Skip to content

Docs

Guides

Changelog

CtrlK
Docs

Advanced Knowledge

Indicator Pivoting

Indicator Pivoting

Expand investigations from single IOCs to uncover related attacker infrastructure and campaigns.

Last updated: February 2026

Purpose and Scope

An indicator of compromise rarely exists in isolation. A single malicious domain, IP address, or hash is usually connected to broader attacker infrastructure. This playbook covers techniques for pivoting from initial indicators to discover related infrastructure, identify campaign scope, and inform defensive actions.

Prerequisites

  • Threat intelligence tools: Access to VirusTotal, urlscan.io, WHOIS services, passive DNS, and certificate transparency logs
  • SIEM or analysis platform: Ability to query internal logs with newly discovered indicators
  • Network telemetry: DNS logs, proxy logs, and connection data for validation
  • Documentation system: Place to record pivot paths and findings

Detection Goals

Pivoting aims to answer:

  • What other infrastructure is connected to this indicator?
  • Is this part of a larger campaign or threat actor toolkit?
  • Have we observed related indicators in our environment?
  • What additional indicators should we monitor or block?

Pivot Types

Domain Pivots

  • WHOIS registrant: Same registrant email, name, or organization across domains
  • Name servers: Shared DNS infrastructure across malicious domains
  • IP resolution: Domains resolving to the same IP address
  • Passive DNS: Historical resolutions showing infrastructure changes
  • Subdomains: Other subdomains on the same parent domain
  • Similar naming patterns: Domains following the same generation algorithm

IP Address Pivots

  • Reverse DNS: Other domains resolving to the same IP
  • ASN analysis: Patterns of malicious infrastructure in the same network block
  • Co-hosted domains: Other domains sharing the same server
  • Historical hosting: Previous domains hosted on this IP
  • CIDR neighbors: Related IPs in the same allocation

Certificate Pivots

  • Subject common name: Certificate CN revealing hidden infrastructure
  • Subject alternative names: Other domains in the SAN field
  • Certificate issuer: Patterns in certificate acquisition
  • Serial number reuse: Same certificates deployed across servers
  • Transparency logs: Historical certificate issuance for a domain

File Hash Pivots

  • Behavioral similarity: Files with similar sandbox behavior
  • Code signing: Other files signed with the same certificate
  • Imphash: Executables with matching import tables
  • SSDEEP fuzzy hash: Files with similar content
  • Embedded artifacts: Shared C2 domains, URLs, or strings

Pivoting Workflow

1. Document the Initial Indicator

  • Record indicator type, value, source, and confidence
  • Note what investigation led to this indicator
  • Establish scope: is this from a live incident or proactive hunting?

2. Gather Context

  • Query VirusTotal for reputation and related files/URLs
  • Check urlscan.io for page screenshots and resource relationships
  • Retrieve WHOIS records for domain indicators
  • Query passive DNS services for historical data
  • Search certificate transparency logs

3. Identify Pivot Points

Look for artifacts that connect to other infrastructure:

  • Registration details that appear unique but consistent
  • Hosting patterns and IP neighborhoods
  • Certificate attributes
  • Code or content similarities

4. Execute Pivots

For each pivot point:

  • Search for other indicators sharing that attribute
  • Validate that connections are meaningful, not coincidental
  • Record new indicators discovered
  • Assess confidence in the relationship

5. Validate Against Internal Telemetry

  • Search SIEM for newly discovered indicators
  • Check DNS logs for domain resolutions
  • Review proxy logs for URL or IP hits
  • Search endpoint telemetry for file hashes

6. Prioritize and Act

  • Block high confidence malicious infrastructure
  • Add medium confidence indicators to monitoring
  • Share findings with threat intelligence team
  • Update detection rules based on patterns found

Tools and Techniques

WHOIS and Passive DNS

  • DomainTools: Comprehensive WHOIS and reverse WHOIS
  • SecurityTrails: Historical DNS data
  • RiskIQ PassiveTotal: Infrastructure analysis
  • Farsight DNSDB: Passive DNS database

Certificate Analysis

  • crt.sh: Certificate transparency log search
  • Censys: Certificate and host discovery
  • Shodan: Banner grabbing with certificate data

Malware Analysis

  • VirusTotal: File relationships and behavior
  • Any.Run: Interactive sandbox with network indicators
  • Hybrid Analysis: Detailed behavioral reports
  • MalwareBazaar: Sample repository with tagging

Validation and False Positives

  • Shared hosting can create false connections between unrelated domains
  • Common registrars and privacy services can create coincidental matches
  • Large IP ranges may host both malicious and legitimate content
  • Validate pivots with multiple independent data points
  • Consider timing: did relationships exist at the time of the incident?

Documenting Pivot Paths

Maintain clear records:

  • Starting indicator and source
  • Each pivot point and method used
  • Resulting indicators with confidence levels
  • Validation status for each finding
  • Actions taken (blocked, monitored, shared)

Escalation Guidance

Escalate to incident response when:

  • Pivots reveal hits in internal telemetry
  • Investigation uncovers active compromise indicators
  • Scope suggests targeted campaign against your organization
  • Findings require immediate blocking or containment

References

Previous

OTX and Community Feeds

Next

Enrichment Workflows

Was this helpful?

Logo

Block phishing attacks instantly.

Built by RedPhish LLC. All Rights Reserved. Copyright 2025.

Terms & Conditions

Privacy Policy

Compare

Guardio AlternativeMalwarebytes AlternativeNorton AlternativeAvast AlternativeBitdefender Alternative

Resources

DocumentationBlogPricingFAQ