GitHub: anpa1200/autoWF
# autoWF
Infrastructure pivoting for CTI analysts.
autoWF takes a seed IOC and expands it through passive DNS, reverse IP, ASN/hosting reuse, TLS certificates, subdomain enumeration, internet-wide search, and WHOIS. The output is not attribution. It is a structured lead graph for analyst review.
## Structure
```
autoWF/
├── README.md
├── autowf.py
├── requirements.txt
├── examples/
│   ├── seed-domain.json
│   └── graph-output.json
├── docs/
│   ├── pivot-types.md
│   └── limitations.md
└── tests/
    └── test_normalize_ioc.py
```
## Pivot Types
| Pivot | Purpose |
|---|---|
| Passive DNS | Historical domain/IP relationships |
| Reverse IP | Co-hosted infrastructure |
| ASN/hosting reuse | Provider and netblock clustering |
| TLS certificates | Certificate reuse and SAN expansion |
| Subdomain enumeration | Related host discovery |
| Shodan/Censys/FOFA | Internet-exposure enrichment |
| WHOIS | Registration and ownership leads |
## Worked Example
```
python autowf.py --ioc suspicious-domain.example --out examples/graph-output.json
```

- Input: `suspicious-domain.example`
- Output: `graph-output.json`
- Result: 1 seed domain, candidate sibling domains, related IPs, reused certificate leads, hosting cluster notes.
## Seed Content
Use the workflow and examples from the Infrastructure Pivoting Medium article:
https://infosecwriteups.com/infrastructure-pivoting-how-cti-analysts-expand-from-a-single-ioc-to-a-full-attacker-network
## Flagship Milestone
This becomes a flagship when it supports repeatable graph export, has sample datasets, and is cited or used by another CTI analyst or OpenCTI workflow.
## Limits
Infrastructure pivoting creates hypotheses. Shared hosting, CDN use, reused certificates, sinkholes, and stale DNS can all mislead attribution.