Let’s Hunt for C2 Servers using Censys
Gotta Fingerprint ’Em All
Introduction
I love Censys. I think it is really exciting trying to look for the next big campaign, a new undocumented C2 server or malware samples that have not been documented before. And if you manage to find an open directory hosted alongside a C2 server then jackpot!
In a previous article, I explained how Censys can be used to look for open directories and some general hunting techniques. In this one, we will be looking at the queries we can use to find some of the more common C2 Frameworks. We will also find out how to share our findings with the rest of the Cybersecurity community.
Basic Query Syntax
TLS certificate (SHA-256 fingerprint of the leaf): services.certificate
Subject DN: services.tls.certificates.leaf_data.subject_dn (for the CN alone use services.tls.certificates.leaf_data.subject.common_name)
Issuer DN: services.tls.certificates.leaf_data.issuer_dn (for the CN alone use services.tls.certificates.leaf_data.issuer.common_name)
HTML title: services.http.response.html_title
Service banner: services.banner
Software name: services.software.product
A clause is written as field=value for an exact match or field: value for a looser match. Quote values with straight double quotes; the typographic quotes that blog platforms substitute are not part of the syntax.
P.S.: Don’t worry about saving all the syntax here; I’ve uploaded all the queries to GitHub in a link below.
C2 Infrastructure
I’ve only written the simplest queries in this article; they can be chained together with and/or and narrowed further with TLS certificate fields and favicon hashes.
Cobalt Strike
- services.tls.certificates.leaf_data.issuer.common_name="Major Cobalt Strike"
Mythic
- services.http.response.html_title="Mythic"
Metasploit
- services.http.response.html_title: "Metasploit"
Sliver
- services.tls.certificates.leaf_data.subject_dn:"multiplayer"
Havoc
- services.banner: "X-Havoc"
Viper
- services.software.product: Viper
Covenant
- services.http.response.html_title="Covenant"
SuperShell
- services.http.response.html_title="Supershell — 登录" (登录 is the Chinese word for "login")
Brute Ratel C4
- services.http.response.body_hash="sha1:1a279f5df4103743b823ec2a6a08436fdf63fe30"
PenTera Red Team
- services.http.response.html_title="Pentera™"
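The signatures above are written as Censys queries, but the same field paths appear in the JSON host records Censys returns. As an added example (not code from the article or from Censys), here is how to apply those signatures offline to exported host records so that each match becomes an ip:port IOC, the form the ThreatFox submission later in this article asks for. The record layout (ip, services[].port, services[].tls.certificates.leaf_data..., services[].http.response..., services[].banner, services[].software[].product) is assumed from the field names used in the queries, and the sample hosts are constructed with documentation addresses rather than real scan data.

```python
"""Apply the article's Censys signatures to exported host records and emit IOCs.

Added example; not code from the article or from Censys. The record layout
(ip, services[].port, services[].tls.certificates.leaf_data..., services[].http
.response..., services[].banner, services[].software[].product) is assumed from
the field names used in the queries; the sample hosts below are constructed.
"""
from __future__ import annotations

from typing import Any

# (framework, path inside one service record, match kind, expected value).
# "eq" mirrors Censys '=' (exact); "has" mirrors ':' (case-insensitive substring).
SIGNATURES = [
    ("Cobalt Strike", ("tls", "certificates", "leaf_data", "issuer", "common_name"), "eq", "Major Cobalt Strike"),
    ("Cobalt Strike", ("software", "product"), "eq", "Cobalt Strike"),
    ("Mythic", ("http", "response", "html_title"), "has", "Mythic"),
    ("Metasploit", ("http", "response", "html_title"), "has", "Metasploit"),
    ("Sliver", ("tls", "certificates", "leaf_data", "subject_dn"), "has", "multiplayer"),
    ("Havoc", ("banner",), "has", "X-Havoc"),
    ("Viper", ("software", "product"), "eq", "Viper"),
    ("Covenant", ("http", "response", "html_title"), "has", "Covenant"),
    ("Supershell", ("http", "response", "html_title"), "has", "Supershell"),
    ("Brute Ratel C4", ("http", "response", "body_hash"), "eq", "sha1:1a279f5df4103743b823ec2a6a08436fdf63fe30"),
    ("Pentera", ("http", "response", "html_title"), "has", "Pentera"),
]


def field_values(record: Any, path: tuple[str, ...]) -> list:
    """Collect every leaf value at `path`, descending into lists (e.g. software[])."""
    nodes = [record]
    for key in path:
        next_nodes = []
        for node in nodes:
            for item in node if isinstance(node, list) else [node]:
                if isinstance(item, dict) and key in item:
                    next_nodes.append(item[key])
        nodes = next_nodes
    leaves = []
    for node in nodes:
        leaves.extend(node if isinstance(node, list) else [node])
    return leaves


def match_service(service: dict) -> list[str]:
    """Frameworks whose signature matches one service record, in signature order, no duplicates."""
    hits = []
    for framework, path, kind, expected in SIGNATURES:
        values = field_values(service, path)
        if kind == "eq":
            matched = any(v == expected for v in values)
        else:
            matched = any(isinstance(v, str) and expected.lower() in v.lower() for v in values)
        if matched and framework not in hits:
            hits.append(framework)
    return hits


def extract_iocs(hosts: list[dict]) -> list[tuple[str, str]]:
    """(framework, 'ip:port') pairs for every matching service, the form ThreatFox takes."""
    iocs = []
    for host in hosts:
        for service in host.get("services", []):
            for framework in match_service(service):
                iocs.append((framework, f"{host['ip']}:{service['port']}"))
    return iocs


# Constructed sample records (RFC 5737 documentation addresses), not real scan data.
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "services": [
        {"port": 443, "service_name": "HTTP",
         "tls": {"certificates": {"leaf_data": {
             "issuer": {"common_name": "Major Cobalt Strike"},
             "subject_dn": "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike"}}},
         "software": [{"vendor": "Fortra", "product": "Cobalt Strike"}]},
        {"port": 22, "service_name": "SSH", "banner": "SSH-2.0-OpenSSH_8.9"},
    ]},
    {"ip": "192.0.2.20", "services": [
        {"port": 40056, "service_name": "HTTP",
         "banner": "HTTP/1.1 404 Not Found\r\nX-Havoc: true\r\n",
         "http": {"response": {"html_title": "404 page not found"}}},
    ]},
    {"ip": "192.0.2.30", "services": [
        {"port": 8443, "service_name": "HTTP",
         "http": {"response": {"html_title": "Supershell - 登录"}}},
    ]},
    {"ip": "192.0.2.40", "services": [
        {"port": 80, "service_name": "HTTP",
         "http": {"response": {"html_title": "Welcome to nginx!"}}},
    ]},
]

if __name__ == "__main__":
    for framework, ioc in extract_iocs(SAMPLE_HOSTS):
        print(f"{framework}: {ioc}")
```

To run it on real data, export the hosts a query returns (for example with the censys-python CLI, `censys search "<query>" --index-type hosts`; check `censys search --help` for the current flags) and pass the parsed list to extract_iocs. Note that the Cobalt Strike host matches on two signatures but is reported once, and the plain nginx host produces nothing.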
Sharing your findings with Abuse.ch
This section is for those who want to contribute to the cybersecurity community by uploading their findings to the Abuse.ch database, which in turn allows everyone to use these IOCs to create their own alerts and detection rules.
1. Create an Account:
- Visit the Abuse.ch ThreatFox platform: https://threatfox.abuse.ch/
- Sign up for a free account.
2. Select Threat Type:
- Choose the appropriate threat type from the dropdown menu. This could be a botnet, malware family, or other malicious activity.
3. Select IOC Type:
- Specify the type of indicator of compromise (IOC) you’ve found. Common IOC types include IP addresses, domains, URLs, and hashes.
4. Enter Malware Name:
- If applicable, enter the name of the malware associated with the C2 server.
5. Provide IOC Details:
- Input the IP address and port of the C2 server you’ve identified. This information will be added to the ThreatFox database.
6. Add Additional Details (Optional):
- If you have any other relevant information, such as the malware’s functionality, target victims, or associated domains, feel free to share it.
7. Submit:
- Once you’ve completed the necessary fields, submit your report.
On a side note, I think it’s pretty cool that they actually give you credits for uploading newly discovered C2 servers. These credits could then be used to request specific IOCs that you or your organization need.
I haven’t used this function yet though, just collecting coins and hoping that one day I’ll have a proper use for it.
Crafting your queries
So far I’ve shared the queries that I use when I want to look for specific C2 servers. However, there are a lot of different queries that can be used to achieve the same outcome.
Click on the “VIEW ALL DATA” icon of a detected service and it will show you more details about that particular software. This allows you to craft your queries based on its signature.
The detailed software view allows us to craft a couple more queries:
services.software.vendor:"Fortra"
services.software.product:"Cobalt Strike"
There are many different ways to go about doing things so just experiment and see what works for you.
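One way to experiment without retyping queries is to build them from small pieces. The following is an added example (not the article's own code and not a Censys library): it composes the single-field signatures from this article into combined hunts using only syntax shown on this page (field=value, field: value, quoted values) plus Censys's boolean operators and, or, not with parentheses and the same_service(...) grouping, which requires every clause inside it to match the same service of a host rather than different services on one IP. Escaping of double quotes inside values is not covered on this page, so the helper refuses such values rather than guessing.

```python
"""Compose Censys Search queries from the one-field signatures in this article.

Added example; not the article's code and not a Censys library. Uses the
field=value / field: value syntax from this page plus the and / or / not
operators and same_service(...) grouping of the Censys Search language.
"""
from __future__ import annotations


def clause(field: str, value: str | int, exact: bool = True) -> str:
    """One field clause: '=' for an exact match, ':' for the looser match.

    Strings are wrapped in straight double quotes; integers (ports) stay bare.
    Values containing a double quote are refused because the escaping rules
    are not covered on this page (a deliberate, conservative assumption).
    """
    op = "=" if exact else ":"
    if isinstance(value, int):
        return f"{field}{op}{value}"
    if '"' in value:
        raise ValueError("values containing a double quote are not supported here")
    return f'{field}{op}"{value}"'


def all_of(*clauses: str) -> str:
    """Every clause must match somewhere on the host."""
    return "(" + " and ".join(clauses) + ")"


def any_of(*clauses: str) -> str:
    """At least one clause must match."""
    return "(" + " or ".join(clauses) + ")"


def negate(c: str) -> str:
    """Exclude hosts matching the clause."""
    return f"not {c}"


def same_service(*clauses: str) -> str:
    """All clauses must match on a single service of the host."""
    return "same_service(" + " and ".join(clauses) + ")"


def hunts() -> dict[str, str]:
    """Combined hunt query per framework, built from this article's signatures."""
    title = "services.http.response.html_title"
    return {
        "Cobalt Strike": any_of(
            clause("services.tls.certificates.leaf_data.issuer.common_name", "Major Cobalt Strike"),
            same_service(
                clause("services.software.vendor", "Fortra"),
                clause("services.software.product", "Cobalt Strike"),
            ),
        ),
        "Mythic": clause(title, "Mythic"),
        "Metasploit": clause(title, "Metasploit", exact=False),
        "Sliver": clause("services.tls.certificates.leaf_data.subject_dn", "multiplayer", exact=False),
        "Havoc": clause("services.banner", "X-Havoc", exact=False),
        "Viper": clause("services.software.product", "Viper", exact=False),
        "Covenant": clause(title, "Covenant"),
        "Supershell": clause(title, "Supershell", exact=False),
        "Brute Ratel C4": clause("services.http.response.body_hash",
                                 "sha1:1a279f5df4103743b823ec2a6a08436fdf63fe30"),
        "Pentera": clause(title, "Pentera", exact=False),
    }


def on_port(framework: str, port: int) -> str:
    """Pin a framework hunt to one port on the same service, e.g. a listener on 443."""
    return same_service(hunts()[framework], clause("services.port", port))


if __name__ == "__main__":
    for name, query in hunts().items():
        print(f"{name}: {query}")
    print(on_port("Havoc", 443))
```

The output strings can be pasted straight into the Censys search box; on_port shows how a narrowing clause is attached, and negate is there for excluding a noisy match once you have found one.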
Conclusion
That’s it! We learnt some of the different queries that can be used for the more popular C2 Frameworks and how to share your findings with the rest of the cybersecurity community.
I’ve uploaded the rest of the signatures I’ve collected throughout my time on Censys in my Github repo. The list is non-exhaustive and might not be the most effective one as I am relatively new at using this tool, so I would appreciate it if you could share your queries with me in the future.
In my next article, I will talk about my procedures and how I go about looking for these C2 servers.
Additional Resources:
- Personal Censys Queries
- Awesome Censys Queries
- C2IntelFeeds
- Fox_threatintel on Twitter (this was the guy that inspired me to start playing around on Censys)