Are you a threat researcher? Surely by now you’ve heard of PassiveTotal, created a FREE account, and discovered how super awesome it is. The project is created & run by masterminds @9bplus and @seginty and has undergone some rapid iterations. It’s already pretty fantastic and it’s only going to get better. Did I mention that it’s free? That’s free as in all you have to do is give back to get more dataz. Since this aligns with our goal of helping to make analysis faster and stronger for you all, we thought it was a great opportunity to host a useful community-focused transform set.
After adding the seed to your Maltego client (which will be pushed to all accounts), you’ll have access to transforms and it’ll also pull down a small configuration file. It’s worth noting that you’ll need a valid commercial license for Maltego since it’s a private transform server, but hey, the Paterva crew is pretty awesome and supporting them is never a bad thing. So now that that’s taken care of, let’s get to the good stuff!
As is expected, the primary entities the PassiveTotal transforms run on are Domains and IP Addresses. You can see the selection of transforms here, which are mirrored for IPs.
While most of the transforms are pretty self-explanatory, it’s useful to see what type of data is returned if it’s present in PassiveTotal. For instance, when we check to see if the domain us.mirefocus[.]com is present with ptCheckDomain, the following properties are returned to the entity:
Since we can see that the domain has an IP address associated with it, we can continue by pulling that information. If you have pDNS access via Farsight (and others in the future), you can link your API key to your PassiveTotal account to also pull that information at the same time. For the purposes of this demonstration, we haven’t done that, though they have donated 50 free queries for all accounts.
We can see that the results show that the IP isn’t a known sinkhole, that the data is present in three different sources, and where the IP is located. Pivoting off of the IP, we can quickly pull some additional domains from the data. From there, perhaps we already know the mirefocus domains are related to targeted activity. We can quickly classify them as such in PassiveTotal by selecting the ptClassifyTargetedDomain transform.
Similarly, perhaps we know that those domains are attributed to ERRPERRTERRR originating from China, and that the root mirefocus domain was serving up a Mirage RAT dropper. Those attributes are likely to make good tags within the system so we can use the ptTagDomain transform to automatically apply the tags. Submitting IPs & Domains, Tagging, and Classifying all count as contributions back to the system and will automatically increase your query limits as you do so.
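The domain-to-IP-to-co-hosted-domains pivot walked through above, plus the classify/tag contributions, written out as an added example. This is not PassiveTotal or Paterva code and does not call the PassiveTotal API: the records are a constructed in-memory passive-DNS set, the IPs are TEST-NET addresses, the source names are placeholders, and the function names are hypothetical stand-ins for the ptCheckDomain / ptCheckIP / ptClassifyTargetedDomain / ptTagDomain transforms.

```python
from collections import defaultdict

# Constructed sample passive-DNS records: (domain, ip, source).
# The domain names echo the post; the IPs are TEST-NET addresses and the
# source names are placeholders. None of this is real PassiveTotal data.
RESOLUTIONS = [
    ("us.mirefocus.com", "203.0.113.10", "source-a"),
    ("us.mirefocus.com", "203.0.113.10", "source-b"),
    ("us.mirefocus.com", "203.0.113.10", "source-c"),
    ("mirefocus.com", "203.0.113.10", "source-a"),
    ("cdn.mirefocus.com", "203.0.113.10", "source-b"),
    ("sinkholed.example", "198.51.100.5", "source-a"),
    ("us.mirefocus.com", "198.51.100.5", "source-a"),
]
# Constructed list of addresses known to be sinkholes (hypothetical).
SINKHOLES = {"198.51.100.5"}


def check_domain(domain):
    """Stand-in for ptCheckDomain: map each IP the domain resolved to
    onto the number of distinct sources that observed that resolution."""
    sources = defaultdict(set)
    for d, ip, src in RESOLUTIONS:
        if d == domain:
            sources[ip].add(src)
    return {ip: len(s) for ip, s in sources.items()}


def check_ip(ip):
    """Stand-in for ptCheckIP: sinkhole flag plus every domain seen
    resolving to the address."""
    domains = sorted({d for d, i, _ in RESOLUTIONS if i == ip})
    return {"sinkhole": ip in SINKHOLES, "domains": domains}


class Workspace:
    """Tracks classifications and tags; each submission counts as a
    contribution, mirroring how the post says query limits grow."""

    def __init__(self):
        self.classifications = {}
        self.tags = defaultdict(set)
        self.contributions = 0

    def classify(self, domain, label):
        self.classifications[domain] = label
        self.contributions += 1

    def tag(self, domain, *labels):
        self.tags[domain].update(labels)
        self.contributions += 1


def pivot(seed, min_sources=2):
    """Domain -> IPs -> co-hosted domains. Sinkholed addresses and
    resolutions attested by too few sources are skipped so the analyst
    does not pivot through noise (shared sinkholes drag in unrelated
    domains)."""
    related = set()
    for ip, n_sources in check_domain(seed).items():
        info = check_ip(ip)
        if info["sinkhole"] or n_sources < min_sources:
            continue
        related.update(d for d in info["domains"] if d != seed)
    return sorted(related)


if __name__ == "__main__":
    ws = Workspace()
    hits = pivot("us.mirefocus.com")
    for d in ["us.mirefocus.com"] + hits:
        ws.classify(d, "targeted")
        ws.tag(d, "China", "Mirage RAT")
    print(hits, ws.contributions)
```

The sinkhole check is the step worth keeping when you reproduce this against real data: an IP that many sinkholed domains resolve to is exactly the kind of node that makes a Maltego graph explode with unrelated entities.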
This is a good representation of the type of quick analysis available via data in the PassiveTotal system. The GUI provides even more functionality such as activity timelines, resolution geo-maps, and recent activity. The system itself is quite powerful and the Maltego functionality allows for some quick analysis. Combining PassiveTotal with other available data sets allows an analyst to quickly expand the scope of the work even wider, as we can see with the resulting graph below.