🔍 Supported IoCs (Indicators of Compromise)

Chrome Extension Detection Test Page

📋 About This Test Page

This page contains a comprehensive list of various Indicator of Compromise (IoC) types. The Larvitar Chrome Extension should detect and highlight these selectors on the page. When you hover over or click on a detected selector, a menu should appear allowing you to analyze it using different AI agents.

Currently Supported Types:

Potential Future Types:

🧪 How to Test

  1. Make sure the Larvitar Chrome Extension is installed and enabled
  2. Ensure "Selector Detection" is enabled in the extension settings (click the extension icon)
  3. Reload this page
  4. Look for highlighted selectors in the table below (they should have a yellow background)
  5. Click on any highlighted selector to see the AI agent submenu with three options:
    • 🔍 Search - Fast OSINT (Passive) <1 minute
    • 🛡️ Thinking - Extended Thinking (Active) <5 minutes
    • 🔬 Research - Deep Research (Active) <2 hours
  6. Select an agent and verify the request is sent to the FastAPI backend
  7. Check the backend logs or API at http://localhost:8000/docs

Name            Description                               Example
IP (IPv4)       IPv4 address                              8.8.8.8
IP (IPv6)       IPv6 address                              ::1
Domain          Domain name                               github.com
Email           Email address                             test@test.com
Hash (MD5)      MD5 hash (32 characters)                  5d41402abc4b2a76b9719d911017c592
Hash (SHA1)     SHA1 hash (40 characters)                 aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
Hash (SHA256)   SHA256 hash (64 characters)               44d88612fea8a8f36de82e1278abb02f44d88612fea8a8f36de82e1278abb02f
URL             Full URL with protocol                    https://github.com
ASN             Autonomous System Number                  AS13335
BTC             Bitcoin address                           1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
CVE             Common Vulnerabilities and Exposures ID   CVE-2018-11776
ETH             Ethereum address                          0x32be343b94f860124dc4fee278fdcbd38c102d88
GaPubID         Google AdSense Publisher ID               pub-9383614236930773
GaTrackID       Google Analytics Tracker ID               UA-67609351-1

🎯 Real-World Scenarios

These scenarios contain multiple IoC types mixed together, simulating real incident reports:

Scenario 1: Phishing Campaign

Security team detected a phishing campaign originating from malicious-sender.com. The attacker's email phishing@badactor.net was sending messages with links to http://evil-phishing-site.tk/login.php hosted on IP 185.220.101.50. The malicious payload hash was 9b74c9897bac770ffc029102a200c5de.

Scenario 2: Malware Distribution

A malware sample was downloaded from https://malware-distribution.xyz/payload.exe (SHA256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f) and communicated with C2 server at 203.0.113.42. DNS requests showed connections to c2-server.onion and suspicious-domain.tk. Contact email found in binary: admin@criminal-network.org.

Scenario 3: Cryptocurrency Theft

Attackers compromised a website and injected JavaScript that redirects cryptocurrency payments. Original Bitcoin address 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa was replaced with attacker's address. The malicious script was loaded from https://cryptojacker.com/inject.js (MD5: 5d41402abc4b2a76b9719d911017c592) hosted on 198.51.100.14. Ethereum address also compromised: 0x32be343b94f860124dc4fee278fdcbd38c102d88.

Scenario 4: APT Infrastructure

Advanced persistent threat (APT) infrastructure identified: Primary C2 domain apt-c2-server.com (IP: 192.0.2.45) with backup at 2001:db8::1. Exfiltration to data-exfil.net via HTTPS. Associated ASN AS13335 and AS15169. Contact emails: ops@apt-group.net and backup@apt-infrastructure.org. Infrastructure uses Google Analytics tracking: UA-67609351-1 for victim profiling.

Scenario 5: Vulnerability Exploitation

Exploitation attempt detected for CVE-2018-11776 (Apache Struts vulnerability). Attack originated from 45.142.212.61 (AS198953) targeting vulnerable-server.example.com. Exploit payload available at https://exploit-db.com/exploits/45260 with hash aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d. Post-exploitation, attacker established connection to exfil-server.onion and 10.20.30.40 (internal network).

Scenario 6: Mixed IoC Collection

Comprehensive incident involving multiple indicators: Domains (attacker-panel.com, command-control.net, malware-repo.org), IPs (172.16.254.1, 8.8.8.8, 1.1.1.1), emails (contact@threat-actor.com, admin@malicious-infra.net), URLs (https://pastebin.com/malicious-config, http://textbin.net/raw/payload), and hashes (SHA1: 356a192b7913b04c54574d18c28d46e6395428ab, MD5: 098f6bcd4621d373cade4e832627b4f6). Google AdSense ID pub-9383614236930773 found in attacker's phishing pages.
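The scenarios above are useful for checking that a detector reports each indicator once and with the right type. The following is an added example, not the Larvitar extension's own code: a priority-ordered, non-overlapping regex detector for the selector types in the table, run over the Scenario 1 text. The type names (`url`, `ga_track`, ...) and the exact patterns are this example's own choices, not the extension's.

```javascript
// Added example, not the Larvitar extension's own code: a priority-ordered,
// non-overlapping regex detector for the selector types listed in the table.
const IOC_PATTERNS = [
  // Most specific patterns first: a span claimed by an earlier type is never
  // re-reported by a later one (the domain inside a URL or e-mail stays hidden).
  ['url',      /\bhttps?:\/\/[^\s"'<>)]*[^\s"'<>).,;]/gi],
  ['email',    /\b[\w.+-]+@[a-z0-9.-]+\.[a-z]{2,}\b/gi],
  ['cve',      /\bCVE-\d{4}-\d{4,}\b/gi],
  ['eth',      /\b0x[a-f0-9]{40}\b/gi],
  ['sha256',   /\b[a-f0-9]{64}\b/gi],   // hash family decided by length only
  ['sha1',     /\b[a-f0-9]{40}\b/gi],
  ['md5',      /\b[a-f0-9]{32}\b/gi],
  ['btc',      /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/g],
  ['ipv4',     /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g],
  ['ipv6',     /(?<![\w:])(?:[0-9a-f]{0,4}:){2,7}[0-9a-f]{0,4}(?![\w:])/gi], // loose; accepts ::1
  ['asn',      /\bAS\d{1,10}\b/g],
  ['ga_pub',   /\bpub-\d{16}\b/g],
  ['ga_track', /\bUA-\d{4,10}-\d{1,4}\b/g],
  ['domain',   /\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi],
];

// Returns [{type, value, start}] sorted by position in the text.
function extractIocs(text) {
  const claimed = [];   // [start, end) spans already assigned to a type
  const found = [];
  for (const [type, re] of IOC_PATTERNS) {
    for (const m of text.matchAll(re)) {
      const start = m.index, end = start + m[0].length;
      if (claimed.some(([s, e]) => start < e && end > s)) continue; // overlaps a claimed span
      claimed.push([start, end]);
      found.push({ type, value: m[0], start });
    }
  }
  return found.sort((a, b) => a.start - b.start);
}

// Input text taken from Scenario 1 above.
const SCENARIO_1 = 'Security team detected a phishing campaign originating from ' +
  'malicious-sender.com. The attacker\'s email phishing@badactor.net was sending ' +
  'messages with links to http://evil-phishing-site.tk/login.php hosted on IP ' +
  '185.220.101.50. The malicious payload hash was 9b74c9897bac770ffc029102a200c5de.';

for (const ioc of extractIocs(SCENARIO_1)) console.log(ioc.type.padEnd(8), ioc.value);
```

Scenario 1 yields exactly five hits (domain, email, url, ipv4, md5); without the claimed-span check the domains inside the URL and the e-mail address would be reported a second time.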

🔌 API Integration

When you select an AI agent for a detected selector, the Chrome extension sends a request to the FastAPI backend:

POST http://localhost:8000/api/chrome-extension/selector-search

Payload:
{
  "investigation_id": "uuid",
  "selector_type": "ipv4|domain|email|hash|url",
  "selector_value": "actual value",
  "agent_type": "osint|threat-intel|forensics",
  "page_url": "current page URL",
  "page_title": "current page title"
}

You can verify the API is working by checking: