Stars: 162; Rank 232,284 (Top 5 %); Language: Go; License: MIT License; Created almost 6 years ago; Updated over 4 years ago

xioc

Extract indicators of compromise from text, including "escaped" ones like hxxp://banana.com, 1.1.1[.]1 and phish at malicious dot com.

Installation

  • Download a precompiled binary from https://github.com/assafmo/xioc/releases

  • Or... Use go get:

    go get -u github.com/assafmo/xioc
  • Or... Use snap install (Ubuntu):

    snap install xioc
  • Or use Ubuntu PPA:

    curl -SsL https://assafmo.github.io/ppa/ubuntu/KEY.gpg | sudo apt-key add -
    sudo curl -SsL -o /etc/apt/sources.list.d/assafmo.list https://assafmo.github.io/ppa/ubuntu/assafmo.list
    sudo apt update
    sudo apt install xioc

Features

  • Extract IOCs (indicators of compromise) from an input text:
    • IPv4
    • IPv6
    • Domain
    • URL
    • Email
    • MD5
    • SHA1
    • SHA256
  • Translate some kinds of "escaping"/"defanging" techniques:
    • (dot), [dot], (.), [.], {.} to ..
    • (at), [at], (@), [@], {@} to @.
    • hxxp, hzzzp, hxxxp, hXXp, h__p, h**p to http.
  • Command line interface
  • Go library

Command line usage

$ xioc -h
Usage of xioc:
  -o string
        Extract only specified types.
        Types must be comma seperated. E.g: xioc -o "ip4,domain,url,md5"
        Available types:
                - ip4
                - ip6
                - domain
                - url
                - email
                - md5
                - sha1
                - sha256
  -v    Print version and exit
$ REPORT="https://unit42.paloaltonetworks.com/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
$ lynx -dump "$REPORT" | xioc
sha256  5beb50d95c1e720143ca0004f5172cb8881d75f6c9f434ceaff59f34fa1fe378
domain  energy.gov.mn
email   [email protected]
sha256  10090692ff40758a08bd66f806e0f2c831b4b9742bbf3d19c250e778de638f57
# ...
$ REPORT="https://unit42.paloaltonetworks.com/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
$ lynx -dump "$REPORT" | xioc -o email,sha256
sha256  5beb50d95c1e720143ca0004f5172cb8881d75f6c9f434ceaff59f34fa1fe378
email   [email protected]
sha256  10090692ff40758a08bd66f806e0f2c831b4b9742bbf3d19c250e778de638f57
email   [email protected]
# ...

Library usage

Full API: GoDoc

package main

import (
	"fmt"

	"github.com/assafmo/xioc/xioc"
)

func main() {
	input := `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
	banana.com
	hxxp://i.robot.com/robots.txt
	1.2.3.4
	1.1.1[.]1
	info at gmail dot com
	hxxps://m.twitter[dot]com/`

	fmt.Println(xioc.ExtractDomains(input)) // => [i.robot.com m.twitter.com gmail.com banana.com]
	fmt.Println(xioc.ExtractSHA256s(input)) // => [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]
	fmt.Println(xioc.ExtractMD5s(input))    // => []
	fmt.Println(xioc.ExtractIPv4s(input))   // => [1.2.3.4 1.1.1.1]
	fmt.Println(xioc.ExtractURLs(input))    // => [http://i.robot.com/robots.txt https://m.twitter.com/]
	fmt.Println(xioc.ExtractEmails(input))  // => [info@gmail.com]
}
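The feature list and the library snippet above show what xioc reports but not how refanging and extraction fit together. The program below is an added example written for this page, not xioc's own code, and it does not assume anything about xioc's real implementation or API: it implements the listed escaping conventions and IOC types with only the Go standard library. The regular expressions, the Refang, Extract and IOCs names, and the sample text (the README's own sample lines plus a few constructed ones) are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Escaping forms from the feature list above. Bare-word "at" is only refanged when a
// "dot" follows, so prose such as "look at this" is left alone; bare "dot" is always joined.
var (
	schemeRe   = regexp.MustCompile(`(?i)\bh(?:xx|xxx|zzz|__|\*\*)p(s?)://`)
	bracketDot = regexp.MustCompile(`(?i)\s*(?:\(dot\)|\[dot\]|\(\.\)|\[\.\]|\{\.\})\s*`)
	bracketAt  = regexp.MustCompile(`(?i)\s*(?:\(at\)|\[at\]|\(@\)|\[@\]|\{@\})\s*`)
	wordEmail  = regexp.MustCompile(`(?i)(\w)\s+at\s+(\w[\w-]*)\s+dot\s+(\w)`) // "x at y dot z"
	wordDot    = regexp.MustCompile(`(?i)(\w)\s+dot\s+(\w)`)
	ipv4Re     = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)
	urlRe      = regexp.MustCompile(`(?i)\bhttps?://[^\s"'<>]+`)
	emailRe    = regexp.MustCompile(`(?i)\b[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b`)
	domainRe   = regexp.MustCompile(`(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b`)
	hashRe     = regexp.MustCompile(`(?i)\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b`)
)

// Refang undoes the escaping so the plain-text extractors below can run.
func Refang(s string) string {
	s = schemeRe.ReplaceAllString(s, "http${1}://")
	s = bracketDot.ReplaceAllString(s, ".")
	s = bracketAt.ReplaceAllString(s, "@")
	s = wordEmail.ReplaceAllString(s, "${1}@${2}.${3}")
	return wordDot.ReplaceAllString(s, "${1}.${2}")
}

// IOCs holds the extracted indicators, deduplicated in first-seen order.
type IOCs struct {
	IPv4, Domains, URLs, Emails, MD5s, SHA1s, SHA256s []string
}

func uniq(ss []string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, s := range ss {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// Extract refangs the text and pulls out the same IOC types the xioc CLI reports.
func Extract(text string) IOCs {
	text = Refang(text)
	var r IOCs
	for _, ip := range ipv4Re.FindAllString(text, -1) {
		if net.ParseIP(ip) != nil { // drops impossible octets such as 999.1.1.1
			r.IPv4 = append(r.IPv4, ip)
		}
	}
	for _, u := range urlRe.FindAllString(text, -1) {
		u = strings.TrimRight(u, ".,;:)") // punctuation that trails a URL in prose
		r.URLs = append(r.URLs, u)
		if p, err := url.Parse(u); err == nil && domainRe.MatchString(p.Hostname()) {
			r.Domains = append(r.Domains, strings.ToLower(p.Hostname()))
		}
	}
	for _, e := range emailRe.FindAllString(text, -1) {
		e = strings.ToLower(e)
		r.Emails = append(r.Emails, e)
		r.Domains = append(r.Domains, e[strings.LastIndex(e, "@")+1:])
	}
	// Blank out URLs and emails before the bare-domain pass so that a path
	// component such as "robots.txt" is not reported as a domain.
	rest := emailRe.ReplaceAllString(urlRe.ReplaceAllString(text, " "), " ")
	for _, d := range domainRe.FindAllString(rest, -1) {
		r.Domains = append(r.Domains, strings.ToLower(d))
	}
	for _, h := range hashRe.FindAllString(text, -1) { // hashRe guarantees len 32, 40 or 64
		dst := map[int]*[]string{32: &r.MD5s, 40: &r.SHA1s, 64: &r.SHA256s}[len(h)]
		*dst = append(*dst, strings.ToLower(h))
	}
	r.IPv4, r.Domains, r.URLs, r.Emails = uniq(r.IPv4), uniq(r.Domains), uniq(r.URLs), uniq(r.Emails)
	r.MD5s, r.SHA1s, r.SHA256s = uniq(r.MD5s), uniq(r.SHA1s), uniq(r.SHA256s)
	return r
}

// sampleReport is constructed for this example: the README's sample lines plus a
// bracket-escaped email, an impossible IPv4 address and an MD5.
const sampleReport = `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
banana.com
hxxp://i.robot.com/robots.txt
1.1.1[.]1
999.1.1.1
info at gmail dot com
hxxps://m.twitter[dot]com/
phish(at)malicious(dot)com
d41d8cd98f00b204e9800998ecf8427e`

func main() {
	fmt.Printf("%+v\n", Extract(sampleReport))
}
```

Running it prints the indicators found in the built-in sample. Two simplifications are worth knowing about when adapting it: the bare-word forms are inherently ambiguous in prose, which is why "at" is only rewritten when a "dot" follows it, and no TLD validation is done, so a filename such as readme.md would be reported as a domain. An extractor meant for real reports should check the last label against a public-suffix list before accepting a domain.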
