Regex Patterns for Extracting IOCs
Indicators of compromise (IOCs) are scattered through malware reports, incident logs, and threat intel feeds as unstructured text. Regex patterns let you extract them systematically. A good set of IOC extraction patterns turns a wall of text into actionable intelligence you can feed into blocklists and detection rules.
Try it now
Regex Tester
Runs in your browser, nothing leaves your device.
IPv4 addresses: `\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b`. MD5 hashes: `\b[a-fA-F0-9]{32}\b`. SHA-256 hashes: `\b[a-fA-F0-9]{64}\b`. URLs: `https?://[^\s"'<>]+`. Defanged IOCs need adjusted patterns: `hxxp` instead of `http`, `[.]` instead of `.`, `[@]` instead of `@`.
Threat reports defang IOCs to prevent accidental clicks: `hxxps://evil[.]com` instead of `https://evil.com`. Build patterns that match both forms: replace `\.` with `[.\[]\.]?` in your domain regex. Or normalize the text first by replacing `[.]` with `.` and `hxxp` with `http` before running extraction patterns.
Examples
Extract SHA-256 hashes from text
Pattern: \b[a-fA-F0-9]{64}\b
Matches: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Security context
Automated IOC extraction is essential for incident response. Manually copying IP addresses and hashes from a 50-page malware report is error-prone and slow. A set of well-tested regex patterns turns that into a 30-second operation.
Frequently asked
A defanged indicator of compromise has been modified so it's not clickable or resolvable. Common defanging: replacing . with [.], http with hxxp, and @ with [@]. This prevents accidental navigation to malicious URLs when sharing threat intel.
Go deeper
Continue in the Web Security Academy
Related techniques
Email Header Analysis
Parse email headers to trace message origin, verify SPF/DKIM/DMARC authentication, and detect spoofed sender addresses in phishing emails.
Detecting Phishing URLs: Indicators and Techniques
Analyze URLs for phishing indicators: typosquatting, homoglyph attacks, suspicious subdomains, URL shortener abuse, and credential harvesting parameters.