Hunting Threat Actors with TLS Certificates

Using open source data to defend networks

Mark Parsons / @markpars0ns


Who am I

Mark Parsons

  • Previous life:
    • Incident responder
    • Network defender
    • Occasional threat analyst
  • Now
  • I like to write in python and sometimes go

Who am I not

Animator - Archer

One Direction Fan Fiction???

Traditional methods of hunting / pivoting using network related resources

Passive DNS

Historical mappings of domains to IP addresses and vice versa

Sources of PDNS

Whois tracking

Using domain registrant information to look for other potentially related domains

Sources of trackable whois information

What else could we do that provides pivotable/trackable data

That's right TLS certificates!!!

Quick Caveat

Code signing certificate != TLS certificate

Code signing

TLS certificate

TLS Hunting Basics

Tips to help you get started

Where to start

  • IP to certifcate
  • Certificate to IP

IP to cert example

What certificates have been seen on

This will be covered later in the slides

Certificate to IP example

What IP addresses is a1833c32d5f61d6ef9d1bb0133585112069d770e currently seen on

This will be covered later in the slides

What to consider

  • Look at the time frame the certificate was seen on an IP
  • Was a certificate seen during malicious activity?
  • Do you have malware/implant using TLS?
  • How many other hosts are seen using that TLS certificate?
  • Expiration dates on certificate
  • Issuer
    • Self Signed
    • Free certificate
    • Paid certificate

Network Defense

What you can do to defend your networks

IDS Monitoring - TLS fingerprints

  • Suricata
  • Bro
  • Snort 3 - external package needed

Automate tracking of TLS certs

  • PassiveTotal Monitoring
  • API script
  • Your own local sonar or repo
  • Combo of all of these
  • Put new ip addresses found into monitoring/blocks as needed

More Network defense

More Like Network Hygiene

Most of these you will have to do with your own sonar scan data or data

Look at your netblocks

  • Use your ASN for a search
  • Use your ASN or subnets if sonar data in elasticsearch

What to look for

  • Your security appliances
  • Remote access management
    • HP integrated Lights Out
    • Dell Remote Access Card
  • Websites or services you didn't know about

Look outside your netblocks

  • Look for ceritifcates for your org not inside your netblocks
  • Look for certificates that have email addresses from your org
  • Look for certificates who have your org as a Subject Alt Name
  • Look for dopplegangers of your org
  • Take a look at PassiveTotal keyword searching (DNS, Whois, TLS ) aka brand monitoring

So TLS certificates you say?

Where do you start?

First you need some data

You could ingest sonar SSL scans

Checkout my Python Scansio-Sonar-ES github repo

Or my Golang Sonar-ES-GO github repo

Or use

Or use PassiveTotal Sonar SSL scans

Scans performed by Rapid7

  • Raw data going back to 10/30/2013
  • Easily consumable
  • Updated weekly
  • Incremental in nature
    • certs.gz - Only new sha1s and base64 raw certificate seen that week
    • hosts.gz - SHA1 and host for all hosts seen
  • No public search interface
  • Is weekly frequent enough ?

Maintained by the University of Michigan and University of Illinois Urbana-Champaign

  • Easy to use search interface
  • API Access
  • Frequent Updates
  • All or nothing in nature
    • If there is a delta between scans
    • old scan data is not in main search interface
    • Old scan data is available in json format


  • Should be the first place any analyst goes when performing any infrastructure hunting
  • Merge traditional hunting with new methods
  • Aggregates multiple passive DNS sources
  • Provides WHOIS data
  • Provides references to OpenSource reporting
  • Also has TLS certificates
  • So much more I am only touching the surface

If you aren't you using it

You really should try it out

You won't regret it

Disclamer: PassiveTotal provided me researcher access for data required for this presentation

Some basic examples using PassiveTotal, or a local sonar datastore

What certificates have been seen on

Source: PassiveTotal

Where is a1833c32d5f61d6ef9d1bb0133585112069d770e currently seen


Self Signed Certificates in an ASN with Amazon in the name


Certificates signed by Wosign that have Microsoft in the subject

Source: My sonar es instance

Now that you have seen some very basic examples

Let's do some TLS hunting/pivoting


Remote Code Execution - Word RTF Memory Corruption Vulnerability

Awesome technet article that provided the following:

Yara Sigs!


Command and Control IP

Potential Command and Control Domain

Starting point

Let's do some traditional pivots

Passive DNS records that were active around time of Microsoft report

Whois on domain provided

Repeat two steps above on any new info found

Now let's pivot on the TLS SHA1

SHA1: df7240fb9bcd5312eba5f9c2dde7a29a1dc8f355



Go from one TLS Cert, one IP, and one Domain

Get 6 IPs and Three Domains using same registration info

Palo Alto - Lotus Blossom

Great write up on targeting of Hong Kong, Taiwan, Vietnam, the Philippines, and Indonesia and the use of the Elise trojan

Provided csv of iocs on github

IP iocs

TLS Pivot

Hmmm several ip's all using the same TLS cert

Could there be more?

Yup! there is more - lots more

311 more as of 8/15/2016

Certificate Issuer: Eric-Office

Certificate Subject: Eric-Office

Validity Dates: 2012-02-13 - 2022-02-10

Sonar dates

First seen 2013-10-30

Last seen 2016-08-15

Still very active today

APT 28/Sofacy - X Tunnel

Initial IOC

Passive DNS pivot

TLS Certificate pivot on initial IP addresses

Certificate #1

Certificate #2

Pivot on certificate #2

Crowd Strike DNC Report


An overall picture of how long this certificate has been seen by IP

Initial report 2 domains, 2 IPs, 1 TLS Cert

Tradtional pivots reveal 5 interesting domains

Now have 24 IPs, 7 domains, 3 TLS certs

Additional linkages via open source reporting

If you aren't monitoring for this certificate


You probably should :)

PWC Poland Red Team

Inital indicators were several malicious hashes that were shared with me

What piqued my interest was the malware in a few cases was attempting to use DNS to tunnel once running

Passive DNS Pivot on C2 domain

Passive DNS pivot on new IP addresses

SSL pivot on IP addresses

Three ssl certificates to look at

Certifcate #1

Certifcate #2

Certifcate #3

Pivot on the newly discovered TLS certificates

What did we find

  • Three new IP addresses
  • Cert #1 was seen on all five of the original IPs
    • It was also seen on one new IP
  • Cert #2 was seen on four of the five original IPs
    • It was also seen on the same new cert as #1 and two addtional IPs
  • Cert #3 was the same four of the five original IPs as #2
    • It was also seen on the same new cert as #1 and the two addtional IPs as #2

We could have found all of this infrastucture with out doing the certificate pivoting

Multiple passive dns pivots would have eventually gotten us to this point

The certificate pivoting helped connect the dots in the relations of all the infrastructure

Thank You

To the PWC Poland red team for being good sports and allowing me to mention their infrastructure in this talk

PoSeidon - Point of Sale

Initial IOCs

Passive DNS on domains

Pivot on TLS certificates found on IPs

Yeah hard to read and lots of addtional IP addresses

Three ssl certificates with decent clusters

Lets take a look at the details of the certificates

Lets zoom in on the three clusters of ssl certificates

Start with 18 domains, 6 ip addresses

Basic pdns pivot adds 29 new ip addresses

3 new TLS certificates

51 new ip addresses using those TLS certificates

Much more to dig into

More pivots to be done but I will leave this as an exercise for you to try


  • Add SSL cert pivoting to your network infrastructure pivots for addtional data sources
  • Add SSL certificates to network defenses where appropriate
  • Use opensource data to find SSL certificates for your enivornment that you might be unaware of
  • Happy Pivoting!