As cyber attacks become more intelligent and advanced, cyber attacks targeting heterogeneous systems such as Internet of Things (IoT) devices are increasing. There is a need for a technique to share detailed threat information about the incident attack. In the event of an infringement incident, a technique that can express digital forensic artifacts collected from heterogeneous IoT devices as indicators of compromise (IoC) and share them must be established. In particular, when malicious code is executed targeting various IoT devices, an efficient IoC generation method to express cyber threat information and share it among CTI systems must be presented. Therefore, in this study, the existing IoC creation method and expression method were analyzed. A classification system for generating IoC for malware and an efficient and standardized expression method were presented. Based on the proposed IoC expression and standardization method, it is expected that it will be able to actively respond to intelligent attacks when establishing an accident management framework