mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


API Reference: Adversary Infrastructure Tracking

crt.sh (Certificate Transparency)

GET https://crt.sh/?q=%.example.com&output=json
| Field | Description |
|-------|-------------|
| issuer_name | Certificate issuer |
| name_value | SANs / common names |
| serial_number | Certificate serial |
| not_before / not_after | Validity period |

URLhaus API

POST https://urlhaus-api.abuse.ch/v1/host/
Body: host=example.com

Returns malicious URLs hosted on the domain.

ThreatFox API

POST https://threatfox-api.abuse.ch/api/v1/
Body: {"query": "search_ioc", "search_term": "1.2.3.4"}
| Field | Description |
|-------|-------------|
| ioc | IOC value |
| threat_type | botnet_cc, payload_delivery, etc. |
| malware | Associated malware family |
| tags | IOC tags |

Pivoting Techniques

| Pivot | Method |
|-------|--------|
| Certificate SANs | crt.sh wildcard search |
| Shared IP | PassiveTotal, VirusTotal |
| WHOIS registrant | WHOIS history |
| DNS history | PassiveDNS (Farsight, CIRCL) |
| JARM fingerprint | TLS server fingerprinting |
| HTTP response hash | Favicon hash, body hash |

Infrastructure Relationships

| Edge Type | Description |
|-----------|-------------|
| shared_certificate | Same TLS cert on different hosts |
| shared_ip | Multiple domains on same IP |
| shared_registrant | Same WHOIS registrant |
| shared_nameserver | Same NS records |
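
The following is an added example, not code from this repository: it derives `shared_certificate` and `shared_ip` edges from rows shaped like the crt.sh JSON output above, where `name_value` holds newline-separated names. The sample rows, the `RESOLUTIONS` mapping and the function names are constructed for illustration.

```python
import json
from collections import defaultdict
from itertools import combinations

# Constructed sample shaped like crt.sh output=json rows (not real data).
# crt.sh often returns the same certificate more than once, so rows repeat.
CRTSH_ROWS = json.loads("""[
  {"serial_number": "0a01", "issuer_name": "C=US, O=Example CA",
   "name_value": "login.example.com\\nmail.example.net"},
  {"serial_number": "0a01", "issuer_name": "C=US, O=Example CA",
   "name_value": "login.example.com"},
  {"serial_number": "0b02", "issuer_name": "C=US, O=Example CA",
   "name_value": "*.example.org\\ncdn.example.org"}
]""")

# Constructed passive-DNS style resolutions (documentation IP ranges).
RESOLUTIONS = {
    "login.example.com": "192.0.2.10",
    "mail.example.net": "192.0.2.10",
    "cdn.example.org": "198.51.100.7",
}

def hosts_by_cert(rows):
    """Group hostnames by (issuer, serial), merging duplicate rows."""
    certs = defaultdict(set)
    for row in rows:
        key = (row["issuer_name"], row["serial_number"])
        for name in row["name_value"].splitlines():
            name = name.strip().lower()
            if name and not name.startswith("*."):  # a wildcard is not a host
                certs[key].add(name)
    return certs

def build_edges(rows, resolutions):
    """Return sorted (host_a, host_b, edge_type) tuples."""
    edges = set()
    for hosts in hosts_by_cert(rows).values():
        for a, b in combinations(sorted(hosts), 2):
            edges.add((a, b, "shared_certificate"))
    by_ip = defaultdict(set)
    for host, ip in resolutions.items():
        by_ip[ip].add(host)
    for hosts in by_ip.values():
        for a, b in combinations(sorted(hosts), 2):
            edges.add((a, b, "shared_ip"))
    return sorted(edges)

if __name__ == "__main__":
    for edge in build_edges(CRTSH_ROWS, RESOLUTIONS):
        print(edge)
```

Two hosts linked by more than one edge type are a stronger clustering signal than a single `shared_ip` edge, which shared hosting and CDNs produce routinely.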

MITRE ATT&CK

  • T1583 - Acquire Infrastructure
  • T1584 - Compromise Infrastructure