Indicators of Compromise#

Reference catalog of the indicator types that show up in CTI feeds, detections, hunts, and incident-response notes. Each row gives the indicator, what it identifies, a regex pattern an operator can use to extract it from logs / text, and one or two real-world examples. Patterns are PCRE-flavoured (Perl / PHP / Python re compatible); adjust anchors and word boundaries when wrapping into grep -E (escape {}) or ripgrep.

For tooling that consumes these patterns at scale, see YARA (file content), Sigma (log queries), and STIX 2.1 indicator objects.

Network#

Indicator

Identifies

Regex

Example

IPv4 address

Host on an IP network.

\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b

8.8.8.8

IPv4 CIDR

Network block / subnet.

\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/(?:3[0-2]|[12]?\d)\b

10.0.0.0/8

IPv6 address

Host on an IPv6 network (loose form).

\b(?:[A-Fa-f0-9]{1,4}:){2,7}[A-Fa-f0-9]{1,4}\b

2001:db8::1

MAC address

Layer-2 hardware address.

\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b

00:1b:21:3a:7c:9f

FQDN / hostname

DNS-resolvable name.

\b(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}\b

c2.example.com

Defanged domain

Common CTI-share-safe form.

\b[a-zA-Z0-9][a-zA-Z0-9.-]*\[\.\][a-zA-Z]{2,63}\b

c2[.]example[.]com

URL

Resource locator.

\bhttps?://[^\s<>"'()]+

https://example.com/path?q=1

Defanged URL

URL with neutered scheme / dots.

\bhxxps?://[^\s<>"'()]+

hxxps://example[.]com/path

Email address

Mailbox.

\b[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b

operator@example.com

ASN

Autonomous System number.

\bAS(\d{1,10})\b

AS13335

Port

TCP / UDP port number (1-65535).

\b(?:6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]?\d{1,4})\b

443

User-Agent

HTTP client signature.

\bMozilla/[\d.]+ \([^)]+\)[^\n]*

Mozilla/5.0 (Windows NT 10.0; Win64; x64)...

JA3 / JA3S fingerprint

TLS client / server fingerprint.

\b[a-f0-9]{32}\b

a0e9f5d64349fb13191bc781f81f42e1

JARM fingerprint

TLS server JARM (62-char).

\b[a-f0-9]{30}[a-f0-9_]{32}\b

2ad2ad0002ad2ad00041d41d00041d...

File#

Indicator

Identifies

Regex

Example

MD5 hash

128-bit message digest (legacy).

\b[A-Fa-f0-9]{32}\b

d41d8cd98f00b204e9800998ecf8427e

SHA-1 hash

160-bit digest (legacy).

\b[A-Fa-f0-9]{40}\b

da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA-256 hash

256-bit digest (primary IOC form).

\b[A-Fa-f0-9]{64}\b

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA-384 hash

384-bit digest.

\b[A-Fa-f0-9]{96}\b

38b060a751ac9638...

SHA-512 hash

512-bit digest.

\b[A-Fa-f0-9]{128}\b

cf83e1357eefb8bd...

ssdeep fuzzy hash

Context-triggered piecewise hash.

\b\d{1,5}:[A-Za-z0-9+/]+:[A-Za-z0-9+/]+\b

3072:abc...:xyz...

imphash

PE import-table hash (MD5).

\b[A-Fa-f0-9]{32}\b

f34d5f2d4577ed6d9ceec516c1f5a744

PE rich header hash

Rich-header-derived fingerprint.

\b[A-Fa-f0-9]{32,64}\b

b2dc8b9d2dca1...

Filename (Windows)

File-system filename.

\b[\w()\-.\[\] ]{1,250}\.(?:exe|dll|sys|scr|com|cmd|bat|ps1|vbs|js|wsf|hta|lnk|chm|msi|iso|img|vhd)\b

svc-host.exe

File path (Windows)

Absolute path.

[A-Za-z]:\\(?:[^<>:"/\\|?*\r\n]+\\)*[^<>:"/\\|?*\r\n]+

C:\Users\op\AppData\Roaming\Microsoft\evil.dll

File path (POSIX)

Absolute path on Linux / macOS.

(?:/[^/\0\s]+)+/?

/var/tmp/.X11-unix/x0/payload

Mutex / named pipe

Inter-process synchronization name.

\b(?:Global|Local)\\[A-Za-z0-9_{}\-]{3,}\b

Global\Locky_v3

Process / Host#

Indicator

Identifies

Regex

Example

Windows registry key

HKEY tree path.

\b(?:HKLM|HKCU|HKCR|HKU|HKCC|HKEY_[A-Z_]+)\\(?:[^\\\r\n]+\\?)+\b

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Service name (Windows)

SCM service.

\b[A-Za-z][A-Za-z0-9_]{0,255}\b (filter by context).

WinDefendUpdate

Scheduled task path

Task-scheduler path.

\\(?:Microsoft\\Windows\\)?[A-Za-z0-9 _\-]+(?:\\[A-Za-z0-9 _\-]+)*

\Microsoft\Windows\WindowsUpdate\sihboot

PowerShell EncodedCommand

Base64-encoded PS payload.

(?i)\bpowershell(?:\.exe)?\s+(?:-\w+\s+)*-[eE][nN][cC]?(?:odedCommand)?\s+([A-Za-z0-9+/=]{20,})

powershell -enc JABzAGMA...

WMI EventConsumer

WMI-persistence stub.

\b(?:ActiveScript|CommandLine)EventConsumer\b

CommandLineEventConsumer

LOLBin name

Living-off-the-land binary.

\b(?:certutil|bitsadmin|mshta|rundll32|regsvr32|wmic|cscript|wscript|msbuild|installutil|regasm|csc|ngen|odbcconf|forfiles|finger|esentutl)\.exe\b

rundll32.exe

Identity#

Indicator

Identifies

Regex

Example

Username (SAM)

Local Windows account name.

\b[A-Za-z][A-Za-z0-9._-]{0,19}\b (context-filter).

svc_backup

UPN / domain user

DOMAINuser or user@upn.

\b(?:[A-Za-z0-9._-]+\\[A-Za-z0-9._-]+|[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\b

CORP\admin or admin@corp.local

SID (Windows)

Security identifier.

\bS-1-(?:\d+-){1,14}\d+\b

S-1-5-21-3623811015-3361044348-30300820-1013

GUID / UUID

Globally unique identifier.

\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b

5e69d8c1-2eaa-4d63-9c1c-87b09c8d4a3a

JWT

JSON Web Token.

\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b

eyJhbGciOiJIUzI1NiJ9.eyJzdWIi...

AWS access key ID

IAM credential prefix.

\b(?:AKIA|ASIA)[A-Z0-9]{16}\b

AKIAIOSFODNN7EXAMPLE

AWS secret access key

40-char secret (often quoted).

(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])

wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

GCP service-account key

JSON file private-key field.

-----BEGIN PRIVATE KEY-----[\s\S]+?-----END PRIVATE KEY-----

-----BEGIN PRIVATE KEY-----\nMIIEvQ...

Slack bot token

Slack OAuth bot token.

\bxox[abprs]-[A-Za-z0-9-]{10,}\b

xoxb-1234-5678-abcdEFGH

GitHub PAT (classic)

Personal access token.

\bghp_[A-Za-z0-9]{36}\b

ghp_8gT...

GitHub PAT (fine-grained)

2022+ fine-grained PAT.

\bgithub_pat_[A-Za-z0-9_]{82}\b

github_pat_11A...

Crypto / Web3#

Indicator

Identifies

Regex

Example

Bitcoin address (Base58)

Legacy P2PKH (1…) or P2SH (3…).

\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b

1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

Bitcoin address (Bech32)

Native SegWit (bc1…).

\bbc1[02-9ac-hj-np-z]{6,87}\b

bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq

Ethereum address

EVM account / contract.

\b0x[a-fA-F0-9]{40}\b

0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe

Monero address

95-char Base58 (4… or 8…).

\b[48][1-9A-HJ-NP-Za-km-z]{94}\b

49ZbcZmJ2...

Solana address

32-44 char Base58 (no leading 0).

\b[1-9A-HJ-NP-Za-km-z]{32,44}\b

9WzDXwBbm...

PGP fingerprint

40-char hex (with optional spaces).

\b(?:[A-F0-9]{4} ?){10}\b

DB72 36CF E84D 33D9 14D6 ...

Detection / catalog#

Indicator

Identifies

Regex

Example

CVE

Common Vulnerabilities and Exposures.

\bCVE-\d{4}-\d{4,7}\b

CVE-2021-44228

CWE

Common Weakness Enumeration.

\bCWE-\d{1,4}\b

CWE-79

CAPEC

Common Attack Pattern Enumeration.

\bCAPEC-\d{1,4}\b

CAPEC-66

MITRE ATT&CK technique

Technique / sub-technique.

\bT\d{4}(?:\.\d{3})?\b

T1059.001

MITRE ATT&CK tactic

Tactic identifier.

\bTA\d{4}\b

TA0001

MITRE ATT&CK group

Threat-actor group.

\bG\d{4}\b

G0016

MITRE ATT&CK software

Tool / malware family.

\bS\d{4}\b

S0002

MITRE ATT&CK mitigation

Defensive control.

\bM\d{4}\b

M1042

MITRE ATT&CK data source

Data-source ID.

\bDS\d{4}\b

DS0017

YARA rule name

Identifier inside rule <name>.

(?im)^\s*rule\s+([A-Za-z_][A-Za-z0-9_]{0,127})

rule LummaStealer_string_a

Sigma rule id (UUID)

id: value in Sigma front-matter.

(?im)^id:\s*\b([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})\b

id: 5e69d8c1-2eaa-4d63-9c1c-87b09c8d4a3a

STIX 2.1 indicator id

STIX SDO identifier.

\bindicator--[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b

indicator--3a8d72d5-d3e8-49ae-9f1e-2c7d63a5e8f3

CVSS v3 vector

Severity-vector string.

\bCVSS:3\.(?:0|1)/[A-Z:/0-9.]+\b

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4 vector

2023+ vector form.

\bCVSS:4\.0/[A-Z:/0-9.]+\b

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H

Pivots#

From

To

SHA-256

VirusTotal (vt.com/file/<hash>), MalwareBazaar (bazaar.abuse.ch/sample/<hash>), ANY.RUN (any.run/report/<hash>).

Domain

urlscan.io (urlscan.io/domain/<domain>), Censys (search.censys.io/hosts?q=<domain>), passive-DNS providers.

IPv4

Shodan (shodan.io/host/<ip>), Censys, GreyNoise (viz.greynoise.io/ip/<ip>), AbuseIPDB.

JA3

SSLBL JA3 db, JA3er, Salesforce ja3 hash db.

YARA hit

Malpedia / MalwareBazaar tag, Mandiant family page, related YARA on YARAify.

Crypto address

Chainalysis Public Tools (public.chainalysis.com), Etherscan, blockchain.info, OFAC SDN list.

References#