D8 · CySA+

What is a behavioral IoC?

A behavioral IoC describes what an attacker does rather than a specific artifact they leave behind: for example, "PowerShell making outbound network connections" rather than a particular IP address or file hash. Behavioral IoCs are more durable than artifact-based IoCs.
IP addresses and hashes can be changed in minutes, while behavioral patterns persist across campaigns. In the Pyramid of Pain, TTPs sit at the top (hardest for an attacker to change) and hash values at the bottom (easiest to change). Focus detection on behavioral indicators for lasting coverage.