building-adversary-infrastructure-tracking-system

Featured

Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor threat actor command-and-control networks.

DevOps & Infrastructure 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Building Adversary Infrastructure Tracking System ## Overview Adversary infrastructure tracking uses passive DNS records, certificate transparency logs, WHOIS registration data, and IP enrichment to discover, map, and monitor threat actor command-and-control (C2) networks. Attackers frequently reuse hosting providers, registrars, SSL certificates, and naming patterns across campaigns, enabling analysts to pivot from known indicators to discover new infrastructure. This skill covers building an automated tracking system that identifies infrastructure relationships, detects newly registered domains matching adversary patterns, and maintains a continuously updated map of threat actor networks. ## When to Use - When deploying or configuring building adversary infrastructure tracking system capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Python 3.9+ with `requests`, `dnspython`, `python-whois`, `shodan`, `networkx` libraries - API keys: SecurityTrails, PassiveTotal/RiskIQ, Shodan, VirusTotal - Access to passive DNS data sources - Understanding of DNS infrastructure, hosting, and domain registration - Graph database (Neo4j) or NetworkX for relationship visualization ## Key Concepts ### Passive DNS Passive DNS captures historical DNS resolution data, recordin...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

DevOps & Infrastructure Featured

tracking-threat-actor-infrastructure

Threat actor infrastructure tracking involves monitoring and mapping adversary-controlled assets including command-and-control (C2) servers, phishing domains, exploit kit hosts, bulletproof hosting, a

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-dns-based-persistence

Hunt for DNS-based persistence mechanisms including DNS hijacking, dangling CNAME records, wildcard DNS abuse, and unauthorized zone modifications using passive DNS databases, SecurityTrails API, and DNS audit log analysis.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-command-and-control-over-dns

Detects command-and-control (C2) communications tunneled through DNS protocol including DNS tunneling tools (Iodine, dnscat2, dns2tcp, Cobalt Strike DNS beacon), domain generation algorithms (DGA), encoded payload delivery via TXT/CNAME records, and DNS beaconing patterns. Covers Shannon entropy analysis of query subdomains, statistical anomaly detection, ML-based DGA classification, passive DNS correlation, and Zeek/Suricata signature development. Activates for requests involving DNS-based C2 detection, DNS tunnel identification, suspicious DNS traffic investigation, or DGA domain classification.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-dns-exfiltration-with-dns-query-analysis

Detect data exfiltration through DNS tunneling by analyzing query entropy, subdomain length, query volume, TXT record abuse, and response payload sizes using passive DNS monitoring.

12,642 Updated today
mukul975
AI & Automation Featured

building-threat-actor-profile-from-osint

Build comprehensive threat actor profiles using open-source intelligence (OSINT) techniques to document adversary motivations, capabilities, infrastructure, and TTPs for proactive defense.

12,642 Updated today
mukul975