Indicators of compromise (IoCs) are forensic artifacts indicating that a system has been compromised: file hashes, IP addresses, domain names, registry keys, user agents, malware signatures.
IoCs are reactive (discovered after compromise). They are shared via STIX/TAXII, threat intel feeds, and ISACs. TTPs (tactics, techniques, and procedures) are more durable than IoCs: attackers can easily change IPs and hashes but not their fundamental techniques.