Certificate Transparency (CT) Logs
Location
Public CT log servers (crt.sh, Google Argon, Cloudflare Nimbus) or CT monitoring services (Censys, CertStream)
Description
Public append-only logs recording all TLS/SSL certificates issued by participating Certificate Authorities. Searchable by domain name, providing a complete issuance history for any domain with certificate details, validity period, and issuing CA.
Forensic Value
Searching CT logs reveals fraudulently issued certificates for organizational domains that could enable man-in-the-middle attacks. Proactive CT log monitoring shows when attackers obtain certificates for lookalike phishing domains (typosquatting) before attacks begin. During incident response, CT log searches identify all certificates issued for compromised domains, including wildcard certs that may have been issued to attacker-controlled infrastructure. Historical certificate issuance timelines help establish when attacker infrastructure was prepared.
Tools Required
Collection Commands
crt.sh
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq '.[0:100] | .[] | {name_value, issuer_name, not_before, not_after}' > ct_certs.json
openssl
echo | openssl s_client -connect suspicious-domain.com:443 -servername suspicious-domain.com 2>/dev/null | openssl x509 -noout -text > cert_details.txt
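The crt.sh query above only saves raw JSON. The script below is an added example (not part of this page, and not crt.sh's own tooling) showing how an analyst can turn that JSON into a deduplicated issuance timeline and flag the entries the Forensic Value section calls out: wildcard certificates, hosts missing from the asset inventory, and lookalike (typosquat) domains. It goes slightly beyond the `%.example.com` query on the page by assuming a broader `%example%` search so that lookalikes appear in the results. It assumes crt.sh's JSON field names (`id`, `issuer_name`, `name_value`, `not_before`, `not_after`); the sample records, the `KNOWN_HOSTS` inventory and the brand label `example` are constructed for the example, and the lookalike check is a simple edit-distance heuristic rather than a full typosquat model.

```python
import json
from datetime import datetime

# Constructed sample in the shape crt.sh returns for a query such as
# https://crt.sh/?q=%25example%25&output=json (field names are crt.sh's; the
# certificates, dates and ids are made up). Entries 1 and 4 mimic the
# precertificate/certificate pair crt.sh lists for a single issuance.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T08:00:00", "not_after": "2024-04-09T08:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.example.com",
     "not_before": "2024-03-02T22:15:00", "not_after": "2024-05-31T22:15:00"},
    {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "vpn.example.com", "not_before": "2023-11-20T00:00:00", "not_after": "2024-11-19T23:59:59"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T08:00:00", "not_after": "2024-04-09T08:00:00"},
    {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "examp1e.com",
     "not_before": "2024-02-28T14:03:00", "not_after": "2024-05-28T14:03:00"},
    {"id": 6, "issuer_name": "C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA", "name_value": "dev.example.com",
     "not_before": "2024-03-01T09:30:00", "not_after": "2024-05-30T09:30:00"},
])

# Constructed asset inventory: hostnames the organisation knows it requested certificates for.
KNOWN_HOSTS = {"example.com", "www.example.com", "vpn.example.com"}


def parse_crtsh(json_text):
    """Turn crt.sh JSON rows into dicts with a sorted SAN list and datetime validity bounds."""
    records = []
    for row in json.loads(json_text):
        # crt.sh joins the CN and every SAN into one newline-separated name_value string
        names = sorted({n.strip().lower() for n in row["name_value"].split("\n") if n.strip()})
        records.append({
            "id": row.get("id"),
            "issuer": row["issuer_name"],
            "names": names,
            "not_before": datetime.fromisoformat(row["not_before"]),
            "not_after": datetime.fromisoformat(row["not_after"]),
        })
    return records


def dedupe(records):
    """Collapse the precertificate and final certificate that crt.sh lists for one issuance."""
    unique = {}
    for r in records:
        unique.setdefault((tuple(r["names"]), r["issuer"], r["not_before"]), r)
    return list(unique.values())


def edit_distance(a, b):
    """Levenshtein distance; one edit away from the brand label is a classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(name):
    """Second-level label of a hostname (ignores public-suffix cases such as co.uk)."""
    parts = name.lstrip("*.").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def flags_for(record, known_hosts, brand_label):
    """Reasons a certificate deserves analyst attention; an empty list means routine."""
    flags = []
    for name in record["names"]:
        label = registrable_label(name)
        if label != brand_label and (brand_label in label or edit_distance(label, brand_label) <= 1):
            flags.append(f"lookalike:{name}")      # typosquat or brand-embedding domain
        elif name.startswith("*."):
            flags.append(f"wildcard:{name}")       # valid for any host, including attacker-controlled ones
        elif name not in known_hosts:
            flags.append(f"unknown-host:{name}")   # not in inventory: unexpected issuance
    return flags


def timeline(json_text, known_hosts=KNOWN_HOSTS, brand_label="example"):
    """Chronological issuance history (oldest first) with flags per certificate."""
    rows = []
    for r in sorted(dedupe(parse_crtsh(json_text)), key=lambda r: r["not_before"]):
        rows.append({"not_before": r["not_before"].strftime("%Y-%m-%d"), "issuer": r["issuer"],
                     "names": r["names"], "flags": flags_for(r, known_hosts, brand_label)})
    return rows


if __name__ == "__main__":
    for row in timeline(SAMPLE_CRTSH_JSON):
        print(row["not_before"], row["issuer"].split("CN=")[-1], ", ".join(row["names"]), row["flags"] or "-")
```

To run it against real data, pass the raw array crt.sh returns (for example `curl -s "https://crt.sh/?q=%25.example.com&output=json" > raw.json` and `timeline(open("raw.json").read())`). The jq filter in the collection command emits a stream of objects rather than a JSON array, so if you want to reuse `ct_certs.json` wrap the filter with `jq -s` first. Entries that carry a `lookalike` or unexpected `wildcard` flag are the ones to pull into the incident timeline, since their `not_before` date bounds when the infrastructure was prepared.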
CertStream
python3 -c "import certstream; certstream.listen_for_events(lambda msg,ctx: print(msg['data']['leaf_cert']['subject']['CN']) if 'example' in str(msg.get('data',{}).get('leaf_cert',{}).get('subject',{}).get('CN','')) else None, url='wss://certstream.calidog.io')"
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
Evidence Spans Multiple Jurisdictions with Conflicting Laws
Affected systems or data span multiple countries with differing data-protection, breach-notification, and cross-border transfer laws (GDPR, data-residency rules, PIPL, LGPD, state-level US laws). Acquisition and analysis that is lawful in one jurisdiction may be unlawful in another. Engage legal counsel early and plan in-region processing.