Extracting Indicators of Compromise
Extracting indicators of compromise (IOCs) from a sample or incident turns analysis findings into atomic artefacts that feed detection rules and threat hunting. They fall into two groups:
Network IOCs:
- IP addresses
- Domain names
- URLs
- User agents
- SSL certificates
- Port numbers
Host-based IOCs:
- File hashes
- File paths
- Registry keys
- Mutex names
- Service names
- Process names
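As an added example (not code from the original page), the following Python script pulls several of the IOC types listed above out of a constructed report excerpt. It handles the "defanged" notation common in threat reports (hxxp://, [.]), filters the usual false positive where a filename such as svchost32.exe is mistaken for a domain, and returns de-duplicated, sorted lists per indicator type. The sample report, its indicators and the regular expressions are all constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample report; every indicator below is made up for this example.
SAMPLE_REPORT = """
The dropper beaconed to hxxp://update-check[.]example[.]net/api/v1/ping
and to 203[.]0[.]113[.]45:8080. A second stage was fetched from
https://cdn.example-files.org/payload.bin with User-Agent "Mozilla/5.0 (Windows NT 10.0)".
Dropped file: C:\\Users\\Public\\svchost32.exe
SHA256: a1b2c3d4e5f60718a1b2c3d4e5f60718a1b2c3d4e5f60718a1b2c3d4e5f60718
MD5: 00112233445566778899aabbccddeeff
Persistence: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
"""

# A naive domain regex also matches filenames ("svchost32.exe"); treat these
# trailing labels as file extensions rather than top-level domains.
FILE_EXTENSIONS = {"exe", "dll", "bin", "txt", "log", "dat", "tmp", "zip",
                   "ps1", "bat", "vbs", "js", "docx", "xlsx", "pdf"}

# One compiled pattern per IOC type. Patterns with a capture group yield the
# group; the others yield the whole match.
PATTERNS: Dict[str, re.Pattern] = {
    "urls": re.compile(r"https?://[^\s\"'<>)]+"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    # Port numbers are only taken from an explicit ip:port pairing; a bare
    # number in prose is too ambiguous to treat as an indicator.
    "ports": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:(\d{1,5})\b"),
    "domains": re.compile(
        r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "sha1": re.compile(r"\b[0-9a-f]{40}\b", re.I),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "windows_paths": re.compile(r"\b[A-Za-z]:\\(?:[^\\\s\"']+\\)*[^\\\s\"']*"),
    "registry_keys": re.compile(
        r"\b(?:HKLM|HKCU|HKCR|HKU|HKCC|HKEY_[A-Z_]+)\\[^\s\"']+"),
    "user_agents": re.compile(r"User-Agent\s*[:=]?\s*\"([^\"]+)\""),
}


def refang(text: str) -> str:
    """Undo the common defanging conventions so the patterns above apply."""
    text = re.sub(r"\[\.\]|\(\.\)", ".", text)
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.I)
    return text


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return a sorted, de-duplicated list of indicators per IOC type."""
    text = refang(text)
    found: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        values = set()
        for match in pattern.finditer(text):
            value = match.group(match.lastindex or 0)
            if name == "domains":
                value = value.lower()
                if value.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
                    continue  # a filename, not a domain
            elif name in ("md5", "sha1", "sha256"):
                value = value.lower()  # normalise hash case for matching
            values.add(value)
        found[name] = sorted(values)
    return found


if __name__ == "__main__":
    for ioc_type, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{ioc_type}: {values}")
```

Regex extraction is a starting point, not an allow-list: domains such as cdn.example-files.org may be legitimate infrastructure abused by the malware, so each extracted value still needs an analyst's judgement before it is promoted to a blocking rule.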
YARA Rule Creation:
rule Malware_Example {
    meta:
        description = "Detects Example Malware"
        author = "Security Team"
        date = "2024-01-01"
    strings:
        $string1 = "malicious.exe"
        $string2 = {48 65 6C 6C 6F} // Hex pattern
        $string3 = /[a-z]{5}\.com/
    condition:
        uint16(0) == 0x5A4D and // MZ header
        filesize < 1MB and
        any of ($string*)
}
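To make the condition clause concrete, here is an added Python example (not from the page, and not a substitute for the YARA engine or yara-python) that evaluates the same three checks by hand: a little-endian uint16 at offset 0 equal to 0x5A4D ("MZ"), a size below 1 MB, and any of the three strings present. The hex-pattern helper also accepts the `??` single-byte wildcard so the reader can see how a hex string becomes a byte regex. All sample buffers are constructed inline.

```python
import re
from typing import List

MZ_MAGIC = 0x5A4D          # "MZ" read as a little-endian 16-bit value
MAX_SIZE = 1024 * 1024     # YARA's 1MB

# The three strings from the rule above, in the same order.
STRING1 = b"malicious.exe"                 # text string
STRING2 = "48 65 6C 6C 6F"                 # hex string ("Hello")
STRING3 = re.compile(rb"[a-z]{5}\.com")    # regular expression


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA-style hex string into a bytes regex; '??' matches any byte."""
    parts = []
    for token in pattern.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def uint16(data: bytes, offset: int) -> int:
    """Mirror YARA's uint16(): unsigned 16-bit little-endian read at offset."""
    return int.from_bytes(data[offset:offset + 2], "little")


def matching_strings(data: bytes) -> List[str]:
    """Return the identifiers of the rule's strings that occur in data."""
    hits = []
    if STRING1 in data:
        hits.append("$string1")
    if hex_pattern_to_regex(STRING2).search(data):
        hits.append("$string2")
    if STRING3.search(data):
        hits.append("$string3")
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate Malware_Example's condition against an in-memory buffer."""
    if len(data) < 2:
        return False              # uint16(0) is undefined on a tiny file
    return (uint16(data, 0) == MZ_MAGIC
            and len(data) < MAX_SIZE
            and len(matching_strings(data)) > 0)   # any of ($string*)


# Constructed sample buffers exercising each clause of the condition.
PE_WITH_HEX_STRING = b"MZ" + b"\x90" * 64 + b"Hello" + b"\x00" * 16
PE_WITH_REGEX_HIT = b"MZ" + b"\x00" * 32 + b"abcde.com" + b"\x00" * 8
PE_WITHOUT_STRINGS = b"MZ" + b"\x00" * 100
SCRIPT_NOT_PE = b"#!/bin/sh\necho malicious.exe\n"          # strings hit, no MZ
PE_TOO_LARGE = b"MZ" + b"\x00" * MAX_SIZE + STRING1           # over 1MB

if __name__ == "__main__":
    for name, sample in [("PE_WITH_HEX_STRING", PE_WITH_HEX_STRING),
                         ("PE_WITH_REGEX_HIT", PE_WITH_REGEX_HIT),
                         ("PE_WITHOUT_STRINGS", PE_WITHOUT_STRINGS),
                         ("SCRIPT_NOT_PE", SCRIPT_NOT_PE),
                         ("PE_TOO_LARGE", PE_TOO_LARGE)]:
        print(f"{name}: match={rule_matches(sample)} strings={matching_strings(sample)}")
```

The SCRIPT_NOT_PE case shows why the header check matters: without `uint16(0) == 0x5A4D` the rule would also fire on any text file mentioning malicious.exe, including the analyst's own notes, and the `filesize` bound keeps the scan from spending time on large archives the rule was never meant for.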