Indicator of Compromise (IOC) Detection Utility

Project description

iocide

Defanged/Obfuscated Indicator of Compromise (IOC) Detection

iocide uses programmatically generated regular expressions to capture IOC values that may have been defanged and/or obfuscated using a range of techniques.

Expressions for each IOC type have been tailored to the relevant specification standard, allowing identification of values obfuscated with combinations of defanging, alternate Unicode characters, and unusual edge-case formatting.
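To make the approach concrete, here is a small, self-contained Python example of generating detection expressions from a table of defanged spellings and refanging what they match. It is added for this page and is not iocide's code: the substitution table, the regexes, the function names (find_urls, find_ips, find_emails, find_iocs) and the sample text are all constructed for the example, and the expressions are far less complete than those iocide generates from the relevant RFCs. Refanged URLs are returned as urllib.parse.ParseResult, the type the Python Interface section below states iocide uses for URL values.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Defanged spellings of the three tokens that reports most often mangle.
# Constructed for this example; iocide builds fuller expressions from the RFCs.
DEFANG_ALTERNATIVES = {
    ".": [r"\.", r"\[\.\]", r"\(\.\)", r"\{\.\}", r"\[dot\]", r"\(dot\)", r"\s+dot\s+"],
    "://": [r"://", r"\[:\]//", r"\[://\]"],
    "@": [r"@", r"\[@\]", r"\(@\)", r"\[at\]", r"\(at\)", r"\s+at\s+"],
}

def alternatives(token):
    """Regex group matching the fanged token or any of its defanged spellings."""
    return "(?:" + "|".join(DEFANG_ALTERNATIVES[token]) + ")"

DOT, SEP, AT = alternatives("."), alternatives("://"), alternatives("@")
SCHEME = r"(?P<scheme>h[xt][xt]ps?|f[xt]p)"      # http/https/ftp and hxxp/hxxps/fxp
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"   # one DNS label (RFC 1035 length limit)
HOST = rf"{LABEL}(?:{DOT}{LABEL})+"
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = rf"{OCTET}(?:{DOT}{OCTET}){{3}}"

URL_RE = re.compile(rf"\b{SCHEME}{SEP}(?P<rest>(?:{IPV4}|{HOST})(?::\d{{1,5}})?(?:/[^\s<>]*)?)", re.I)
IPV4_RE = re.compile(rf"\b{IPV4}\b", re.I)
EMAIL_RE = re.compile(rf"\b[a-z0-9._%+-]+{AT}{HOST}\b", re.I)

def refang(fragment):
    """Collapse every defanged spelling back to its fanged token."""
    for token in DEFANG_ALTERNATIVES:
        fragment = re.sub(alternatives(token), token, fragment, flags=re.I)
    return fragment

def refang_scheme(scheme):
    """hxxp -> http, hxxps -> https, fxp -> ftp (already-fanged schemes are unchanged)."""
    return scheme.lower().replace("x", "t")

def find_urls(text, refang_values=True):
    """Yield URLs; refanged values come back as urllib.parse.ParseResult objects."""
    for m in URL_RE.finditer(text):
        if not refang_values:
            yield m.group(0)
            continue
        yield urlparse(refang_scheme(m.group("scheme")) + "://" + refang(m.group("rest")))

def find_ips(text, refang_values=True):
    """Yield IPv4 addresses. Refanged values are validated with the ipaddress module,
    which on recent Python versions also rejects leading-zero octets the regex allows."""
    for m in IPV4_RE.finditer(text):
        if not refang_values:
            yield m.group(0)
            continue
        try:
            yield ipaddress.ip_address(refang(m.group(0)))
        except ValueError:
            continue

def find_emails(text, refang_values=True):
    """Yield email addresses, refanged by default."""
    for m in EMAIL_RE.finditer(text):
        yield refang(m.group(0)) if refang_values else m.group(0)

def find_iocs(text):
    """Refanged IOC strings grouped by type."""
    return {
        "url": [u.geturl() for u in find_urls(text)],
        "ip": [str(ip) for ip in find_ips(text)],
        "email": list(find_emails(text)),
    }

# Constructed sample imitating a defanged report; the addresses are documentation ranges.
SAMPLE = (
    "Payload hosted at hxxps://evil[.]example[.]com/drop/update.exe and "
    "hxxp://198[.]51[.]100[.]23:8080/c2 ; operator mail: ops[@]evil(dot)example(dot)com\n"
    "Beacon to 203(.)0(.)113(.)9 every 60s."
)

if __name__ == "__main__":
    for kind, values in find_iocs(SAMPLE).items():
        for value in values:
            print(f"{kind}: {value}")
```

The point of generating the expressions from a table rather than writing them by hand is that every place a dot, separator or at-sign can appear automatically accepts every known defanged spelling, and refanging is the same table applied in reverse. The IP extractor shows why a type-aware final step matters: the regex accepts any run of up to three digits per octet, so the decoded value is passed through ipaddress to reject anything that is not actually an address.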

Author

David Finn: dsfinn@gmail.com

Features

Detected IOC Types

iocide can detect multiple IOC types, including:

  • remote URLs
  • remote IPs
  • remote hostnames
  • email addresses
  • hashes

Encoded Binary

iocide can detect (and optionally refang) binary blobs encoded according to RFC 3548, including:

  • base16
  • base32
  • base64

Binary-Embedded Text

iocide can automatically inspect detected binary blobs for text encodings. Detected text can be searched for IOCs to an arbitrary recursion depth. By default, only binary blobs found in the top-level text are inspected; blobs nested inside the decoded text are only followed when a greater recursion depth is requested.
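The following Python example, added here and not taken from iocide, shows the detection and recursion described in the two sections above: it locates base16, base32 and base64 blobs with one regex per encoding, decodes them, keeps only the ones that decode to mostly printable text, and descends into that text up to a chosen depth. The regexes, the printable-ratio threshold, the function names (find_blobs, as_text, find_embedded_text) and the two-level sample document are assumptions constructed for the example.

```python
import base64
import re

# One regex + decoder per RFC 3548 encoding. Constructed for this example; the
# expressions iocide generates are not reproduced here. Minimum lengths keep
# ordinary words from being treated as blobs.
BLOB_DECODERS = {
    "base16": (re.compile(r"\b(?:[0-9A-Fa-f]{2}){8,}\b"),
               lambda s: base64.b16decode(s, casefold=True)),
    "base32": (re.compile(r"\b[A-Z2-7]{16,}={0,6}(?![A-Z2-7=])"), base64.b32decode),
    "base64": (re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])"),
               base64.b64decode),
}

def find_blobs(text):
    """Yield (encoding, raw_blob, decoded_bytes) for each decodable blob.
    A base16 or base32 string is also valid base64 text, so each raw match is
    reported once, under the first (most specific) encoding that decodes it."""
    seen = set()
    for name, (pattern, decode) in BLOB_DECODERS.items():
        for m in pattern.finditer(text):
            raw = m.group(0)
            if raw in seen:
                continue
            try:
                data = decode(raw)
            except ValueError:  # binascii.Error is a ValueError: bad padding or alphabet
                continue
            seen.add(raw)
            yield name, raw, data

def as_text(data, min_printable=0.95):
    """Return the bytes as str when they decode as UTF-8 and are mostly printable."""
    try:
        s = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not s:
        return None
    printable = sum(c.isprintable() or c in "\r\n\t" for c in s)
    return s if printable / len(s) >= min_printable else None

def find_embedded_text(text, depth=1):
    """Return [(level, encoding, decoded_text)] for text hidden inside blobs, descending
    into each decoded text up to `depth` levels. depth=1 mirrors the default described
    above: only blobs in the top-level text are inspected."""
    found = []

    def walk(chunk, level):
        if level > depth:
            return
        for name, _raw, data in find_blobs(chunk):
            inner = as_text(data)
            if inner is not None:
                found.append((level, name, inner))
                walk(inner, level + 1)

    walk(text, 1)
    return found

# Constructed sample: a defanged URL hex-encoded inside a note that is itself
# base64-encoded inside the document, giving two levels of embedded text.
INNER = "beacon hxxp://evil[.]example[.]com/stage2"
MIDDLE = "config: " + base64.b16encode(INNER.encode()).decode()
SAMPLE = "Attached blob: " + base64.b64encode(MIDDLE.encode()).decode() + " end."

if __name__ == "__main__":
    for level, encoding, decoded in find_embedded_text(SAMPLE, depth=2):
        print(level, encoding, decoded)
```

With the default depth of 1 only the base64 blob is decoded and the hex string inside it is reported as part of that text; with depth=2 the hex string is decoded as well and the defanged URL surfaces. The decoded text from any level can then be handed to the IOC extractors, which is the recursion the section above describes.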

Installation

pip install iocide

Command Line Quickstart

See iocide -h for parameters and subcommands.

iocide reads text from stdin and writes detected IOC values to stdout. If invoked without arguments, it will search for all known IOC types including binary blobs and binary-embedded text.

The --refang flag (shortcut -r) will cause iocide to normalise detected values to their 'fanged' representations if the IOC type supports refanging.

By default, iocide will normalise input text by replacing non-ASCII characters with ASCII where possible. This behaviour can be deactivated using the --raw flag.

Finding defanged IOCs in text

cat suspicious_document.txt | iocide

Refanging detected IOCs

cat suspicious_document.txt | iocide --refang

Finding a specific IOC type

cat suspicious_document.txt | iocide url
cat suspicious_document.txt | iocide --refang url

Finding obfuscated text

cat suspicious_document.txt | iocide secrets

Filter output for unique values

cat suspicious_document.txt | iocide | sort | uniq

Python Interface

import iocide

# Constructed sample input; in practice this is whatever text you are inspecting
some_raw_text = "Beacon to hxxp://evil[.]example[.]com/update.exe"

# Normalise text characters to ASCII where possible
some_text = iocide.normalise(some_raw_text)

# extract_all will extract all known IOC types
for defanged_ioc in iocide.extract_all(text=some_text, refang=False):
    print(defanged_ioc)

for refanged_ioc in iocide.extract_all(text=some_text, refang=True):
    print(refanged_ioc)

# Use the appropriate submodule to extract a specific IOC type,
# e.g. for URLs:
for defanged_url in iocide.url.extract(text=some_text, refang=False):
    print(defanged_url)

for refanged_url in iocide.url.extract(text=some_text, refang=True):
    print(refanged_url)

# To find obfuscated text, use blobs.extract_text and pass the recursion depth
# as the refang value
for secret_text in iocide.blobs.extract_text(text=some_text, refang=2):
    print(secret_text)

To facilitate advanced use of detected IOC values, generated values are instances of appropriate built-in Python types. For example, URL values are instances of urllib.parse.ParseResult.

Some IOC types don't correspond to a built-in Python type (such as hashes), and are generated as str objects.

All generated values can be converted to strings by calling the str constructor:

str(defanged_url)
str(refanged_url)

Custom subclasses have been used to facilitate str construction and defanged text preservation where necessary. These subclasses can be inspected in the relevant module.

Download files


Source Distributions

No source distribution files are available for this release.

Built Distribution

iocide-0.1.0a2-py3-none-any.whl (19.5 kB)

File details

Details for the file iocide-0.1.0a2-py3-none-any.whl.

File metadata

  • Filename: iocide-0.1.0a2-py3-none-any.whl
  • Size: 19.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.5.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.61.1 CPython/3.8.5

File hashes

Hashes for iocide-0.1.0a2-py3-none-any.whl:

  • SHA256: 25a72415ca5f218bdea340859696be6c0e4724e4d7d4e07708d8645ef033418e
  • MD5: 50856cf74af3b837d33a6dab9209935a
  • BLAKE2b-256: e06cb55c983545285a6e403936d856c25821e2ad7c85a2e22cf5caeac1a76455

