Rex-ing indicators out of unstructured text (like an e-mail)

License

Notifications You must be signed in to change notification settings

cfalta/ioctool

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 

Repository files navigation

ioctool

Despite having MISPs and similar products around, you might occasionally come to the point where you get IOCs (indicators of compromise) sent to you in an unstructured format like an email body, a text file, an Excel spreadsheet and so on. So I wrote a script that uses regex to carve the most common indicator types (IP, MD5, SHA1, SHA256, URL) directly out of your clipboard. That way, you can just Ctrl+A/Ctrl+C the whole text and then run ioctool - done.

Usage

# Load into your current PowerShell host
. ioctool.ps1

# Use Ctrl+C to copy the text containing IOCs into your clipboard, then run ioctool
ioctool

# The script will automatically carve indicators out of the text and show you a summary. You can then write everything or only selected types of indicators back to the clipboard and move on from there.

Example

Let's take this article by CISA on QakBot as an example. CISA also provides their indicators in STIX format but let's assume you'd only have the article. It contains a bunch of defanged IPs and one SHA256 hash. Using ioctool, you can carve the website and extract the indicators quickly.

Just Ctrl+A/Ctrl+C the whole site and run ioctool.
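The carving step itself, as an added example that is not the project's ioctool.ps1: a small Python module that undoes common defanging (bracketed dots, hxxp, bracketed colons), then regex-carves the same five indicator types the README lists (IP, MD5, SHA1, SHA256, URL) and de-duplicates them. The defanging conventions handled, the regex patterns and the sample e-mail text are all assumptions of this example; the three hashes in the sample are the well-known digests of the empty string, not indicators from any report.

```python
import re
from typing import Dict, List

# Undo common defanging before carving. Which conventions to handle is an
# assumption of this example; reports differ (e.g. "[.]", "(.)", "hxxp", "[:]").
_REFANG = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\[://\]"), "://"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"hxxp", re.IGNORECASE), "http"),
]

# Hash patterns are fenced with hex lookarounds so that a SHA256 is not also
# reported as an MD5 (its first 32 hex chars) or a SHA1 (its first 40).
_HEX_RUN = r"(?<![0-9a-fA-F])[0-9a-fA-F]{{{n}}}(?![0-9a-fA-F])"
_PATTERNS: Dict[str, re.Pattern] = {
    # IPv4 with octet range check; four-part version strings are a known false positive.
    "ip": re.compile(
        r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?!\d)"
    ),
    "md5": re.compile(_HEX_RUN.format(n=32)),
    "sha1": re.compile(_HEX_RUN.format(n=40)),
    "sha256": re.compile(_HEX_RUN.format(n=64)),
    "url": re.compile(r"https?://[^\s<>\"'()\[\]]+"),
}


def refang(text: str) -> str:
    """Return text with common defanging undone so the carvers see real indicators."""
    for pattern, repl in _REFANG:
        text = pattern.sub(repl, text)
    return text


def carve_iocs(text: str) -> Dict[str, List[str]]:
    """Carve IPs, MD5/SHA1/SHA256 hashes and URLs out of free text.

    Returns a dict keyed by indicator type; each list is de-duplicated and
    keeps first-seen order, like a clipboard summary would.
    """
    clean = refang(text)
    found: Dict[str, List[str]] = {}
    for kind, pattern in _PATTERNS.items():
        hits = pattern.findall(clean)
        if kind == "url":
            # Sentence punctuation glued to the end of a URL is not part of it.
            hits = [h.rstrip(".,;:") for h in hits]
        if kind in ("md5", "sha1", "sha256"):
            hits = [h.lower() for h in hits]
        found[kind] = list(dict.fromkeys(hits))
    return found


def summary(found: Dict[str, List[str]]) -> str:
    """One line per indicator type with its count, in the spirit of ioctool's summary."""
    return "\n".join(f"{kind:7s} {len(values):3d}" for kind, values in found.items())


# Constructed sample text (not a real report); addresses are RFC 5737 documentation
# ranges and the hashes are the empty-string digests.
SAMPLE = """Subject: FW: infrastructure list (constructed sample)

C2 observed at 192[.]0[.]2[.]10 and 198.51.100[.]7 on port 443.
Dropper fetched from hxxps://malware-example[.]test/loader.exe.
Second stage: hxxp://203[.]0[.]113[.]5/update.php?id=1
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
MD5 of same file: d41d8cd98f00b204e9800998ecf8427e
SHA1 (mentioned twice): da39a3ee5e6b4b0d3255bfef95601890afd80709, da39a3ee5e6b4b0d3255bfef95601890afd80709
Not an IP: 999.1.1.1 ; build 10.0.19045 has only three parts.
"""

if __name__ == "__main__":
    result = carve_iocs(SAMPLE)
    print(summary(result))
    for kind, values in result.items():
        for value in values:
            print(f"{kind}\t{value}")
```

Running the module prints the per-type counts followed by one indicator per line, which is the shape you would paste back into a ticket or feed to a blocklist. Two caveats a practitioner would add before relying on the output: the IPv4 pattern does not filter private or reserved ranges, and a 32-, 40- or 64-character hex run is assumed to be a hash, so post-filter against your own allowlist before acting on the results.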

[Screenshot, 2024-01-23: ioctool run against the copied article, showing the carved indicator summary]
