Advanced — Lesson 28 of 10

Advanced OSINT & Infrastructure Tracking


Tracking adversary infrastructure is one of the most impactful capabilities a CTI analyst can develop. While IOCs like IP addresses and domains are inherently perishable, the patterns behind how threat actors build and manage their infrastructure are far more durable. This lesson covers advanced OSINT techniques for discovering, fingerprinting, and tracking adversary infrastructure over time using passive methods that minimize your operational footprint.

Learning Objectives

  • Use passive DNS data and certificate transparency logs to pivot across adversary infrastructure
  • Apply TLS fingerprinting techniques (JARM, JA3/JA3S) to identify malicious servers
  • Understand adversary infrastructure techniques including DGAs, fast flux, and bulletproof hosting
  • Conduct infrastructure discovery using Shodan, Censys, and similar platforms
  • Maintain operational security while performing infrastructure tracking

DNS Fundamentals for Analysts

Before diving into advanced techniques, analysts must understand the DNS record types that matter most during investigations.

Record Type | Purpose                                   | Intelligence Value
------------+-------------------------------------------+-------------------------------------------------------------
A           | Maps domain to IPv4 address               | Core pivot point for infrastructure mapping
AAAA        | Maps domain to IPv6 address               | Often overlooked; can reveal additional infrastructure
MX          | Mail server for the domain                | Identifies mail infrastructure; phishing campaign links
TXT         | Arbitrary text (SPF, DKIM, verification)  | Can reveal hosting providers and services in use
NS          | Authoritative nameserver                  | Clusters infrastructure by shared DNS providers
CNAME       | Alias pointing to another domain          | Reveals relationships between domains
SOA         | Start of Authority with admin email       | Admin contact can be a pivot point

Passive DNS Analysis and Pivoting

Passive DNS (pDNS) collects DNS resolution data from sensors distributed across the internet, building a historical record of which domains resolved to which IP addresses and when. Unlike active DNS queries, pDNS lets you look backward in time.

Key Passive DNS Sources

  • DNSDB (Farsight Security/DomainTools): The largest commercial pDNS database, with billions of records dating back over a decade
  • VirusTotal: Stores DNS resolutions observed through its scanning infrastructure
  • RiskIQ/Microsoft Defender TI: Combines pDNS with web crawling data
  • SecurityTrails: Historical DNS data with an accessible API
  • CIRCL Passive DNS: A free service operated by CIRCL (Computer Incident Response Center Luxembourg)

Pivoting Techniques

The power of pDNS lies in pivoting — starting from one indicator and discovering related infrastructure.

IP-to-Domain Pivot: Given a known malicious IP, query pDNS to find all domains that have ever resolved to it. Threat actors frequently park multiple domains on the same server.

Domain-to-IP History: Track how a domain's resolution has changed over time. A domain that suddenly moves to a new IP after being reported may indicate the actor is rotating infrastructure.

Shared Infrastructure Clustering: When you find two domains resolving to the same IP during the same time window, investigate whether they share other characteristics (registration patterns, content, TLS certificates). This can reveal campaign infrastructure that hasn't been reported yet.

Key Concept: The most valuable pDNS pivots come from time-bounded queries. An IP address that hosted a malicious domain three years ago and now hosts a legitimate CDN is not a useful connection. Always consider the temporal dimension.
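The three pivots above, with the time-bounded filtering the Key Concept calls for, as an added example (not part of the lesson and not any pDNS vendor's code). It assumes the (rrname, rrtype, rdata, first_seen, last_seen) record shape most pDNS APIs return; the records themselves are constructed, and the two stale rows show why the window matters.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS records (made up for this example, not from any pDNS
# provider). Each row is (rrname, rrtype, rdata, first_seen, last_seen), which is
# the shape most pDNS APIs return; dates are ISO strings.
PDNS_RECORDS = [
    ("bad-update.example",   "A", "203.0.113.10", "2024-01-05", "2024-02-20"),
    ("bad-update.example",   "A", "198.51.100.7", "2024-02-21", "2024-03-30"),
    ("login-portal.example", "A", "203.0.113.10", "2024-01-10", "2024-02-15"),
    ("cdn-legit.example",    "A", "203.0.113.10", "2021-03-01", "2021-06-01"),
    ("mail-relay.example",   "A", "198.51.100.7", "2024-03-01", "2024-04-01"),
    ("old-thing.example",    "A", "198.51.100.7", "2019-01-01", "2019-02-01"),
]


def _d(s):
    return date.fromisoformat(s)


def ip_to_domains(records, ip, window=None):
    """IP-to-domain pivot: every domain that resolved to `ip`. With a
    window=(start, end) only records observed inside that interval count, which
    is what keeps a 2021 CDN tenant out of a 2024 investigation."""
    hits = set()
    for name, rtype, rdata, first, last in records:
        if rtype != "A" or rdata != ip:
            continue
        if window and (_d(last) < _d(window[0]) or _d(first) > _d(window[1])):
            continue
        hits.add(name)
    return sorted(hits)


def domain_history(records, domain):
    """Domain-to-IP history ordered by first_seen: (first_seen, last_seen, ip)."""
    return sorted((first, last, rdata) for name, rtype, rdata, first, last in records
                  if name == domain and rtype == "A")


def overlap_days(a_first, a_last, b_first, b_last):
    """Number of days two observation intervals overlap (0 if disjoint)."""
    start = max(_d(a_first), _d(b_first))
    end = min(_d(a_last), _d(b_last))
    return max(0, (end - start).days)


def co_hosted_domains(records, domain, min_overlap_days=1):
    """Shared-infrastructure clustering: domains that sat on one of `domain`'s
    IPs during the same time window. Returns {other_domain: {ip: days}}."""
    by_ip = defaultdict(list)
    for name, rtype, rdata, first, last in records:
        if rtype == "A":
            by_ip[rdata].append((name, first, last))
    result = defaultdict(dict)
    for first, last, ip in domain_history(records, domain):
        for other, o_first, o_last in by_ip[ip]:
            if other == domain:
                continue
            days = overlap_days(first, last, o_first, o_last)
            if days >= min_overlap_days:
                result[other][ip] = days
    return dict(result)


if __name__ == "__main__":
    print(ip_to_domains(PDNS_RECORDS, "203.0.113.10"))
    print(ip_to_domains(PDNS_RECORDS, "203.0.113.10", window=("2024-01-01", "2024-12-31")))
    print(co_hosted_domains(PDNS_RECORDS, "bad-update.example"))
```

Without the window, the IP pivot returns the 2021 CDN tenant alongside the two 2024 domains; the clustering function ignores it automatically because it requires overlapping observation intervals rather than mere co-occurrence on an IP.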

Certificate Transparency Logs

Certificate Transparency (CT) is a framework (RFC 6962) that requires Certificate Authorities to publicly log every TLS certificate they issue. These logs are append-only and publicly searchable.

Using crt.sh

The most accessible CT log search tool is crt.sh, operated by Sectigo. Analysts can search by:

  • Domain name: Find all certificates ever issued for a domain or its subdomains
  • Organization name: Find certificates issued to a specific organization
  • Wildcard searches: Use %.example.com to find all subdomain certificates

Intelligence Applications

  • Subdomain discovery: CT logs reveal subdomains that may not appear in DNS brute-forcing, including internal-facing services that obtained public certificates
  • Pre-registration detection: Threat actors who register lookalike domains (typosquatting) and obtain certificates can be detected before they launch phishing campaigns
  • Infrastructure timeline: Certificate issuance dates help establish when infrastructure was being prepared
  • Shared certificates: Multiple domains on a single SAN (Subject Alternative Name) certificate reveal infrastructure relationships
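The first, second and fourth applications above (subdomain discovery, lookalike detection and shared-SAN clustering) as an added example; this is not the lesson's code and not crt.sh's. It assumes the JSON shape crt.sh returns as I recall it (one object per log entry, SANs newline-separated in a "name_value" field, issuance in "not_before"); the entries, the monitored brand "example-bank.test" and the two-label registrable-domain shortcut are constructed simplifications.

```python
import json
from datetime import datetime

# Constructed entries in the shape crt.sh's JSON output uses (assumed: one object
# per log entry, SANs newline-separated in "name_value"). The data is made up.
CRT_SH_JSON = json.dumps([
    {"id": 1, "common_name": "www.example-bank.test",
     "name_value": "www.example-bank.test\nexample-bank.test",
     "not_before": "2023-11-02T09:14:00", "issuer_name": "C=US, O=CA One"},
    {"id": 2, "common_name": "vpn.example-bank.test", "name_value": "vpn.example-bank.test",
     "not_before": "2024-01-15T12:00:00", "issuer_name": "C=US, O=CA One"},
    {"id": 3, "common_name": "login.examp1e-bank.test",
     "name_value": "login.examp1e-bank.test\nsecure.examp1e-bank.test\nupdate-portal.test",
     "not_before": "2024-03-03T01:22:00", "issuer_name": "C=US, O=CA Two"},
    {"id": 4, "common_name": "*.example-bank.test", "name_value": "*.example-bank.test",
     "not_before": "2024-02-01T08:00:00", "issuer_name": "C=US, O=CA One"},
])


def parse_entries(raw):
    out = []
    for e in json.loads(raw):
        names = sorted({n.strip().lower() for n in e["name_value"].split("\n") if n.strip()})
        out.append({"id": e["id"], "names": names, "issuer": e["issuer_name"],
                    "not_before": datetime.fromisoformat(e["not_before"])})
    return out


def subdomains_of(entries, apex):
    """Subdomain discovery: hostnames under `apex` (wildcards stripped to the
    apex), each with the earliest certificate issuance seen for it."""
    seen = {}
    for e in entries:
        for n in e["names"]:
            host = n[2:] if n.startswith("*.") else n
            if host == apex or host.endswith("." + apex):
                seen[host] = min(seen.get(host, e["not_before"]), e["not_before"])
    return dict(sorted(seen.items()))


def registrable(name):
    # Simplification: last two labels. Fine for the constructed .test names;
    # use a public-suffix list for real TLDs such as co.uk.
    parts = name.lstrip("*.").split(".")
    return ".".join(parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquats of the monitored brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_certs(entries, brand_apex, max_distance=2):
    """Pre-registration detection: certificates whose SANs include a registrable
    domain within `max_distance` edits of the brand apex (but not the apex itself)."""
    hits = []
    for e in entries:
        doms = {registrable(n) for n in e["names"]}
        close = sorted(d for d in doms
                       if d != brand_apex and edit_distance(d, brand_apex) <= max_distance)
        if close:
            hits.append({"id": e["id"], "lookalikes": close,
                         "not_before": e["not_before"], "all_sans": e["names"]})
    return hits


def shared_san_clusters(entries):
    """Shared certificates: entries whose SANs span more than one registrable
    domain, i.e. domains an operator chose to serve from one certificate."""
    out = {}
    for e in entries:
        doms = sorted({registrable(n) for n in e["names"]})
        if len(doms) > 1:
            out[e["id"]] = doms
    return out
```

A monitoring job would run the lookalike check on each new batch of entries for your brand's name and alert on a hit; entry 3 in the sample data trips it one character away from the real apex, and its SAN list also ties the lookalike to a second, unrelated-looking domain.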

WHOIS History and Pivoting

Current WHOIS data has become less useful since GDPR-driven redaction became widespread in 2018. However, historical WHOIS data remains a goldmine.

Useful Pivot Fields

  • Registrant email: Even if now redacted, historical records may show the email used to register multiple domains
  • Registrant organization/name: Clusters domains by the same entity
  • Nameservers: Shared nameservers can indicate common infrastructure management
  • Registration and expiration dates: Bulk registrations on the same date suggest campaign preparation
  • Registrar: Some threat actors consistently use specific registrars or resellers

Services like DomainTools, WhoisXML API, and SecurityTrails maintain historical WHOIS databases that preserve data from before GDPR redaction.

TLS Fingerprinting

TLS fingerprinting identifies servers and clients based on the specific parameters they use during the TLS handshake, rather than the content of their communications.

JA3 and JA3S

Developed by Salesforce engineers John Althouse, Jeff Atkinson, and Josh Atkins in 2017, JA3 creates an MD5 hash from specific fields in the TLS Client Hello message: TLS version, accepted ciphers, extensions list, elliptic curves, and elliptic curve point formats. JA3S does the same for the Server Hello response.

  • JA3 (client fingerprint): Identifies malware families, tools, and applications regardless of the destination IP or domain
  • JA3S (server fingerprint): Identifies server configurations that persist even when IPs and domains change

The combination of JA3 + JA3S is particularly powerful because the same client talking to the same server type will produce a consistent pair.
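How the JA3 and JA3S strings are assembled from the handshake fields, as an added example; this is not the lesson's code and not Salesforce's reference implementation. The Client Hello and Server Hello field values are constructed (in decimal, as a JA3-aware sensor would extract them), and the second hello shows that GREASE values, which change per connection, are dropped so the fingerprint stays stable.

```python
import hashlib

# GREASE values (RFC 8701) are randomised per connection; JA3 drops them so the
# fingerprint stays stable across connections from the same client.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _join(values):
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats,
    each list joined with '-' in the order the Client Hello presented them."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    return hashlib.md5(ja3_string(version, ciphers, extensions,
                                  curves, point_formats).encode()).hexdigest()


def ja3s_string(version, cipher, extensions):
    """JA3S uses the Server Hello: version, the single chosen cipher, extensions."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def ja3s_hash(version, cipher, extensions):
    return hashlib.md5(ja3s_string(version, cipher, extensions).encode()).hexdigest()


def session_pair(client, server):
    """JA3 + JA3S as one tuple: the pair is what persists when IPs and domains rotate."""
    return ja3_hash(**client), ja3s_hash(**server)


# Constructed Client Hello field values; the 0x?a?a entries are GREASE placeholders.
CLIENT_HELLO = dict(
    version=771,                       # TLS 1.2 handshake version
    ciphers=[0x1a1a, 4865, 4866, 4867, 49195, 49199, 52393, 52392],
    extensions=[0x2a2a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 0x3a3a, 21],
    curves=[0x4a4a, 29, 23, 24],
    point_formats=[0],
)

# The same client on a later connection: only the GREASE values changed.
CLIENT_HELLO_REGREASED = dict(
    CLIENT_HELLO,
    ciphers=[0x7a7a, 4865, 4866, 4867, 49195, 49199, 52393, 52392],
    extensions=[0xcaca, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 0xdada, 21],
    curves=[0x5a5a, 29, 23, 24],
)

# Constructed Server Hello for the same session.
SERVER_HELLO = dict(version=771, cipher=49199, extensions=[65281, 0, 11])

if __name__ == "__main__":
    print(ja3_string(**CLIENT_HELLO))
    print(session_pair(CLIENT_HELLO, SERVER_HELLO))
```

In a sensor you would key detections on the (JA3, JA3S) tuple returned by session_pair rather than on either half alone, since a common client library talking to an unusual server configuration is often more telling than the client fingerprint by itself.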

JARM

JARM, developed by Salesforce in 2020, actively fingerprints TLS servers by sending 10 specially crafted TLS Client Hello packets and hashing the responses. The resulting JARM hash characterizes the server's TLS configuration.

Intelligence applications of JARM:

  • Cobalt Strike team servers have known JARM hashes that differ from legitimate web servers
  • C2 frameworks (Metasploit, Covenant, Sliver, PoshC2) each produce characteristic JARM signatures
  • Tracking a specific JARM hash across Shodan or Censys can reveal additional C2 servers

Important: JARM is an active technique — you are sending packets to the target server. Use it judiciously and understand the OPSEC implications.

Adversary Infrastructure Techniques

Domain Generation Algorithms (DGAs)

DGAs are algorithms embedded in malware that generate a large number of pseudo-random domain names. The malware attempts to resolve these domains; the attacker only needs to register a few to establish C2 communication. Notable DGA-using malware families include Conficker, CryptoLocker, and Necurs.

Detection approaches: Statistical analysis of domain name characteristics (entropy, consonant-to-vowel ratios, n-gram frequency), NXDomain response volume from a single host, and machine learning classifiers trained on known DGA output.

Fast Flux Networks

Fast flux rapidly rotates the IP addresses associated with a domain, using compromised hosts as proxies. Single-flux changes A records frequently (TTLs of 60-300 seconds across dozens of IPs). Double-flux also rotates the NS records, making takedown significantly harder.

Detection indicators: Extremely low TTL values, large number of A records, geographic diversity of resolved IPs, and IPs belonging to residential ISP ranges (indicating compromised home machines).
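The detection approaches from the DGA section (lexical statistics and NXDOMAIN volume per host) and the single-flux indicators listed just above, implemented together as one added example; this is not the lesson's code. The resolver log lines, the answer sets and the scoring thresholds are constructed, and the thresholds in particular are assumptions to calibrate on your own data.

```python
import math
from collections import Counter

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits per character of `s`."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def second_level_label(domain):
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lexical_features(domain):
    label = second_level_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowels = sum(1 for c in letters if c in VOWELS)
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "consonant_vowel_ratio": round((len(letters) - vowels) / max(vowels, 1), 2),
    }


def dga_score(domain, entropy_max=3.5, cv_ratio_max=3.0, length_max=15):
    """0..3: one point per lexical indicator tripped. Thresholds are illustrative
    assumptions; calibrate them on benign and known-DGA corpora before use."""
    f = lexical_features(domain)
    return (int(f["entropy"] > entropy_max)
            + int(f["consonant_vowel_ratio"] > cv_ratio_max)
            + int(f["length"] > length_max))


def nxdomain_counts(log_lines):
    """NXDOMAIN volume per client from resolver log lines of the (constructed)
    form '<client_ip> <qname> <rcode>'. A host producing hundreds of NXDOMAINs
    per hour is the classic DGA symptom."""
    counts = Counter()
    for line in log_lines:
        client, _qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            counts[client] += 1
    return dict(counts)


def fast_flux_indicators(answers, ttl_max=300, min_ips=10):
    """`answers`: list of (ttl, [ipv4 addresses]) answer sets observed for one
    domain over time. Returns the single-flux indicators: low TTLs, many distinct
    A records, and how many /24 networks they span."""
    ips = {ip for _ttl, rr in answers for ip in rr}
    prefixes = {".".join(ip.split(".")[:3]) for ip in ips}
    return {
        "distinct_ips": len(ips),
        "max_ttl": max(ttl for ttl, _ in answers),
        "low_ttl": all(ttl <= ttl_max for ttl, _ in answers),
        "many_ips": len(ips) >= min_ips,
        "distinct_slash24s": len(prefixes),
    }


# Constructed sample data, not from any real campaign.
RESOLVER_LOG = [
    "10.0.0.5 xkqvzpwrtnmblsdf.net NXDOMAIN",
    "10.0.0.5 qwplmzxcvbnjhgfd.com NXDOMAIN",
    "10.0.0.5 zxcvbqwertplkjhg.org NXDOMAIN",
    "10.0.0.5 example.com NOERROR",
    "10.0.0.9 example.org NOERROR",
    "10.0.0.9 typo-domain.test NXDOMAIN",
]
FLUX_ANSWERS = [
    (60, ["192.0.2.10", "198.51.100.20", "203.0.113.30", "192.0.2.40"]),
    (60, ["198.51.100.50", "203.0.113.60", "192.0.2.70", "198.51.100.80"]),
    (120, ["203.0.113.90", "192.0.2.100", "198.51.100.110", "203.0.113.120"]),
]
```

The lexical score is deliberately a count of tripped indicators rather than a trained classifier: it is the kind of cheap first-pass filter that feeds a machine-learning model or an analyst queue, and the per-client NXDOMAIN count is the behavioural corroboration that separates a DGA host from a single odd-looking domain. The prefix count stands in for the ASN and geographic diversity checks, which need an external IP-to-ASN dataset.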

Bulletproof Hosting

Bulletproof hosting providers intentionally ignore or are slow to respond to abuse complaints. They often operate in jurisdictions with limited law enforcement cooperation. Historically notable providers include the Russian Business Network (RBN) and McColo (taken down in 2008, which temporarily reduced global spam by 50-75%).

Analysts should maintain awareness of known bulletproof hosting ASNs and monitor for infrastructure appearing in those ranges.

Infrastructure Discovery with Search Engines

Shodan

Shodan indexes internet-connected devices by scanning common ports and collecting banners, headers, TLS certificates, and other metadata. Useful queries for CTI:

  • Search by SSL certificate hash to find all servers using the same cert
  • Search by HTTP response headers or page content unique to a C2 framework
  • Search by JARM hash to find servers with matching TLS configurations
  • Filter by ASN, country, or port to narrow results

Censys

Censys provides similar capabilities with a focus on structured certificate and host data. Its certificate search is particularly strong for pivoting from one certificate to related infrastructure.

ZoomEye

ZoomEye, operated by Knownsec, provides similar internet scanning capabilities with strong coverage of Chinese IP space and additional web application fingerprinting.

Building Infrastructure Timelines

An infrastructure timeline documents when each component (domain registration, DNS changes, certificate issuance, server deployment) was observed. This reveals:

  • Preparation patterns: How far in advance actors set up infrastructure before operations
  • Operational tempo: How frequently infrastructure rotates
  • Reuse patterns: Whether actors recycle infrastructure across campaigns
  • Attribution links: Shared infrastructure between seemingly unrelated campaigns

Structure your timeline with dates, the infrastructure element, the data source, and any connections to other elements.
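A timeline structured with exactly those four fields (date, element, source, connections) plus a campaign label, as an added example that is not part of the lesson. The observations are constructed for a fictional campaign, and the three analysis functions compute the preparation lead time, rotation tempo and cross-campaign reuse the section describes.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass(order=True)
class Event:
    when: date
    element: str          # the infrastructure element (domain, IP, cert, server)
    observation: str      # what was seen
    source: str           # where it came from (WHOIS, CT log, pDNS, sensor, ...)
    campaign: str = ""    # campaign label, if known
    linked_to: tuple = field(default_factory=tuple, compare=False)  # connected elements


def event(when, element, observation, source, campaign="", linked_to=()):
    return Event(date.fromisoformat(when), element, observation, source, campaign, tuple(linked_to))


# Constructed observations for a fictional campaign; none of these are real indicators.
EVENTS = [
    event("2024-01-22", "bad-update.example", "first A record 203.0.113.10", "pDNS", "camp-A", ["203.0.113.10"]),
    event("2024-01-03", "bad-update.example", "domain registered", "WHOIS history", "camp-A"),
    event("2024-01-20", "bad-update.example", "certificate issued (SAN: bad-update.example)", "CT log", "camp-A"),
    event("2024-02-10", "bad-update.example", "phishing email observed", "mail gateway", "camp-A"),
    event("2024-02-21", "bad-update.example", "A record moved to 198.51.100.7", "pDNS", "camp-A", ["198.51.100.7"]),
    event("2024-03-12", "bad-update.example", "A record moved to 192.0.2.44", "pDNS", "camp-A", ["192.0.2.44"]),
    event("2024-05-02", "news-portal.example", "first A record 198.51.100.7", "pDNS", "camp-B", ["198.51.100.7"]),
]


def timeline(events):
    return sorted(events)


def preparation_lead_days(events, element, setup_source="WHOIS history", use_source="mail gateway"):
    """Preparation pattern: days between the earliest setup observation and the
    first observed operational use of `element`."""
    setup = min(e.when for e in events if e.element == element and e.source == setup_source)
    use = min(e.when for e in events if e.element == element and e.source == use_source)
    return (use - setup).days


def rotation_intervals(events, element, source="pDNS"):
    """Operational tempo: days between successive DNS changes of `element`."""
    dates = sorted(e.when for e in events if e.element == element and e.source == source)
    return [(b - a).days for a, b in zip(dates, dates[1:])]


def reused_elements(events):
    """Reuse and attribution links: linked elements (IPs here) seen in more than one campaign."""
    seen = {}
    for e in events:
        for linked in e.linked_to:
            seen.setdefault(linked, set()).add(e.campaign)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def render(events):
    """One line per event: date | element | source | observation | links."""
    return "\n".join(
        f"{e.when.isoformat()} | {e.element} | {e.source} | {e.observation}"
        + (f" | links: {', '.join(e.linked_to)}" if e.linked_to else "")
        for e in timeline(events))


if __name__ == "__main__":
    print(render(EVENTS))
    print("lead time (days):", preparation_lead_days(EVENTS, "bad-update.example"))
    print("rotation intervals:", rotation_intervals(EVENTS, "bad-update.example"))
    print("reused:", reused_elements(EVENTS))
```

Recording the source for every row is what lets you weigh the timeline later: a WHOIS-history date and a CT issuance date are independent evidence of preparation, whereas two pDNS rows from the same provider are one source seen twice.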

Operational Security for Analysts

When investigating adversary infrastructure, your activities can be detected:

  • DNS queries: Active lookups of adversary domains may be logged if the actor controls the authoritative nameserver. Use passive DNS instead of direct resolution.
  • Web requests: Visiting adversary-controlled domains exposes your IP, browser fingerprint, and may trigger alerts. Use isolated VMs, VPNs/Tor, and automated tools rather than browsers.
  • Scan detection: Active scanning (including JARM) is visible to the target. Prefer passive data from Shodan/Censys when possible.
  • Search engine artifacts: Some search platforms log queries. Be aware of your organization's acceptable use policies.

Best Practice: Establish a dedicated research environment — a separate VM with a clean browser profile, routing through a VPN or Tor — for any direct interaction with adversary infrastructure. Never use your corporate network directly.

Key Takeaways

  • Passive DNS enables backward-looking analysis and infrastructure pivoting without alerting adversaries
  • Certificate transparency logs are an underutilized resource for subdomain discovery and pre-attack detection
  • TLS fingerprinting (JA3/JA3S, JARM) provides network-level signatures that persist across IP and domain changes
  • DGAs, fast flux, and bulletproof hosting are adversary techniques designed to make infrastructure tracking harder — understanding them is essential for effective analysis
  • Infrastructure timelines reveal operational patterns more durable than individual IOCs
  • Operational security must be a deliberate consideration during every infrastructure investigation

Practical Exercise

Scenario: You have received a report that the domain suspicious-update[.]com (fictional) is associated with a phishing campaign targeting your organization.

Using only free, publicly available tools, perform the following:

  1. Certificate search: Go to crt.sh and search for any real domain of your choosing to practice. Note the subdomains revealed, certificate issuance dates, and SANs.
  2. Passive DNS exploration: Use VirusTotal's free tier to look up a known domain and examine its DNS resolution history. Note how many IPs it has resolved to over time.
  3. Shodan reconnaissance: Search Shodan (free account) for a common C2 framework signature, such as the default Cobalt Strike HTTP response. Observe how many results appear and their geographic distribution.
  4. Build a mini-timeline: Using the data gathered, create a simple timeline document showing when each infrastructure element was first observed.
  5. OPSEC review: Document what traces your research activities left (DNS queries, web requests, API calls) and how you could reduce your footprint next time.

Further Reading

  • Cimpanu, C. — "Passive DNS Replication" (Farsight Security / FIRST.org documentation on passive DNS collection and analysis)
  • RFC 6962 — "Certificate Transparency" (the specification underlying CT log infrastructure)
  • Althouse, J., Atkinson, J., Atkins, J. — "JA3: SSL/TLS Client Fingerprinting for Malware Detection" (Salesforce Engineering, 2017)
  • JARM documentation — Salesforce GitHub repository (github.com/salesforce/jarm)