Good IOCs are specific, actionable, and reliable. They provide clear evidence of malicious activity and can be used to detect threats effectively. Examples include:
- File Hashes: Unique cryptographic hashes (MD5, SHA-256) of known malicious files
- IP Addresses: Specific IPs associated with command and control servers
- Domain Names: Malicious domains used for phishing or malware distribution
- Registry Keys: Specific registry keys modified or created by malware
- File Names and Paths: Specific file names and paths used by malware
- Behavioral Patterns: Specific patterns like unusual login times or large data transfers outside business hours
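To show what "specific and actionable" looks like in practice, here is an added example (not from the original page) that matches constructed sample events against a small IOC set covering the hash, IP, domain, path and behavioral categories above; every indicator and event value is a placeholder, and the thresholds for business hours and "large transfer" are assumptions.

```python
from datetime import datetime

# Constructed IOC set for this example (placeholder values, not real indicators).
IOCS = {
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "ip": {"198.51.100.23"},
    "domain": {"malicious-example.test"},
    "path": {r"c:\users\public\update.exe"},
}
BUSINESS_HOURS = range(8, 18)             # assumed: 08:00-17:59 local time
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024  # assumed threshold for "large data transfer"

def normalize(kind, value):
    """Canonicalize so case and separator differences do not hide a match."""
    value = value.strip().lower()
    if kind == "path":
        value = value.replace("/", "\\")
    return value

def domain_matches(domain):
    """Exact match or a subdomain of a listed domain (plain suffix matching would
    also flag unrelated names such as notmalicious-example.test)."""
    d = normalize("domain", domain).rstrip(".")
    return any(d == ioc or d.endswith("." + ioc) for ioc in IOCS["domain"])

def match_event(event):
    """Return the list of IOC categories an event matches, in a fixed order."""
    hits = [k for k in ("sha256", "ip", "path")
            if k in event and normalize(k, event[k]) in IOCS[k]]
    if "domain" in event and domain_matches(event["domain"]):
        hits.append("domain")
    off_hours = datetime.fromisoformat(event["timestamp"]).hour not in BUSINESS_HOURS
    if event.get("type") == "login" and off_hours:
        hits.append("login_off_hours")
    if event.get("bytes_out", 0) > LARGE_TRANSFER_BYTES and off_hours:
        hits.append("large_transfer_off_hours")
    return hits

def scan(events):
    # Pair each matching event's index with its hits; clean events are omitted.
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]

# Constructed sample events (not real telemetry).
EVENTS = [
    {"timestamp": "2024-03-04T02:15:00", "type": "process", "path": "C:/Users/Public/update.exe",
     "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"timestamp": "2024-03-04T10:00:00", "type": "dns", "domain": "cdn.malicious-example.test."},
    {"timestamp": "2024-03-04T03:40:00", "type": "login", "ip": "198.51.100.23"},
    {"timestamp": "2024-03-04T11:00:00", "type": "dns", "domain": "notmalicious-example.test"},
    {"timestamp": "2024-03-04T23:10:00", "type": "netflow", "ip": "203.0.113.9", "bytes_out": 2_000_000_000},
]
```

Running `scan(EVENTS)` flags events 0, 1, 2 and 4 and leaves event 3 clean, because the domain check requires an exact or subdomain match rather than a bare suffix.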