mihari v2.3 releases: run OSINT queries & manage results continuously

by do son · Published October 1, 2019 · Updated April 17, 2021

mihari

Mihari is a helper to run queries & manage results continuously. Mihari can be used for C2, landing page and phishing hunting.

How it works

mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts from the query results.
mihari checks whether a TheHive instance contains the artifacts or not.
- If it doesn’t contain the artifacts:
  - mihari creates an alert with the artifacts on the TheHive instance.
  - mihari sends a notification to Slack. (Optional)
  - mihari creates an event on MISP. (Optional)

You can use mihari without TheHive. But note that mihari depends on TheHive to manage artifacts. It means mihari might make duplications when without TheHive.

Installation

gem install mihari

Or you can use this tool with Docker.

docker pull ninoseki/mihari

Use

mihari supports Censys, Shodan, Onyphe, urlscan, SecurityTrails, crt.sh and VirusTotal by default.

TheHive alert example

Slack notification example

MISP event example

Tutorial

mihari v2.3 releases: run OSINT queries & manage results continuously

Search

Suggested Reading