1、Steven HarrisFinding Threat Actor Infrastructure With SSL CertificatesOSINT Summit 2025 2025 SANS OSINT Summit2Steven HarrisCertified SANS Instructor for SEC497/SEC587 OSINT classes.Cyber Threat Analyst at Protection Group International:Previously a Detective specialising in Cyber CrimeWeb:www.nixin
2、tel.infoContact:linktr.ee/nixintelEmail:stevennixintel.info2025 SANS OSINT Summit3Roadmap1.SSL Certificates 1012.Attribution3.Finding Hidden Infrastructure4.Internet level hunting with ZGrab2 2025 SANS OSINT Summit4SSL Certificates 101SSL Certificates verify the identity of a website and allow encry
3、pted connections to be made to it using HTTPS.Every SSL certificate is unique.They are made public through certificate transparency logs.Sites like crt.sh provide an easy way to search through these logs.SSL certificates expire or they can be revoked,but they cant be altered after the fact.This mean
4、s we have a public ledger of unalterable,verified information about website relationships.OSINT gold!2025 SANS OSINT Summit5Case Study#1:AttributionSite owners need to verify that they own a particular domain before they can obtain a security certificate.Subject Alternative Name(SAN)certificates can
5、 cover multiple domains in a single certificate.This is a strong indicator of shared control/ownership.This means we can infer relationships about website ownership and control when we see multiple domains sharing the same certificate.2025 SANS OSINT Summit6Case Study#1:AttributionThe website dcweek
6、ly.org was launched in 2022.It was hosted on a Russian IP address and was used to spread false stories about US politicians and promote pro-Russian propaganda.What do the sites SSL certificates tell us about attribution?2025 SANS OSINT Summit7Case Study#1:DC WeeklyCrt.sh searches for dcweekly.org sh