Hello World

Welcome to Pivot Atlas, a cyber threat intel pivoting handbook developed by Amitai Cohen. Please check out the main page to learn more.

This website is a work in progress, but it's reached the point where I feel ready to share it with others. I would very much appreciate any feedback on the implementation, structure and content. Feel free to DM me on Twitter if you'd like to chat about it, or simply create an issue in the GitHub project to submit ideas or special requests.

Pivot Atlas is built using Martin Donath's wonderful Material for MkDocs, and its design is inspired by Nick Frichette's Hacking the Cloud project, MITRE's D3FEND matrix, Joe Slowik's body of work on the science of pivoting, and John Lambert's evergreen encouragement for defenders to think in graphs.

UPDATE (2024-06-17): Special thanks to Noah McDonald, Rami McCarthy, Danielle Aminov and others for providing valuable early feedback to this project. Following their advice, I've made a few small structural changes, added more content, and also fixed several broken links.

Current status:

- Artifact section lists most basic pivots.
- Artifact section includes high-level descriptions of listed pivots.
- Artifact section includes explanations and descriptions of malicious use cases.
- Artifact section includes some real-world historic examples for certain pivots.
- Artifact section includes some "minimaps" for pivots showing detailed analysis flow.
- Artifact section includes some URL and API examples for certain pivots.
- Fingerprints page includes high-level descriptions of each fingerprint type.
- Map page includes full map of pivots mentioned elsewhere on the website.
- Impact page describes how to operationalize information about newly uncovered malicious infrastructure.
- Tips page provides guidelines on how to make the most of pivoting.
- Tool page includes high-level descriptions of each tool type.
- Tool page includes tool comparison table.

Future plans:

- Add more artifact types, including cloud-focused artifacts such as account IDs.
- Add more pivot types, especially sample-focused pivots such as registry keys, file names, etc.
- Incorporate threat actor behavior, habits, and patterns as artifacts and pivots (e.g., naming conventions).
- Add case study pages with real-world summaries of investigations, including corresponding pivot maps.
- Add call-outs to artifact pages with useful tips on how to make the most of each artifact.
- Clarify which tool type enables each pivot, with links to the relevant tool page section.
- Elaborate on fingerprint types (such as adding details about each JA4+ fingerprint).
- Add screenshots of commonly used platforms in the tools and artifacts sections.
- Add more real-world historic examples.
- Add more URL and API examples.
- Add more "minimaps".