Awesome
Mihari Maltego Transform
The following Maltego Transform can be used to query a local Mihari sqlite3 database to return the detection name (i.e., as stored within the alerts.title
column) associated with an IPv4 address. The transform runs entirely locally and does not require internet connectivity, and can be trivially updated to return other entity data by changing the SQL query within IPToC2.py
.
Installation
git clone
this directorypip install maltego-trx
(may requiresudo
dependant onsite-packages
permissions)- Edit
IPToC2.py
with the absolute path to yourmihari.db
Maltego Transform Configuration
- Go to Transforms -> New Local Transform...
- On the Local Transform Wizard prompt, update as follows:
- Display Name:
Mihari IP to C2
- Description:
Returns the detection name(s) associated with an IPv4 address
- Transform ID:
snkhan.mihari_IPtoC2
- Input entity type:
IPv4 Address
- Display Name:
- On the subsequent Command Line prompt, update as follows:
- Command: Absolute path to python3, use the output of
which python3
- Parameters:
project.py local IPToC2
- Working Directory: Set to (this) cloned directory
- Command: Absolute path to python3, use the output of
Usage
- Select one or multiple IPv4 addresses, or add one to the investigation via the Entity Palette.
- Right-click to summon the Run Transform dialogue, then select Local Transforms -> Mihari IP to C2.
- The Transform Output pane will show the status of the query, and a new Phrase entity type will be added to the investigation, together with an Observed Date annotation, if a match is found.
Note: Maltego does not add seperate Phrase entities with the same detection name but multiple created_at
values (i.e., multiple detections of the same rule, on the same host). The SQL query has been written such that it will always return the most recent observation date of a detection rule, in the event that multiple observations of the same alerts.title
exist.
I'd love to hear your thoughts and feedback. Feel free to say hello on Twitter @snkhan or via LinkedIn.
#cti #threatintelligence #threathunting #infrastructurehunting #mihari #maltego #linkanalysis