Python-Iocextract – Advanced Indicator Of Compromise (IOC) Extractor

Python-Iocextract – Advanced Indicator Of Compromise (IOC) Extractor

Python-Iocextract – Advanced Indicator

Python-Iocextract - Advanced Indicator Of Compromise (IOC) Extractor |  GoVanguard Threat Center

This library extracts URLs, IP addresses, MD5/SHA hashes, email addresses, and YARA rules from text corpora. It includes some encoded and “defanged” IOCs in the output, and optionally decodes/refangs them.
The Problem
It is common practice for malware analysts or endpoint software to “defang” IOCs such as URLs and IP addresses, in order to prevent accidental exposure to live malicious content. also Being able to extract and aggregate these IOCs is often valuable for analysts. Unfortunately, existing “IOC extraction” tools often pass right by them, also as they are not caught by standard regex.
For example, the simple defanging technique of surrounding periods with brackets:

Existing tools that use a simple IP address regex will ignore this IOC entirely.
The Solution
By combining specially crafted regex with some custom postprocessing, we are able to both detect and deobfuscate “defanged” IOCs. This saves time and effort for the analyst, who might otherwise have to manually find and convert IOCs into a machine-readable format.
You may need to install the Python development headers in order to install the regex dependency. also On Ubuntu/Debian-based systems, try:
sudo apt-get install python-dev
Then install iocextract from pip:
pip install iocextract
If you have problems installing on Windows, try installing regex directly by downloading the appropriate wheel from PyPI and running e.g.:


You can also buy instant:


Cashapp Money Transfer Click here

Paypal Money Transfer Click here

Western Union  Money Transfer Click here

Venmo Money Transfer Click here

Bank Money Transfer Click here to Contact Us

Leave a Reply