Mark Parsons, Microsoft

As the internet moves to encryption for standard protocols, we have seen malware follow that trend by using TLS certificates to encrypt C2 communications. We will discuss ways to use data from open source scanning data projects like Shodan, Censys and Rapid7 Sonar. This talk will go over examples of using TLS certificates for tracking multiple activity groups and their infrastructure, ways to find popular post-exploitation frameworks, and some examples of getting to know your own environment.