Intel & Burn Detection

The intel section controls automated burn detection: CT log monitoring, domain reputation checks, threat feed ingestion, and dynamic IP whitelisting.

Schema

intel:
  auto_block_scanners: true
  dynamic_whitelist_threshold: 3    # valid C2 checkins before IP is whitelisted

  feeds:
    enabled: true
    refresh_interval_hours: 12

  ct_monitor:
    enabled: true
    interval_hours: 4.0
    monitored_domains:
      - "cdn.example.com"           # omit to auto-populate from domains block

  reputation_monitor:
    enabled: true
    interval_hours: 2.0
    check_urlhaus: true             # abuse.ch URLhaus feed
    check_openphish: true           # OpenPhish feed

Dynamic IP Whitelisting

Beacons start in an unwhitelisted state. Each valid C2 checkin (request that passes all pipeline filters and matches the C2 profile) increments the IP’s checkin counter. When the counter reaches dynamic_whitelist_threshold, the IP is promoted to the dynamic whitelist.

Whitelisted IPs:

  • Skip most pipeline scoring (still checked against blocklist)
  • Are eligible for one-time payload tokens (see Payload Tokens)
  • Can be the recipient of whitelist_on_click from phishing.club events

Certificate Transparency Monitoring

CT logs record every TLS certificate issued. When an adversary (blue team, threat intel vendor) requests a cert for your C2 or phishing domain — or a closely matching domain — it appears in crt.sh within minutes.

InfraGuard polls crt.sh for each monitored domain. On new issuance:

  • BurnIndicator fires with severity: "critical"
  • Event dispatched to configured plugins (Discord/Slack alert)
  • Logged to tracking DB

ct_monitor:
  enabled: true
  interval_hours: 4.0
  monitored_domains:
    - "login.example.com"
    - "cdn.example.com"

Leave monitored_domains empty to automatically monitor all domains in the domains: block.
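The crt.sh polling step described above, as an added example rather than InfraGuard's own code: it parses a crt.sh-style JSON response (constructed inline; field names follow crt.sh's real `output=json` format, values are made up), skips certificate entries already seen on a previous poll, keeps only entries whose SANs cover the monitored domain, and builds an indicator in the shape of the CT alert shown later on this page. The `seen_ids` set, the dict layout and treating `not_before` as UTC are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed stand-in for a crt.sh response to https://crt.sh/?q=%25.example.com&output=json.
# Field names match crt.sh; ids, timestamps and issuers are invented for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Example CA", "common_name": "cdn.example.com",
     "name_value": "cdn.example.com",
     "not_before": "2025-11-02T10:00:00", "not_after": "2026-01-31T10:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Example CA", "common_name": "cdn.example.com",
     "name_value": "cdn.example.com\nwww.example.com",          # SANs are newline-separated
     "not_before": "2026-01-15T03:12:44", "not_after": "2026-04-15T03:12:44"},
    {"id": 1003, "issuer_name": "C=US, O=Other CA", "common_name": "mail.other-example.net",
     "name_value": "mail.other-example.net",
     "not_before": "2026-01-15T04:00:00", "not_after": "2026-04-15T04:00:00"},
])

def names_for(entry):
    # crt.sh packs every SAN of the certificate into name_value, one per line
    return {n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()}

def covers_domain(name, domain):
    # exact match or any subdomain; a wildcard such as *.example.com also covers the domain
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)

def find_new_issuances(crtsh_json, monitored_domain, seen_ids):
    """Return one indicator dict per certificate not yet in seen_ids that covers the domain."""
    indicators = []
    for entry in json.loads(crtsh_json):
        if entry["id"] in seen_ids:          # already alerted on during an earlier poll
            continue
        if not any(covers_domain(n, monitored_domain) for n in names_for(entry)):
            continue
        # crt.sh returns not_before without a zone; it is UTC (assumption documented above)
        issued = datetime.fromisoformat(entry["not_before"]).replace(tzinfo=timezone.utc)
        indicators.append({
            "type": "ct_domain_exposure",
            "severity": "critical",
            "domain": monitored_domain,
            "ct_id": entry["id"],
            "detail": f"New certificate issued for {monitored_domain} at "
                      f"{issued.strftime('%Y-%m-%dT%H:%M:%SZ')}",
        })
    return indicators
```

After each poll, add the returned `ct_id` values to `seen_ids` so the next run reports only genuinely new log entries.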

Domain Reputation Monitoring

Checks configured domains against live threat intelligence feeds:

Feed                  What it detects
URLhaus (abuse.ch)    Domains hosting malware downloads
OpenPhish             Active phishing sites

On a hit, BurnIndicator fires and an alert is dispatched. InfraGuard continues operating — the operator decides whether to burn the domain or switch traffic.

Threat Intel Feeds

feeds.enabled: true pulls blocklists (IP ranges, known scanner IPs, Tor exits) on the configured refresh interval. These feed the IP filter in the pipeline.

Burn Indicators via Plugins

All BurnIndicator events route through the same plugin dispatch path as regular request events. A Discord plugin with only_blocked: false and min_score: 0.5 will receive burn alerts.

Example Discord alert for a CT burn:

🔥 BURN ALERT — cdn.example.com
Type: ct_domain_exposure
Severity: critical
Detail: New certificate issued for cdn.example.com at 2026-01-15T03:12:44Z

CLI Intel Commands

# Block a country
infraguard config intel block-country RU -c config.yaml

# Unblock a country
infraguard config intel unblock-country RU -c config.yaml

# Block an ASN
infraguard config intel block-asn 15169 -c config.yaml

# Block a specific IP
infraguard config intel block-ip 1.2.3.4 -c config.yaml