Extract indicators of compromise from text, including "escaped" ones.
Extract indicators of compromise from text, including "escaped" ones like hxxp://banana.com, 1.1.1[.]1 and phish at malicious dot com.
Download a precompiled binary from https://github.com/assafmo/xioc/releases

Or use go get:

```sh
go get -u github.com/assafmo/xioc
```

Or use snap install (Ubuntu):

```sh
snap install xioc
```

Or use the Ubuntu PPA:

```sh
curl -SsL https://assafmo.github.io/ppa/ubuntu/KEY.gpg | sudo apt-key add -
sudo curl -SsL -o /etc/apt/sources.list.d/assafmo.list https://assafmo.github.io/ppa/ubuntu/assafmo.list
sudo apt update
sudo apt install xioc
```
The following escaped forms are normalized before extraction:

- `(dot)`, `[dot]`, `(.)`, `[.]`, `{.}` to `.`
- `(at)`, `[at]`, `(@)`, `[@]`, `{@}` to `@`
- `hxxp`, `hzzzp`, `hxxxp`, `hXXp`, `h__p`, `h**p` to `http`
```
$ xioc -h
Usage of xioc:
  -o string
        Extract only specified types.
        Types must be comma seperated. E.g: xioc -o "ip4,domain,url,md5"
        Available types:
        - ip4
        - ip6
        - domain
        - url
        - email
        - md5
        - sha1
        - sha256
  -v    Print version and exit
```
```
$ REPORT="https://unit42.paloaltonetworks.com/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
$ lynx -dump "$REPORT" | xioc
sha256 5beb50d95c1e720143ca0004f5172cb8881d75f6c9f434ceaff59f34fa1fe378
domain energy.gov.mn
email [email protected]
sha256 10090692ff40758a08bd66f806e0f2c831b4b9742bbf3d19c250e778de638f57
# ...
```

Extract only selected types with `-o`:

```
$ REPORT="https://unit42.paloaltonetworks.com/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
$ lynx -dump "$REPORT" | xioc -o email,sha256
sha256 5beb50d95c1e720143ca0004f5172cb8881d75f6c9f434ceaff59f34fa1fe378
email [email protected]
sha256 10090692ff40758a08bd66f806e0f2c831b4b9742bbf3d19c250e778de638f57
email [email protected]
# ...
```
Usage as a Go library:

```go
package main

import (
	"fmt"

	"github.com/assafmo/xioc/xioc"
)

func main() {
	// Mixed plain and "escaped" indicators; xioc normalizes the escapes before matching.
	input := `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
banana.com
hxxp://i.robot.com/robots.txt
1.2.3.4
1.1.1[.]1
info at gmail dot com
hxxps://m.twitter[dot]com/`

	fmt.Println(xioc.ExtractDomains(input)) // => [i.robot.com m.twitter.com gmail.com banana.com]
	fmt.Println(xioc.ExtractSHA256s(input)) // => [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]
	fmt.Println(xioc.ExtractMD5s(input))    // => []
	fmt.Println(xioc.ExtractIPv4s(input))   // => [1.2.3.4 1.1.1.1]
	fmt.Println(xioc.ExtractURLs(input))    // => [http://i.robot.com/robots.txt https://m.twitter.com/]
	fmt.Println(xioc.ExtractEmails(input))  // => [[email protected]]
}
```
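To show how the escape normalization listed earlier can be done before the regular extractors run, here is an added, self-contained example in Go. It is not xioc's own code: `Refang` and `ExtractIPv4s` are hypothetical functions, the substitution rules are my own reading of the list above, and the sample text is constructed. It adds one check a bare `\d{1,3}` pattern lacks, rejecting dotted quads with an octet above 255 so version strings are not reported as IPs.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)
// Defanged forms from the list above (my rules, not xioc's own). Bare-word
// " at " is only rewritten when a " dot " follows, so "look at the logs" survives.
var (
	dotForms = []string{"(dot)", "[dot]", "(.)", "[.]", "{.}"}
	atForms  = []string{"(at)", "[at]", "(@)", "[@]", "{@}"}
	wordAt   = regexp.MustCompile(`(\w+) at ([\w.-]+) dot (\w+)`)
	wordDot  = regexp.MustCompile(`(\w) dot (\w)`)
	scheme   = regexp.MustCompile(`(?i)\bh(?:xx|xxx|zzz|__|\*\*)p(s?)://`)
	ipv4Re   = regexp.MustCompile(`\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b`)
)
// Refang rewrites every defanged form back to the real character or scheme.
func Refang(s string) string {
	for _, f := range dotForms {
		s = strings.ReplaceAll(s, f, ".")
	}
	for _, f := range atForms {
		s = strings.ReplaceAll(s, f, "@")
	}
	s = wordAt.ReplaceAllString(s, "$1@$2.$3")
	s = wordDot.ReplaceAllString(s, "$1.$2")
	return scheme.ReplaceAllString(s, "http$1://")
}

// ExtractIPv4s refangs, then drops quads with an octet above 255, which
// \d{1,3} alone accepts (a version string like 10.2.300.1 looks like an IP).
func ExtractIPv4s(s string) (out []string) {
next:
	for _, m := range ipv4Re.FindAllStringSubmatch(Refang(s), -1) {
		for _, oct := range m[1:] {
			if n, _ := strconv.Atoi(oct); n > 255 {
				continue next
			}
		}
		out = append(out, m[0])
	}
	return out
}

func main() { // constructed sample mixing the defanging styles listed above
	s := "hxxps://m.twitter[dot]com/ h**p://1.1.1[.]1/x build 10.2.300.1, look at the logs, phish at malicious dot com"
	fmt.Println(Refang(s), ExtractIPv4s(s))
}
```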