PIVEX - Pivot Across Every Artifact // H3AD-SEC

36 artifacts168+ pivots

◈

Select an artifact or click any node.

CROSS-PIVOT REFERENCE

FROM	TO	PURPOSE
NETIP	→Domain / FQDN	resolves_to — Passive DNS pivot
NETIP	→SSL Certificate	presents — Cert infra clustering
NETIP	→Net Session	communicates_with — Session pivot
NETDomain	→IP / FQDN / URL	resolves_to / parent_of / hosts
NETDomain	→SSL Certificate	uses — Cert-based infra link
NETURL	→File	delivers — Payload download chain
NETURL	→HTTP Request	requested_via — Request trace
NETNet Session	→IP / Domain	originates_from / queries
NETSSL Certificate	→Domain / IP	issued_to / used_by
NETJA3	→IP / Domain	observed_on / connects_to
NETUser Agent	→URL / Net Session	accesses / part_of
NETDNS Query	→Domain / IP / Host	queries / resolves_to / originates_from
NETNetwork Traffic	→IP / Net Session	involves / part_of — Traffic scope
NETASN	→IP / Domain	contains / resolves_to — Infra attribution
NETPort	→IP / Host / Service	open_on / exposes — Service fingerprint
EPTHash	→File	identifies — File artifact lookup
EPTHash	→URL / IP / Domain	downloaded_from / hosted_on / associated_with
EPTHash	→Process	executed_by — Execution chain
EPTFile	→Hash / Process	has_hash / executed_by
EPTFile	→Host / User	exists_on / owned_by
EPTFile Path	→File	points_to — On-disk lookup
EPTCommand Line	→Process	executed_by — LOLBin / cmdline trace
EPTEvent ID	→Process / Host	observed_on / part_of — Event context
EPTProcess	→Command Line	executed_with — LOLBin analysis
EPTProcess	→Registry	modifies — Persistence write
EPTProcess	→Sched. Task / Startup Item	creates — Persistence chain
EPTProcess	→Process	spawned_by / spawns — Tree walk
EPTProcess	→File / User / Host	runs / executed_as / runs_on
EPTShare	→Host / File / User	exists_on / contains / accessed_by
EPTHost	→Process / File / User	runs / stores / used_by
EPTHost	→Net Session	generates — Session scope
EPTVuln ID	→Host	affects — Affected asset scope
EPTService	→Process / Host / File	runs_as / runs_on / loads — Service chain
EPTMutex	→Process / Host / Hash	created_by / observed_on / associated_with
EPTNamed Pipe	→Process / Host	created_by / observed_on — IPC pivot
EPTDLL	→Process / Host / Hash	loaded_by / observed_on / has_hash
EPTProcess	→Net Session / IP	communicates_with — Network beacon pivot
IDNUser	→Host / Process	logs_into / executes
IDNUser	→IP / Cloud Resource	originates_from / accesses
IDNRDP Session	→Host / User	connects_to / initiated_by
IDNIdentity	→User	represents — Cloud identity map
EMLEmail	→Attachment / URL	contains — Phishing chain
EMLEmail	→Domain	originates_from — Sender pivot
EMLAttachment	→Hash	has_hash — Payload hash
CLDCloud Resource	→Identity / IP	owned_by / exposed_via

DATA SOURCE MAPPING

ARTIFACT TYPE	PRIMARY SOURCES
IP Address	Firewall · SIEM · NetFlow · Proxy · Shodan · AbuseIPDB
Domain	Passive DNS · Proxy logs · DNS server logs · RiskIQ · SecurityTrails
FQDN	DNS logs · Sysmon Event 22 · EDR · Proxy
URL	Proxy logs · Email Gateway · Browser history · EDR · Zeek
DNS Query	DNS logs · Sysmon Event 22 · EDR · Network tap
HTTP Request	Proxy · Zeek · Suricata · Firewall · Network sensor
SSL Cert / SSL Certificate	Censys · Shodan · crt.sh · JARM · Passive DNS
JA3 Hash	Network sensor · Zeek · Suricata · PCAP
User Agent	Proxy · Zeek · Firewall logs · SIEM
Net Traffic	NetFlow · PCAP · Zeek · Suricata · Firewall
Net Session	NetFlow · Firewall · Proxy · Zeek · EDR
ASN	WHOIS · BGP tables · Shodan · RIPEstat · ipinfo.io
Port	Shodan · Censys · Masscan · Nmap · Firewall logs
File Hash	EDR · AV · Sandbox · MalwareBazaar · VirusTotal
File	EDR · Sandbox · AV · MalwareBazaar · File system audit
File Path	EDR · Sysmon Event 11 · MFT · USN Journal · KAPE
Process	EDR · Sysmon Event 1 · WinEvent 4688 · Process Monitor
Command Line	EDR · Sysmon Event 1 · WinEvent 4688 · PowerShell ScriptBlock
Registry Key	Sysmon 12-14 · EDR · WinEvent 4657 · Autoruns · reg.exe
Scheduled Task	WinEvent 4698 · Task Scheduler logs · EDR · Autoruns
Startup Item	Autoruns · EDR · Sysmon · Registry audit · WinEvent 4688
Host	EDR · SIEM · AD · CMDB · Vuln Scanner
Network Share	WinEvent 5140/5145 · EDR · Sysmon · AD
Event ID	Windows Event Log · SIEM · Splunk · Elastic
Vuln ID (CVE)	NVD · CISA KEV · Tenable · Qualys · Shodan
Service	EDR · Sysmon Event 4 · WinEvent 7045 · SC.exe · Autoruns
Mutex	EDR · Sysmon Event 17/18 · Sandbox · Process Monitor
Named Pipe	EDR · Sysmon Event 17/18 · Process Monitor · PipeView
DLL	EDR · Sysmon Event 7 · PE analysis · VirusTotal · Sandbox
User	AD logs · IAM · Okta · SIEM · UEBA
Identity	Azure AD · AWS IAM · GCP SA · Okta · CloudTrail
RDP Session	WinEvent 4624/4778/4779 · EDR · NetFlow · Security Onion
Email	Email Gateway · O365 Message Trace · Proofpoint · Mimecast
Attachment	Email Gateway · Sandbox · AV · EDR · O365 ATP
Cloud Resource	CloudTrail · Azure Monitor · GCP Audit · GuardDuty

NODE LEGEND

NETWORK (14)

ENDPOINT (16)

IDENTITY (3)

EMAIL (2)

CLOUD (1)

Click chip or node → centers artifact, highlights next pivots · Click highlighted node → extends path · Breadcrumb tracks traversal