What Are Indicators of Attack (IOAs)?

An indicator of attack (IOA) is evidence of the intent and behavior behind an attack, the sequence of actions an adversary must take to reach their goal, observed in real time while the attack is happening.

A process opens a Word document, then spawns PowerShell, which reaches out to the internet and pulls down a script that reads the memory of the system's credential store. Every one of those programs is signed and trusted. No known-bad file hash is on disk, no flagged IP is contacted, and a tool matching only against lists of known-bad artifacts sees nothing wrong. What is wrong is the sequence: a document does not normally launch a scripting engine that downloads code and dumps credentials. That sequence is an indicator of attack, and catching it is the whole point.

An indicator of attack (IOA) is evidence of the intent and behavior behind an attack, the actions an adversary must take to reach their goal, observed while the attack is happening. It answers a different question than a forensic artifact does. Instead of asking "what known-bad thing is present," an IOA asks "is someone executing the steps of an attack right now," regardless of the specific malware, exploit, or tool they are using to do it.

This guide covers what an IOA is, how it works, how it differs from an indicator of compromise, what IOAs detect, why behavior-based detection matters, and how IOAs fit a modern SOC. It is written for blue teamers who need to catch intrusions in progress, not just clean up after them.

What is an indicator of attack?

An indicator of attack is a signal that an adversary is carrying out the actions required to compromise a target, identified by the behavior and intent of those actions rather than by any fixed artifact they leave behind. The focus is on the "why" and the "how" of an attack: what is the actor trying to accomplish, and what steps must they execute to get there.

The defining idea is that intent is harder to change than tooling. An attacker can recompile malware to alter its hash, register a new domain, or swap one exploit for another, and every one of those changes defeats a detection tied to the old artifact. What the attacker cannot easily change is the underlying sequence of behaviors. To steal credentials they must access credential storage. To move deeper they must perform lateral movement. To keep a foothold they must establish persistence. Those actions are dictated by the objective, not by the tool, so a detection built on behavior holds up even when the malware is brand new.

This makes IOAs proactive. Because they describe an attack as it executes, they can flag an intrusion in its early stages, before data is stolen or systems are encrypted, rather than confirming after the fact that a breach already happened. CrowdStrike, which popularized the term, frames it directly: an IOA is a series of actions an adversary must conduct to succeed, like the steps a bank robber must take regardless of the specific tools they bring.

IOA vs. IOC

IOAs are best understood next to indicators of compromise, the other half of the pair. The two are complementary, but they answer different questions at different points in an attack.

An indicator of compromise (IOC) is a static artifact that shows a compromise has occurred or is occurring: a malicious file hash, a known command-and-control domain or IP address, a suspicious registry key, an unusual filename. IOCs are concrete and easy to share, which is why they are the currency of threat intelligence feeds. Their weakness is timing and durability. An IOC is usually evidence that something bad already happened, and because it is a fixed value, an attacker who changes the artifact, by producing a new hash or registering a new domain, slips past a detection tuned to the old one.

An IOA is a dynamic signal about behavior and intent, evaluated while the attack runs. It does not care which specific file or address is involved; it cares whether the pattern of actions matches how an attack unfolds. That makes it resilient to the tool-swapping that defeats IOCs, and it makes it earlier: an IOA can fire during the attack rather than after it.

Aspect      | Indicator of Attack (IOA)                                            | Indicator of Compromise (IOC)
Focuses on  | Intent and behavior (the "how/why")                                  | Artifacts and evidence (the "what")
Nature      | Dynamic, behavioral                                                  | Static, fixed value
Timing      | During the attack, proactive                                         | After the fact, reactive
Examples    | Office app spawning PowerShell, credential access, beaconing pattern | File hash, C2 domain, malicious IP, registry key
Resilience  | Holds even when tooling changes                                      | Defeated when the artifact changes
Best for    | Detecting novel and in-progress attacks                              | Confirming and scoping known threats

The takeaway is not that one replaces the other. IOCs are excellent for confirming and scoping known threats and for sharing intelligence; IOAs are what catch the new and the in-progress. A mature program uses both: IOAs to detect the attack as it happens, IOCs to enrich, confirm, and hunt for its footprint elsewhere.

How IOAs work

[Figure: IOA, behavior over artifacts. Every program is trusted; the sequence is the attack. No flagged hash, no flagged IP: the IOA fires on the pattern of actions, not on any artifact.]
  User opens winword.exe: a document opens, signed and trusted.
  Spawns powershell.exe: a document launching a script engine is abnormal.
  Downloads a script from the web: PowerShell pulls code from the internet.
  Credential access (MITRE T1003): the script reads credential-store memory to steal secrets.
  IOA fires in real time: a signature asks "have I seen this exact thing before"; an IOA asks "does this look like an attack" and fires on the chain while it is still running, before the credentials are gone.

IOAs turn raw activity into behavior-based detections through a consistent process.

  1. Collect activity. Sensors gather the raw signals of behavior across the environment: process creation and parent-child relationships on endpoints, command-line arguments, network connections, authentication events, and registry and file activity.
  2. Map to adversary behavior. That activity is interpreted against models of how attacks unfold, frameworks like MITRE ATT&CK that catalog the tactics and techniques adversaries use, so a raw event becomes a named, explainable behavior.
  3. Evaluate intent in context. A single action is rarely conclusive. The system weighs the sequence and context: a document spawning PowerShell is suspicious; that PowerShell downloading code and touching credential storage is an attack chain. Intent emerges from the combination, not from any one step.
  4. Detect in real time. When the pattern matches attack behavior, the IOA fires while the activity is still happening, ideally early in the chain, rather than waiting for a known-bad artifact to appear.
  5. Respond. The detection gives analysts the full behavioral context, the sequence of actions, the processes involved, the user, and supports response: isolating the host, killing the process tree, and feeding the event into the wider workflow.

The reason this works is that it inverts the question. A signature asks "have I seen this exact thing before." An IOA asks "does this look like an attack," which lets it catch techniques that have never been seen as a specific artifact but that still must follow the same behavioral logic to succeed.

What IOAs detect

Because they watch behavior rather than artifacts, IOAs are strong against exactly the activity that no fixed signature anticipates.

  • Fileless and living-off-the-land attacks. Attacks that abuse legitimate tools already on the system, such as PowerShell, WMI, or certutil, leave no malicious file to hash. The IOA catches the abnormal use of the trusted tool.
  • Credential theft. Reading the memory of a credential store or harvesting secrets is a behavior, regardless of which tool performs it. The access pattern is the signal.
  • Lateral movement. An actor spreading from a foothold to other systems generates a recognizable behavioral pattern of remote execution and authentication that an IOA flags as movement, not as a benign login.
  • Persistence. Establishing a foothold that survives reboots, through registry run keys, scheduled tasks, or services, is a behavior an IOA recognizes even when the specific mechanism is novel.
  • Novel and zero-day attacks. Because there is no known artifact to match, signature and IOC approaches are blind to a genuinely new attack. An IOA can still catch it, because even a never-seen attack must execute the same kinds of actions to reach its goal.

The worked example from the opener shows the logic in one chain. A user opens a document. The document spawns PowerShell. PowerShell downloads a script. The script reads credential-store memory. No step uses a flagged file or address; each program is trusted. But the sequence, document to script engine to download to credential access, is a textbook attack pattern. The IOA fires on the pattern, not on any artifact, and it fires while the chain is still running.
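The five-step process above and this worked chain, as a toy streaming detector written for this article (not any vendor's engine) over constructed endpoint telemetry: it builds the process tree, maps each event to an ATT&CK-labelled stage, scores the chain in context and fires at the credential-access step while the chain is still running, while an IOC lookup over the same telemetry finds nothing, and the IOA still fires after the attacker swaps script engine and download host. Binary names, placeholder hashes, the documentation-range address, stage weights and the threshold are constructed assumptions; T1059 and T1105 are ATT&CK technique IDs, T1003 is the one the article names.

```python
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Stage -> (ATT&CK technique, weight). One stage alone is suspicious; the combination is the attack.
STAGES = {"office_spawns_script_engine": ("T1059 Command and Scripting Interpreter", 1),
          "script_engine_downloads": ("T1105 Ingress Tool Transfer", 2),
          "credential_store_read": ("T1003 OS Credential Dumping", 3)}
ALERT_THRESHOLD = 5  # document -> script engine -> download scores 3; credential access crosses it

# Constructed telemetry for one host: placeholder hashes of trusted binaries, a 203.0.113.0/24 address.
TELEMETRY = [
    {"pid": 200, "ppid": 1, "image": "winword.exe", "action": "start", "sha256": "trusted-a"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "action": "start", "sha256": "trusted-b"},
    {"pid": 300, "action": "net_connect", "dest": "203.0.113.7:443"},
    {"pid": 300, "action": "credential_access", "target": "credential store memory"},
]
IOC_FEED = {"hashes": {"known-bad-placeholder"}, "addresses": {"198.51.100.5:443"}}  # constructed feed

def ioc_hits(events, feed):
    # Artifact matching: a hit needs a known-bad hash or address to appear in the telemetry.
    return [e for e in events if e.get("sha256") in feed["hashes"] or e.get("dest") in feed["addresses"]]

def office_root(pid, procs):
    # Follow parent links to the document process this one descends from, or None.
    while pid in procs:
        if procs[pid][0] in OFFICE_APPS:
            return pid
        pid = procs[pid][1]
    return None

def detect_ioa(events):
    # Stream events in order; return the first alert with its behavioral context, or None.
    procs, chains = {}, {}  # live process tree (pid -> image, ppid); root pid -> stages seen
    for i, e in enumerate(events):
        if e["action"] == "start":
            procs[e["pid"]] = (e["image"], e["ppid"])
        root = office_root(e["pid"], procs)
        if root is None:
            continue  # not descended from a document: not this chain
        image, ppid = procs[e["pid"]]
        stage = None
        if e["action"] == "start" and image in SCRIPT_ENGINES and procs.get(ppid, ("",))[0] in OFFICE_APPS:
            stage = "office_spawns_script_engine"
        elif e["action"] == "net_connect" and image in SCRIPT_ENGINES:
            stage = "script_engine_downloads"
        elif e["action"] == "credential_access":
            stage = "credential_store_read"
        seen = chains.setdefault(root, [])
        if stage and stage not in seen:
            seen.append(stage)
            score = sum(STAGES[s][1] for s in seen)
            if score >= ALERT_THRESHOLD:  # fires while the chain is still running
                return {"fired_at_event": i, "root_pid": root, "score": score,
                        "techniques": [STAGES[s][0] for s in seen]}
    return None

def swap_tooling(events):
    swapped = [dict(e) for e in events]  # attacker changes script engine and download host; behavior unchanged
    for e in swapped:
        if e.get("image") == "powershell.exe":
            e.update(image="wscript.exe", sha256="trusted-c")
        if "dest" in e:
            e["dest"] = "203.0.113.40:8443"
    return swapped
```

Running detect_ioa on the first three events alone returns None, since the chain has not yet reached the threshold; an IOC feed built from the first incident's hash and address matches that incident but misses the swapped one, while the IOA fires on both.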

Why IOAs matter

IOAs earn their place by covering a gap that artifact-based detection cannot close.

They survive tool changes. Attackers continuously recompile malware, rotate domains, and swap exploits specifically to defeat artifact-based detection. Behavior-based detection holds because the attacker's objective, and therefore the actions required to reach it, stays constant.

They catch the novel. A zero-day or a never-before-seen tool has no hash, no domain, no signature to match. It still has to behave like an attack, which is what the IOA sees.

They are early. An IOC usually confirms a breach after it happens. An IOA can fire during the early stages of an intrusion, giving defenders the chance to stop it before the objective, whether data theft or encryption, is reached.

They explain themselves. Because an IOA is tied to adversary behavior and frameworks like ATT&CK, a detection arrives as a named technique with context, not an opaque alert. That makes triage and response faster.

Together these make behavior-based detection the layer aimed at the attacker's playbook rather than their luggage. The artifacts change every campaign; the plays do not change nearly as fast.

IOAs in the SOC

In practice, IOAs are most powerful as one part of a layered detection program, not as a standalone product. They are generated and enforced largely by endpoint detection and response platforms and by cyber threat intelligence functions that translate observed adversary tradecraft into behavioral detections, and increasingly by AI and machine learning that model normal versus malicious sequences at a scale humans cannot.

Their value compounds when combined with IOCs and other telemetry. An IOA detects the attack in progress; IOCs then help scope it: the hashes, domains, and addresses involved become hunting material to find the same actor elsewhere. Feeding both into a correlation layer turns an isolated behavioral alert into a full picture of an incident: the behavior that fired the detection, the artifacts it produced, the hosts and users involved.

IOAs also fuel proactive defense. Threat hunters use known adversary behaviors as hypotheses, searching for the actions an actor would take even when no alert has fired, and detection engineers turn observed tradecraft into new behavioral rules. The flow runs both ways: hunting surfaces new behaviors, those behaviors become IOAs, and the IOAs catch the next actor who runs the same play.

Getting started with behavior-based detection

If you want to build the skill behind IOAs, learn to read activity and recognize adversary behavior in it, because that is what an IOA encodes.

  1. Learn the attack lifecycle. Study how intrusions unfold, from initial access through persistence, privilege escalation, lateral movement, and exfiltration, so a sequence of events reads as a stage of an attack.
  2. Map behavior to MITRE ATT&CK. Tie observed activity to named tactics and techniques. ATT&CK is the shared language for describing the behaviors IOAs are built on.
  3. Practice on real telemetry. Hunt for attack patterns such as anomalous process chains, credential access, and lateral movement in endpoint and log data, where IOAs are evaluated.
  4. Turn findings into detections. Convert a behavior you found into a repeatable rule, so the next occurrence of that pattern fires automatically.

Frequently asked questions

What is an indicator of attack (IOA)?

An indicator of attack is evidence of the intent and behavior behind an attack, the sequence of actions an adversary must take to reach their goal, observed while the attack is happening. Rather than matching known-bad artifacts, an IOA detects whether someone is executing the steps of an attack, regardless of the specific malware or tools used. This makes it proactive: it can flag an intrusion in progress, often early in the attack chain, instead of confirming a breach after the fact.

What is the difference between an IOA and an IOC?

An IOA focuses on intent and behavior, the "how" and "why" of an attack, and is dynamic and evaluated in real time. An indicator of compromise (IOC) is a static artifact, such as a file hash, domain, IP address, or registry key, that shows a compromise has occurred. IOCs are easy to share and ideal for confirming known threats, but they are usually after the fact and are defeated when an attacker changes the artifact. IOAs are resilient to tool changes and catch attacks as they unfold. Mature programs use both together.

Are IOAs better than IOCs?

Neither is strictly better; they solve different problems. IOAs excel at catching novel and in-progress attacks because they watch behavior, which holds even when tooling changes. IOCs excel at confirming, scoping, and sharing known threats, and at hunting for an actor's footprint. The strongest detection programs combine them: IOAs to detect the attack happening, IOCs to enrich and confirm it.

Can IOAs detect fileless attacks?

Yes, and this is one of their core strengths. Fileless and living-off-the-land attacks abuse legitimate tools already on the system, such as PowerShell or WMI, so they leave no malicious file to hash and evade artifact-based detection. An IOA catches the abnormal behavior, a trusted tool being used in an attack sequence, rather than looking for a malicious file that is never written to disk.

How do IOAs relate to MITRE ATT&CK?

MITRE ATT&CK is a knowledge base of adversary tactics and techniques, and it gives IOAs a shared vocabulary for the behaviors they detect. An IOA maps observed activity to ATT&CK techniques so a raw event becomes a named, explainable behavior. This lets detection engineers build behavioral rules against documented tradecraft and lets analysts triage an IOA as a known technique rather than an opaque alert.

Who generates and uses IOAs?

IOAs are largely produced and enforced by endpoint detection and response platforms, by threat intelligence teams that turn observed adversary tradecraft into behavioral detections, and increasingly by AI and machine learning that model attack sequences at scale. SOC analysts, threat hunters, and detection engineers all use them: analysts to catch in-progress attacks, hunters to form hypotheses from known behaviors, and engineers to turn discovered behaviors into new detection rules.

The bottom line

An indicator of attack is the detection signal aimed at what an adversary is trying to do, not at the specific tools they leave behind. It watches the sequence of actions an attack requires, such as a document spawning a script engine, a process reading credential memory, or a foothold spreading to new hosts, and fires while that sequence is still running. Its power is resilience and timing: behavior holds even when an attacker swaps malware, registers a new domain, or fields a zero-day, and it surfaces the attack early enough to stop it. IOAs do not replace indicators of compromise; they pair with them, IOAs to catch the attack as it happens, IOCs to confirm and scope it. The attacker can change every artifact in their kit, but they still have to run the play, and the IOA is what watches for the play.
