{"id":12887,"date":"2025-04-16T12:41:35","date_gmt":"2025-04-16T12:41:35","guid":{"rendered":"\/cybersecurity-blog\/?p=12887"},"modified":"2025-05-12T14:05:02","modified_gmt":"2025-05-12T14:05:02","slug":"iocs-iobs-ioas-explained","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/","title":{"rendered":"How Indicators of Compromise, Attack, and Behavior Help Spot and Stop Cyber Threats"},"content":{"rendered":"\n<p>In cybersecurity, the three main types of indicators are a critical concept for threat detection and response. These main types are <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-pivoting\/\">indicators of compromise<\/a>, behavior, and attack (IOCs, IOBs, IOAs). Let\u2019s elaborate on their essence, difference, and use. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Distinction in a Nutshell&nbsp;<\/h2>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-234\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"4\"\n           data-rows=\"6\"\n           data-wpID=\"234\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                  
  data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        IOCs                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        IOBs\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        IOAs\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Definition\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                     
                   Artifacts or observables that suggest a system has already been compromised\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Patterns or activities that indicate an attack is in progress or imminent\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Describes the adversary's TTPs (Tactics, Techniques, and Procedures), often abstracted from specific tools or campaigns\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Nature\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                   
                     Reactive\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Proactive\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D3\"\n                    data-col-index=\"3\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Strategic\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Type\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Technical evidence left behind\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                 
   data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Behavioral analysis\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D4\"\n                    data-col-index=\"3\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        High-level behavioral models\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Purpose\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Help identify intrusions and data breaches\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    
>\n                                        Detect and block attacks before they succeed\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D5\"\n                    data-col-index=\"3\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Understand and profile attackers across campaigns or tools\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Use\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Used in threat detection tools like SIEM, IDS\/IPS, antivirus, and EDR.\u00a0Help correlate logs and trace how an attack occurred.\u00a0Often shared via threat intelligence feeds.\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n       
             >\n                                        Applied in real-time detection by EDR\/XDR platforms.\u00a0Used in behavioral analytics and heuristics.\u00a0Focus on what the attacker is trying to do, not just the tools used.\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D6\"\n                    data-col-index=\"3\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Used in threat modeling, proactive defense, and red teaming.\u00a0Integrated into MITRE ATT&CK mapping, behavior-based threat hunting.\u00a0Help anticipate novel attack chains and identify APTs.\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-234'>\ntable#wpdtSimpleTable-234{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-234 td, table.wpdtSimpleTable234 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise&nbsp;<\/h2>\n\n\n\n<p>IOCs are pieces of evidence that suggest that&nbsp;a system, network, or device has been compromised by a cyberattack or malicious activity. They are typically reactive, meaning they are identified after an attack has occurred.&nbsp;<\/p>\n\n\n\n<p>The main purpose of IOCs is to help detect and confirm security incidents with known threats or malware. They serve as forensic evidence in incident investigations and are necessary for adequate incident response and mitigation.&nbsp;<\/p>\n\n\n\n<p>More often than not IOCs are specific \u2014 tied to a particular malware or campaign. 
&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">IOCs can be classified into: &nbsp;<\/h3>\n\n\n\n<div class=\"wp-block-cover\"><span aria-hidden=\"true\" class=\"wp-block-cover__background has-background-dim\" style=\"background-color:#073433\"><\/span><img loading=\"lazy\" decoding=\"async\" width=\"1920\" height=\"1080\" class=\"wp-block-cover__image-background wp-image-12904\" alt=\"background\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background.png\" data-object-fit=\"cover\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background.png 1920w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-740x416.png 740w\" sizes=\"(max-width: 1920px) 100vw, 1920px\" \/><div class=\"wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-1 wp-block-group-is-layout-grid\">\n<ul class=\"wp-block-list\">\n<li><strong>File-based<\/strong>: malicious file hashes (e.g., MD5, SHA-1, SHA-256), known malware signatures.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Network-based<\/strong>: suspicious IP addresses, domains, URLs, or unusual traffic patterns (e.g., connections to a known command-and-control server).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>System-based<\/strong>: registry key changes, unauthorized user accounts, or suspicious processes running.&nbsp;<\/li>\n<\/ul>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\n<p>Although reactive by nature, IOCs are of immense help in threat prevention. When used smartly, they can be turned into controls that block, disrupt, or preempt similar attacks in the future.&nbsp;<\/p>\n\n\n\n<p>This function is provided by threat intelligence: SOC teams collect indicators associated with known malware and incidents (malicious IPs, domains, file hashes, or URLs)&nbsp;and blacklist them in their security systems to prevent future communication or execution associated with those IOCs.&nbsp;<\/p>\n\n\n\n<p>For example, a phishing domain seen in a past attack is added to the block list, preventing any user from accessing it if it is reused. Potential IOCs can be checked with the help of services like <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=iocs_iobs_ioas&amp;utm_term=160425&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>\u2019s <a href=\"http:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=iocs_iobs_ioas&amp;utm_term=160425&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>. 
&nbsp;It searches for information from malware samples added and analyzed in the <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=iocs_iobs_ioas&amp;utm_term=160425&amp;utm_content=linktosandbox\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a>:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522destinationIP:%255C%2522147.185.221.26%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">destinationIP:&#8221;147.185.2<\/a><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=iocs_iobs_ioas&amp;utm_term=160425&amp;utm_content=linktolookup#%7B%2522query%2522:%2522destinationIP:%255C%2522147.185.221.26%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">2<\/a><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522destinationIP:%255C%2522147.185.221.26%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">1.26&#8243;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"718\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-9-1024x718.png\" alt=\"\" class=\"wp-image-12908\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-9-1024x718.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-9-300x210.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-9-768x538.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-9-1536x1076.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-9-370x259.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-9-270x189.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-9-740x519.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-9.png 2038w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The IP is flagged as malicious, linked to known malware, and should be blocked<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Another way of using IOCs for proactive protection is setting up decoys (honeypots or honeytokens) to monitor access to known indicators or infrastructure that mimics IOC traits.&nbsp;<\/p>\n\n\n\n<p>Finally, IOCs reveal which vulnerabilities are being exploited, so teams can prioritize patching or tighten firewall rules accordingly.&nbsp;<\/p>\n\n\n\n<p>IOCs have their limitations, though. They may not help detect brand-new or advanced threats. Keep in mind that attackers can easily change IOCs (e.g., domains, hashes), so IOC-based prevention is only as effective as the freshness and context of the indicators. Context also helps reduce false positives in detection. &nbsp;<\/p>\n\n\n\n<p>Context can also be provided by TI Lookup: it supports over 40 search parameters and wildcards, which allow indicators and parameters to be combined into complex search queries: <\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=iocs_iobs_ioas&amp;utm_term=160425&amp;utm_content=linktolookup#%7B%2522query%2522:%2522(syncObjectName:%255C%2522PackageManager%255C%2522%2520or%2520syncObjectName:%255C%2522DocumentUpdater%255C%2522)%2520and%2520syncObjectOperation:%255C%2522Create%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">(syncObjectName:&#8221;PackageManager&#8221; or syncObjectName:&#8221;DocumentUpdater&#8221;) and syncObjectOperation:&#8221;Create&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"406\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-4-1024x406.png\" alt=\"\" class=\"wp-image-12910\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-4-1024x406.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-4-300x119.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-4-768x304.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-4-1536x609.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-4-370x147.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-4-270x107.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-4-740x293.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-4.png 2044w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Combining several IOCs in one search request helps to enrich the indicators with context<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Mutexes often generate false-positive alerts in monitoring systems. Malware samples can contain the same objects as legitimate programs, and a lot of mutex names are generic.&nbsp;<\/p>\n\n\n\n<p>Switching to the Analyses tab in the search results, we see that the combination of mutexes with such innocent, generic names as PackageManager and DocumentUpdater occurs in malware campaigns of the MuddyWater APT group from Iran, which is exactly as dangerous as an APT group from Iran is supposed to be.&nbsp;&nbsp;<\/p>\n\n\n\n<p>On the other hand, this combination of mutexes was last spotted in malware samples about four months ago, which lets us consider this signal obsolete. &nbsp;<\/p>\n\n\n\n<p>Security teams share IOCs via threat intelligence feeds: continuously updated data streams of indicators from fresh malware samples, integrated with monitoring and detection systems. 
ANY.RUN <a href=\"https:\/\/intelligence.any.run\/feeds\" target=\"_blank\" rel=\"noreferrer noopener\">provides<\/a> Threat Intelligence Feeds in STIX and MISP formats.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Behavior&nbsp;<\/h2>\n\n\n\n<p>IOBs focus on patterns or behaviors that suggest malicious activity, rather than specific artifacts or static signatures. They describe how an attacker operates, often in terms of tactics, techniques, and procedures (TTPs). 
In other words, these indicators focus on what an attacker does rather than on specific tools or files.&nbsp;<\/p>\n\n\n\n<p>This makes them suitable for detecting zero-day attacks and unknown or evolving threats for which no specific IOCs exist yet, which is why IOBs are useful in proactive threat hunting and monitoring. Suspicious behavior can signal an attack in progress before significant damage occurs. &nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">IOBs may refer to: &nbsp;<\/h3>\n\n\n\n<div class=\"wp-block-cover\"><span aria-hidden=\"true\" class=\"wp-block-cover__background has-background-dim\" style=\"background-color:#073433\"><\/span><img loading=\"lazy\" decoding=\"async\" width=\"1920\" height=\"1080\" class=\"wp-block-cover__image-background wp-image-12904\" alt=\"background\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background.png\" data-object-fit=\"cover\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background.png 1920w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-740x416.png 740w\" sizes=\"(max-width: 1920px) 100vw, 1920px\" \/><div class=\"wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-2 wp-block-group-is-layout-grid\">\n<ul 
class=\"wp-block-list\">\n<li><strong>User Behavior<\/strong>: Account log-in from an unusual location or at an odd time.&nbsp;<\/li>\n<li><strong>System Behavior<\/strong>: A process repeatedly attempting to access sensitive files or executing unauthorized scripts.&nbsp;<\/li>\n<li><strong>Network Behavior<\/strong>: Encrypted traffic spikes to unknown external servers, resembling data exfiltration.&nbsp;<\/li>\n<\/ul>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\n<p>Typical examples of IOBs include: &nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use of living-off-the-land binaries (e.g., rundll32, certutil);&nbsp;<\/li>\n<li>Obfuscation techniques;&nbsp;<\/li>\n<li>Credential dumping after privilege escalation;&nbsp;<\/li>\n<li>Repeated use of valid accounts for persistence.<\/li>\n<\/ul>\n\n\n\n<p>IOBs also come with a few shortcomings. They require advanced analytics, such as behavioral analysis or machine learning, to identify anomalies, and sophisticated monitoring tools (e.g., SIEM, UEBA) to work with this family of indicators. They can be resource-intensive to analyze and validate, and they may produce false positives when legitimate behaviors mimic malicious ones.&nbsp;<\/p>\n\n\n\n<p>ANY.RUN\u2019s Interactive Sandbox allows analysts to observe how malware or suspicious files behave in a controlled environment and detect anomalous behaviors that may indicate a potential threat. 
For example, in this analysis session we see remote code execution via mshta.exe triggered by a command entered manually by a user and mentioning a (misspelled) CAPTCHA:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"575\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-4-1024x575.png\" alt=\"\" class=\"wp-image-12912\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-4-1024x575.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-4-300x168.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-4-768x431.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-4-1536x862.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-4-2048x1149.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-4-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-4-270x151.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-4-740x415.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Abuse of legitimate Windows component observed in a malware analysis session<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>What does this activity indicate? <a href=\"https:\/\/intelligence.any.run\/reports\/04-25-threat-actors-activity-overview-01\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=iocs_iobs_ioas&amp;utm_term=160425&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\">In their latest campaign, Storm-1865<\/a> distributed phishing emails impersonating Booking.com. The emails contained links leading to fake CAPTCHA pages designed to build trust and lure users into interaction. 
The threat actor leveraged the ClickFix technique, instructing victims to paste a malicious command into the Windows command prompt.&nbsp;<\/p>\n\n\n\n<p>The campaign has been observed delivering several commodity malware families, including XWorm, <a href=\"https:\/\/any.run\/malware-trends\/lumma\" target=\"_blank\" rel=\"noreferrer noopener\">Lumma Stealer,<\/a> VenomRAT, <a href=\"https:\/\/any.run\/malware-trends\/asyncrat\" target=\"_blank\" rel=\"noreferrer noopener\">AsyncRAT<\/a>, DanaBot, and NetSupport RAT. 
With the following TI Lookup query, we can search through recent public sandbox analyses and find samples with the same malicious activity for further research:\u00a0<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=iocs_iobs_ioas&amp;utm_term=160425&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522mshta*92.255.57.155\/Capcha*%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">commandLine:\"mshta*92.255.57.155\/Capcha*\"<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"715\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image4-3-1024x715.png\" alt=\"\" class=\"wp-image-12914\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image4-3-1024x715.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image4-3-300x210.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image4-3-768x536.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image4-3-1536x1073.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image4-3-2048x1430.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image4-3-370x258.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image4-3-270x189.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image4-3-740x517.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malware with a typical behavioral pattern found via TI Lookup<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Indicators of Attack&nbsp;<\/h2>\n\n\n\n<p>IOAs are proactive indicators that focus on the 
intent and actions of an adversary during an attack, emphasizing the &#8220;how&#8221; and &#8220;why&#8221; of malicious activity. They aim to detect attacks in real time and to catch them in their early stages (e.g., during reconnaissance, exploitation, or lateral movement). This allows cybersecurity teams to prevent attacks by interrupting the kill chain.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Examples of IOAs: &nbsp;<\/h3>\n\n\n\n<div class=\"wp-block-cover wp-duotone-unset-1\"><span aria-hidden=\"true\" class=\"wp-block-cover__background has-background-dim\" style=\"background-color:#073433\"><\/span><img loading=\"lazy\" decoding=\"async\" width=\"1920\" height=\"1080\" class=\"wp-block-cover__image-background wp-image-12904\" alt=\"background\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background.png\" data-object-fit=\"cover\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background.png 1920w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/background-740x416.png 740w\" sizes=\"(max-width: 1920px) 100vw, 1920px\" \/><div class=\"wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-3 wp-block-group-is-layout-grid\">\n<ul 
class=\"wp-block-list\">\n<li><strong>Reconnaissance<\/strong>: Unusual port scanning or enumeration of network resources.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Exploitation<\/strong>: Attempts to exploit a known vulnerability (e.g., SQL injection or buffer overflow).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Persistence<\/strong>: Installation of backdoors or scheduled tasks to maintain access.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Lateral Movement<\/strong>: Abnormal internal network traffic, such as attempts to access multiple systems with stolen credentials.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>C2 Communication<\/strong>: Process beaconing to a rare external IP address at intervals.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Credential Theft<\/strong>: LSASS memory access by a non-standard process.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data Exfiltration<\/strong>: Sensitive files zipped and sent via Dropbox or OneDrive.&nbsp;<\/li>\n<\/ul>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\n<p>Here is what typical indicators of attack might look like: &nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Word document spawns PowerShell;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Process injection detected;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A user logs in from two geographies within minutes;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Suspicious lateral movement.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Since IOAs are specific signs of an active or imminent attack, often tied to known TTPs or malicious artifacts, it is possible to research these indicators with the aid of ANY.RUN\u2019s Threat Intelligence Lookup through the <a href=\"https:\/\/intelligence.any.run\/\">Interactive MITRE ATT&amp;CK Matrix<\/a>. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/ttps_ioas-1024x576.png\" alt=\"\" class=\"wp-image-12934\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/ttps_ioas-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/ttps_ioas-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/ttps_ioas-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/ttps_ioas-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/ttps_ioas-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/ttps_ioas-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/ttps_ioas-740x416.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/ttps_ioas.png 1919w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The Matrix lets you map TTPs to actual samples of malware and phishing threats and view their entire execution chain inside the Interactive Sandbox, as well as collect additional indicators.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;&nbsp;<\/h2>\n\n\n\n<p>The most valuable aspect of indicators in institutional cybersecurity is of course their potential to help prevent threats and incidents, stop attacks from succeeding, and thus avoid financial loss, operational disruption, and reputation damage. 
Regularly collecting and using IOCs, IOAs, and IOBs, including with services such as ANY.RUN&#8217;s TI Lookup and TI Feeds, can help your SOC team fight off threats and keep your infrastructure safe.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p><a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=iocs_iobs_ioas&amp;utm_term=160425&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> helps more than 500,000 cybersecurity professionals and 15,000 organizations worldwide. The Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. The threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=iocs_iobs_ioas&amp;utm_term=160425&amp;utm_content=linktotiplans\" target=\"_blank\" rel=\"noreferrer noopener\">Integrate ANY.RUN&#8217;s Threat Intelligence suite in your organization \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In cybersecurity, the three main types of indicators are a critical concept for threat detection and response. These main types are indicators of compromise, behavior, and attack (IOCs, IOBs, IOAs). Let\u2019s elaborate on their essence, difference, and use. 
&nbsp; Distinction in a Nutshell&nbsp; Indicators of Compromise&nbsp; IOCs are pieces of evidence that suggest that&nbsp;a system, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":12945,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,15,40],"class_list":["post-12887","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Guide to Indicators of Compromise, Attack, and Behavior<\/title>\n<meta name=\"description\" content=\"Learn how SOC teams use Indicators of Compromise (IOCs), Attack (IOAs), and Behavior (IOBs) for threat detection.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"How Indicators of Compromise, Attack, and Behavior Help Spot and Stop Cyber Threats\",\"datePublished\":\"2025-04-16T12:41:35+00:00\",\"dateModified\":\"2025-05-12T14:05:02+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\"},\"wordCount\":1533,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware behavior\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\",\"name\":\"Guide to Indicators of Compromise, Attack, and Behavior\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-04-16T12:41:35+00:00\",\"dateModified\":\"2025-05-12T14:05:02+00:00\",\"description\":\"Learn how SOC teams use Indicators of Compromise (IOCs), Attack (IOAs), and Behavior (IOBs) for threat 
detection.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How Indicators of Compromise, Attack, and Behavior Help Spot and Stop Cyber Threats\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Guide to Indicators of Compromise, Attack, and Behavior","description":"Learn how SOC teams use Indicators of Compromise (IOCs), Attack (IOAs), and Behavior (IOBs) for threat detection.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"9 minutes"}}}