EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Analyst Practice

IOC Extraction and Pivoting

After the static and dynamic analysis is done, the analyst extracts Indicators of Compromise and pivots — using one IOC to find related samples, infrastructure, and campaign linkages. The workflow, the tools, and the confidence model that makes an IOC report defensible.

Ashish Revar13 May 202610 min read8 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

VirusTotal

Primary pivot platform. Hash lookup, domain/IP history, relations graph, and community comments.

tool
MalwareBazaar

Sample repository with tag-based search. Free API for hash and tag lookups.

tool
David Bianco: The Pyramid of Pain

The original 2013 post introducing the Pyramid of Pain IOC quality framework. Still the best introduction.

reference
More articlesTest your knowledge

What an Indicator of Compromise Is

An Indicator of Compromise (IOC) is an observable artifact that, when present in an environment, indicates with some level of confidence that a malicious activity has occurred or is occurring. The operative phrase is "some level of confidence" — not all IOCs are equal, and conflating high-confidence indicators with speculative ones is one of the most common failures in analyst reporting.

David Bianco's Pyramid of Pain (2013) remains the most useful framework for thinking about IOC quality:

IOC TypeAttacker cost to changeAnalyst detection value
File hashesTrivial (recompile)Low
IP addressesLowLow-Medium
Domain namesLow-MediumMedium
Network artifactsMediumMedium
Host artifactsHighHigh
TTPs (tools, techniques)Very highVery high

File hashes are the easiest IOCs to extract and the easiest for attackers to invalidate. A single bit change produces a different hash. TTP-level indicators — the specific way an attacker uses process injection, the registry keys they habitually modify, the naming patterns in their C2 domains — survive across campaigns, across tool updates, and across infrastructure changes.

This does not mean hash-based IOCs are useless. In the first hours of an incident, hashes are the fastest way to determine whether other machines in an environment have the same file. But the analyst must communicate the confidence level accurately.

Three IOC Categories

Atomic IOCs are indivisible values that cannot be broken down further: file hashes (MD5, SHA-1, SHA-256), IP addresses, domain names, email addresses, URLs. They are easy to extract, easy to share, easy to implement in blocklists, and easy to change.

Computed IOCs are derived from analysis: fuzzy hashes (ssdeep, TLSH), YARA rules, import hashes (imphash), section hashes, packer signatures. These survive cosmetic changes to a binary because they capture structural or behavioural properties rather than exact content.

Behavioural IOCs describe what the malware does: mutex names it creates, registry keys it writes, file paths it accesses, network protocols it uses, API call sequences it follows. These are the hardest to extract because they require dynamic analysis, but they are the most durable.

The Extraction Workflow

Static analysis extracts:

  • SHA-256 hash (primary identifier for the sample)
  • Imphash and section hashes (from PEStudio or pefile)
  • Embedded strings: C2 domains, IP addresses, file paths, registry keys, mutex names, URL patterns
  • YARA-matchable byte sequences from distinctive code regions
  • PDB path (if not stripped — often reveals attacker development environment details)
  • Rich header hash (useful for compiler fingerprinting across samples)

Dynamic analysis extracts:

  • Actual C2 IP and domain (resolved at runtime, may differ from embedded strings if DGA is in use)
  • HTTP/HTTPS request patterns: User-Agent, URI structure, POST body format
  • DNS queries
  • Process creation and injection targets
  • Registry modifications
  • File system artifacts: dropped files, their paths and hashes
  • Mutex names (strong indicator — many malware families use distinctive mutexes)
  • Named pipes and other IPC objects

Pivoting

Pivoting is the process of using one IOC to find related artifacts. The goal is to expand from a single sample to an understanding of a campaign's infrastructure, tooling, and potential victim scope.

Hash pivot on VirusTotal: Search the SHA-256 on VirusTotal. On the "Relations" tab, examine:

  • Contacted IPs and Domains: C2 infrastructure
  • Dropped Files: second-stage payloads
  • Bundled Files: components that arrived with this sample
  • Similar Files: samples with similar behaviour or structure

Domain pivot: If you have a C2 domain, look up its passive DNS history on VirusTotal or RiskIQ/SecurityTrails. Find:

  • Other IPs the domain has resolved to (infrastructure reuse across campaigns)
  • Other domains that have resolved to the same IP (shared hosting = shared attribution)
  • Historical WHOIS data (registrar, registration date, email address patterns)

Infrastructure pivot: For a C2 IP, check Shodan and Censys for:

  • The server's SSL/TLS certificate (certificate pivoting is powerful — attacker-generated certs often have the same organizational details, or are self-signed with the same subject)
  • Unusual open ports or banner strings distinctive to specific C2 frameworks
  • Historical hosting changes

Imphash and YARA pivot on VirusTotal Intelligence (requires premium): Search imphash:[value] to find all samples with the same import hash. Samples from the same builder share the same import table structure. This surfaces the full sample set for a campaign even when file content has been randomised.

Documenting Confidence

Every IOC in an analyst report must carry a confidence level. A workable three-tier model:

  • Confirmed: Directly observed in dynamic analysis or confirmed by multiple independent analysis runs. Suitable for immediate blocking.
  • Probable: Extracted from static analysis or single-run dynamic analysis. Implement with monitoring.
  • Possible: Inferred from pivoting or infrastructure overlap. Flag for investigation, do not block without additional confirmation.

A report that lists 200 IOCs without confidence levels is less useful to a defender than one that lists 20 with clear confidence classifications.