Red Team
Backtracking Attacker Infrastructure
Every piece of infrastructure an attacker stands up leaves a trace, and a hunter who finds one thread can pull the whole operation apart. This article is the mirror of C2 infrastructure design: it covers how a threat-intel analyst takes a single IOC (one domain, IP or certificate) and pivots through passive DNS, WHOIS, Certificate Transparency, JARM/JA3 and Shodan/Censys to map and attribute the whole network. Read it as a hunter to learn the craft, or as an operator to learn what burns you.
This article is exclusively available to registered members of LazyHackers.