This week we released an update to our PassiveTotal Maltego transform set, which takes advantage of our updated API and newly released proprietary data sets to provide our community with even more insight into suspicious and malicious infrastructure. With today’s release, PassiveTotal puts more than 100 transforms at our users finger tips, makings it easier than ever to harness the full power of our data within Maltego.
How Do I Get Them?
PassiveTotal transforms are available via the Paterva Transform Hub and hosted by our partner Malformity Labs. When you first open Maltego, you should see the Transform Hub similar to the image above. If not, click the Maltego circle in the top left corner, browse to "tools" and then "home".
Once installed, you should see a PassiveTotal section within your palette. When first running the transforms, you will be prompted to enter your username and API key. Your username is the email address you use when signing into PassiveTotal and you can find you API key in your account settings.
For organizations who manage their own transform distribution servers, PassiveTotal transforms are publicly available through our Github account. The transform set can be accessed and downloaded here.
We’ve updated the way users authenticate to our API from Maltego, adding in a username association alongside our API key. So next time you log into Maltego, ensure you update the available transforms in the Transform hub, and go into settings and add your PassiveTotal username to ensure easy future use of the transforms.
Improving the Fundamentals
The data you have always come to PassiveTotal for - aggregated passive DNS, is still at the center of our solution. Analysts can quickly get a holistic picture of historical resolution based on RiskIQ’s DNSIQ database, combined with access to partner repositories all in a single transform.
From here an analysts could quickly query PassiveTotal for all known subdomains of passivetotal.org. This reveals, 5 fully quallifed domains associated with passivetotal.org and immediately provides multiple additional avenues of research, in addition to the IP address leads.
If we want to know more about the PassiveTotal domain, we can pull in WHOIS information from the RiskIQ repository and find detailed registration information for passivetotal.org.
RiskIQ’s WHOIS repository is fully indexed, and our updated transform set provides analysts with the ability to conduct reverse WHOIS queries based off all of the facets above.
Similarly, we can use our multi-year repository of SSL certificates (passive SSL) in order to surface certificate leads associated to the various IP addresses we found from passive DNS. Within one-click, we are able to identify eight different SSL certificates, some with varying details not necessarily related to PassiveTotal giving us a glimpse into the previous use of the IPs.
Enrichment and Context
Context is key in quickly determining if an indicator of interest is suspicious. PassiveTotal’s updated transforms look to provide analysts even better context to entities in Maltego through our vast open source intelligence and malware association repository. Using PassiveTotal transforms, analysts can quickly identify malware hashes associated with an IOC in question or if an entity has been previously seen in public reporting, thereby making connecting the dots between attacks campaigns even easier and more straightforward.
New Sources of Data
While you can see we have taken some time to improve our previous set of transforms, we have also added a multitude of brand new transforms to take advantage of RiskIQ data sets within PassiveTotal. These new data sets open up even more opportunities to connect attack campaigns, surface new suspicious infrastructure, and better defend your network.
Host Attributes and Trackers
Last week we released a blog titled Surfacing Infrastructure with Trackers, which provided an introduction to our host attributes database and presented a great example of how this data could be used to surface suspicious entities in our UI. This week we are excited to introduce transforms that let our users access this data set in Maltego. As seen in the image below, we are able to associate three Google Analytics IDs and Trackers with passivetotal.org by using the [PT] Get Host Attribute Trackers transform.
From there analysts can continue to build out associations pivoting off of the tracker ID using the [PT] Search Trackers - Google Analytics transforms to use these codes to find other domains where they have been used, in this case we find blog.passivetotal.org and www.passivetotal.org
The ability to pivot off of tracking codes to surface suspicious or known bad entities has proven useful for both cybercrime and cyber espionage analysis.
In additional to host attributes, we have also added access to our web components data set, which allows analysts to query a domain for all known components that make up the webpage in question. As can be seen in the example below using passivetotal.org, analysts have access to a significant amount of data. A quick scan of the entities shows that PassiveTotal uses a handful of Google analytics and marketing add-ons, and is running Apache, using the Ubuntu operating system and multiple jQuery libraries.
While we can’t show off the full scope of our updated transform sets capabilities in a single blog post, I hope we have excited you enough to go take a look at the entire set for yourself. We are constantly searching for new and innovative ways to access and query our data set, so as you start to investigate new incidents using the updated transforms, if you think of any additional information or transforms that could aid in your investigation, send a message to firstname.lastname@example.org and let us know how we can help.