
TLS Certificate

Under Construction

Overview

  • Definition

    An SSL/TLS certificate allows a system to verify the identity of another system and to establish an encrypted network connection with it using the SSL/TLS protocol. Certificates are commonly identified by their SHA-1 or SHA-256 fingerprint.

  • Use case

    Threat actors use these certificates much as legitimate operators do, for example to enable encrypted TLS communication between infected clients and C&C servers.

  • Pivot Map

    ```mermaid
    flowchart LR
        classDef secondary stroke-dasharray: 5 5

        %% define nodes
        DOMAIN(Domain)
        SERVER(Server)
        TLS_CERT(TLS Certificate)
        TLS_CERT_(TLS Certificate):::secondary

        %% define edges
        TLS_CERT -- served by --> SERVER
        TLS_CERT -- CN --> DOMAIN
        TLS_CERT <-- authority --> TLS_CERT_
        TLS_CERT <-- time --> TLS_CERT_
    ```

Pivots

Servers

Servers serving it


Try it out
TO DO
TO DO
TO DO
TO DO

Domains

Example

Embee Research analyzed certificate data for a domain associated with MatanBuchus in order to surface additional domains whose certificates used the same subdomains, certificate authority, and registration period.[1]

Domains matching its common name (CN)

TLS certificates contain many fields denoting registrant (subject) information, registrar (issuer) information, and various "names" indicating which domain or subdomains the certificate applies to. Pivoting on the domain listed in the common name (CN) field can lead to other certificates listing the same domain or similar ones. Note that modern certificates carry their domain names in the subject alternative name (SAN) extension, and the CN is often just one of them, so a pivot on names should cover both fields.
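The CN, authority and timeframe pivots this page lists, together with the fingerprint from the definition above and the subdomain/CA/registration-period pivot in the Embee Research example, as an added Go example that is not part of this page or of any tool it describes. It generates a small constructed set of certificates with the standard crypto/x509 package (the host names and the "Constructed CA A/B" issuer names are made up), extracts the pivot fields, and runs the three pivots from a seed certificate while excluding the seed itself by fingerprint:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertFacts holds the fields an analyst pivots on; SHA256 is the hex fingerprint of the DER bytes.
type CertFacts struct {
	SHA256, CN, Issuer string
	DNSNames           []string
	NotBefore          time.Time
}

// ExtractFacts parses a DER certificate and pulls out the pivot fields.
func ExtractFacts(der []byte) (CertFacts, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return CertFacts{}, err
	}
	return CertFacts{SHA256: fmt.Sprintf("%x", sha256.Sum256(der)), CN: c.Subject.CommonName,
		Issuer: c.Issuer.CommonName, DNSNames: c.DNSNames, NotBefore: c.NotBefore}, nil
}

// related returns the certificates other than seed (compared by fingerprint) for which match holds.
func related(certs []CertFacts, seed CertFacts, match func(CertFacts) bool) []CertFacts {
	var out []CertFacts
	for _, c := range certs {
		if c.SHA256 != seed.SHA256 && match(c) {
			out = append(out, c)
		}
	}
	return out
}

// PivotName: other certificates whose CN or SAN list names domain (DNS names are case-insensitive).
func PivotName(certs []CertFacts, seed CertFacts, domain string) []CertFacts {
	return related(certs, seed, func(c CertFacts) bool {
		for _, n := range append([]string{c.CN}, c.DNSNames...) {
			if strings.EqualFold(n, domain) {
				return true
			}
		}
		return false
	})
}

// PivotIssuer: other certificates issued by the same authority as seed.
func PivotIssuer(certs []CertFacts, seed CertFacts) []CertFacts {
	return related(certs, seed, func(c CertFacts) bool { return c.Issuer == seed.Issuer })
}

// PivotTimeframe: other certificates whose NotBefore lies within +/- window of seed's.
func PivotTimeframe(certs []CertFacts, seed CertFacts, window time.Duration) []CertFacts {
	return related(certs, seed, func(c CertFacts) bool {
		d := c.NotBefore.Sub(seed.NotBefore)
		return d >= -window && d <= window
	})
}

// makeCert builds a constructed certificate under a hypothetical CA name with a throwaway Ed25519 key.
func makeCert(cn string, sans []string, issuer string, notBefore time.Time) CertFacts {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}} // the issuer DN is copied from the parent
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, 90)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	facts, _ := ExtractFacts(der) // cannot fail: der was just produced by CreateCertificate
	return facts
}

// SampleSet is constructed data: [0] is the seed; the others share its names, issuer or issuance window to varying degrees.
func SampleSet() []CertFacts {
	t := time.Date(2023, 5, 1, 0, 0, 0, 0, time.UTC)
	return []CertFacts{
		makeCert("mail.seed.example", []string{"mail.seed.example", "www.seed.example"}, "Constructed CA A", t),
		makeCert("www.seed.example", []string{"www.seed.example"}, "Constructed CA A", t.Add(48*time.Hour)),
		makeCert("unrelated.example", []string{"unrelated.example"}, "Constructed CA A", t.Add(24*time.Hour)),
		makeCert("other.example", []string{"other.example"}, "Constructed CA B", t.AddDate(-1, 0, 0)),
	}
}

func main() {
	certs := SampleSet()
	fmt.Printf("seed %s: %d name / %d issuer / %d time hits\n", certs[0].CN, len(PivotName(certs, certs[0], "www.seed.example")),
		len(PivotIssuer(certs, certs[0])), len(PivotTimeframe(certs, certs[0], 7*24*time.Hour)))
}
```

Against real data the issuer and timeframe pivots are far noisier than the name pivot (a public CA issues millions of certificates per week), which is why the Embee Research example combines all three: intersect the candidate sets rather than treating any one of them as a signal on its own.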


Try it out
TO DO
TO DO
TO DO
TO DO

Certificates

Certificates registered with the same authority


Try it out
TO DO
TO DO
TO DO
TO DO

Certificates registered in the same timeframe


Try it out
TO DO
TO DO
TO DO
TO DO