Tools
Under Construction
This section lists various tools and platforms that enable pivoting. Each tool supports different types of pivots on different types of data, so analysts usually need to combine several tools to conduct a full-scale investigation. The comparison table below illustrates this: no single tool covers all types of pivots.
Overview
| | WHOIS | DNS Hist. | Hosts | Certs | URLs | Samples | Sandbox | Code Sim. | Code | Netflow | Enrich |
|---|---|---|---|---|---|---|---|---|---|---|---|
| DNSChecker | | | | | | | | | | | |
| MXToolBox | | | | | | | | | | | |
| Whoxy | | | | | | | | | | | |
| SecurityTrails | | | | | | | | | | | |
| DomainTools | | | | | | | | | | | |
| RiskIQ | | | | | | | | | | | |
| Driftnet | | | | | | | | | | | |
| Silent Push | | | | | | | | | | | |
| Spamhaus | | | | | | | | | | | |
| ZETAlytics | | | | | | | | | | | |
| Validin | | | | | | | | | | | |
| Shodan | | | | | | | | | | | |
| Censys | | | | | | | | | | | |
| BinaryEdge | | | | | | | | | | | |
| FOFA | | | | | | | | | | | |
| Hunt.io | | | | | | | | | | | |
| ZoomEye | | | | | | | | | | | |
| crt.sh | | | | | | | | | | | |
| URLScan | | | | | | | | | | | |
| PublicWWW | | | | | | | | | | | |
| Internet Archive | | | | | | | | | | | |
| VirusTotal | | | | | | | | | | | |
| MalShare | | | | | | | | | | | |
| MalwareBazaar | | | | | | | | | | | |
| HybridAnalysis | | | | | | | | | | | |
| any.run | | | | | | | | | | | |
| ThreatFox | | | | | | | | | | | |
| Intezer Analyse | | | | | | | | | | | |
| GitHub Search | | | | | | | | | | | |
| Team Cymru | | | | | | | | | | | |
| Cortex | | | | | | | | | | | |
| Yeti | | | | | | | | | | | |
| IntelOwl | | | | | | | | | | | |
| Vertex Synapse | | | | | | | | | | | |
| Maltego | | | | | | | | | | | |
Automation
Enrichment
Enrichment tools such as Yeti often serve a dual purpose of knowledge management and automatic querying of metadata about artifacts.
Certificate metadata
Registered certificates
Certificate transparency log aggregators such as crt.sh allow querying for metadata related to registered TLS certificates.
Observed certificates
Many host scanning tools also expose certificate metadata, collected directly from the servers that present those certificates rather than from transparency logs.
Source code scanners
Source code repositories such as GitHub allow querying for code snippets, which can be useful for identifying malware source code.
DNS data
WHOIS Lookup
[...]
DNS History / Passive DNS
[...]
Netflow aggregation
[...]
Host scanners
[...]
URL Scanners
[...]
Malware zoos
Sample repositories
[...]
Sandboxes
[...]
Code similarity scanners
[...]