Map

The following Mermaid diagram shows all possible pivots between the various artifact types, as detailed in the smaller diagrams found throughout this website. A short explanation of how to read this map is available here (covering the meaning of dotted lines, dashed borders, and other design choices). Note that the list of pivots and artifacts displayed here isn't exhaustive, and it will grow and change as more content is added to this website. The diagram may take a few seconds to load in your browser if you're visiting for the first time.

flowchart LR
    classDef secondary stroke-dasharray: 5 5

    %% define nodes
    CODE([Code])
    DOMAIN(Domain)
    DOMAIN_(Domain):::secondary
    IP_ADDRESS(IP Address)
    IP_ADDRESS_(IP Address):::secondary
    SAMPLE(Sample)
    SAMPLE_(Sample):::secondary
    SERVER([Server / Client])
    SERVER_([Server / Client]):::secondary
    USER_AGENT(User Agent)
    USER_AGENT_(User Agent):::secondary
    TLS_CERT(TLS Certificate)
    TLS_CERT_(TLS Certificate):::secondary

    %% define edges
    DOMAIN -- forward DNS ---> IP_ADDRESS
    DOMAIN <-- DNS history ---> IP_ADDRESS
    DOMAIN <-- NS ---> DOMAIN_
    DOMAIN <-- reg. time ---> DOMAIN_
    DOMAIN <-- registrant ---> DOMAIN_
    DOMAIN <-- registrar ---> DOMAIN_
    DOMAIN <-- similar name ---> DOMAIN_
    DOMAIN <-- TLD ---> DOMAIN_
    DOMAIN <-- URL path ---> DOMAIN_
    TLS_CERT -- CN  ---> DOMAIN
    TLS_CERT -- served by  --> SERVER
    TLS_CERT_ <-- CA  --> TLS_CERT
    TLS_CERT_ <-- CN  --> TLS_CERT
    TLS_CERT_ <-- subject  --> TLS_CERT
    TLS_CERT_ <-- time ---> TLS_CERT
    IP_ADDRESS -- reverse DNS  ---> DOMAIN
    IP_ADDRESS -. hosts ..-> SERVER
    IP_ADDRESS <-- ASN ---> IP_ADDRESS_
    IP_ADDRESS <-- traffic ---> IP_ADDRESS_
    IP_ADDRESS <-- ports ---> IP_ADDRESS_
    IP_ADDRESS <-- WHOIS details  ---> IP_ADDRESS_
    IP_ADDRESS <-- WHOIS history  ---> IP_ADDRESS_
    USER_AGENT <-- similar  --> USER_AGENT_
    SERVER -- identifies as ---> USER_AGENT
    SERVER -- stores --> SAMPLE
    SERVER <-- banner  ---> SERVER_
    SERVER <-- content ---> SERVER_
    SERVER <-- favicon ---> SERVER_
    SERVER <-- fingerprint ---> SERVER_
    SERVER <-- URL path ---> SERVER_
    SAMPLE_ <-- behavior ---> SAMPLE
    SAMPLE_ <-- code similarity ---> SAMPLE
    SAMPLE -- communicates --> SERVER
    SAMPLE -- connects --> SERVER
    SAMPLE_ <-- hash  ---> SAMPLE
    SAMPLE -- identifies as ---> USER_AGENT
    SAMPLE -- queries ---> DOMAIN
    SAMPLE -- references  ---> DOMAIN
    SAMPLE -- references ---> IP_ADDRESS
    SAMPLE -- references --> USER_AGENT
    CODE -. compiles to ..-> SAMPLE

    %% define links
    click DOMAIN "/artifacts/domain/"
    click IP_ADDRESS "/artifacts/ip-address/"
    click SAMPLE "/artifacts/sample/"
    click TLS_CERT "/artifacts/tls-certificate/"
    click USER_AGENT "/artifacts/user-agent/"