Glossary

Commonly used terms and their definitions.

Artifact
Used throughout ThreatIngestor to describe a single, specific piece of Threat Intelligence, such as a domain or file hash.
C2
Also known as “C&C” or “Command and Control,” C2 domains and IP addresses are a form of IOC that describe the infrastructure of a malicious actor. Malware typically “phones home” to these C2s in order to exfiltrate information or receive commands from the malicious actor.
Defanged
An IOC that has been modified in some way to prevent accidental exposure to malicious content, or to avoid being marked as malicious by an antivirus or other security system. Analysts often “defang” IOCs before sharing them publicly. Common defangs include replacing “http” with “hxxp”, or “.” with “[.]” to disable links, e.g.: http://example[.]com.
IOC
Indicator of Compromise: a piece of information that shows evidence of a malicious actor, such as a file hash for a piece of malware, or a domain used as a C2. See also Threat Intelligence.
OSINT
Open Source Intelligence: publicly available information used in an intelligence context; see also Threat Intelligence.
Threat Intelligence
Information that describes the capabilities, characteristics, infrastructure, etc. of a given “threat,” usually malicious software or malicious actors. This can include C2 domains and IP addresses, SSL certificates, YARA rules, file hashes, and more.
YARA
A tool used widely by malware analysts to identify and classify malware. See virustotal.github.io/yara/. YARA “rules” are often shared between analysts to help others detect a certain piece of malware.
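The two defang substitutions described under “Defanged” above (“http” to “hxxp”, “.” to “[.]”), implemented as a round-trippable defang/refang pair. This is an added example, not ThreatIngestor’s own code; the sample artifacts (example.com, 192.0.2.10, a hash) are constructed values.

```python
import re

# Added example, not ThreatIngestor's implementation. Only the two
# substitutions named in the glossary entry are applied:
#   "http" -> "hxxp"   (scheme, so the link no longer resolves)
#   "."    -> "[.]"    (dots, so domains and IPs are not auto-linked)

_HXXP = re.compile(r"\bhxxp(s?)://")
_HTTP = re.compile(r"\bhttp(s?)://")


def refang(ioc: str) -> str:
    """Undo defanging so an artifact can be matched against logs or blocklists."""
    out = ioc.replace("[.]", ".")
    return _HXXP.sub(r"http\1://", out)


def defang(ioc: str) -> str:
    """Return a copy of an artifact that is safe to paste into a report.

    Refanging first makes the function idempotent: defanging an artifact
    that was already defanged does not produce "[[.]]" or "hxxxxp".
    """
    plain = refang(ioc)
    plain = _HTTP.sub(r"hxxp\1://", plain)
    return plain.replace(".", "[.]")


def is_defanged(ioc: str) -> bool:
    """True if the artifact carries either defang marker (useful when
    normalizing mixed input: defanged values must be refanged before matching)."""
    return "[.]" in ioc or _HXXP.search(ioc) is not None


# Constructed sample artifacts of the kinds the glossary mentions.
SAMPLE_ARTIFACTS = [
    "http://example.com/a.php",          # URL
    "192.0.2.10",                        # C2 IP address
    "d41d8cd98f00b204e9800998ecf8427e",  # file hash: no dots, unchanged
]

if __name__ == "__main__":
    for artifact in SAMPLE_ARTIFACTS:
        print(f"{artifact!r:40} -> {defang(artifact)!r}")
```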