

<h1>A Small macOS (Big Sur+) App to Extract Indicators of Compromise</h1>
<p>By hrbrmstr, published 2021-04-25 (modified 2021-04-26) at <a href="https://rud.is/b/2021/04/25/a-small-macos-big-sur-to-extract-indicators-of-compromise/">rud.is</a>. Categories: Information Security, macOS, Swift.</p>

<p>There’s a semi-infrequent-but-frequent-enough-to-be-annoying manual task at $DAYJOB that involves extracting a particular set of strings (identifiable by a fairly benign set of regular expressions) from various <em>interactive</em> text sources (so, not static documents or documents that are easily scrape-able).</p>

<p>Rather than hack something onto Sublime Text or VS Code, I made a small macOS app in SwiftUI that does the extraction when something is pasted.</p>

<p>It occurred to me that this would work for indicators of compromise (IoCs) — because why not add one more to the 5 billion of them on GitHub — so I forked my app, removed all the $WORK bits, added some code to do just this, and unimaginatively dubbed it <code>extractor</code>. Here’s the main view:</p>

<p><a href="https://i0.wp.com/rud.is/b/wp-content/uploads/2021/04/extractor-empty.png?ssl=1"><img src="https://i0.wp.com/rud.is/b/wp-content/uploads/2021/04/extractor-empty.png?resize=510%2C445&amp;ssl=1" alt="macOS GUI window showing the extractor main view" width="510" height="445" /></a></p>

<p>For now, <code>extractor</code> handles identifying &amp; extracting CIDRs, IPv4s, URLs, hostnames, and email addresses (file issues if you really want hashes, CVE strings or other types) from any of:</p>
<ul>
<li>an input URL (it fetches the content and extracts IoCs from the <em>rendered</em> HTML, not the HTML source);</li>
<li>items pasted into the textbox (more on some SwiftUI 2 foibles regarding that in a bit); and</li>
<li>PDF, HTML, and text files (via <code>Open</code> / <code>⌘-o</code>).</li>
</ul>

<p>Here it is extracting IoCs from one of FireEye’s “solarwinds”-related posts:</p>

<p><a href="https://i0.wp.com/rud.is/b/wp-content/uploads/2021/04/extractor-url.png?ssl=1"><img src="https://i0.wp.com/rud.is/b/wp-content/uploads/2021/04/extractor-url.png?resize=510%2C445&amp;ssl=1" alt="macOS GUI window showing extracted IoCs from a blog post" width="510" height="445" /></a></p>

<p>If you tick the “Monitor Pasteboard” toggle, the app will monitor <em>all system-wide additions to the pasteboard</em>, extract the IoCs from them and put them in the textbox. (I think I really need to make this additive to the text in the textbox vs replacing what’s there.)</p>

<p>You can save the indicators out to a text file (via <code>Save</code> / <code>⌘-s</code>) or just copy them from the text box (if you want ndjson or some threat indicator sharing format, file an issue).</p>

<h3>That SwiftUI 2 Thing I Mentioned</h3>
<p>SwiftUI 2 makes app creation very straightforward, but it still has many limitations. One of these is how windows/controls handle the “Paste” command. The glue code to make this app really work the way I’d like it to is just annoying enough to have it on a TODO vs an ISDONE list, and I’m hoping SwiftUI 3 comes out with WWDC 2021 (in a scant ~2 months) and provides a less hacky solution.</p>

<h3>FIN</h3>
<p>You can find the source and notarized binary releases of <code>extractor</code> <a href="https://github.com/hrbrmstr/extractor">on GitHub</a>. File issues for questions, feature requests, or problems with the app/code.</p>

<p>Because I used SwiftUI 2, it is very likely possible to have this app work on iOS and iPadOS devices. I can’t see anyone using an iPad for DFIR work, but if you’d like a version of this for iOS/iPadOS, also drop an issue.</p>