Certificate Transparency Monitoring
Watch CT logs for newly issued certs containing target keywords — discover internal hosts, staging, M&A targets before they go live.
§ Where this technique fits
PKI-CT-MONITOR is catalogued under the Reconnaissance tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 3.5 on average.
§ Dossiers chaining this technique
- step 1 / 6
Origin IP bypass → direct attack on backend
Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.
- step 6 / 6
Compromised root CA → arbitrary cert issuance → silent MITM
Compromise the private key (or signing process) of a publicly-trusted root or intermediate. Issue an unlogged cert for the target hostname; use it for invisible TLS MITM until CT-log monitoring or revocation catches up.
§ What commonly comes next
- 01 · Subdomain Enumeration · seen 1× · W-RECON-SUBDOMAIN · Reconnaissance