One investigative technique for threat analysis involves pulling information from disparate data sources and piecing together breadcrumbs of data; the result is a more holistic picture of a threat. One of the most basic forms of telemetry used to research a threat is the classic IP address/domain record pair, and the Maltego platform provides an excellent interface for graphing these pairs so that interesting links or clusters stand out for further analysis. Building those graphs has historically been a very manual process, and it often leads to a dead end, since threat actors commonly take over legitimate systems to carry out their campaigns, so the IP or domain being pivoted on may belong to an unwitting third party rather than to the actor.

Given this, and with a yearning for more control over the graphing process, we created a new script to automate the initial building of Maltego graphs using passive DNS (pDNS) data from PassiveTotal. Specifically, SpiderMal is a Python script that can be run from the CLI or, alternatively, pointed to by a Maltego Local Transform. At its core it uses the PassiveTotal API to connect domain nodes to IP address nodes, and vice versa, using their pDNS data. It then recursively crawls outward from the seeded entity to a specified level, building out the diagram.

This can be accomplished through the existing PassiveTotal Maltego transforms by chaining lookups together; however, SpiderMal also includes the ability to filter results by a temporal range, so that only domains or IPs seen within a specified date range are included in the graph. This reduces the noise and allows an analyst to fine-tune their results before diving in further.
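The crawl described above (start from a seed domain or IP, pivot through pDNS to the other entity type, recurse to a fixed depth, and keep only records seen within a date range) is shown below as an added example. It is not SpiderMal's code and it does not call PassiveTotal: the API is replaced by a constructed in-memory record table, the record shape (domain, IP, first_seen, last_seen) and the `lookup` interface are assumptions about what a pDNS source returns, and the `max_fanout` guard is an added safeguard rather than a documented SpiderMal option.

```python
"""Recursive passive-DNS pivot with a depth limit and date-range filter.

Added example, not SpiderMal's own code. The pDNS source is a constructed
in-memory table standing in for the PassiveTotal API, and the record shape
(domain, ip, first_seen, last_seen as ISO dates) is an assumption, not
PassiveTotal's documented schema.
"""
from collections import deque
from datetime import date
import ipaddress

# Constructed sample pDNS records: (domain, ip, first_seen, last_seen).
SAMPLE_RECORDS = [
    ("evil-login.example", "203.0.113.10", "2022-11-01", "2022-12-15"),
    ("evil-login.example", "198.51.100.7", "2021-03-02", "2021-05-09"),   # stale
    ("update-check.example", "203.0.113.10", "2022-11-20", "2023-01-04"),
    ("legit-blog.example", "203.0.113.10", "2019-01-01", "2020-06-30"),   # stale
    ("update-check.example", "203.0.113.44", "2022-12-01", "2023-01-10"),
    ("cdn-shared.example", "203.0.113.44", "2022-12-05", "2023-01-05"),
]


def is_ip(value):
    """True for an IPv4/IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lookup(entity, records=SAMPLE_RECORDS):
    """Hypothetical pDNS query (stand-in for the PassiveTotal API): partners of
    a domain (its IPs) or of an IP (its domains), with the observation window
    as ISO date strings."""
    want_ip = not is_ip(entity)
    hits = []
    for dom, ip, first, last in records:
        if want_ip and dom == entity:
            hits.append((ip, first, last))
        elif not want_ip and ip == entity:
            hits.append((dom, first, last))
    return hits


def overlaps(first_seen, last_seen, start, end):
    """'Seen within the range' is read here as: the record's observation window
    [first_seen, last_seen] intersects the analyst's window [start, end]."""
    f, l = date.fromisoformat(first_seen), date.fromisoformat(last_seen)
    s, e = date.fromisoformat(start), date.fromisoformat(end)
    return f <= e and l >= s


def spider(seed, depth, start, end, lookup_fn=lookup, max_fanout=50):
    """Breadth-first crawl from `seed` out to `depth` hops, alternating
    domain -> IP -> domain via pDNS. Returns sorted (domain, ip) edges.

    max_fanout is an added guard, not a documented SpiderMal option: an IP
    fronting hundreds of names is almost always shared hosting or a CDN, and
    pivoting through it floods the graph with unrelated domains.
    """
    edges = set()
    visited = {seed}           # stops cycles (domain -> IP -> same domain)
    queue = deque([(seed, 0)])
    while queue:
        entity, level = queue.popleft()
        if level >= depth:
            continue
        partners = [p for p, f, l in lookup_fn(entity) if overlaps(f, l, start, end)]
        if len(partners) > max_fanout:
            continue  # treat as a dead end rather than exploding the graph
        for partner in partners:
            dom, ip = (partner, entity) if is_ip(entity) else (entity, partner)
            edges.add((dom, ip))
            if partner not in visited:
                visited.add(partner)
                queue.append((partner, level + 1))
    return sorted(edges)


if __name__ == "__main__":
    for dom, ip in spider("evil-login.example", 4, "2022-10-01", "2023-01-31"):
        print(f"{dom} -> {ip}")
```

To drive this from real data, replace `lookup` with a function that queries your pDNS provider and returns the same (partner, first_seen, last_seen) tuples; the crawl, the depth limit and the date filter stay unchanged. With the constructed table, the stale 2019-2021 resolutions are dropped at the first hop, and narrowing the window to start after the seed's last observed resolution returns no edges at all, which is the point of the filter: an analyst sees only the infrastructure that was live during the period of interest.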