IOCs Extraction

LAST UPDATED: AUG 08, 2024

This command identifies, classifies, and writes indicators of compromise (IOCs), such as URLs and IP addresses, into a structured JSON format.

Implementation	Python
Command Category	System Utility
Tags	ARTIFACT IOC

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Raw Text

Required

The raw data from which the IOCs will be extracted

CODE

Visit our website: https://example.com/store For support, contact us via XMPP at user@xmpp.example.com or email at admin@company.com
Our network segment: 192.168.100.0/24
Our main office is located at 192.168.1.101
IPv6 address for our server: 3ffe:1900:4545:3:200:f8ff:fe21:67cf
Checksum for verification: e3b0c44298fc1c149afbf4c8996f04725daac5675fbb3b1458bacf7907cb3a44, da39a3ee5e6b4b0d3255bfef95601890afd80709, d41d8cd98f00b204e9800998ecf8427e, 6f9c15fa7f93a253d0fc9d9d3458b9a2
For deeper analysis, our fuzzy hash is 200:f8ff:fe21
Our network ASN is ASN12345
Stay updated with security patches, notably CVE-2021-3456
Configure using registry at HKEY_LOCAL_MACHINE\SOFTWARE\Example
Track our site traffic with Google Analytics UA-1234567-8
Contribute via Bitcoin at 1BoatSLRHtKNngkdXEeobR76b53LETtpyT
Our device MAC address is 00:1A:2B:3C:4D:5E
Our recommended browser settings are Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/58.0.3029.110 Safari/537.36
Check our file at C:\Users\Public\Documents\example_file.txt
For advanced users, explore our system mitigation techniques like T1001 and T1055 in our enterprise systems.
Internet domain names.
This can be standard web domains(http://example.com ), subdomains for updates or downloadable content updates.example.com/latest-update.zip
informational subdomains for blogs and resources(blog.example.org), internationalized domains

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON

{
    "urls": [
        "https://example.com/store",
        "updates.example.com/latest-update.zip"
    ],
    "xmpp_addresses": [
        "user@xmpp.example.com"
    ],
    "email_addresses_complete": [
        "admin@company.com"
    ],
    "email_addresses": [
        "admin@company.com"
    ],
    "ipv4_cidrs": [
        "192.168.100.0/24"
    ],
    "imphashes": [],
    "authentihashes": [],
    "domains": [
        "blog.example.org",
        "updates.example.com",
        "xn--fsq.com",
        "latest-update.zip",
        "company.com",
        "example.com",
        "xmpp.example.com"
    ],
    "ipv4s": [
        "192.168.1.101",
        "192.168.100.0"
    ],
    "ipv6s": [
        "3ffe:1900:4545:3:200:f8ff:fe21:67cf"
    ],
    "sha512s": [],
    "sha256s": [
        "e3b0c44298fc1c149afbf4c8996f04725daac5675fbb3b1458bacf7907cb3a44"
    ],
    "sha1s": [
        "da39a3ee5e6b4b0d3255bfef95601890afd80709"
    ],
    "md5s": [
        "d41d8cd98f00b204e9800998ecf8427e",
        "6f9c15fa7f93a253d0fc9d9d3458b9a2"
    ],
    "ssdeeps": [
        "200:f8ff:fe21"
    ],
    "asns": [
        "ASN12345"
    ],
    "cves": [
        "CVE-2021-3456"
    ],
    "registry_key_paths": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Example"
    ],
    "google_adsense_publisher_ids": [],
    "google_analytics_tracker_ids": [
        "UA-1234567-8"
    ],
    "bitcoin_addresses": [
        "1BoatSLRHtKNngkdXEeobR76b53LETtpyT"
    ],
    "monero_addresses": [],
    "mac_addresses": [
        "00:1A:2B:3C:4D:5E"
    ],
    "user_agents": [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Check our file at"
    ],
    "tlp_labels": [],
    "attack_mitigations": {
        "enterprise": [],
        "mobile": []
    },
    "attack_tactics": {
        "pre_attack": [],
        "enterprise": [],
        "mobile": []
    },
    "attack_techniques": {
        "pre_attack": [],
        "enterprise": [
            "T1055",
            "T1001"
        ],
        "mobile": []
    },
    "file_paths": [
        "C:\\Users\\Public\\Documents\\example_file.txt"
    ]
}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE

https:/{base_url}/{api_namespace}/api/Command/IOCsExtraction

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON

{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Raw Text": <Raw text here>
  }
}

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`string`	Required	The username of your D3 SOAR account.
Site	`string`	Required	The D3 SOAR site to run the remote command.
Raw Text	`string`	Required	The raw data from which the IOCs will be extracted

Sample Request

SAMPLE DATA

JSON

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Raw Text": "Visit our website: https://example.com/store For support, contact us via XMPP at user@xmpp.example.com or email at admin@company.com Our network segment: 192.168.100.0/24 Our main office is located at 192.168.1.101 IPv6 address for our server: 3ffe:1900:4545:3:200:f8ff:fe21:67cf Checksum for verification: e3b0c44298fc1c149afbf4c8996f04725daac5675fbb3b1458bacf7907cb3a44, da39a3ee5e6b4b0d3255bfef95601890afd80709, d41d8cd98f00b204e9800998ecf8427e, 6f9c15fa7f93a253d0fc9d9d3458b9a2 For deeper analysis, our fuzzy hash is 200:f8ff Our network ASN is ASN12345 Stay updated with security patches, notably CVE-2021-3456 Configure using registry at HKEY_LOCAL_MACHINE\SOFTWARE\Example Track our site traffic with Google Analytics UA-1234567-8 Contribute via Bitcoin at 1BoatSLRHtKNngkdXEeobR76b53LETtpyT Our device MAC address is 00:1A:2B:3C:4D:5E Our recommended browser settings are Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Check our file at C:\Users\Public\Documents\example_file.txt For advanced users, explore our system mitigation techniques like T1001 and T1055 in our enterprise systems. Internet domain names. This can be standard web domains (example.com), subdomains for updates or downloadable content updates.example.com/latest-update.zip, informational subdomains for blogs and resources (blog.example.org), internationalized domains (xn--fsq.com). System commands are view only. To make change to the code, clone the command and edit it in the new command."
  }
}

Response

Response Fields

Field Name	Type	Description
error	`string`	The error message if the API request has failed.
returnData	`JSON Object`	The return data from the API request.

Sample Response

JSON

{
    "error": "",
    "returnData": {
        "urls": [
            "https://example.com/store",
            "updates.example.com/latest-update.zip"
        ],
        "xmpp_addresses": [
            "user@xmpp.example.com"
        ],
        "email_addresses_complete": [
            "admin@company.com"
        ],
        "email_addresses": [
            "admin@company.com"
        ],
        "ipv4_cidrs": [
            "192.168.100.0/24"
        ],
        "imphashes": [],
        "authentihashes": [],
        "domains": [
            "blog.example.org",
            "updates.example.com",
            "xn--fsq.com",
            "latest-update.zip",
            "company.com",
            "example.com",
            "xmpp.example.com"
        ],
        "ipv4s": [
            "192.168.1.101",
            "192.168.100.0"
        ],
        "ipv6s": [
            "3ffe:1900:4545:3:200:f8ff:fe21:67cf"
        ],
        "sha512s": [],
        "sha256s": [
            "e3b0c44298fc1c149afbf4c8996f04725daac5675fbb3b1458bacf7907cb3a44"
        ],
        "sha1s": [
            "da39a3ee5e6b4b0d3255bfef95601890afd80709"
        ],
        "md5s": [
            "d41d8cd98f00b204e9800998ecf8427e",
            "6f9c15fa7f93a253d0fc9d9d3458b9a2"
        ],
        "ssdeeps": [
            "200:f8ff:fe21"
        ],
        "asns": [
            "ASN12345"
        ],
        "cves": [
            "CVE-2021-3456"
        ],
        "registry_key_paths": [
            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Example"
        ],
        "google_adsense_publisher_ids": [],
        "google_analytics_tracker_ids": [
            "UA-1234567-8"
        ],
        "bitcoin_addresses": [
            "1BoatSLRHtKNngkdXEeobR76b53LETtpyT"
        ],
        "monero_addresses": [],
        "mac_addresses": [
            "00:1A:2B:3C:4D:5E"
        ],
        "user_agents": [
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Check our file at"
        ],
        "tlp_labels": [],
        "attack_mitigations": {
            "enterprise": [],
            "mobile": []
        },
        "attack_tactics": {
            "pre_attack": [],
            "enterprise": [],
            "mobile": []
        },
        "attack_techniques": {
            "pre_attack": [],
            "enterprise": [
                "T1055",
                "T1001"
            ],
            "mobile": []
        },
        "file_paths": [
            "C:\\Users\\Public\\Documents\\example_file.txt"
        ]
    }
}