diff --git a/readme.md b/readme.md index 23462b0..530ae29 100644 --- a/readme.md +++ b/readme.md @@ -28,6 +28,7 @@ The world and its devices are quickly becoming more connected through the shiny - [Printers & Copiers](#printers--copiers) - [Home Devices](#home-devices) - [Random Stuff](#random-stuff) +- [Threat hunting](#threat-hunting) --- @@ -689,6 +690,59 @@ port:17 product:"Windows qotd" "X-Recruiting:" ``` +## Threat-hunting + + +### C2 traffic [πŸ”Ž →](https://www.shodan.io/search?query=product%3A%22c2%22) +Find IP's used for Command and Control traffic (marked with the 'C2' tag by Shodan) + +``` +product:"c2" +``` + +### Cobalt Strike [πŸ”Ž →](https://beta.shodan.io/search?query=product%3A%22Cobalt+Strike+Beacon%22) + + +Cobalt Strike was one of the first public red team command and control frameworks. In 2020, HelpSystems acquired Cobalt Strike to add to its Core Security portfolio and pair with Core Impact. Today, Cobalt Strike is the go-to red team platform for many U.S. government, large business, and consulting organizations. + + +``` +product:"Cobalt Strike Beacon" +``` + + +### Metasploit Framework [πŸ”Ž →](https://beta.shodan.io/search?query=ssl%3A%22MetasploitSelfSignedCA%22) + +A Metasploit Framework is a powerful tool that provides a universal interface to work with vulnerability exploit code. It has to exploit code for a wide range of vulnerabilities that impact web servers, OSes, network equipment, and everything in between. Metasploit which serves as both exploitation and C2 frameworks. + +``` +ssl:"MetasploitSelfSignedCA" +``` + + +### Covenant [πŸ”Ž →](https://www.shodan.io/search?query=ssl%3A%22covenant%22+http.component%3A%22Blazor%22) +Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. + +``` +ssl:"covenant" http.component:"Blazor" +``` + + +### Mythic [πŸ”Ž →](https://www.shodan.io/search?query=SSL%3AMythic+port%3A7443) +A cross-platform, post-exploit, red teaming framework built with python3, docker, docker-compose, and a web browser UI. It’s designed to provide a collaborative and user-friendly interface for operators, managers, and reporting throughout red teaming. + +``` +SSL:Mythic port:7443 +``` + + +### Brute Ratel C4 [πŸ”Ž →](https://www.shodan.io/search?query=http.html_hash%3A-195716165) +Brute Ratel C4 (BRc4), is the newest red-teaming and adversarial attack simulation tool to hit the market. While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated. Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. + +``` +http.html_hash:-195716165 +``` + --- @@ -706,4 +760,8 @@ Bon voyage, fellow penetrators! πŸ˜‰ To the extent possible under law, [Jake Jarvis](https://jarv.is/) has waived all copyright and related or neighboring rights to this work. -Mirrored from a blog post at https://jarv.is/notes/shodan-search-queries/. +Mirrored from a blog post at: + +- https://jarv.is/notes/shodan-search-queries/. +- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/ +- Source/Credits: ht://twitter.com/MichalKoczwara/