The field manual for tracing attacker infrastructure — from one domain to dozens
32 min read 16 hours ago
Table of Contents
- Introduction: Why Infrastructure Pivoting Is a Core CTI Skill
- The Mental Model: Why Attackers Leave Trails
- The Pivoting Workflow: Domain → IP → ASN → Certificates → Expanded Infrastructure
- Pivot Type 1: Domain → IP Resolution
- Pivot Type 2: Passive DNS — The History Book of the Internet
- Pivot Type 3: IP → ASN / Hosting Reuse
- Pivot Type 4: TLS Certificates — The Most Underused Pivot
- Pivot Type 5: Subdomain Patterns and Enumeration
- Pivot Type 6: Shodan / Censys / FOFA — Fingerprinting Infrastructure
- Pivot Type 7: WHOIS and Registration Pattern Analysis
- The Complete Tooling Stack
- Full Worked Example: Tracing a C2 Network End-to-End
- Automating the Workflow with Python
- Common Pivoting Mistakes and Dead Ends
- Interview-Ready: Answering “How Do You Discover…