█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Threat Intelligence/Indicators of Compromise
40 minIntermediate

Indicators of Compromise

After this lesson, you will be able to: Use IoCs and understand STIX/TAXII sharing protocols.

IoCs (Indicators of Compromise) are atomic facts: 'this IP is malicious', 'this hash is malware'. STIX/TAXII is the standard format and protocol for sharing them across organizations.

Prerequisites:Threat Actors and Motivations

IoC types

Network. IPs, domains, URLs, JA3 fingerprints. Host, file hashes (MD5/SHA256), filenames, registry keys. Behavioral, process trees, command lines, parent/child relationships. Email, sender addresses, subject patterns.

💡 The Pyramid of Pain

Hashes (trivial to change) → IPs → Domains → Network artifacts → Host artifacts → Tools → TTPs (hardest to change). Detect higher up the pyramid for durable detections.

STIX 2.1 indicator example

JSON-format threat info structure:

json
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--abc123...",
"created": "2026-01-15T10:00:00Z",
"name": "Malicious IP from APT28 campaign",
"pattern": "[ipv4-addr:value = '1.2.3.4']",
"pattern_type": "stix",
"valid_from": "2026-01-15T00:00:00Z",
"labels": ["malicious-activity"]
}

TAXII servers

TAXII = the protocol to publish/subscribe STIX. Free TAXII feeds: AlienVault OTX, MISP communities. Commercial: most TI vendors (Anomali, Recorded Future).

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Threat Actors and Motivations
Back to Threat Intelligence
Open Source Intelligence (OSINT)→