ioc explorer: Explore Indicators of Compromise Automatically
IOC Explorer – Explore IOCs Automatically
Correlating Indicators of Compromise (IOCs) is a key part of incident investigation and even of threat hunting. Finding one IP address that hosts several known malicious files would help a SOC team implement a more effective countermeasure by blocking that IP address. However, building such a correlation usually means a lot of manual work, such as searching for multiple IOCs across different threat intelligence sources (community sources or private sources). Sometimes a correlation can only be found after several iterative queries.
IOC Explorer aims to execute iterative queries across multiple threat intelligence sources automatically. It may assist security analysts in finding more clues for an investigation.
Threat Intelligence Sources
Plenty of TI sources exist in the cybersecurity field. As a start, IOC Explorer supports the following sources:
- VirusTotal, both public and private data available
- QiAnXin, only private data
A summary of the supported IOC relations follows:
| Source | Type | Relation | Explanation |
|---|---|---|---|
| VirusTotal | Public and private | IP -> file | Files downloaded from the IP address |
| VirusTotal | Public and private | Domain -> file | Files downloaded from the domain |
| VirusTotal | Public and private | Domain -> IP | DNS resolutions for the domain |
| VirusTotal | Public and private | File -> IP | IP addresses contacted by the file |
| VirusTotal | Public and private | File -> domain | Domains contacted by the file |
| VirusTotal | Public and private | File -> file | Files that executed the file |
| QiAnXin | Private | Domain -> IP | DNS resolutions (A record) for the domain |
| QiAnXin | Private | Domain -> email | Registrant email for the domain in the Whois record |
| QiAnXin | Private | Email -> domain | Domain names registered with the same email address |
| QiAnXin | Private | File -> IP | IP addresses contacted by the file |
| QiAnXin | Private | File -> domain | Domains contacted by the file |
You can contact me about publicly available sources, or add your own private sources yourself.
Usage in Details
Initial Configuration
There are some settings to configure before the first run. All settings are stored in the 'config.ini' file and fall into two categories: query behavior settings and threat intelligence settings.
The 'depth' setting in the 'general' section is an important query behavior setting. It defines the number of iterative query rounds: each round queries the intelligence sources with the IOCs returned by the previous round. The default is 'depth=3'. If the user increases the value, the tool carries out additional queries on the IOCs returned earlier.
Each threat intelligence source has its own settings. The API key is the most common setting, and it is required for every source.
Input IOC
Currently, 4 IOC types are supported:
- email address (ioc_type='email')
- file hash (ioc_type='file'); md5, sha1 and sha256 hashes are supported
- ip address (ioc_type='ip_address')
- domain name (ioc_type='domain')
A CSV file (by default, ./ioc.csv) is where the IOCs to query are entered. Each row of the CSV file has the following format:
IOC_type, IOC_value
For example,
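The following is an added example (my own code, not part of IOC Explorer) covering the two mechanisms described above: a parser for the 'IOC_type, IOC_value' CSV layout that accepts the four supported types and checks that a 'file' value really is an md5/sha1/sha256 hash, and the depth-limited iterative query loop described under Initial Configuration, run here against a constructed in-memory relation table instead of VirusTotal or QiAnXin. The CSV layout, the four ioc_type values and the meaning of depth come from this README; the relation names, the sample IOC values and the function names are assumptions.

```python
# Added example, not IOC Explorer's own code: parse the 'IOC_type, IOC_value'
# CSV input and run the depth-limited iterative query loop over a constructed
# in-memory threat-intelligence source (a real source would call an HTTP API).
import csv
import io
import re
from collections import deque

SUPPORTED_TYPES = {"email", "file", "ip_address", "domain"}
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest lengths


def parse_ioc_csv(text):
    """Return [(ioc_type, value), ...]; reject unknown types and non-hash file values."""
    iocs = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue  # blank or comment line
        if len(row) != 2:
            raise ValueError(f"malformed row: {row!r}")
        ioc_type, value = row[0].strip(), row[1].strip()
        if ioc_type not in SUPPORTED_TYPES:
            raise ValueError(f"unsupported ioc_type: {ioc_type!r}")
        if ioc_type == "file":
            value = value.lower()  # hashes compare case-insensitively
            if not re.fullmatch(r"[0-9a-f]+", value) or len(value) not in HASH_LENGTHS:
                raise ValueError(f"file value is not an md5/sha1/sha256 hash: {value!r}")
        iocs.append((ioc_type, value))
    return iocs


# Constructed relation data standing in for a source's API responses (assumption).
# (ioc_type, value) -> [(relation, child_ioc_type, child_value), ...]
MOCK_SOURCE = {
    ("ip_address", "203.0.113.10"): [
        ("files downloaded from the IP", "file", "a" * 32),
        ("files downloaded from the IP", "file", "b" * 32),
    ],
    ("file", "a" * 32): [("domains contacted by the file", "domain", "example.invalid")],
    ("domain", "example.invalid"): [("DNS resolutions", "ip_address", "198.51.100.7")],
    ("ip_address", "198.51.100.7"): [("files downloaded from the IP", "file", "c" * 32)],
}


def query_mock_source(ioc_type, value):
    """Stand-in for one TI source lookup; returns the relations known for the IOC."""
    return MOCK_SOURCE.get((ioc_type, value), [])


def explore(seed_iocs, depth=3, sources=(query_mock_source,)):
    """Breadth-first iterative querying.

    'depth' is the number of query rounds: round 1 queries the seed IOCs, and
    every later round queries only the IOCs first returned by the round before.
    Each IOC is queried once, so cycles (domain -> ip -> file -> domain) terminate.
    Returns {queried_ioc: [(relation, child_ioc), ...]}.
    """
    if depth < 1:
        raise ValueError("depth must be at least 1")
    graph = {}
    seen = set(seed_iocs)
    frontier = deque(seed_iocs)
    for _ in range(depth):
        next_frontier = deque()
        while frontier:
            ioc = frontier.popleft()
            edges = []
            for source in sources:
                for relation, child_type, child_value in source(*ioc):
                    child = (child_type, child_value)
                    edges.append((relation, child))
                    if child not in seen:
                        seen.add(child)
                        next_frontier.append(child)
            graph[ioc] = edges
        frontier = next_frontier
    return graph


# Constructed sample input in the documented 'IOC_type, IOC_value' layout.
SAMPLE_CSV = "# constructed sample ioc.csv\nip_address, 203.0.113.10\n"

if __name__ == "__main__":
    for parent, edges in explore(parse_ioc_csv(SAMPLE_CSV), depth=3).items():
        print(parent, "->", edges)
```

With the constructed table, depth=3 queries the seed IP, then the two files it served, then the domain one of them contacted; the IP that domain resolves to is returned but not queried until depth=4. The 'seen' set is what keeps a real run bounded: without it, a domain that resolves back to the seed IP would be queried again on every round.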
Output Result
After querying multiple threat intelligence sources, IOC Explorer collects all returned IOCs and outputs them in a well-organized way.
This tool supports two output formats: plain-text and JSON.
In plain-text output, IOCs are organized as a tree, like the following:
The default output directory is './results'. Filenames follow the rule {ioc_value}_depth_{depth_value}_{timestamp}.txt, for example '192.99.142.235_depth_3_201907171110.txt'.
More sample results are given in the './samples' directory for reference.
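An added example (my own code, not IOC Explorer's) of the output stage: it renders a correlation result as an indented plain-text tree, emits the same result as a flat JSON node/edge document, and builds the output filename from the naming rule above. The naming rule and the timestamp layout (YYYYmmddHHMM, matching the sample filename) come from this README; the result graph, the relation labels, the tree layout and the JSON schema are assumptions.

```python
# Added example, not IOC Explorer's own code: write a correlation result as a
# plain-text tree and as JSON, naming the file per the documented rule
# {ioc_value}_depth_{depth_value}_{timestamp}. The graph below is constructed.
import json
from datetime import datetime

# (ioc_type, value) -> [(relation, (child_type, child_value)), ...]  (constructed)
RESULT_GRAPH = {
    ("ip_address", "203.0.113.10"): [
        ("files downloaded from the IP", ("file", "a" * 32)),
        ("files downloaded from the IP", ("file", "b" * 32)),
    ],
    ("file", "a" * 32): [("domains contacted by the file", ("domain", "example.invalid"))],
    ("file", "b" * 32): [],
    # the domain resolves back to the seed IP: a cycle the renderer must not loop on
    ("domain", "example.invalid"): [("DNS resolutions", ("ip_address", "203.0.113.10"))],
}


def result_filename(ioc_value, depth, timestamp=None, ext="txt"):
    """'{ioc_value}_depth_{depth}_{YYYYmmddHHMM}.{ext}', e.g. 192.99.142.235_depth_3_201907171110.txt"""
    timestamp = timestamp or datetime.now().strftime("%Y%m%d%H%M")
    return f"{ioc_value}_depth_{depth}_{timestamp}.{ext}"


def render_tree(graph, root, indent=0, path=()):
    """Depth-first plain-text tree. An IOC already on the current path is
    marked '(already shown)' instead of expanded, so cycles terminate."""
    lines = [" " * indent + f"{root[0]}: {root[1]}"]
    for relation, child in graph.get(root, []):
        lines.append(" " * (indent + 2) + f"[{relation}]")
        if child == root or child in path:
            lines.append(" " * (indent + 4) + f"{child[0]}: {child[1]} (already shown)")
        else:
            lines.extend(render_tree(graph, child, indent + 4, path + (root,)))
    return lines


def build_json_doc(graph, seed, depth):
    """Flat node/edge document: easier to load into a SIEM or graph store than the tree."""
    nodes = set(graph)
    for edges in graph.values():
        nodes.update(child for _, child in edges)
    return {
        "seed": {"type": seed[0], "value": seed[1]},
        "depth": depth,
        "nodes": [{"type": t, "value": v} for t, v in sorted(nodes)],
        "edges": [
            {"from": {"type": p[0], "value": p[1]}, "relation": r, "to": {"type": c[0], "value": c[1]}}
            for p, edges in graph.items()
            for r, c in edges
        ],
    }


def to_json(graph, seed, depth):
    return json.dumps(build_json_doc(graph, seed, depth), indent=2)


if __name__ == "__main__":
    seed = ("ip_address", "203.0.113.10")
    print(result_filename(seed[1], 3))
    print("\n".join(render_tree(RESULT_GRAPH, seed)))
    print(to_json(RESULT_GRAPH, seed, 3))
```

The tree is what an analyst reads; the JSON form keeps every node and edge exactly once, which is the shape you want when feeding the correlation into a SIEM watchlist or a graph database rather than reading it by hand.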
Install
Copyright (c) 2019 lion-gu