Which indicators are used to identify specific behavior related to malicious activities, such as a document executing a PowerShell script and remote command execution?



Explanation:
Behavioral indicators identify specific actions and techniques used by malware or attackers, such as a document triggering PowerShell execution or remote command execution. These indicators focus on the behavior and sequence of operations, not just a single artifact, helping you spot how an intrusion unfolds and what techniques are being employed. Computed indicators are derived metrics created by processing and correlating data, which can flag risk but don’t directly describe a particular malicious action. Atomic indicators are standalone artifacts like file hashes or IP addresses, useful for identification but not for describing behavior. Network indicators cover network-related signals such as domains or IPs, which may hint at activity but don’t capture the internal operational behavior.
