There’s a semi-infrequent-but-frequent-enough-to-be-annoying manual task at $DAYJOB that involves extracting a particular set of strings (identifiable by a fairly benign set of regular expressions) from various interactive text sources (so, not static documents or documents easily scrape-able).
Rather than hack something onto Sublime Text or VS Code I made a small macOS app in SwiftUI that does the extraction when something is pasted.
It occurred to me that this would work for indicators of compromise (IoCs) — because why not add one more to the 5 billion of them on GitHub — and I forked my app, removed all the $WORK bits and added in some code to do just this, and unimaginatively dubbed it extractor. Here’s the main view:
extractor handles identifying & extracting CIDRs, IPv4s, URLs, hostnames, and email addresses (file issues if you really want hashes, CVE strings or other types) either from:
- an input URL (it fetches the content and extracts IoCs from the rendered HTML, not the HTML source);
- items pasted into the textbox (more on some SwiftUI 2 foibles regarding that in a bit); and
- PDF, HTML, and text files (via
Here it is extracting IoCs from one of FireEye’s “solarwinds”-related posts:
If you tick the “Monitor Pasteboard” toggle, the app will monitor all system-wide additions to the pasteboard, extract the IoCs from them and put them in the textbox. (I think I really need to make this additive to the text in the textbox vs replacing what’s there).
You can save the indicators out to a text file (via ⌘-s) or just copy them from the text box (if you want ndjson or some threat indicator sharing format file an issue).
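An added example of regex-based extraction for the indicator types listed above (URLs, email addresses, CIDRs, IPv4s, hostnames), written in Python; it is not extractor's own Swift code, and the patterns, function names and sample text are assumptions. More specific types claim their text first, so a URL's host or an email's domain is not reported a second time as a bare hostname, and IP candidates are validated rather than trusted:

```python
import ipaddress
import re

# Illustrative patterns (assumptions), not the ones extractor uses.
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
HOST = r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}"
PATTERNS = [  # order matters: earlier (more specific) types claim text first
    ("url", re.compile(r"https?://[^\s<>\"')\]]+", re.I)),
    ("email", re.compile(r"[a-z0-9._%+-]+@" + HOST, re.I)),
    ("cidr", re.compile(r"(?<![\d.])" + IPV4 + r"/\d{1,2}(?!\d)")),
    ("ipv4", re.compile(r"(?<![\d.])" + IPV4 + r"(?!\.?\d)")),
    ("hostname", re.compile(r"(?<![\w.@-])" + HOST + r"(?![\w-])", re.I)),
]

SAMPLE = (  # constructed sample text
    "Beacon to https://c2.bad-domain.example/gate.php from 203.0.113.45, "
    "range 198.51.100.0/24. Contact admin@mail.bad-domain.example; "
    "also seen: update.bad-domain.example and 999.1.1.1."
)

def _valid(kind, value):
    """Reject regex matches that are not real addresses (e.g. 999.1.1.1)."""
    try:
        if kind == "cidr":
            ipaddress.ip_network(value, strict=False)
        elif kind == "ipv4":
            ipaddress.ip_address(value)
    except ValueError:
        return False
    return True

def extract_iocs(text):
    """Return {type: [unique values in order of appearance]}."""
    found = {kind: [] for kind, _ in PATTERNS}
    claimed = []  # spans already matched by a more specific pattern
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            value = m.group(0).rstrip(".,;:")  # drop sentence punctuation
            start, end = m.start(), m.start() + len(value)
            if any(s < end and start < e for s, e in claimed):
                continue
            if not _valid(kind, value):
                continue
            claimed.append((start, end))
            if value not in found[kind]:
                found[kind].append(value)
    return found

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE).items():
        print(kind, values)
```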
That SwiftUI 2 Thing I Mentioned
SwiftUI 2 makes app-creation very straightforward, but it also still has many limitations. One of which is how windows/controls handle the “Paste” command. The glue code to make this app really work the way I’d like it to work is just annoying enough to have it on a TODO vs an ISDONE list and I’m hoping SwiftUI 3 comes out with WWDC 2021 (in a scant ~2 months) and provides a less hacky solution.
You can find the source and notarized binary releases of extractor on GitHub. File issues for questions, feature requests, or problems with the app/code.
Because I used SwiftUI 2, it is very likely possible to have this app work on iOS and iPadOS devices. I can’t see anyone using an iPad for DFIR work, but if you’d like a version of this for iOS/iPadOS, also drop an issue.