analyzing-tls-certificate-transparency-logs
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseAnalyzing TLS Certificate Transparency Logs
分析TLS Certificate Transparency日志
When to Use
使用场景
- When investigating security incidents that require analyzing tls certificate transparency logs
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
- 当调查需要分析TLS Certificate Transparency日志的安全事件时
- 当为此领域构建检测规则或威胁狩猎查询时
- 当SOC分析师需要此类分析的结构化流程时
- 当验证相关攻击技术的安全监控覆盖范围时
Prerequisites
前提条件
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
- 熟悉安全运营概念和工具
- 可访问测试或实验室环境以安全执行操作
- 安装了Python 3.8+及所需依赖项
- 拥有任何测试活动的适当授权
Instructions
操作步骤
Query crt.sh Certificate Transparency database to find certificates issued for
domains similar to your organization's brand, detecting phishing infrastructure.
python
from pycrtsh import Crtsh
c = Crtsh()查询crt.sh Certificate Transparency数据库,查找与您组织品牌相似的域名所颁发的证书,检测钓鱼基础设施。
python
from pycrtsh import Crtsh
c = Crtsh()Search for certificates matching a domain
Search for certificates matching a domain
certs = c.search("example.com")
for cert in certs:
print(cert["id"], cert["name_value"])
certs = c.search("example.com")
for cert in certs:
print(cert["id"], cert["name_value"])
Get full certificate details
Get full certificate details
details = c.get(certs[0]["id"], type="id")
Key analysis steps:
1. Query crt.sh for all certificates matching your domain pattern
2. Identify certificates with typosquatting variations (Levenshtein distance)
3. Flag certificates from unexpected CAs
4. Monitor for wildcard certificates on suspicious subdomains
5. Cross-reference with known phishing infrastructuredetails = c.get(certs[0]["id"], type="id")
关键分析步骤:
1. 在crt.sh上查询所有匹配您域名模式的证书
2. 识别存在域名仿冒(typosquatting)变体的证书(通过Levenshtein距离)
3. 标记来自意外CA的证书
4. 监控可疑子域名上的通配符证书
5. 与已知钓鱼基础设施进行交叉比对Examples
示例
python
from pycrtsh import Crtsh
c = Crtsh()
certs = c.search("%.example.com")
for cert in certs:
print(f"Issuer: {cert.get('issuer_name')}, Domain: {cert.get('name_value')}")python
from pycrtsh import Crtsh
c = Crtsh()
certs = c.search("%.example.com")
for cert in certs:
print(f"Issuer: {cert.get('issuer_name')}, Domain: {cert.get('name_value')}")