Skip to content
APT Intelligence -- IOC vs IOA

IOC vs IOA Reference

Why APTs deliberately rotate IOCs to defeat signature-based detection -- and why behavioural detection (IOA) is essential for catching nation-state actors. Practical examples of each, with detection logic for IOAs.

IOC -- Indicator of Compromise

Forensic artefacts proving a breach occurred

Static, specific, and fragile. Once known, an APT actor can change them in minutes. An APT group can generate thousands of new C2 domains per campaign.

Examples

192.168.1.1 (C2 IP)
malware.exe (file hash)
evil.com (C2 domain)
d41d8cd98f00b... (MD5 hash)
HKCU\...\Run\MalKey (registry)
Lifespan: Hours to days. APT C2 IP changed -- detection fails immediately. Sidewinder operates hundreds of C2 domains and rotates them continuously.

IOA -- Indicator of Attack

Behavioural patterns revealing attacker intent

Durable, behavioural, and hard to change. An APT cannot change their core TTPs without retraining their entire team. The way Sidewinder uses EQNEDT32 has not changed since 2017.

Examples

EQNEDT32.EXE spawning cmd.exe
Office app making outbound HTTP
PowerShell -enc from Office process
LSASS accessed by non-AV process
ntdsutil.exe with IFM argument
Lifespan: Months to years. The pattern "Office spawns PowerShell spawns download" has been used by multiple APT groups for 7+ years with minimal variation.

The Pyramid of Pain

David Bianco's Pyramid of Pain describes how difficult it is for an attacker to change each type of indicator. Higher in the pyramid = more painful for the attacker if detected.

Hash Values
Malware file hashes -- Trivial -- single byte change creates a new hash. Most AV signatures are here.
IP Addresses
C2 server IPs -- Trivial -- new VPS provisioned in hours.
Domain Names
C2 domains -- Easy -- new domain registered in minutes. Where most TI feeds focus.
Network/Host Artefacts
Registry keys, mutexes, log patterns -- Moderate -- can be changed but requires code modification.
Tools
Malware, exploit frameworks used -- Hard -- requires developing or purchasing new tooling.
TTPs
Attacker behaviour and methodology -- Extremely hard -- requires retraining the entire team. This is where IOAs live.

Real IOA Examples with Detection Logic