Forensics & Analysis · 1 min read

Regex Patterns for Extracting IOCs

Indicators of compromise (IOCs) are scattered through malware reports, incident logs, and threat intel feeds as unstructured text. Regex patterns let you extract them systematically. A good set of IOC extraction patterns turns a wall of text into actionable intelligence you can feed into blocklists and detection rules.

Try it now

Regex Tester

Runs in your browser, nothing leaves your device.

IPv4 addresses: `\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b`. MD5 hashes: `\b[a-fA-F0-9]{32}\b`. SHA-256 hashes: `\b[a-fA-F0-9]{64}\b`. URLs: `https?://[^\s"'<>]+`. Defanged IOCs need adjusted patterns: `hxxp` instead of `http`, `[.]` instead of `.`, `[@]` instead of `@`.

Threat reports defang IOCs to prevent accidental clicks: `hxxps://evil[.]com` instead of `https://evil.com`. Build patterns that match both forms: replace `\.` with `[.\[]\.]?` in your domain regex. Or normalize the text first by replacing `[.]` with `.` and `hxxp` with `http` before running extraction patterns.

Extract SHA-256 hashes from text

Input
Pattern: \b[a-fA-F0-9]{64}\b
Result
Matches: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Security context

Automated IOC extraction is essential for incident response. Manually copying IP addresses and hashes from a 50-page malware report is error-prone and slow. A set of well-tested regex patterns turns that into a 30-second operation.

A defanged indicator of compromise has been modified so it's not clickable or resolvable. Common defanging: replacing . with [.], http with hxxp, and @ with [@]. This prevents accidental navigation to malicious URLs when sharing threat intel.

Go deeper

Continue in the Web Security Academy

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description