Home

Awesome

Mihari Maltego Transform

The following Maltego Transform can be used to query a local Mihari sqlite3 database to return the detection name (i.e., as stored within the alerts.title column) associated with an IPv4 address. The transform runs entirely locally and does not require internet connectivity, and can be trivially updated to return other entity data by changing the SQL query within IPToC2.py.

Installation

  1. git clone this directory
  2. pip install maltego-trx (may require sudo dependant on site-packages permissions)
  3. Edit IPToC2.py with the absolute path to your mihari.db

Maltego Transform Configuration

  1. Go to Transforms -> New Local Transform...
  2. On the Local Transform Wizard prompt, update as follows:
    • Display Name: Mihari IP to C2
    • Description: Returns the detection name(s) associated with an IPv4 address
    • Transform ID: snkhan.mihari_IPtoC2
    • Input entity type: IPv4 Address
  3. On the subsequent Command Line prompt, update as follows:
    • Command: Absolute path to python3, use the output of which python3
    • Parameters: project.py local IPToC2
    • Working Directory: Set to (this) cloned directory

Usage

  1. Select one or multiple IPv4 addresses, or add one to the investigation via the Entity Palette.
  2. Right-click to summon the Run Transform dialogue, then select Local Transforms -> Mihari IP to C2.
  3. The Transform Output pane will show the status of the query, and a new Phrase entity type will be added to the investigation, together with an Observed Date annotation, if a match is found.

Note: Maltego does not add seperate Phrase entities with the same detection name but multiple created_at values (i.e., multiple detections of the same rule, on the same host). The SQL query has been written such that it will always return the most recent observation date of a detection rule, in the event that multiple observations of the same alerts.title exist.


I'd love to hear your thoughts and feedback. Feel free to say hello on Twitter @snkhan or via LinkedIn.


#cti #threatintelligence #threathunting #infrastructurehunting #mihari #maltego #linkanalysis