tracking-threat-actor-infrastructure

Featured

Threat actor infrastructure tracking involves monitoring and mapping adversary-controlled assets including command-and-control (C2) servers, phishing domains, exploit kit hosts, bulletproof hosting, a

DevOps & Infrastructure 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Tracking Threat Actor Infrastructure ## Overview Threat actor infrastructure tracking involves monitoring and mapping adversary-controlled assets including command-and-control (C2) servers, phishing domains, exploit kit hosts, bulletproof hosting, and staging servers. This skill covers using passive DNS, certificate transparency logs, Shodan/Censys scanning, WHOIS analysis, and network fingerprinting to discover, track, and pivot across threat actor infrastructure over time. ## When to Use - When managing security operations that require tracking threat actor infrastructure - When improving security program maturity and operational processes - When establishing standardized procedures for security team workflows - When integrating threat intelligence or vulnerability data into operations ## Prerequisites - Python 3.9+ with `shodan`, `censys`, `requests`, `stix2` libraries - API keys: Shodan, Censys, VirusTotal, SecurityTrails, PassiveTotal - Understanding of DNS, TLS/SSL certificates, IP allocation, ASN structure - Familiarity with passive DNS and certificate transparency concepts - Access to domain registration (WHOIS) lookup services ## Key Concepts ### Infrastructure Pivoting Pivoting is the technique of using one known indicator to discover related infrastructure. Starting from a known C2 IP address, analysts can pivot via: passive DNS (find domains), reverse WHOIS (find related registrations), SSL certificates (find shared certs), SSH key fingerprints, HTTP re...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

DevOps & Infrastructure Featured

building-adversary-infrastructure-tracking-system

Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor threat actor command-and-control networks.

12,642 Updated today
mukul975
AI & Automation Featured

building-threat-actor-profile-from-osint

Build comprehensive threat actor profiles using open-source intelligence (OSINT) techniques to document adversary motivations, capabilities, infrastructure, and TTPs for proactive defense.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-threat-actor-ttps-with-mitre-attack

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh

12,642 Updated today
mukul975
AI & Automation Featured

implementing-threat-modeling-with-mitre-attack

Implements threat modeling using the MITRE ATT&CK framework to map adversary TTPs against organizational assets, assess detection coverage gaps, and prioritize defensive investments. Use when SOC teams need to align detection engineering with threat landscape, conduct threat assessments for new environments, or justify security tool procurement.

12,642 Updated today
mukul975
AI & Automation Solid

threat-detection

Use when hunting for threats in an environment, analyzing IOCs, or detecting behavioral anomalies in telemetry. Covers hypothesis-driven threat hunting, IOC sweep generation, z-score anomaly detection, and MITRE ATT&CK-mapped signal prioritization.

16,642 Updated yesterday
alirezarezvani