This chapter covers Malware Indicators of Compromise (IOCs)—specifically hashes, IP addresses, domains, and URLs—which are foundational elements in threat detection and incident response. For the CS0-003 exam, understanding how to collect, analyze, and apply these IOCs is critical for the Security Operations domain (Objective 1.1). Approximately 15-20% of exam questions touch on IOC analysis, either directly or through scenarios involving threat intelligence, malware analysis, or forensic investigation. Mastering these concepts will help you identify malicious activity, correlate events across sources, and make informed decisions during incident response.
Imagine a citywide police department that tracks criminals using a centralized evidence database. Each criminal leaves behind specific traces: fingerprints (hashes), license plates (IP addresses), home addresses (domains), and specific routes they drive (URLs). When a crime is reported, detectives extract these traces from the scene and query the database. A hash is like a fingerprint—a unique identifier for a specific piece of malware. If the same fingerprint appears at two different crime scenes, detectives know the same criminal was involved. An IP address is like a license plate—it identifies the vehicle (source) but can be rented or stolen, so it's not always reliable. A domain is like a home address—it points to a location (server) but can be changed or aliased. A URL is like a specific driving route with turn-by-turn directions—it includes the path to a specific resource on a server. The database stores known fingerprints, license plates, addresses, and routes from past crimes. When a new incident occurs, detectives compare the new evidence against the database. If they find a match, they can quickly identify the criminal, understand their modus operandi, and anticipate their next move. However, criminals change fingerprints (polymorphic malware), steal license plates (spoofed IPs), use mail forwarding (domain redirection), and take different routes (URL parameters). So detectives must constantly update the database and use fuzzy matching techniques. In cybersecurity, this database is a threat intelligence feed, and the matching process is automated by security tools like SIEMs and IDS/IPS.
Indicators of Compromise (IOCs) are forensic artifacts that provide evidence of a system breach or malware infection. In the context of malware, common IOCs include cryptographic hashes (MD5, SHA-1, SHA-256), IP addresses, domain names, and URLs. These indicators are used to detect and block malware at various stages: initial access, command and control (C2), data exfiltration, and lateral movement. The CS0-003 exam expects you to understand how each IOC type works, its strengths and weaknesses, and how to use them in a layered defense strategy.
Cryptographic Hashes (MD5, SHA-1, SHA-256)
A hash is a fixed-length string generated by a one-way mathematical function from a file's binary data. Even a single bit change produces a completely different hash (avalanche effect). Hashes are used to uniquely identify malware samples. Common hash algorithms:
MD5: 128-bit (32 hex characters). Fast but collision-prone (two files can produce the same MD5). Not recommended for integrity verification but still used in some threat feeds.
SHA-1: 160-bit (40 hex characters). Also deprecated due to collision attacks (SHAttered).
SHA-256: 256-bit (64 hex characters). Currently the standard for malware identification due to collision resistance.
How it works: When a file is scanned, its hash is computed and compared against a database of known malicious hashes (e.g., VirusTotal, AlienVault OTX). If a match is found, the file is flagged as malware. However, attackers can modify malware slightly (e.g., by appending padding bytes or recompiling) to change the hash while preserving functionality—this is called hash evasion. Therefore, hashes are best used as a first-line filter, not a definitive detection method.
IP Addresses
IP addresses (IPv4 and IPv6) identify network endpoints. Malicious IPs are associated with C2 servers, malware download sites, or scanning hosts. IOCs can be:
Source IP: The IP from which an attack originates (e.g., a botnet node).
Destination IP: The IP of a malicious server.
Indicator of compromise: An IP observed in logs connecting to known malware domains or performing brute-force attacks.
Limitations: IPs are easily changed. Attackers use fast-flux DNS, proxy networks, or cloud hosting to rotate IPs frequently. A single IP may host both legitimate and malicious content (shared hosting). Geolocation data can be misleading due to VPNs or Tor. Therefore, IP-based blocking should be used temporarily and combined with other IOCs.
Domain Names
Domains are human-readable names mapped to IPs via DNS. Malicious domains are used for C2, phishing, or malware distribution. Example IOC: "evil.com" or "malware.download.com". Domains can be:
Registered domains: Purchased by attackers, often using fake WHOIS info.
Subdomains: Used to evade detection (e.g., "update.evil.com").
Algorithmically Generated Domains (AGDs): Generated by malware using DGA (Domain Generation Algorithm) to communicate with C2. DGA creates thousands of pseudo-random domains per day, making takedown difficult.
Detection: Security tools query threat intelligence feeds for domain reputation. DNS sinkholing redirects known malicious domains to a controlled IP for analysis. The CS0-003 exam emphasizes understanding DGA and sinkholing.
URLs
Uniform Resource Locators (URLs) specify the full path to a resource on a web server. Malicious URLs point to exploit kits, phishing pages, or malware binaries. Example: "http://evil.com/exploit.php?user=123". URLs include:
Protocol: http, https, ftp.
Hostname: Domain or IP.
Port: Optional, default 80 for HTTP.
Path: Specific resource.
Query string: Parameters used for tracking or exploitation.
Attackers obfuscate URLs using IP addresses instead of domains, URL encoding, redirectors, or shorteners (e.g., bit.ly). Detection involves URL reputation analysis, pattern matching (e.g., suspicious TLDs like .xyz, .top), and sandboxing.
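As an added example (not code from the chapter), here is a small Python parser that splits a URL into the components listed above, flags the obfuscation signals this section describes, and decides whether a domain-level or a URL-level block applies to a given URL. The shortener list, the TLD list and the blocklist values are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed lists for this example; in practice they come from a threat feed.
SUSPICIOUS_TLDS = {"xyz", "top", "tk"}          # TLDs the chapter names
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}  # assumed shortener hosts
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def decompose_url(url):
    """Split a URL into the five components the chapter lists, filling in the
    default port when none is given (e.g. 80 for http)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return {
        "protocol": scheme,
        "hostname": (parts.hostname or "").lower(),  # domain or IP literal
        "port": parts.port or DEFAULT_PORTS.get(scheme),
        "path": parts.path or "/",
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


def is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 address rather than a domain."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_findings(url):
    """Obfuscation signals from the section above, as a list of short labels;
    an empty list means nothing suspicious was seen."""
    c = decompose_url(url)
    raw = urlsplit(url)
    findings = []
    if is_ip_literal(c["hostname"]):
        findings.append("ip-literal host")  # IP address used instead of a domain
    # any %XX escape in path or query changes after decoding
    if unquote(raw.path) != raw.path or unquote(raw.query) != raw.query:
        findings.append("percent-encoded path or query")
    if c["hostname"] in SHORTENERS:
        findings.append("url shortener")  # real destination hidden behind a redirect
    elif not is_ip_literal(c["hostname"]) and \
            c["hostname"].rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        findings.append("suspicious tld")
    return findings


def matches_blocklist(url, blocked_domains, blocked_urls):
    """Narrowest control that applies: 'domain' when the whole host is listed,
    'url' when only a specific host + path is listed, None otherwise.
    URL entries are compared on host + path, so a changed query string
    still matches the listed path."""
    c = decompose_url(url)
    if c["hostname"] in blocked_domains:
        return "domain"
    if f'{c["hostname"]}{c["path"]}' in blocked_urls:
        return "url"
    return None
```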
How They Interact
In a typical attack chain:
1. A phishing email contains a URL (IOC) pointing to a malicious domain.
2. The user clicks, and the browser resolves the domain to an IP (IOC) hosting a landing page.
3. The page downloads a malicious file (hash IOC) or redirects to another domain.
4. The malware, once executed, communicates back to a C2 server via domain or IP.
Security analysts correlate these IOCs across logs (firewall, proxy, DNS, endpoint) to reconstruct the attack. Tools like SIEMs (Splunk, ELK) ingest IOC feeds and generate alerts.
Collection and Analysis
IOCs are collected from various sources:
Automated feeds: Commercial (ThreatConnect, Anomali) or open-source (AlienVault OTX, MISP).
Manual analysis: Reverse engineering malware to extract hardcoded domains/IPs.
Sandboxing: Running malware in isolated environment to observe network behavior.
Analysis involves:
Pivoting: Using one IOC to find related IOCs (e.g., searching for all domains hosted on a known malicious IP).
Enrichment: Querying WHOIS, DNS records, geolocation, and passive DNS to gain context.
Triage: Prioritizing IOCs based on freshness, confidence, and severity.
Verification Commands
- Hash verification:
sha256sum suspicious_file.exe
md5sum suspicious_file.exe
- DNS lookup (many resolvers now refuse ANY queries, so query record types such as A, MX and TXT individually if ANY returns nothing):
nslookup evil.com
dig evil.com ANY
- IP ownership lookup (WHOIS shows the registrant and netblock; geolocation comes from a separate enrichment source):
whois 192.0.2.1
- URL analysis (run only from an isolated analysis host; add -I to fetch the response headers without downloading the binary):
curl -v http://evil.com/malware.exe
- Threat feed query:
curl -X GET "https://www.virustotal.com/api/v3/files/{hash}" -H "x-apikey: YOUR_API_KEY"
Limitations and Evasion
Attackers constantly evade IOC-based detection:
Hash: Change file slightly (e.g., recompile with different compiler flags).
IP: Use fast-flux DNS, bulletproof hosting, or Tor.
Domain: DGA, domain fronting, or using compromised legitimate domains.
URL: URL encoding, redirection, or CAPTCHA to block automated scanners.
To counter this, security teams use behavioral analysis, machine learning, and threat intelligence sharing.
Exam Relevance
CS0-003 Objective 1.1: "Given a scenario, analyze indicators of compromise and formulate an appropriate response." You must be able to:
Identify IOC types from log data.
Determine which IOCs are most reliable (hashes > domains > IPs).
Recommend next steps (block, contain, investigate).
Understand tools like YARA (pattern matching), SIEM correlation rules, and sandboxing.
Common exam scenarios: phishing email with malicious URL, malware hash found in VirusTotal, C2 IP in firewall logs, domain sinkholing.
Extract IOCs from Artifact
When investigating a suspicious file or network traffic, the first step is to extract IOCs. For a file, compute its hash using SHA-256. For network traffic, extract IP addresses, domains, and URLs from packet captures or logs. Use tools like Wireshark, tcpdump, or automated sandboxes. The analyst should record the IOC type, value, timestamp, and source. This step is critical because it establishes the baseline for further analysis. In a SIEM, this might involve running a query to pull all connections to a suspicious IP within a time window. The accuracy of extraction directly impacts the effectiveness of subsequent steps.
Enrich IOCs with Threat Intelligence
Once IOCs are extracted, enrich them by querying threat intelligence feeds. For hashes, check VirusTotal or Hybrid Analysis for detection ratios and behavior reports. For IPs, perform WHOIS lookups, check geolocation, and see if the IP is listed on blocklists (Spamhaus, AlienVault). For domains, query passive DNS to see historical IP mappings and check registration details. For URLs, use URL scanners like VirusTotal or URLScan.io. Enrichment adds context: Is the IP known for C2? Is the domain recently registered? The CS0-003 exam expects you to understand that enrichment helps prioritize IOCs—a fresh domain with no reputation is more suspicious than a known legitimate domain.
Correlate IOCs Across Data Sources
With enriched IOCs, correlate them across network logs, endpoint logs, and other sources. For example, check if the malicious hash appears on any endpoint via file integrity monitoring (FIM) logs. See if the IP communicated with multiple internal hosts (lateral movement). Use a SIEM to create a timeline of events. Correlation helps identify the scope of infection. The analyst might discover that the same IP was contacted by three different workstations, indicating a worm-like spread. This step is crucial for incident response because it reveals the attack's reach. In the exam, you may be asked to determine which additional hosts are compromised based on shared IOCs.
Determine Severity and Impact
Based on correlation, assess the severity. Consider: How many systems are affected? Are critical assets involved? Is data exfiltration occurring? What is the type of malware (ransomware, spyware, RAT)? Use frameworks like the CVSS (Common Vulnerability Scoring System) or the Diamond Model of Intrusion Analysis. For example, a single workstation with a low-confidence hash might be low severity, while a domain controller communicating with a known C2 IP is critical. The CS0-003 exam tests your ability to prioritize: Which IOC should be addressed first? Typically, the one with the highest impact and confidence.
Implement Response Actions
Based on severity, take action. For high-confidence, high-impact IOCs, block immediately: add the IP to firewall blacklist, sinkhole the domain, or quarantine the file hash via endpoint protection. For lower-confidence IOCs, monitor and investigate further. Document all actions in the incident report. Response may also include notifying affected users, collecting forensic images, and escalating to law enforcement if required. The exam expects you to know the order of operations: contain, eradicate, recover. For example, if a malicious hash is found on a server, isolate the server first, then remove the malware, then restore from backup if needed.
Update Threat Intelligence Feeds
After the incident, update internal threat intelligence feeds with the confirmed IOCs. This ensures future detection. Submit the hash to VirusTotal, add the IP to the blocklist, and share with ISACs (Information Sharing and Analysis Centers) if appropriate. Also, tune SIEM rules to detect similar IOCs. This step closes the loop and improves the organization's security posture. The exam may ask about the importance of sharing IOCs to strengthen collective defense. Remember that timeliness matters: stale IOCs (older than 30 days) may be less reliable.
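The extraction, correlation, severity and response steps above, together with the attack chain from the How They Interact section, worked through as an added example (not code from the chapter): a small Python script that pulls hash, domain and IP values out of constructed DNS, proxy, FIM and firewall log lines, matches them against a constructed feed built from the chapter's scenario values, builds a per-host timeline, reports which hosts share an IOC, and scores each host using the chapter's hash > domain > IP reliability hierarchy. The weights, the critical-asset bonus, the isolation threshold and the placeholder hash are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed IOC feed: the domain and IPs come from the chapter's scenarios,
# the hash is a placeholder (the chapter only gives "3a7b...").
HASH = "3a7b" + "0" * 60
IOC_FEED = {
    "hash":   {HASH: "banking trojan"},
    "domain": {"secure-update-bank.com": "phishing landing page"},
    "ip":     {"203.0.113.5": "phishing host", "198.51.100.23": "C2 server"},
}
# Assumed scoring: weights follow the chapter's hash > domain > IP hierarchy;
# a critical asset (e.g. a domain controller) gets a fixed bonus.
WEIGHT = {"hash": 3, "domain": 2, "ip": 1}
CRITICAL_ASSETS = {"DC-01", "HR-server-01"}
CRITICAL_BONUS = 4
ISOLATE_THRESHOLD = 5

# Constructed sample logs, one event per line: "<ISO time> <source> <host> <message>"
SAMPLE_LOGS = f"""\
2024-05-01T09:00:01 dns WS-101 query secure-update-bank.com A
2024-05-01T09:00:02 proxy WS-101 GET http://secure-update-bank.com/update.exe 200
2024-05-01T09:00:05 fim WS-101 new file update.exe sha256={HASH}
2024-05-01T09:03:10 dns WS-102 query secure-update-bank.com A
2024-05-01T09:10:44 firewall DC-01 allow tcp 10.0.0.5:51000 -> 198.51.100.23:443
2024-05-01T09:11:00 dns WS-103 query www.example.com A
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_iocs(message):
    """Step 1 (extract): candidate hash, domain and IP values in one log message.
    Candidates are noisy (e.g. 'update.exe' looks like a domain); the feed match
    in match_iocs() is what turns a candidate into an IOC hit."""
    return {
        "hash": set(SHA256.findall(message.lower())),
        "domain": {d.lower() for d in DOMAIN.findall(message)},
        "ip": set(IPV4.findall(message)),
    }


def match_iocs(message):
    """Step 2 (enrich against the feed): returns [(type, value, description)]."""
    return [(kind, v, IOC_FEED[kind][v])
            for kind, values in extract_iocs(message).items()
            for v in sorted(values) if v in IOC_FEED[kind]]


def correlate(log_text):
    """Steps 3-4 (correlate, score): per-host timeline of feed hits, which hosts
    share an IOC (scope of infection), and a severity score per host."""
    timeline = defaultdict(list)     # host -> [(time, source, type, value)]
    hosts_by_ioc = defaultdict(set)  # IOC value -> hosts that touched it
    for line in log_text.splitlines():
        ts, source, host, msg = line.split(" ", 3)
        for kind, value, _ in match_iocs(msg):
            timeline[host].append((datetime.fromisoformat(ts), source, kind, value))
            hosts_by_ioc[value].add(host)
    severity = {}
    for host, events in timeline.items():
        events.sort()
        score = sum(WEIGHT[kind] for _, _, kind, _ in events)
        severity[host] = score + (CRITICAL_BONUS if host in CRITICAL_ASSETS else 0)
    return {"timeline": dict(timeline), "hosts_by_ioc": dict(hosts_by_ioc),
            "severity": severity}


def recommend(severity):
    """Step 5 (respond): contain first where confidence and impact are highest."""
    return {host: ("isolate and collect forensic image" if score >= ISOLATE_THRESHOLD
                   else "monitor and investigate")
            for host, score in severity.items()}
```

With the sample logs, WS-101 (domain, URL and hash hits) and DC-01 (a critical asset talking to the C2 IP) cross the isolation threshold, while WS-102, which only resolved the domain, is marked for investigation.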
Enterprise Scenario 1: Phishing Campaign Detection at a Financial Institution
A bank receives reports of suspicious emails with links to a domain "secure-update-bank.com". The security team extracts the domain as an IOC. They query threat intelligence and find the domain was registered 2 days ago with privacy protection. They also check the IP (203.0.113.5), which is in a cloud provider range. Using a SIEM, they search DNS logs for any internal hosts that resolved this domain. They find that three workstations attempted to access it. The hash of the downloaded file (SHA-256: 3a7b...) is checked on VirusTotal and flagged as a banking trojan. The team blocks the IP at the firewall, sinkholes the domain via DNS, and isolates the three workstations. They also update their endpoint protection with the hash. Performance consideration: The SIEM query must cover all DNS logs, which can be high volume; they use an index on the domain field. Misconfiguration: If the firewall rule is applied too broadly, it might block legitimate cloud services sharing the same IP range.
Scenario 2: C2 Communication at a Healthcare Provider
A healthcare provider's IDS alerts on outbound traffic to a known malicious IP (198.51.100.23). The analyst extracts the IP and enriches it: it's listed on multiple blocklists. They correlate with proxy logs and find that a single server (HR-server-01) initiated the connection. The server's file system is scanned, and a suspicious DLL is found with hash (SHA-256: b8f2...). The DLL is analyzed in a sandbox and shows keylogging and data exfiltration behavior. The team isolates the server, removes the DLL, and changes all passwords. They also block the IP at the perimeter firewall. Common issue: The IP might be a legitimate service if the blocklist is stale; they verify the IP's current reputation before blocking.
Scenario 3: Ransomware Outbreak at a University
A university experiences rapid file encryption. Analysts collect a sample of the ransomware and compute its hash. They find the hash in a threat feed as "Locky variant". They also extract the C2 domain from the sample ("ransom-c2.tk"). They query passive DNS and find the domain resolved to multiple IPs over the last week (fast-flux). They block the domain via DNS sinkhole, but because the IPs change, they also implement a rule to block any traffic to the TLD ".tk" (Tokelau) as a temporary measure. They use network segmentation to contain the spread. The hash is added to endpoint detection rules. Misconfiguration: Overly aggressive TLD blocking could affect legitimate .tk sites; they monitor for false positives. Scale: The university has 10,000 endpoints; the SIEM must handle high EPS (events per second) during the outbreak.
The CS0-003 exam (Objective 1.1) focuses on your ability to analyze IOCs in a scenario and determine the appropriate response. Here's exactly what you need to know:
IOC Types and Reliability: The exam tests which IOC is most reliable. Remember: Hashes are most reliable for identifying a specific file, but can be evaded. Domains are moderately reliable but can be changed. IPs are least reliable due to easy rotation. In a question, if you see a hash match, that's strong evidence. If only an IP, consider it weak.
Common Wrong Answers:
Choosing "block the IP" as the only response when a domain is also involved—attackers can change IPs, so blocking the domain via DNS sinkhole is more effective.
Assuming a hash match means the file is definitely malicious—some hashes may be false positives (e.g., a legitimate file that happens to match a hash in a feed). Always consider context.
Confusing MD5 and SHA-256: MD5 is 32 hex characters, SHA-256 is 64. The exam may ask which algorithm is collision-resistant; answer SHA-256.
Specific Values and Terms:
SHA-256 hash length: 64 hex characters.
MD5 hash length: 32 hex characters.
DGA (Domain Generation Algorithm): Used by malware to generate many domains. Sinkholing is a technique to redirect those domains to a controlled IP.
Fast-flux DNS: Rapidly changing IP addresses for a domain.
Passive DNS: Historical record of DNS resolutions.
Edge Cases and Exceptions:
What if an IP is shared hosting? Blocking it may affect legitimate sites. In that case, block only the specific URL path.
What if the hash is unknown? Use sandboxing to analyze behavior.
What if the domain is a legitimate service like pastebin? Check the full URL for malicious content.
Eliminate Wrong Answers: Use the underlying mechanism. For example, if a question asks how to prevent a malware download from a URL, blocking the IP may not work if the domain uses a CDN with many IPs. Instead, block the domain or use URL filtering. Think about what the attacker can easily change: IPs are easy, domains require registration, hashes require recompilation.
SHA-256 is the standard hash algorithm for malware identification; it produces a 64-character hex string.
MD5 is deprecated due to collision vulnerabilities; avoid using it for security decisions.
IP addresses are the least reliable IOC because they are easily changed; use in conjunction with other IOCs.
Domain sinkholing is an effective technique to disrupt C2 communication by redirecting DNS queries to a controlled server.
DGA (Domain Generation Algorithm) is used by malware to generate many domains; sinkholing can help but requires dynamic updates.
URL IOCs include the full path and query; blocking at the domain level may be too broad if only a specific URL is malicious.
Threat intelligence feeds must be kept current; stale IOCs (older than 30 days) may no longer be accurate.
Pivoting from one IOC to find related IOCs (e.g., all domains on a known malicious IP) is a key analysis technique.
In incident response, containment actions (blocking IOCs) should be prioritized based on severity and confidence.
Always consider false positives: a hash match may be a legitimate file, and an IP may be shared hosting.
These come up on the exam all the time. Here's how to tell them apart.
Hash IOC
Unique fingerprint for a file; collision-resistant with SHA-256
Cannot be changed without altering the file; evasion requires recompilation
Best for identifying known malware samples
Used in file scanning and integrity checks
Most reliable IOC type
IP IOC
Identifies a network endpoint; can be spoofed or rotated
Easily changed by attackers; fast-flux and proxies common
Useful for blocking C2 traffic temporarily
Requires enrichment with geolocation and reputation
Least reliable IOC type
Mistake
MD5 hashes are still secure for malware identification.
Correct
MD5 is cryptographically broken and collision attacks are practical. SHA-256 should be used for reliable malware identification. The CS0-003 exam expects you to know that SHA-256 is the current standard.
Mistake
Blocking a malicious IP is an effective long-term defense.
Correct
Attackers can change IPs easily using fast-flux or cloud hosting. IP blocking is a temporary measure. For long-term defense, block domains via DNS sinkhole or use behavioral detection.
Mistake
A domain that is not on any blocklist is safe.
Correct
Newly registered domains may not yet be in threat feeds. Attackers use domains that are only a few hours old. Always consider domain age and registration details as part of analysis.
Mistake
All IOCs are equally reliable.
Correct
Hashes are most reliable for file identification, but can be evaded. Domains are moderately reliable. IPs are least reliable due to dynamic assignment and shared hosting. The exam tests this hierarchy.
Mistake
URLs and domains are the same thing.
Correct
A domain is part of a URL. A URL includes the protocol, domain, path, and query. For example, 'http://evil.com/exploit.php' is a URL; 'evil.com' is the domain. Blocking the domain may be too broad if only a specific path is malicious.
MD5 produces a 128-bit (32 hex character) hash, SHA-1 produces 160-bit (40 hex), and SHA-256 produces 256-bit (64 hex). MD5 and SHA-1 are both vulnerable to collision attacks, meaning two different files can produce the same hash. SHA-256 is currently collision-resistant and is the standard for malware identification. For the CS0-003 exam, assume SHA-256 is used unless stated otherwise. Example: VirusTotal uses SHA-256 as the primary identifier.
Check the IP against threat intelligence feeds like VirusTotal, AlienVault OTX, or Spamhaus. Look at the IP's reputation score, geolocation, and whether it appears in known blocklists. Also consider the context: Is the IP associated with a domain that is known malicious? Does the IP communicate with multiple internal hosts? A single connection to an unknown IP may not be malicious; correlation with other IOCs is essential. The exam expects you to use enrichment to make a determination.
Domain sinkholing is a technique where a security team redirects DNS queries for a known malicious domain to a controlled IP address (the sinkhole). This prevents the malware from reaching the actual C2 server and allows the team to analyze the traffic. It works by modifying DNS records on the organization's DNS server or using a threat intelligence platform to override resolutions. The CS0-003 exam may present a scenario where sinkholing is used to disrupt a botnet.
DGA stands for Domain Generation Algorithm. Malware uses DGA to generate thousands of pseudo-random domain names daily. The malware tries to contact each domain until it finds one that is registered by the attacker. This makes it difficult to block all domains because they change frequently. Defense includes sinkholing known DGA domains, using machine learning to detect DGA patterns, and analyzing the algorithm to predict future domains. The exam may ask about the impact of DGA on IOC-based detection.
Pivoting involves using one IOC to discover others. For example, if you have a malicious IP, query passive DNS to find all domains that resolved to that IP. Or, if you have a hash, search for that hash in threat feeds to find associated IPs or domains used by the same malware family. Tools like MISP, ThreatConnect, and SIEMs support pivoting. The CS0-003 exam tests your ability to pivot to expand the investigation.
A domain is part of a URL. A URL is a complete address that includes the protocol (http, https), domain (or IP), optional port, path, and query string. For example, 'https://evil.com/exploit.php?payload=1' is a URL; 'evil.com' is the domain. Blocking the domain would block all URLs under that domain, which may be too broad if only a specific path is malicious. The exam may test your ability to choose between blocking the domain vs. the URL.
Threat intelligence feeds should be updated as frequently as possible, ideally in real-time or near-real-time. Stale IOCs (older than 30 days) may no longer be accurate because attackers change infrastructure. Many commercial feeds update every few minutes. For the exam, remember that timeliness is critical for effective detection. A question might ask why an IOC was not detected—possibly because the feed was outdated.