About

Introduction

Welcome to Pivot Atlas, a pivoting handbook for cyber threat intelligence analysts, containing simple reference material for how to make the best use of various threat activity observables, such as IP addresses and file hashes.

This website aims to map the pivotability of every type of artifact that analysts might encounter in the course of their investigations:

"While investigating threat activity, I found ...what can I do with it?"

       — You, probably.

For any given observable, analysts can use this handbook to figure out what steps they should take to reveal potentially related malicious infrastructure or tooling. Every listed pivoting method can be performed using one or more tools (depending on preference or which platforms you have access to), and query examples are provided for the most commonly used tools.

Diagrams are also included for easy and clickable navigation between artifact types, as in the following example or in the full map (the diagram may take a few seconds to load in your browser if you're visiting this website for the first time):

  • Pivot Map
    flowchart LR
        classDef secondary stroke-dasharray: 5 5
    
        %% define nodes
        IP_ADDRESS(IP Address)
        IP_ADDRESS_(IP Address):::secondary
        DOMAIN(Domain)
        SERVER(Server)
        SAMPLE(Sample)
        USER_AGENT(User Agent)
    
        %% define edges
        DOMAIN -- resolves --> IP_ADDRESS
        IP_ADDRESS -- rDNS --> DOMAIN
        IP_ADDRESS -- prev. resolved --> DOMAIN
        IP_ADDRESS <-- ASN --> IP_ADDRESS_
        IP_ADDRESS -- uses --> USER_AGENT
        IP_ADDRESS <-- Netflow --> IP_ADDRESS_
        IP_ADDRESS <-- WHOIS --> IP_ADDRESS_
        SERVER -- hosted by --> IP_ADDRESS
        SAMPLE -- references --> IP_ADDRESS
    
        %% define links
        click IP_ADDRESS "/artifacts/ip-address"
        click DOMAIN "/artifacts/domain"
        click SERVER "/artifacts/server"
        click SAMPLE "/artifacts/sample"
        click USER_AGENT "/artifacts/user-agent"
    
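As an added illustration (not code from Pivot Atlas itself), the following Python parses the edge lines of the Pivot Map above and enumerates the pivot chains that lead from one artifact type to another. It assumes the secondary IP_ADDRESS_ node stands for a second artifact of the same type and folds it onto IP_ADDRESS.

```python
import re
from collections import deque

# Edge lines copied from the "%% define edges" section of the Pivot Map above.
PIVOT_MAP_EDGES = """
DOMAIN -- resolves --> IP_ADDRESS
IP_ADDRESS -- rDNS --> DOMAIN
IP_ADDRESS -- prev. resolved --> DOMAIN
IP_ADDRESS <-- ASN --> IP_ADDRESS_
IP_ADDRESS -- uses --> USER_AGENT
IP_ADDRESS <-- Netflow --> IP_ADDRESS_
IP_ADDRESS <-- WHOIS --> IP_ADDRESS_
SERVER -- hosted by --> IP_ADDRESS
SAMPLE -- references --> IP_ADDRESS
"""

# Matches "A -- label --> B" (one-way) and "A <-- label --> B" (two-way).
EDGE_RE = re.compile(r"^(\w+)\s+(<)?--\s*(.+?)\s*-->\s+(\w+)$")


def parse_pivot_map(text):
    """Return (src, label, dst) pivots; a two-way edge yields both directions.
    Assumption: a trailing underscore (IP_ADDRESS_) marks a secondary node of
    the same artifact type, so it is folded onto the primary node."""
    pivots = []
    for line in text.strip().splitlines():
        m = EDGE_RE.match(line.strip())
        if not m:
            continue
        src, two_way, label, dst = m.groups()
        src, dst = src.rstrip("_"), dst.rstrip("_")
        pivots.append((src, label, dst))
        if two_way:
            pivots.append((dst, label, src))
    return pivots


def pivot_chains(pivots, start, goal, max_hops=3):
    """Breadth-first search: every chain of at most max_hops pivots from a
    `start` artifact type to a `goal` artifact type, without revisiting a type."""
    graph = {}
    for src, label, dst in pivots:
        graph.setdefault(src, []).append((label, dst))
    chains, queue = [], deque([(start, [])])  # path = list of (label, artifact)
    while queue:
        node, path = queue.popleft()
        if len(path) == max_hops:
            continue
        for label, nxt in graph.get(node, []):
            step = path + [(label, nxt)]
            if nxt == goal:
                chains.append(step)
            elif nxt != start and all(nxt != a for _, a in path):
                queue.append((nxt, step))
    return chains
```

For example, `pivot_chains(parse_pivot_map(PIVOT_MAP_EDGES), "SAMPLE", "DOMAIN")` yields the two chains Sample -> references -> IP Address -> rDNS / prev. resolved -> Domain.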

This project is a work in progress, but in time it might serve as a comprehensive guide to pivoting. If you would like to learn more about pivoting and cyber threat intelligence, please check out the references listed at the end of this page. If you would like to contribute content to this project, please feel free to reach out on Twitter or submit a pull request here.

Frequently asked questions (FAQ)

How should I use Pivot Atlas?

  • To learn about recommended pivots for a given type of artifact, check out the Artifacts section.
  • To learn about useful artifact fingerprints, take a look at the Fingerprints section.
  • To learn about various tools of the trade, head on over to the Tools section.

What's the best way to contribute to this project?

You are welcome to submit information about publicly known examples of investigations demonstrating novel or creative pivots (or anything else you've noticed is missing from this website). You can also review the "Future plans" section of this blog post for ideas on areas that require expansion or improvement. To contribute, you can either submit a pull request yourself or simply add an issue to the GitHub project (pull requests are preferred, but issues are welcome).

Where can I learn more about pivoting?

If you'd like to learn more about pivoting in cyber threat intelligence, be sure to check out the following resources:

Where can I learn more about offensive cyber operations?

If you'd like to learn more about how threat actors operate, the following books are an excellent place to start: