What are IOCs and How to Collect Them

Gathering malware data helps defend against future attacks. The information from analyzing samples can be divided into two kinds: artifacts and indicators of compromise (IOCs).

While artifacts provide a broad range of data for analyzing security incidents, IOCs are specific pieces of evidence used to detect and respond to known threats.

Threat hunters can use IOCs to:

  • Match them against current network activity to spot attacks.

  • Check if unusual activities are actual threats.

  • Add them to security tools to improve detection.

Types of IOCs

Examples of indicators of compromise

  • Network-based: Unusual traffic patterns, connections to malicious IP addresses, domains, or URLs, and other signs of suspicious activity on a network.

  • Host-based: Suspicious activities on a workstation or server, including unusual file activity, changes to system configurations, or suspicious processes running on a host.

  • File-based: Suspicious file names, hashes, or file paths.

  • Behavioral: Multiple failed login attempts, irregular login times, or abnormal user activity.

  • Metadata: Metadata associated with files or documents, including the file's author, creation date, or version history, which might indicate tampering or unauthorized access.
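The following script is an added example for this article, not ANY.RUN's code. It shows how a defender might apply the IOC types listed above: a small IOC set (network IPs and domains, file hashes and paths, plus a failed-login threshold as the behavioral indicator) is matched against log lines in a key=value format. Every IOC value, the threshold, and the log lines are constructed placeholders (a TEST-NET IP, a reserved .example domain, the SHA-256 of the empty string), so the script runs offline and matches nothing real.

```python
"""Match a small, constructed IOC set against constructed log lines, one check per IOC type."""
import re
from collections import Counter

# Constructed IOC set (placeholders only, not real indicators).
IOC_SET = {
    "network:ip": {"203.0.113.45"},                       # RFC 5737 TEST-NET-3 address
    "network:domain": {"update-check.example"},           # reserved .example TLD
    "file:sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},  # SHA-256("")
    "file:path": {r"c:\users\public\svchost.exe"},        # compared case-insensitively
}
# Behavioral indicator: this many failed logins from one source address is flagged.
FAILED_LOGIN_THRESHOLD = 5

# Constructed log lines in a simple key=value format (proxy, file-creation and auth events).
LOG_LINES = [
    "t=1 src=10.0.0.12 dst=203.0.113.45 host=update-check.example url=/get",
    "t=2 src=10.0.0.13 dst=198.51.100.7 host=cdn.example.org url=/lib.js",
    "t=3 event=FileCreate path=C:\\Users\\Public\\svchost.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "t=4 event=FileCreate path=C:\\Windows\\System32\\svchost.exe sha256=" + "f" * 64,
    "t=5 auth user=alice result=FAILED src=10.0.0.12",
    "t=6 auth user=alice result=FAILED src=10.0.0.12",
    "t=7 auth user=alice result=FAILED src=10.0.0.12",
    "t=8 auth user=alice result=FAILED src=10.0.0.12",
    "t=9 auth user=alice result=FAILED src=10.0.0.12",
    "t=10 auth user=bob result=SUCCESS src=10.0.0.20",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

# Which log fields each IOC type is compared against. Values are lower-cased before
# comparison so that paths and hashes match regardless of how the log source cased them.
FIELD_MAP = {
    "network:ip": ("src", "dst"),
    "network:domain": ("host",),
    "file:sha256": ("sha256",),
    "file:path": ("path",),
}


def parse_line(line):
    """Turn 'k=v k2=v2' into a dict; fields without '=' are ignored."""
    return dict(KV_RE.findall(line))


def match_iocs(lines, ioc_set=IOC_SET, threshold=FAILED_LOGIN_THRESHOLD):
    """Return a list of (line_index, ioc_type, value) hits.

    Atomic indicators (IP, domain, hash, path) are matched per line. The behavioral
    indicator is counted across all lines and reported once per source with line_index None.
    """
    hits = []
    failed_by_src = Counter()
    for idx, line in enumerate(lines):
        fields = parse_line(line)
        for ioc_type, keys in FIELD_MAP.items():
            for key in keys:
                if key in fields:
                    value = fields[key].lower()
                    if value in ioc_set[ioc_type]:
                        hits.append((idx, ioc_type, value))
        if fields.get("result") == "FAILED" and "src" in fields:
            failed_by_src[fields["src"]] += 1
    for src, count in failed_by_src.items():
        if count >= threshold:
            hits.append((None, "behavioral:failed_logins", f"{src} x{count}"))
    return hits


def summarise(hits):
    """Count hits per IOC type, e.g. for a quick triage view."""
    return Counter(ioc_type for _, ioc_type, _ in hits)


if __name__ == "__main__":
    found = match_iocs(LOG_LINES)
    for idx, ioc_type, value in found:
        where = "all lines" if idx is None else f"line {idx}"
        print(f"{where:9} {ioc_type:26} {value}")
    print(dict(summarise(found)))
```

The behavioral check is the one that cannot be done line by line: a single failed login is noise, so the script counts per source and only reports once the threshold is crossed. In a real deployment the IOC set would be loaded from the JSON export of a sandbox report rather than hard-coded.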

Collect IOCs with ANY.RUN

#ANYRUN turns a labor-intensive process of extracting and collecting IOCs into a much simpler job. With our services, you can gather IOCs in several ways.

Our interactive sandbox automatically extracts important IOCs from malware and phishing samples, providing you with detailed summaries.

1. Simply upload your file or URL to the sandbox and pick your VM setup. Sign up for a free account.

2. Launch the analysis to observe the malicious behavior in real time and interact with the sample if needed.

3. Once the analysis is finished, you will receive an IOC summary and a final threat report that you can share and download in JSON or HTML format.

Check out an IOC summary for a Remcos malware sample in this analysis session.

The service has extracted a total of 45 Remcos IOCs of different types.

You can also access IOC summaries and threat reports in any other public analysis session.

The Public Submissions page lets you filter sessions by sample type (file or URL), file extension, verdict, etc.

Just navigate to the Public Submissions section to choose from thousands of reports.

Enrich Your IOC Sets in Threat Intelligence Lookup

Threat Intelligence (TI) Lookup is another service from #ANYRUN that is guaranteed to be useful in your threat hunting and analysis efforts.

It lets you search across 2TB of threat data extracted from millions of public malware analysis sessions launched in our sandbox. It supports over 40 query parameters and their combinations.

Here is an example query for finding domains used by the AsyncRAT malware:

ThreatName:"asyncrat" AND domainName:""

You can export results in a JSON file.

TI Lookup returns over 360 domain results. Many of them are labeled with the malconf tag, which indicates that they were extracted directly from the malware's code.

You can investigate individual domains to find sandbox sessions where they were detected.

Use Malware Trends Tracker

Another way to collect IOCs is to head over to the Malware Trends Tracker.

Formbook's page in Malware Trends Tracker

Here, you can:

  • See what malware families are most active right now.

  • Read insightful articles on over 90 malware strains.

  • See recent sandbox sessions.

  • And, of course, collect IOCs.

Analyze and Investigate Cyber Threats with ANY.RUN

Strengthen your security with #ANYRUN's malware analysis and threat intelligence capabilities.

Create a free account to start with your next analysis right away.
