Analyzing TLS Certificate Transparency Logs
When to Use
- When investigating security incidents that require analyzing tls certificate transparency logs
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Instructions
Query crt.sh Certificate Transparency database to find certificates issued for
domains similar to your organization's brand, detecting phishing infrastructure.
from pycrtsh import Crtsh
c = Crtsh()
# Search for certificates matching a domain
certs = c.search("example.com")
for cert in certs:
print(cert["id"], cert["name_value"])
# Get full certificate details
details = c.get(certs[0]["id"], type="id")
Key analysis steps:
- Query crt.sh for all certificates matching your domain pattern
- Identify certificates with typosquatting variations (Levenshtein distance)
- Flag certificates from unexpected CAs
- Monitor for wildcard certificates on suspicious subdomains
- Cross-reference with known phishing infrastructure
Examples
from pycrtsh import Crtsh
c = Crtsh()
certs = c.search("%.example.com")
for cert in certs:
print(f"Issuer: {cert.get('issuer_name')}, Domain: {cert.get('name_value')}")
