IOCs (indicators of compromise) are artifacts attackers leave behind. Use these to hunt in your SIEM or block at your firewall; the Confidence column tells you which entries are safe to block outright and which need triage before you act on them.
| Type | Value | Threat | Confidence |
|---|---|---|---|
| IP | 185.220.101.45 | Tor Exit Node / Brute Force | High |
| IP | 203.0.113.99 | Webshell Upload Source | High |
| Domain | update-cdn.winhelper.net | Malware C2 Domain | High |
| Hash (MD5) | 5d41402abc4b2a76b9719d911017c592 | Known RAT dropper | Medium |
| User-Agent | python-requests/2.28.0 | Automated attack tool | Low |
| User-Agent | Nikto/2.1.6 | Web vulnerability scanner | High |
| URL Pattern | /uploads/*.php | Webshell access | High |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsHelper | Malware persistence | Medium |
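An added hunting example (not part of the original page): it loads the indicators from the table above as records, runs them over a few constructed Apache/nginx combined-format access-log lines, matches source IP, User-Agent, URL glob, referer domain and hash, and returns hits with High confidence first for triage.

```python
import re
from fnmatch import fnmatchcase

# Indicators from the table above, as structured records.
IOCS = [
    {"type": "ip", "value": "185.220.101.45", "threat": "Tor Exit Node / Brute Force", "confidence": "High"},
    {"type": "ip", "value": "203.0.113.99", "threat": "Webshell Upload Source", "confidence": "High"},
    {"type": "domain", "value": "update-cdn.winhelper.net", "threat": "Malware C2 Domain", "confidence": "High"},
    {"type": "md5", "value": "5d41402abc4b2a76b9719d911017c592", "threat": "Known RAT dropper", "confidence": "Medium"},
    {"type": "user_agent", "value": "python-requests/2.28.0", "threat": "Automated attack tool", "confidence": "Low"},
    {"type": "user_agent", "value": "Nikto/2.1.6", "threat": "Web vulnerability scanner", "confidence": "High"},
    {"type": "url_pattern", "value": "/uploads/*.php", "threat": "Webshell access", "confidence": "High"},
]

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.99 - - [10/Oct/2023:13:55:36 +0000] "POST /uploads/shell.php HTTP/1.1" 200 512 "-" "python-requests/2.28.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '185.220.101.45 - - [10/Oct/2023:13:57:12 +0000] "GET /login HTTP/1.1" 401 128 "-" "Nikto/2.1.6"',
]

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def match_line(line, iocs=IOCS):
    """Return every IOC that fires on one combined-format access-log line."""
    m = COMBINED.match(line)
    if not m:          # unparseable line: skip it rather than abort the hunt
        return []
    f = m.groupdict()
    path = f["path"].split("?", 1)[0].lower()   # drop query string; case-fold for the glob
    hits = []
    for ioc in iocs:
        t, v = ioc["type"], ioc["value"]
        if ((t == "ip" and f["ip"] == v)
                or (t == "user_agent" and v in f["ua"])
                or (t == "url_pattern" and fnmatchcase(path, v.lower()))
                or (t == "domain" and v in f["referer"].lower())
                or (t == "md5" and v in line.lower())):   # hashes rarely appear in web logs; substring fallback
            hits.append(ioc)
    return hits

def hunt(lines, iocs=IOCS):
    """Scan all lines; return (line_number, ioc) pairs, High-confidence hits first for triage."""
    rank = {"High": 0, "Medium": 1, "Low": 2}
    found = [(n, ioc) for n, line in enumerate(lines, 1) for ioc in match_line(line, iocs)]
    return sorted(found, key=lambda h: (rank[h[1]["confidence"]], h[0]))
```

Running `hunt(SAMPLE_LOG)` yields five hits: the webshell POST trips three indicators at once, the Nikto scan from the Tor exit two, and the ordinary browser request none.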
# IOC sharing platforms:
# MISP — open source threat intel platform
# OpenCTI — structured threat intelligence
# VirusTotal — hash/IP/domain lookup
# AbuseIPDB — IP reputation database
# URLhaus — malicious URL database
# OTX (AlienVault) — community threat intel
# Automate IOC blocking with a feed + firewall integration (AbuseIPDB blacklist shown; a MISP export works the same way). Needs an API key in $ABUSEIPDB_API_KEY; jq -r strips the JSON quotes and grep keeps only well-formed IPv4 before iptables sees it. For large lists use an ipset instead of one rule per IP.
curl -sS https://api.abuseipdb.com/api/v2/blacklist -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: application/json" \
  | jq -r '.data[].ipAddress' | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
  | xargs -I{} iptables -A INPUT -s {} -j DROP