WORK IN PROGRESS: This SOC tool is still under development. Some features, regex patterns, and SED commands may not work as expected. Analysts must identify and resolve any issues encountered.

Counter Hack Security Operations Center - Phishing Threat Analysis Station 🎅 Protecting our Neighbors ❄️

Email Viewer

Threat Intelligence Analysis

Extract IOCs

🚨 Step Objective: Extract IOCs 🚨

This phishing email may be connected to the mysterious Gnome activities reported throughout our neighborhood! Extracting IOCs (Indicators of Compromise) is essential to protect the Counter Hack Crew and identify the threat actors behind this campaign. Your mission:

  • Extract all suspicious domains, IPs, URLs, and email addresses

Use the tabs below to extract each IOC type from the email. Be sure not to include legitimate assets!

⏰ Time is critical – the attackers might be planning something bigger!

When you change a regex pattern and extract again, previous results will be replaced with new matches.

What are Domains?

Domains are human-readable web addresses (like example.com) that map to IP addresses. They often indicate the source or destination of malicious activity.

See the Reference tab for more regex patterns and help.

Domains


What are IP Addresses?

IP addresses are numerical labels (like 192.168.1.1) that identify devices on a network. Malicious IPs may host command & control servers or malware.

See the Reference tab for more regex patterns and help.

IP Addresses


What are URLs?

URLs are web addresses (like http://example.com/path) that point to specific resources. Malicious URLs often lead to phishing sites or malware downloads.

See the Reference tab for more regex patterns and help.

URLs


Email Addresses


Defang Selected IOCs

🚨 Step Objective: Defang IOCs 🚨

Defanging IOCs (Indicators of Compromise) is crucial to ensure that malicious content cannot be accidentally activated. This phishing campaign may be connected to the recent Gnome activities! Your mission:

  • Replace dots/periods with [.]
  • Replace @ in email addresses with [@]
  • Replace http with hxxp in URLs
  • Replace :// with [://] in URLs
  • Submit the defanged IOCs to the Counter Hack Security Team

⏰ Act fast – we don't know who is behind this phishing campaign!

Selected IOCs


Quick Defang:

Use SED format like s/\./[.]/g to replace dots with [.]. Chain multiple commands with semicolons: s/\./[.]/g; s/@/[@]/g

Defanged IOCs


Threat Intelligence Report Preview

Review your defanged IOCs before submitting to the Counter Hack Security Team

Reference Materials

Regular Expressions

Common IOC Patterns
IPv4 Addresses: \d{1,3}\.\d{1,3}\.\d{1,3}
Domains: [a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+
Email Addresses: \b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\b
URLs: http://[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+(:[0-9]+)?(/[^\s]*)?
MD5 Hashes: \b[a-fA-F0-9]{32}\b
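The extraction step above (and the "do not include legitimate assets" rule) worked through end to end, as an added example that is not part of the station's own code. It uses Python's `re` module in place of the station's extractor, starts from the Reference tab patterns, and makes two labelled adjustments: the IPv4 pattern is extended to four range-checked octets inside word boundaries, and the URL pattern also accepts `https`. The sample email, the `.example` hostnames, the documentation-range IPs and the `OWN_ASSETS` allowlist are all constructed for the example; in a real SOC the allowlist comes from your asset inventory.

```python
import re
from urllib.parse import urlparse

# Constructed sample phishing email used only for this example.
# Hosts use reserved documentation ranges and the .example TLD.
SAMPLE_EMAIL = """\
From: Gnome Support <support@gnome-helpdesk.example>
To: neighbor@counterhack.example
Subject: Your package is waiting
Received: from mail.gnome-helpdesk.example (203.0.113.45) by mx.counterhack.example (198.51.100.7)

Your delivery could not be completed. Confirm your address at
http://gnome-helpdesk.example/track?id=1234 or visit
http://203.0.113.45:8080/update within 24 hours.
Questions? Contact billing@gnome-helpdesk.example.
Tracker version 2.3.1 is required.
"""

# Assumed list of the defender's own infrastructure (the "legitimate assets"
# the station tells you not to submit). In practice this comes from inventory.
OWN_ASSETS = {"counterhack.example", "198.51.100.7"}

# Patterns follow the station's Reference tab. Two deliberate changes:
#  - IPv4 matches four octets (0-255 each) inside word boundaries
#  - URL accepts https as well as http
# Groups are non-capturing so findall() returns whole matches.
IOC_PATTERNS = {
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain": re.compile(r"\b[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)+\b"),
    "email": re.compile(r"\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\b"),
    "url": re.compile(
        r"https?://[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)+(?::[0-9]+)?(?:/[^\s]*)?"),
}


def is_own_asset(host, own_assets=OWN_ASSETS):
    """True if host is one of our assets or a subdomain of one."""
    host = (host or "").lower()
    return any(host == a or host.endswith("." + a) for a in own_assets)


def extract_iocs(text, own_assets=OWN_ASSETS):
    """Return {kind: sorted list} of candidate IOCs, minus our own assets.

    The domain pattern also matches IPv4 addresses and version strings
    such as 2.3.1, so candidates whose last label is all digits are dropped.
    """
    raw = {kind: set(p.findall(text)) for kind, p in IOC_PATTERNS.items()}
    iocs = {
        "domains": {d for d in raw["domain"]
                    if not d.rsplit(".", 1)[-1].isdigit()
                    and not is_own_asset(d, own_assets)},
        "ips": {ip for ip in raw["ipv4"] if not is_own_asset(ip, own_assets)},
        "emails": {e for e in raw["email"]
                   if not is_own_asset(e.split("@", 1)[1], own_assets)},
        "urls": {u for u in raw["url"]
                 if not is_own_asset(urlparse(u).hostname, own_assets)},
    }
    return {kind: sorted(values) for kind, values in iocs.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_EMAIL).items():
        print(f"{kind} ({len(values)}):")
        for v in values:
            print("  ", v)
```

Running it on the sample keeps the two attacker hostnames, the one attacker IP, the two attacker mailboxes and both URLs, while the recipient's mailbox, the receiving MX host and its IP fall out through the allowlist and the version string `2.3.1` falls out through the all-digits check. The IPv4 pattern from the Reference tab would match far more than this; the range check is what keeps `999.1.1.1`-style noise out of a report.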

SED Commands for Defanging

Common Defanging Techniques
Replace dots with [.]: s/\./[.]/g
Replace @ with [@]: s/@/[@]/g
Replace :// with [://]: s/:\//[://]/g
Replace http with hxxp: s/http/hxxp/g
Multiple commands: s/\./[.]/g; s/@/[@]/g
Tips for SED Commands
  • Forward slashes (/) in your pattern need to be escaped with a backslash: \/
  • Dots (.) have special meaning in regex and need to be escaped to match literal dots: \.
  • Separate multiple commands with semicolons: s/a/b/g; s/c/d/g
  • The g flag after the last slash means "global" - replace all occurrences
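The defanging chain from the Defang step and the SED reference, as an added example that is not the station's own code. It expresses the same substitutions with Python `re.sub` calls applied in a fixed order instead of a `sed` one-liner, and adds the three checks a practitioner usually wants: `http` is only rewritten when it is a URL scheme (so a hostname that happens to start with `http` is not mangled), defanging is idempotent (an already-defanged value is not wrapped again as `[[.]]`), and the report refuses to emit any line that still looks live. The `refang` function, the `looks_live` check and the sample values are constructed for this example.

```python
import re

# Ordered substitutions. Order matters: the scheme rule runs before "://" is
# bracketed, and "http" is only rewritten when it is a URL scheme, so a host
# such as httpbin.example is left alone.
DEFANG_RULES = [
    (re.compile(r"^http(?=s?://)", re.IGNORECASE), "hxxp"),
    (re.compile(r"://"), "[://]"),
    (re.compile(r"\."), "[.]"),
    (re.compile(r"@"), "[@]"),
]

# Inverse rules, applied in the reverse dependency order.
REFANG_RULES = [
    (re.compile(r"\[://\]"), "://"),
    (re.compile(r"^hxxp(?=s?://)", re.IGNORECASE), "http"),
    (re.compile(r"\[\.\]"), "."),
    (re.compile(r"\[@\]"), "@"),
]

# A live scheme, or a dot / @ that is not already wrapped in brackets.
LIVE_MARKERS = re.compile(r"^https?://|(?<!\[)[.@](?!\])", re.IGNORECASE)


def _apply(rules, value):
    for pattern, repl in rules:
        value = pattern.sub(repl, value)
    return value


def refang(value):
    """Undo defanging so an indicator can be fed to a tool that needs it live."""
    return _apply(REFANG_RULES, value)


def defang(value):
    """Defang one IOC. Refanging first makes the function idempotent, so an
    already-defanged value is not wrapped a second time."""
    return _apply(DEFANG_RULES, refang(value))


def looks_live(value):
    """True if the value still contains a clickable scheme or a bare dot or @."""
    return LIVE_MARKERS.search(value) is not None


def defang_report(iocs):
    """Report lines in the station's 'type: indicator' style, all defanged.
    Raises if any line still looks live, which means a rule is missing."""
    lines = []
    for kind in sorted(iocs):
        for value in iocs[kind]:
            safe = defang(value)
            if looks_live(safe):
                raise ValueError(f"defang rule missing for {value!r}")
            lines.append(f"{kind}: {safe}")
    return lines


if __name__ == "__main__":
    # Constructed sample indicators (documentation ranges and .example TLD).
    sample = {
        "ips": ["203.0.113.45"],
        "emails": ["billing@gnome-helpdesk.example"],
        "urls": ["http://gnome-helpdesk.example/track?id=1234",
                 "https://203.0.113.45:8080/update"],
    }
    for line in defang_report(sample):
        print(line)
```

The equivalent `sed` chain is the one the reference describes, with the `://` pattern written out in full and the scheme rule first: `s/^http\(s\?:\/\/\)/hxxp\1/; s/:\/\//[:\/\/]/g; s/\./[.]/g; s/@/[@]/g`. Whichever tool you use, run the `looks_live` style check on the output before it goes into a report.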