TLS Certificate
Under Construction
Overview
- Definition
An SSL/TLS certificate lets a system verify the identity of another system and establish an encrypted network connection with it using the SSL/TLS protocol. Certificates are commonly identified by their SHA-1 or SHA-256 fingerprint.
- Use case
Threat actors use certificates for the same purposes as legitimate operators, for example to encrypt the TLS communication between infected clients and their C&C servers.
- Example
cd4c0fe2cb8a00edf4e97a22f550e080a8732b1666c7a16dc01be4ac0ccb2244 is the SHA-1 hash of a certificate in use by google.com for a period of several weeks in 2024.
- Pivot Map
```mermaid
flowchart LR
    classDef secondary stroke-dasharray: 5 5
    %% define nodes
    DOMAIN(Domain)
    SERVER(Server)
    TLS_CERT(TLS Certificate)
    TLS_CERT_(TLS Certificate):::secondary
    %% define edges
    TLS_CERT -- served by --> SERVER
    TLS_CERT -- CN --> DOMAIN
    TLS_CERT <-- authority --> TLS_CERT_
    TLS_CERT <-- time --> TLS_CERT_
```
Pivots
Servers
Servers serving it
Lorem ipsum dolor sit amet, consectetur adipiscing elit. In pretium libero libero, at rutrum libero finibus id. In sit amet maximus dui, sed rhoncus lectus. Donec a neque facilisis lacus vestibulum convallis eu et nibh. Vivamus non viverra sapien. Cras scelerisque sem eget sem luctus pulvinar.
Try it out
TO DO
TO DO
TO DO
TO DO
Domains
Example
Embee Research analyzed certificate data related to a domain associated with MatanBuchus in order to surface additional domains using certificates with the same subdomains, certificate authority, and registration period.1
Domains matching its common name (CN)
TLS certificates contain many fields denoting registrant information, registrar information, and various "names" indicating which domain or subdomains the certificate applies to. Pivoting further on the domain listed in the common name (CN) field can lead to other certificates listing the same name or similar ones.
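The four edges of the pivot map (served by, CN, authority, time) implemented over constructed certificate records, as an added Python example that is not part of this page: fingerprints are hashed from the DER bytes as in the definition above, CN matching honours single-label wildcards, and shared issuer and overlapping validity windows give the authority and time edges. All records, issuer labels and server addresses are constructed placeholders; in practice the fields would be filled from a certificate parser such as the `cryptography` package.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Cert:
    der: bytes        # DER encoding; the SHA-1/SHA-256 fingerprint is the hash of exactly these bytes
    cn: str           # subject common name
    sans: tuple       # subjectAltName DNS entries
    issuer: str       # issuing authority (constructed label)
    not_before: date
    not_after: date
    servers: tuple    # hosts observed serving the certificate (constructed)
    def fingerprint(self, algo="sha256"):
        return hashlib.new(algo, self.der).hexdigest()  # 64 hex chars; 40 for "sha1"
    def names(self):
        return {self.cn, *self.sans}

def name_matches(pattern, host):
    # A certificate wildcard covers one label: *.example.test matches a.example.test only
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and fnmatchcase(host, pattern)
    return pattern == host

def cn_pivot(certs, ref):
    """CN edge: certificates naming one of ref's names, directly or through a wildcard."""
    return {c for c in certs if c is not ref and any(
        name_matches(p, h) or name_matches(h, p) for p in c.names() for h in ref.names())}

def authority_pivot(certs, ref):
    """Authority edge: certificates issued by the same CA as ref."""
    return {c for c in certs if c is not ref and c.issuer == ref.issuer}

def time_pivot(certs, ref):
    """Time edge: certificates whose validity window overlaps ref's."""
    return {c for c in certs if c is not ref and c.not_before <= ref.not_after and ref.not_before <= c.not_after}

def servers_pivot(certs, sha256_fp):
    """Served-by edge: hosts observed serving the certificate with this SHA-256 fingerprint."""
    return {s for c in certs if c.fingerprint() == sha256_fp for s in c.servers}

# Constructed records: DER bytes, names, issuer labels and addresses are all placeholders.
CERTS = (
    Cert(b"der-1", "mail.example.test", ("mail.example.test",), "CA-A", date(2024, 1, 1), date(2024, 3, 31), ("203.0.113.10",)),
    Cert(b"der-2", "*.example.test", ("*.example.test", "example.test"), "CA-A", date(2024, 2, 15), date(2024, 5, 15), ("203.0.113.10", "203.0.113.11")),
    Cert(b"der-3", "login.example.test", (), "CA-B", date(2024, 6, 1), date(2024, 9, 1), ("198.51.100.5",)),
    Cert(b"der-4", "other.test", ("other.test",), "CA-A", date(2024, 3, 1), date(2024, 4, 1), ("198.51.100.5",)),
)
```

Starting from `CERTS[0]`, the CN pivot surfaces only the wildcard certificate, while the authority and time pivots each also pull in the unrelated `other.test` certificate, which is why a single edge is rarely conclusive on its own.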
Try it out
TO DO
TO DO
TO DO
TO DO
Certificates
Certificates registered with the same authority
Lorem ipsum dolor sit amet, consectetur adipiscing elit. In pretium libero libero, at rutrum libero finibus id. In sit amet maximus dui, sed rhoncus lectus. Donec a neque facilisis lacus vestibulum convallis eu et nibh. Vivamus non viverra sapien. Cras scelerisque sem eget sem luctus pulvinar.
Try it out
TO DO
TO DO
TO DO
TO DO
Certificates registered in the same timeframe
Lorem ipsum dolor sit amet, consectetur adipiscing elit. In pretium libero libero, at rutrum libero finibus id. In sit amet maximus dui, sed rhoncus lectus. Donec a neque facilisis lacus vestibulum convallis eu et nibh. Vivamus non viverra sapien. Cras scelerisque sem eget sem luctus pulvinar.
Try it out
TO DO
TO DO
TO DO
TO DO