What is the purpose of CTIE?

CTIE is used to quickly extract Indicators of Compromise (IoC) from multiple documents and consolidate the results into a file that can be imported in network defense appliances or as appendices to reports.

What type of indicators does CTIE look for?

  • MD5, SHA1 and SHA256 hashes;
  • IPv4 and IPv6 addresses;
  • URLs;
  • Email addresses;
  • Registry keys;

The unlimited version of CTIE can also extract:

  • CARO-named malware names; and
  • CVE references numbers.

And you can define your own extraction rules as well to get additional indicators.

What kind of files can be read by CTIE?

CTIE can read the most common file formats used for reports, more precisely, CTIE can read the following files:

  • Microsoft Word; .doc, .docx;
  • Microsoft Excel; .xls, .xlsx;
  • Microsoft PowerPoint; .ppt, .pptx;
  • Portable Document Format; .pdf;
  • Webpages; .htm, .html;
  • Plain text files; .txt
  • Rich Text Format; .rtf
  • Comma-Separated Values (CSV) format; .csv


CTIE should be able to read and extract indicators from any text file, but may not be able to parse its structure. For example, CTIE will be able to read XML files, but not parse it. Just rename the file to a .txt file to import it in the application.