IoC Quick Reference β All Nine Categories
| IoC Category | What You Observe | What It Indicates | Primary Defense/Detection |
|---|---|---|---|
| Account Lockout | User account locked β user didn't cause it | Brute force attempt; or social engineering setup (lock β call helpdesk β reset) | Strong identity verification for password resets; lockout threshold alerts |
| Impossible Travel | Same account logs in from two distant locations within minutes | Credential compromise β attacker using stolen credentials from remote location | SIEM / IdP impossible travel rule; automated session termination; MFA |
| Concurrent Sessions | Same account active simultaneously from locations that can't both be the user | Credential sharing or theft; session hijacking | Session inventory correlation against known device list; privileged account monitoring |
| Blocked Content | System cannot reach update servers or antivirus vendors | Attacker maintaining persistence by preventing patches and signature updates | Monitor update connectivity; alert on update failures; EDR health monitoring |
| Resource Consumption | Unexpected bandwidth spike, elevated CPU/disk at off-hours | Active data exfiltration; cryptomining; malware operating in background | Network flow monitoring; bandwidth threshold alerts; firewall log analysis |
| Resource Inaccessibility | Server crash, encrypted files, network disruption, mass account lockouts | Ransomware execution; exploit-caused crash; attack distraction technique | Availability monitoring; ransomware honeypot files; incident response playbooks |
| Out-of-Cycle Logging | Administrative activity (patches, account changes) at unexpected times | Attacker with admin privileges operating on their own schedule | SIEM temporal anomaly rules; baseline expected activity windows; change control alerts |
| Missing Logs | Gaps in log files where entries should exist | Attacker deleted logs to hide their actions; log volume alerts | Remote log forwarding to write-protected SIEM; volume drop alerts |
| Published Data | Organizational data appears online; external breach notification | Exfiltration completed; possible double extortion ransomware | Dark web monitoring; threat intelligence feeds; Have I Been Pwned |
Impossible Travel β Detection Logic
The impossible travel detection algorithm operates against the authentication log for each user account:
| Step | Operation | Example (Omaha β Melbourne) |
|---|---|---|
| 1. Geolocate IPs | Map each login's source IP to a physical location using geolocation database | Login A: 41.25Β°N, 95.93Β°W (Omaha, NE, USA) Β· Login B: 37.81Β°S, 144.96Β°E (Melbourne, AU) |
| 2. Calculate Distance | Compute great-circle distance between the two coordinates | β 14,100 km |
| 3. Calculate Time Delta | Subtract timestamp of Login A from timestamp of Login B | 3 minutes = 0.05 hours |
| 4. Compute Velocity | Distance Γ· Time = implied travel speed | 14,100 km Γ· 0.05 h = 282,000 km/h (β 83Γ speed of sound) |
| 5. Compare Threshold | If velocity > commercial aviation maximum (~900 km/h) β flag as impossible travel | 282,000 km/h β« 900 km/h β ALERT: Impossible Travel Detected |
Account Lockout as Multi-Stage Attack
1
Trigger lockout deliberately β Attacker sends N+1 failed login attempts against the target account. Account auto-locks. No damage yet β this is setup.
2
Call the help desk β Attacker calls support, claims to be the locked-out user. "My account is locked and I'm late for a meeting. Can you reset my password quickly?"
3
Social engineer the reset β Attacker provides the user's name, employee ID, and answers basic identity questions (all scraped from LinkedIn or earlier recon). Help desk resets the password.
4
Log in with the new credential β Attacker authenticates with the reset password. Full account access obtained without ever cracking a hash or breaking a technical control.
Defense: Require out-of-band identity verification for all password resets: manager approval, callback to a previously registered phone number, or in-person ID check. Never reset based solely on information the caller provides over the phone.
Log Chain β What Attackers Delete and Where the Remote Copy Survives
| Log Type | Where Stored Locally | What Attacker Deletes | Remote Survivability |
|---|---|---|---|
| Authentication Logs | Windows Event Log (Security); /var/log/auth.log (Linux) | Event log cleared via wevtutil or direct file deletion | Domain controller forwards to SIEM β local delete doesn't reach the remote copy |
| Firewall Logs | Firewall internal storage (often syslog) | Usually not accessible to the attacker (no shell access to firewall appliance) | Firewall syslog to SIEM; attacker on a workstation cannot reach the firewall's log |
| File Access Logs | Windows Audit Policy / SACL logs | Security event log cleared (same as auth logs) | SIEM ingestion of real-time event forwarding preserves audit trail |
| Web/DB Server Logs | Application-specific log files in /var/log or IIS logs | Direct file deletion or log rotation manipulation | Syslog forwarding or log shipper (Filebeat/Splunk UF) to remote SIEM |
IoC Detection by Tool Category
| Tool | Best For | Weak Against |
|---|---|---|
| SIEM | Cross-source correlation, out-of-cycle logging, volume anomalies, impossible travel, missing log alerts | Slow-and-low attacks that stay below all thresholds; encrypted C2 traffic |
| EDR | Blocked content (failed update connections), process anomalies, file hash changes, in-memory threats | Network-layer activity; lateral movement using legitimate admin tools |
| Identity Provider (IdP) | Impossible travel, concurrent sessions, account lockout patterns, MFA bypass attempts | Lateral movement after initial login; on-network attacks that don't re-authenticate |
| Network Flow (NetFlow) | Bandwidth spikes, exfiltration destinations, off-hours traffic, east-west lateral movement | Encrypted content inspection; application-layer detail without decryption |
| Dark Web Monitoring | Published data, credential dumps, stolen IP appearing for sale before public disclosure | Active intrusions in progress; everything that hasn't yet been exfiltrated |