The Evolution of Threat Intelligence: From Reactive IOCs to Proactive Context

Introduction:

Threat Intelligence has evolved beyond simple Indicators of Compromise (IOC) feeds into a sophisticated discipline centered on contextual analysis. Modern security teams now prioritize understanding adversary tactics, techniques, and procedures (TTPs) rather than just chasing isolated malicious indicators. This shift enables proactive defense by focusing on the “why” and “how” behind attacks rather than just the “what.”

Learning Objectives:

  • Understand the limitations of traditional IOC-based threat intelligence
  • Learn practical commands for extracting contextual threat data
  • Implement tools and techniques for behavioral analysis and campaign tracking
  • Develop processes for correlating disparate security events
  • Build automated systems for context enrichment

You Should Know:

1. Moving Beyond Basic IOC Collection

Verified Linux commands for threat data collection:

# Query ThreatFox API for IOCs with context
curl -X POST https://threatfox-api.abuse.ch/api/v1/ --data '{"query":"get_iocs","days":7}' | jq '.data[] | select(.malware=="QakBot")'

# Extract and analyze DNS queries from pcap with context
tshark -r capture.pcap -T fields -e dns.qry.name | sort | uniq -c | sort -nr | head -20

# Cross-reference IPs with multiple threat intelligence sources
for ip in $(cat suspicious_ips.txt); do
    echo "Checking $ip"
    # -E is required for the alternation; plain grep treats | literally
    whois "$ip" | grep -iE "country|netname"
    curl -s "https://otx.alienvault.com/api/v1/indicators/IPv4/$ip/general" | jq '.pulse_info.count'
done

Step-by-step guide: These commands demonstrate the evolution from simple IOC checking to contextual analysis. The ThreatFox query retrieves IOCs specifically associated with QakBot campaigns, providing immediate context about the threat actor. The DNS analysis helps identify patterns in communication, while the bulk IP checking script enriches basic indicators with geographical and reputation data, transforming raw IOCs into actionable intelligence.
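Turning the ThreatFox feed above into campaign context rather than a flat list of IOCs, as an added example that is not part of the original post: the sample response is constructed (field names follow ThreatFox's get_iocs schema as an assumption), and the function groups entries by malware family while discarding stale or low-confidence indicators.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a ThreatFox get_iocs response (field names
# follow the public API; every value below is made up for this example).
SAMPLE_RESPONSE = json.dumps({"query_status": "ok", "data": [
    {"ioc": "203.0.113.10:443", "ioc_type": "ip:port", "malware_printable": "QakBot",
     "confidence_level": 100, "first_seen": "2023-10-14 09:12:00 UTC", "tags": ["BB", "obama273"]},
    {"ioc": "198.51.100.7:2222", "ioc_type": "ip:port", "malware_printable": "QakBot",
     "confidence_level": 75, "first_seen": "2023-10-16 18:40:00 UTC", "tags": ["BB"]},
    {"ioc": "bad.example.invalid", "ioc_type": "domain", "malware_printable": "Pikabot",
     "confidence_level": 50, "first_seen": "2023-10-16 01:00:00 UTC", "tags": []},
    {"ioc": "192.0.2.55:8080", "ioc_type": "ip:port", "malware_printable": "QakBot",
     "confidence_level": 25, "first_seen": "2023-10-01 00:00:00 UTC", "tags": ["legacy"]},
]})

def parse_first_seen(value):
    """ThreatFox timestamps look like '2023-10-14 09:12:00 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def campaign_context(raw_json, now, days=7, min_confidence=50):
    """Group feed entries by malware family, keeping only recent and confident
    IOCs. Stale or low-confidence entries are counted in 'dropped' so the
    analyst still sees how much of the feed was discarded."""
    payload = json.loads(raw_json)
    if payload.get("query_status") != "ok":
        raise ValueError(f"feed error: {payload.get('query_status')}")
    cutoff = now - timedelta(days=days)
    ctx = defaultdict(lambda: {"iocs": [], "ioc_types": set(), "tags": set(),
                               "first_seen": None, "dropped": 0})
    for entry in payload["data"]:
        fam = ctx[entry["malware_printable"]]
        seen = parse_first_seen(entry["first_seen"])
        if entry["confidence_level"] < min_confidence or seen < cutoff:
            fam["dropped"] += 1
            continue
        fam["iocs"].append(entry["ioc"])
        fam["ioc_types"].add(entry["ioc_type"])
        fam["tags"].update(entry["tags"])
        if fam["first_seen"] is None or seen < fam["first_seen"]:
            fam["first_seen"] = seen
    return dict(ctx)

if __name__ == "__main__":
    now = datetime(2023, 10, 17, 12, 0, tzinfo=timezone.utc)
    for family, info in sorted(campaign_context(SAMPLE_RESPONSE, now).items()):
        print(f"{family}: {len(info['iocs'])} IOCs, tags={sorted(info['tags'])}, "
              f"dropped={info['dropped']}, first_seen={info['first_seen']:%Y-%m-%d}")
```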

2. Contextual Enrichment with YARA Rules

rule APT29_CozyBear_Backdoor {
    meta:
        description = "Detects COZYBEAR related backdoor activity"
        author = "ThreatIntel Team"
        date = "2023-10-15"
        threat_actor = "APT29"
        campaign = "Operation Ghost"
        confidence = "high"

    strings:
        $s1 = "rundll32.exe" nocase
        $s2 = "scvhost.exe" nocase
        $s3 = "/c choice /c Y /N /D Y /t 1 & " wide
        $mz = { 4D 5A }

    condition:
        // PE header first, then either every $s string or repeated $s1/$s2 hits
        $mz at 0 and
        (
            all of ($s*) or
            (#s1 > 2 and #s2 > 1)
        )
}

Step-by-step guide: This YARA rule exemplifies context-driven detection by embedding threat actor attribution (APT29) and campaign information (Operation Ghost) directly within the detection logic. Unlike simple hash-based IOCs, this rule looks for behavioral patterns and file characteristics that persist across different malware variants used by the same threat actor, enabling detection of new tools in the same campaign.

3. Behavioral Analysis with EDR Commands

# Hunt for lateral movement using WMI
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WMI-Activity/Operational'; ID=5861} |
    Where-Object { $_.Message -like "*172.*" } |
    Select-Object TimeCreated, @{Name="SourceIP"; Expression={ $_.Properties[0].Value }}

# Detect process hollowing patterns (findstr takes space-separated search strings, not |)
pslist.exe -s | findstr /i "explorer.svchost svchost.explorer"

# Analyze command line arguments for suspicious patterns
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
    Where-Object { $_.Message -match "encodedcommand|hidden|windowstyle" } |
    Select-Object TimeCreated, Id, Message

Step-by-step guide: These commands focus on detecting adversary behaviors rather than static indicators. The WMI query identifies lateral movement patterns, the process listing detects injection techniques, and the PowerShell monitoring catches obfuscation attempts. This approach remains effective even as attackers change their tools and infrastructure.

4. Campaign Correlation with SIEM Queries

# Splunk query for correlating related events
index=security (sourcetype="stream:http" OR sourcetype="stream:dns")
| stats values(dest_ip) as Target_IPs, values(src_ip) as Source_IPs,
        values(user_agent) as User_Agents, count by src_country, dest_country
| where count > 10
| sort - count

# Elasticsearch query for time-based correlation
GET /security-events-*/_search
{
  "query": {
    "bool": {
      "must": [
        { "range": { "@timestamp": { "gte": "now-1h" } } },
        { "terms": { "event.action": ["process_create", "network_connection"] } }
      ],
      "filter": {
        "script": {
          "script": {
            "source": "doc['user.name'].value == doc['process.parent.user.name'].value"
          }
        }
      }
    }
  }
}

Step-by-step guide: These SIEM queries demonstrate how to move from isolated event analysis to campaign detection. The Splunk query correlates multiple connection attempts across different protocols and geographies, while the Elasticsearch query identifies process creation patterns that might indicate automated attack tools. Both approaches help identify coordinated activities rather than individual malicious events.
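The Splunk aggregation above reimplemented in Python over constructed events so the correlation logic can be exercised offline; this is an added example, not code from the original post, and the event field names simply mirror the Splunk fields used in the query.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 10, 17, 12, 0, tzinfo=timezone.utc)

def _ev(minutes_ago, stype, src, dst, src_country, dest_country, ua=None):
    """Build one constructed event with the fields the Splunk query uses."""
    return {"ts": NOW - timedelta(minutes=minutes_ago), "sourcetype": stype,
            "src_ip": src, "dest_ip": dst, "src_country": src_country,
            "dest_country": dest_country, "user_agent": ua}

# Constructed sample: a burst of http and dns events from seven US hosts to one
# RU destination, one unrelated DE event, and one US->RU event outside the window.
EVENTS = (
    [_ev(i, "stream:http", f"203.0.113.{i}", "198.51.100.9", "US", "RU", "curl/7.0")
     for i in range(1, 8)]
    + [_ev(i, "stream:dns", f"203.0.113.{i}", "198.51.100.53", "US", "RU")
       for i in range(1, 6)]
    + [_ev(5, "stream:http", "192.0.2.4", "198.51.100.9", "DE", "RU", "Mozilla/5.0"),
       _ev(90, "stream:http", "203.0.113.99", "198.51.100.9", "US", "RU", "curl/7.0")]
)

def correlate_by_geo(events, now, window=timedelta(hours=1), min_count=10):
    """Offline equivalent of the Splunk stats/where/sort pipeline: aggregate
    http and dns events inside `window` by (src_country, dest_country) and
    return the pairs whose count exceeds `min_count`, largest first."""
    groups = defaultdict(lambda: {"count": 0, "Target_IPs": set(), "Source_IPs": set(),
                                  "User_Agents": set(), "sourcetypes": set()})
    for e in events:
        if e["sourcetype"] not in ("stream:http", "stream:dns"):
            continue
        if not (now - window <= e["ts"] <= now):
            continue
        g = groups[(e["src_country"], e["dest_country"])]
        g["count"] += 1
        g["Target_IPs"].add(e["dest_ip"])
        g["Source_IPs"].add(e["src_ip"])
        g["sourcetypes"].add(e["sourcetype"])
        if e["user_agent"]:  # like values(), skip events without the field
            g["User_Agents"].add(e["user_agent"])
    hits = [(k, v) for k, v in groups.items() if v["count"] > min_count]
    return sorted(hits, key=lambda kv: kv[1]["count"], reverse=True)

if __name__ == "__main__":
    for (src_c, dst_c), g in correlate_by_geo(EVENTS, NOW):
        print(f"{src_c}->{dst_c}: {g['count']} events from {len(g['Source_IPs'])} hosts "
              f"over {sorted(g['sourcetypes'])}, agents={sorted(g['User_Agents'])}")
```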

5. Threat Actor Attribution through Infrastructure Analysis

# Analyze SSL certificates for infrastructure clustering (</dev/null stops s_client waiting on stdin)
openssl s_client -connect suspicious-domain.com:443 2>/dev/null </dev/null | openssl x509 -noout -subject -issuer -dates

# Passive DNS replication for tracking infrastructure changes
pdns_analyze.py -d malicious-domain.com -r 172.16.1.53 -k pdns_api_key

# ASN and netblock analysis for attribution
whois -h whois.radb.net 192.0.2.1 | grep -iE "origin|netname|descr"
curl -s "https://api.bgpview.io/ip/192.0.2.1" | jq '.data.rir_allocation'

Step-by-step guide: These commands help build context around malicious infrastructure by analyzing technical artifacts that persist across different campaigns. SSL certificate analysis can reveal connections between seemingly unrelated domains, passive DNS tracking shows historical infrastructure changes, and ASN analysis helps identify hosting patterns characteristic of specific threat actors.

6. Automated Context Enrichment with Python

import json
import requests

def enrich_ioc(ioc_value, ioc_type):
    """Enrich IOC with multiple threat intelligence sources"""
    context = {'original_ioc': ioc_value, 'type': ioc_type}

    # Check VirusTotal (v3 search endpoint; requires an API key)
    vt_url = f"https://www.virustotal.com/api/v3/search?query={ioc_value}"
    vt_headers = {"x-apikey": "YOUR_VT_API_KEY"}
    vt_response = requests.get(vt_url, headers=vt_headers, timeout=30)

    if vt_response.status_code == 200:
        vt_data = vt_response.json()
        if vt_data.get('data'):  # search returns a list, empty for unknown IOCs
            attrs = vt_data['data'][0]['attributes']
            context['virustotal'] = {
                'malicious': attrs['last_analysis_stats']['malicious'],
                'reputation': attrs.get('reputation')
            }

    # Check AlienVault OTX (ioc_type must be an OTX indicator type, e.g. "domain" or "IPv4")
    otx_url = f"https://otx.alienvault.com/api/v1/indicators/{ioc_type}/{ioc_value}/general"
    otx_response = requests.get(otx_url, timeout=30)

    if otx_response.status_code == 200:
        otx_data = otx_response.json()
        context['pulse_count'] = otx_data['pulse_info']['count']
        context['related_indicators'] = otx_data['pulse_info']['related_indicator_count']

    return context

# Usage example
enriched_data = enrich_ioc("malicious-domain.com", "domain")
print(json.dumps(enriched_data, indent=2))

Step-by-step guide: This Python script automates the process of gathering contextual information about IOCs from multiple threat intelligence sources. By combining data from VirusTotal (file reputation) and AlienVault OTX (campaign context), security analysts can quickly determine if an indicator is part of a known campaign and assess its severity based on multiple sources rather than single-point detections.

7. MITRE ATT&CK Mapping for Tactical Context

# Map detected activity to MITRE ATT&CK framework
# T1055 - Process Injection detection
grep -rE "WriteProcessMemory|CreateRemoteThread" /var/log/edr/ |
    awk -F: '{print $1}' | sort | uniq

# T1566 - Phishing detection patterns
zegrep -i "Subject:.*(urgent|action required|invoice)" /var/log/mail.log |
    wc -l

# T1027 - Obfuscated Files or Information
strings malicious_file.exe | grep -E "^[A-Za-z0-9+/]{20,}={0,2}$" |
    head -5

Step-by-step guide: These commands help map detected activities to the MITRE ATT&CK framework, providing crucial context about adversary tactics. By categorizing detections according to this standardized framework, security teams can better understand the overall attack pattern, prioritize responses based on the attack phase, and implement appropriate countermeasures for each technique.
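Added example, not from the original post: the three grep patterns above, plus the PowerShell obfuscation pattern from section 3, applied to constructed log lines and rolled up by technique and tactic so a detection can be placed in the attack phase the guide describes.

```python
import re
from collections import Counter

# Pattern-to-technique table built from the three greps above plus the PowerShell
# obfuscation pattern from section 3. Technique IDs and tactic names are taken from
# the ATT&CK Enterprise matrix; the T1027 pattern adds boundaries because it runs on
# whole log lines rather than on `strings` output.
TECHNIQUE_PATTERNS = {
    "T1055": ("Process Injection", "Defense Evasion / Privilege Escalation",
              re.compile(r"WriteProcessMemory|CreateRemoteThread")),
    "T1566": ("Phishing", "Initial Access",
              re.compile(r"Subject:.*(urgent|action required|invoice)", re.I)),
    "T1027": ("Obfuscated Files or Information", "Defense Evasion",
              re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])")),
    "T1059.001": ("PowerShell", "Execution",
                  re.compile(r"encodedcommand|windowstyle\s+hidden", re.I)),
}

# Constructed log lines (made up for this example).
SAMPLE_LOGS = """\
2023-10-15T10:01:02 edr host01 api=WriteProcessMemory pid=4412 target=explorer.exe
2023-10-15T10:01:03 edr host01 api=CreateRemoteThread pid=4412 target=explorer.exe
2023-10-15T10:02:10 mail Subject: URGENT invoice attached from=billing@example.invalid
2023-10-15T10:03:00 ps host01 powershell.exe -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2023-10-15T10:04:00 mail Subject: weekly newsletter from=news@example.invalid
"""

def map_to_attack(lines):
    """Return {technique_id: {name, tactic, count, samples}} for every technique
    whose pattern matched at least one line. A line may map to several techniques
    (the PowerShell line above hits both T1059.001 and T1027)."""
    hits = {}
    for line in lines.splitlines():
        for tid, (name, tactic, pattern) in TECHNIQUE_PATTERNS.items():
            if pattern.search(line):
                entry = hits.setdefault(tid, {"name": name, "tactic": tactic,
                                              "count": 0, "samples": []})
                entry["count"] += 1
                entry["samples"].append(line[:70])
    return hits

def tactic_summary(hits):
    """Roll technique counts up to tactics, i.e. the attack phase to prioritise."""
    summary = Counter()
    for h in hits.values():
        summary[h["tactic"]] += h["count"]
    return summary

if __name__ == "__main__":
    found = map_to_attack(SAMPLE_LOGS)
    for tid, h in sorted(found.items()):
        print(f"{tid} {h['name']} [{h['tactic']}]: {h['count']} line(s)")
    print(dict(tactic_summary(found)))
```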

What Undercode Say:

  • Context is the new currency in threat intelligence – raw IOCs have become commodities
  • Behavioral detection outlasts indicator-based blocking as adversaries rapidly evolve
  • The most effective security programs focus on understanding adversary campaigns rather than chasing individual indicators

The transition from IOC-focused to context-driven threat intelligence represents a fundamental maturation of cybersecurity practices. Organizations that continue to rely primarily on IOC feeds will find themselves in a perpetual cycle of reactive defense, while those investing in contextual analysis and behavioral understanding will develop predictive capabilities. The technical commands and methodologies outlined demonstrate that modern threat intelligence requires correlating multiple data sources, understanding adversary behavior patterns, and maintaining historical context about campaigns and threat actors. This approach ultimately enables security teams to anticipate attacks rather than just respond to them.

Prediction:

Within three years, AI-powered contextual analysis will become the standard for threat intelligence, with automated systems correlating IOCs with behavioral patterns, campaign history, and threat actor profiling to predict attack vectors before they’re exploited. Organizations that fail to adopt context-driven approaches will experience 50% more successful breaches due to the increasing sophistication of adversary evasion techniques and the decreasing lifespan of individual IOCs.

Reported By: Adrien Girard – Hackers Feeds