| Key Takeaways |
| Indicators of Attack (IOAs) catch attacks in motion. They track behavior and intent so teams can detect and interrupt intrusions early, while IOCs confirm what already happened for scoping and cleanup. |
| Turn IOAs into clear actions. Watch for signs like Office launching PowerShell, surprise admin creation, unusual RDP/SMB hops, access to LSASS, and rapid file zipping before an upload. |
| Group-IB can operationalize this with Attack Surface Management, MXDR, and EDR by using general and custom IOAs, and MITRE ATT&CK mapping to detect across endpoints, cloud, and network activity. |
What are Indicators of Attack (IOAs)?
Indicators of Attack are clues that reveal an attacker’s intent and actions as they unfold. They focus on the behavior and tactics used in unauthorized access attempts, not on a specific virus or tool.
Usually, IOAs help teams identify an intrusion as it begins, allowing them to respond in real-time. By contrast, IOCs confirm what has already happened, such as a known file hash or a malicious domain found after the fact.
IOA vs. IOC – What’s the Difference?
The main difference between an Indicator of Attack and an Indicator of Compromise is that IOAs flag what an attacker is doing right now by tracking behaviors and tactics, so teams can interrupt the intrusion in real time.
IOCs confirm what already happened by pointing to artifacts such as file hashes, malicious domains, or dropped files, which help verify, scope, and clean up an incident after the fact.
Let’s take a look at the differences in detail:
| Aspect | IOA | IOC |
|---|---|---|
| Core idea | Behavioral clues that reveal attacker intent and actions in progress | Artifacts that show an attack step already happened |
| Timing | During the intrusion | After, or in the late stages of, an intrusion |
| Focus | Tactics and behavior | Evidence and fingerprints |
| Typical signals | Office spawning PowerShell with encoded commands; new admin user outside change window; unexpected RDP or SMB; sudden mass file access | Known malicious file hash; C2 domain or IP; registry key tied to a malware family; dropped DLL |
| Data sources | EDR process trees, command lines, identity events, network flows, cloud control plane logs | Threat intelligence feeds, AV detections, firewall and DNS logs, file system artifacts |
| Strengths | Catches novel and fileless attacks; resilient to tool changes; supports real-time response | Fast matching at scale; good for scoping and confirmation |
| Limitations | Needs rich telemetry and tuning; can be noisy without context | Ages quickly; easy to evade by swapping tools or infrastructure |
| Best use | Interrupt and contain active attacks, including ransomware | Validate, scope, and hunt post-incident |
| Outcome | Faster detection and response | Clearer impact analysis and cleanup steps |
Five Examples of Indicators of Attack
Here are five clear IOAs, how they show up, and practical ways to prevent or stop them:
1. Office app spawning PowerShell with encoded commands
You open a Word or Excel file. A hidden or brief PowerShell window runs right after. The file likely had a malicious macro, and it is trying to pull in more code or change system settings.
Stop and prevent:
- Do not enable macros from unknown senders.
- Block macros from the internet.
- Set an alert for “Office app starts PowerShell or cmd.”
- If it happens, disconnect the device from the network and scan it.
2. Sudden privilege escalation or a new admin user outside change windows
An account gets admin rights late at night. Or a new admin account appears with no ticket or change request. The attacker has probably stolen a password and is attempting to gain full control.
Stop and prevent:
- Use MFA for all admin actions.
- Approve admin access only when needed and only for a short time.
- Get alerts for role changes outside maintenance windows.
- If you see this, remove the admin rights, reset the password, and review recent logins.
3. Lateral movement via unexpected RDP or SMB
A single workstation starts using RDP or file sharing to connect to several machines in a row. This means that the attacker is moving through your network to find valuable systems.
Stop and prevent:
- Allow remote tools only for IT staff.
- Segment the network so that most machines cannot talk to each other directly.
- Watch for many failed logins or logins from unusual sources.
- If spotted, block the source device and check nearby systems for the same behavior.
4. Credential dumping attempts against LSASS
A strange tool accesses LSASS, the part of Windows that holds logins in memory. This means that someone is trying to steal passwords and tokens for reuse.
Stop and prevent:
- Turn on features like Credential Guard or LSASS protection.
- Keep endpoint protection active and updated.
- Do not reuse local admin passwords across devices.
- If triggered, kill the process, rotate affected passwords, and check for new logins that used them.
5. Mass file access and rapid compression before an outbound transfer
One process reads many files very fast. A large .zip or .7z file appears. A new outbound connection opens to an unknown site or cloud drive. This means that your data is being staged for theft, whether by an external attacker, an insider, an advanced persistent threat, or a ransomware group preparing extortion.
Stop and prevent:
- Alert on mass file reads and the sudden use of archiving tools.
- Limit uploads to approved storage only.
- Use DLP or simple block lists for unknown file-sharing apps.
- If seen, isolate the host and review what sensitive information was packed.
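As an added example (not Group-IB's code), here is a small Python detector that runs the five behavioral checks above over constructed, simplified endpoint events and reports which IOA fired on which host. The field names, thresholds, change window and LSASS allowlist are assumptions for illustration and would be tuned to real EDR telemetry.

```python
from collections import defaultdict
from datetime import datetime
# Constructed, simplified telemetry: one dict per event. Field names, thresholds
# and allowlists are assumptions for this example, not a real EDR/Sysmon schema.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
ARCHIVERS = {"7z.exe", "winrar.exe", "tar.exe", "zip.exe"}
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
CHANGE_WINDOW = range(9, 18)                 # assumed maintenance hours, 09:00-17:59
REMOTE_PORTS = {3389, 445}                   # RDP and SMB
LSASS_ALLOW = {"msmpeng.exe", "csrss.exe"}   # example allowlist of legitimate LSASS readers

def detect_ioas(events):
    """Return {host: sorted IOA names} after running the five checks over event dicts."""
    hits = defaultdict(set)
    remote_peers = defaultdict(set)          # host -> distinct RDP/SMB destinations
    file_reads = defaultdict(int)            # (host, pid) -> files read by that process
    for e in events:
        host, kind = e["host"], e["type"]
        if kind == "process":
            parent, image, cmd = e["parent"].lower(), e["image"].lower(), e["cmdline"].lower()
            if parent in OFFICE and image in SHELLS and ("-enc" in cmd or "-w hidden" in cmd):
                hits[host].add("office_spawns_shell")                  # IOA 1
            if image in ARCHIVERS and file_reads[(host, e["ppid"])] >= 100:
                hits[host].add("mass_access_then_archive")             # IOA 5: archive after mass reads
        elif kind == "group_add" and e["group"] in ADMIN_GROUPS:
            if datetime.fromisoformat(e["ts"]).hour not in CHANGE_WINDOW or not e.get("ticket"):
                hits[host].add("admin_outside_change_window")          # IOA 2
        elif kind == "netconn" and e["dport"] in REMOTE_PORTS:
            remote_peers[host].add(e["dst"])
            if len(remote_peers[host]) >= 3:                           # IOA 3: fan-out to 3+ peers
                hits[host].add("lateral_movement")
        elif kind == "process_access" and e["target"].lower() == "lsass.exe":
            if e["image"].lower() not in LSASS_ALLOW and e["rights"] & 0x10:   # PROCESS_VM_READ
                hits[host].add("lsass_access")                         # IOA 4
        elif kind == "file_read":
            file_reads[(host, e["pid"])] += 1                          # feeds IOA 5
    return {h: sorted(v) for h, v in hits.items()}
SAMPLE = [  # constructed events, one host per IOA; timestamps are ISO-8601 local time
    {"host": "ws1", "type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -enc <placeholder>", "pid": 400, "ppid": 300},
    {"host": "dc1", "type": "group_add", "ts": "2024-05-03T02:14:00", "group": "Domain Admins", "ticket": None},
    *[{"host": "ws2", "type": "netconn", "dst": f"10.0.0.{i}", "dport": 445} for i in (11, 12, 13)],
    {"host": "ws3", "type": "process_access", "image": "unknown-tool.exe", "target": "lsass.exe", "rights": 0x1010},
    *[{"host": "ws4", "type": "file_read", "pid": 900} for _ in range(120)],
    {"host": "ws4", "type": "process", "parent": "explorer.exe", "image": "7z.exe",
     "cmdline": "7z a staged.7z C:\\Finance", "pid": 901, "ppid": 900},
]
if __name__ == "__main__": print(detect_ioas(SAMPLE))
```

Each rule keys on behavior rather than a hash or tool name, so a renamed binary or a new macro still trips it; the thresholds and allowlists are where tuning against benign admin activity happens.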
Can Group-IB Help?
Yes.
- Monitoring and hunting. Group-IB can watch for these behaviors across endpoints, accounts, networks, and cloud.
- Threat intelligence. Fresh attacker playbooks and indicators that pair well with your detection rules.
- Incident response. Rapid help to contain the cyberattack, investigate what happened, and restore safely.
- Fraud and digital risk. Protection against account takeover, payment fraud, and brand abuse that often sit behind these attacks.
If you share your tools and environment, we can map these five IOAs to specific alerts and security controls you can use right away.
Group-IB Activates Your Proactive Defenses
Start with behavior, not artifacts. Indicators of Attack let teams spot what an adversary is doing in the moment, which opens the door to action before impact.
Building on that idea, Group-IB’s next-generation security stack applies both general and custom IOAs to detect attack patterns and anticipate adversarial moves, no matter which tools the attacker uses.
To turn this into day-to-day practice, Group-IB’s Attack Surface Management uses preconfigured and custom IOAs to mitigate security incidents. Custom IOAs create alerts for suspicious activity that reflect your environment and risk profile.
In parallel, Attack Surface Management inventories confirmed assets, finds common vulnerabilities, and assigns each a risk score so remediation of your security posture can be prioritized. Security professionals can also set custom IOAs and issue priorities to keep effort focused where it matters most.
Coverage then extends from assets to attacker tradecraft. IOAs map cleanly to tactics, techniques, and procedures in the MITRE ATT&CK® framework, which helps detect activity across the kill chain. Group-IB’s Managed Extended Detection and Response (MXDR) and other security solutions combine these IOAs with Endpoint Detection and Response (EDR) to provide visibility and control across the full data breach lifecycle.
Interested? Get on a call with us to discuss your defense strategy!
