|---|---|---|---|
Windows registry key |
HKEY tree path. |
|
|
Service name (Windows) |
SCM service. |
|
|
Scheduled task path |
Task-scheduler path. |
|
|
PowerShell EncodedCommand |
Base64-encoded PS payload. |
|
|
WMI EventConsumer |
WMI-persistence stub. |
|
|
LOLBin name |
Living-off-the-land binary. |
|
|
Identity#
Indicator |
Identifies |
Regex |
Example |
|---|---|---|---|
Username (SAM) |
Local Windows account name. |
|
|
UPN / domain user |
DOMAINuser or user@upn. |
|
|
SID (Windows) |
Security identifier. |
|
|
GUID / UUID |
Globally unique identifier. |
|
|
JWT |
JSON Web Token. |
|
|
AWS access key ID |
IAM credential prefix. |
|
|
AWS secret access key |
40-char secret (often quoted). |
|
|
GCP service-account key |
JSON file private-key field. |
|
|
Slack bot token |
Slack OAuth bot token. |
|
|
GitHub PAT (classic) |
Personal access token. |
|
|
GitHub PAT (fine-grained) |
2022+ fine-grained PAT. |
|
|
Crypto / Web3#
Indicator |
Identifies |
Regex |
Example |
|---|---|---|---|
Bitcoin address (Base58) |
Legacy P2PKH (1…) or P2SH (3…). |
|
|
Bitcoin address (Bech32) |
Native SegWit (bc1…). |
|
|
Ethereum address |
EVM account / contract. |
|
|
Monero address |
95-char Base58 (4… or 8…). |
|
|
Solana address |
32-44 char Base58 (no leading 0). |
|
|
PGP fingerprint |
40-char hex (with optional spaces). |
|
|
Detection / catalog#
Indicator |
Identifies |
Regex |
Example |
|---|---|---|---|
CVE |
Common Vulnerabilities and Exposures. |
|
|
CWE |
Common Weakness Enumeration. |
|
|
CAPEC |
Common Attack Pattern Enumeration. |
|
|
MITRE ATT&CK technique |
Technique / sub-technique. |
|
|
MITRE ATT&CK tactic |
Tactic identifier. |
|
|
MITRE ATT&CK group |
Threat-actor group. |
|
|
MITRE ATT&CK software |
Tool / malware family. |
|
|
MITRE ATT&CK mitigation |
Defensive control. |
|
|
MITRE ATT&CK data source |
Data-source ID. |
|
|
YARA rule name |
Identifier inside |
|
|
Sigma rule id (UUID) |
|
|
|
STIX 2.1 indicator id |
STIX SDO identifier. |
|
|
CVSS v3 vector |
Severity-vector string. |
|
|
CVSS v4 vector |
2023+ vector form. |
|
|
Pivots#
From |
To |
|---|---|
SHA-256 |
VirusTotal ( |
Domain |
urlscan.io ( |
IPv4 |
Shodan ( |
JA3 |
SSLBL JA3 db, JA3er, Salesforce ja3 hash db. |
YARA hit |
Malpedia / MalwareBazaar tag, Mandiant family page, related YARA on YARAify. |
Crypto address |
Chainalysis Public Tools ( |
References#
STIX 2.1 specification, authoritative indicator-typing.
MISP Indicator Types, practical superset.
MITRE ATT&CK, technique catalog.
MalwareBazaar (abuse.ch), sample exchange, family tags.
URLhaus, live distribution URLs.
ThreatFox, per-family IOCs.
Sigma, generic log-query signature format.
YARA, the pattern format for file-content rules.
Malware, the family catalog these IOCs annotate.
Hacker Groups, the operating crews.
MITRE ATT&CK, the cross-walk catalog.