Threat intelligence has been a hot topic for a while. Its raw material is IOCs (Indicators of Compromise), which carry technical information such as:
- Files and paths
- Hashes
- IP addresses
- Domains
- Users
Combined with other sources of information or with other tools, they help detect malicious behavior in programs or on networks. There are plenty of sources to collect IOCs from. Some are publicly available, while others are compiled and maintained by organizations for their customers or restricted users. DShield is of course a good source of IP addresses, and Lenny (another ISC handler) maintains a nice list of resources on his website(1). Free services usually offer lists of IOCs in common formats that can be reused directly in your own environment. But sometimes you will find interesting information published online in a less structured form: many security researchers analyze pieces of malware and publish the results on their blogs, and big organizations like to publish nice PDF reports containing juicy information. In both cases IOCs may be present, but how do you extract them automatically?
ioc-parser(2) is a nice Python script which can be very helpful in this case. It parses an input file and generates a list of IOCs in another format. It supports the following input formats: text files, PDF files and HTML (URLs). Results can be generated in CSV, JSON, YARA or NetFlow. The idea is simple: it searches for patterns based on regular expressions. Everything is configurable and your own regexps can be added.
Here is the list of IOCs extracted from a PDF report on Duqu 2.0, using the PyPDF2 library to read the PDF. Each output line gives the source file, the page number, the IOC type and the value:
$ ./iocp.py -p patterns.ini -i pdf -l pypdf2 The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf
The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf 2 Filename msi.dll
The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf 2 Filename klif.dll
The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf 2 Filename 12CTwoPENC.dll
The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf 2 Filename KMART.dll
The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf 2 Filename portserv.sys
The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf 3 URL https://en.wikipedia.org/wiki/Duqu
The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf 3 URL http://www.kaspersky.com/about/news/virus/2011/Duqu_The_Step_Brother_of_Stuxnet
The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf 3 URL http://70.auschwitz.org/index.php?lang=en
The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf 3 Host 70.auschwitz.org
The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf 3 CVE CVE-2015-2360
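Two things are worth noticing in that output before feeding it to a SIEM or blocklist: the Wikipedia and Kaspersky URLs are references cited by the report, not indicators, and the type column tells you nothing about whether a dotted quad is an address or a version number. The following is an added example of the regex-driven approach ioc-parser takes, written for this page and not taken from the project or its patterns.ini. The patterns, the short TLD list, the allowlist of benign reference hosts and the sample report are all my own assumptions and constructed input; the line number stands in for ioc-parser's page column.

```python
import csv
import io
import json
import re

# Regexes in the spirit of ioc-parser's patterns.ini. Assumption: written for
# this example, not the project's own pattern file. Order matters: every match
# is blanked out of the working text, so a URL is consumed before its hostname
# or path could be reported a second time as a Host or a Filename.
PATTERNS = [
    ("URL", re.compile(r"""\bh(?:xx|tt)ps?://[^\s"'<>)]+""", re.I)),
    ("SHA256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("SHA1", re.compile(r"\b[0-9a-f]{40}\b", re.I)),
    ("MD5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("CVE", re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.I)),
    ("IP", re.compile(r"\b(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}\b")),
    ("Filename", re.compile(r"\b[\w-]+\.(?:dll|exe|sys|bat|ps1|vbs|scr)\b", re.I)),
    # Assumption: a short TLD list keeps names like msi.dll out of the Host
    # category; widen it for real reports.
    ("Host", re.compile(
        r"\b(?:[a-z0-9-]+(?:\[\.\]|\.))+(?:com|net|org|info|biz|ru|cn|io|me|top|xyz)\b",
        re.I)),
]

# Reference links that show up in reports but are not indicators (the Duqu 2.0
# output above contains two). Assumption: a per-deployment allowlist.
BENIGN_HOSTS = {"en.wikipedia.org", "www.kaspersky.com"}


def refang(value: str) -> str:
    """Undo the defanging conventions used in published write-ups."""
    value = re.sub(r"hxxp", "http", value, flags=re.I)
    for defanged, clean in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        value = value.replace(defanged, clean)
    return value


def valid_ip(ip: str) -> bool:
    """Reject dotted quads with an octet above 255 (version strings, decoys)."""
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def host_of(url: str) -> str:
    return url.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()


def extract_iocs(text: str, source: str = "stdin") -> list:
    """Return deduplicated records (source, line, type, value) in document order."""
    work = text
    hits, seen = [], set()
    for ioc_type, regex in PATTERNS:
        for m in list(regex.finditer(work)):
            raw, start = m.group(0), m.start()
            line = work.count("\n", 0, start) + 1
            # Blank the span with spaces (same length, newlines untouched) so
            # later patterns and line counting are unaffected by earlier hits.
            work = work[:start] + " " * len(raw) + work[m.end():]
            value = refang(raw)
            if ioc_type == "IP" and not valid_ip(value):
                continue
            if ioc_type == "URL" and host_of(value) in BENIGN_HOSTS:
                continue
            if ioc_type == "Host" and value.lower() in BENIGN_HOSTS:
                continue
            key = (ioc_type, value.lower())
            if key not in seen:
                seen.add(key)
                hits.append((start, {"source": source, "line": line,
                                     "type": ioc_type, "value": value}))
    return [record for _, record in sorted(hits, key=lambda h: h[0])]


def to_csv(records: list) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["source", "line", "type", "value"])
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def to_json(records: list) -> str:
    return json.dumps(records, indent=2)


# Constructed sample write-up for this example; none of it describes real malware.
SAMPLE_REPORT = """Constructed sample write-up for this example (not a real advisory).
The dropper KMART.dll beacons to hxxp://c2-staging[.]example[.]net/gate.php
and to 198[.]51[.]100[.]23 or update[.]example[.]org over TLS. A second stage, portserv.sys, has
MD5 0123456789abcdef0123456789abcdef and exploits CVE-2015-2360.
Background reading: https://en.wikipedia.org/wiki/Duqu (not an indicator).
Build 2.0.1 of the implant listed 999.1.1.1 as a decoy address.
"""

if __name__ == "__main__":
    print(to_csv(extract_iocs(SAMPLE_REPORT, "sample.txt")))
```

Running it prints seven records: the two file names, the refanged URL, the IP, the host, the MD5 and the CVE, in document order. The Wikipedia link and the impossible address 999.1.1.1 are dropped, and the path and hostname inside the URL are not reported a second time. The same blanking trick is what you want if you extend the pattern list: the most specific pattern goes first and consumes its text, the broadest (Host) goes last.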