An informal page for storing Censys/Shodan queries that have returned interesting results.
Including examples for -
- AsyncRAT, Solarmarker, Amadey, Quasar, Laplas, Sliver, Mythic, Qakbot + more
AsyncRAT - Common x509 Certificates
Hardcoded values in x509 certificates used for TLS communication.
services.tls.certificates.leaf_data.subject.common_name:"AsyncRAT Server" or services.tls.certificates.leaf_data.issuer.common_name:"AsyncRAT Server"
(Link)
Solarmarker/Jupyter - SSH Configuration Commonalities
Commonalities between ssh host key and running ports. Typically only ports 22 and 80. SSH host key is the primary piece here.
services:(ssh.server_host_key.fingerprint_sha256 = "c655bae831ca57a857b26d76a7c98a56a65d00fdab7d234a64addf8166e3cd09" and port = 22) and services:(service_name:HTTP and port:80) and not services.port:993
Qakbot (Possibly Pikabot) - Masquerading as Slack
Qakbot C2's masquerading as a slack-related site. It is also possible that this is Pikabot which uses similar tactics.
not dns.reverse_dns.names:* and services.http.response.html_title:"Slack is your productivity platform | Slack"
Cobalt Strike - Default Certificate Values
Very generic Cobalt strike indicators based on default certificate values. Likely very unsophisticated actors.
services.tls.certificates.leaf_data.issuer.common_name="Major Cobalt Strike"
(Link)services.tls.certificates.leaf_data.issuer.organization="cobaltstrike"
(Link)services.tls.certificates.leaf_data.issuer.organizational_unit="AdvancedPenTesting"
(Link)services.tls.certificates.leaf_data.subject.province="Cyberspace" and services.tls.certificates.leaf_data.subject.country="Earth"
(Link)ssl.cert.subject.cn:"Major Cobalt Strike"
(Link)ssl.cert.issuer.cn:"Major Cobalt Strike"
(Link)
Remcos - Re-Used SSH Host Key and Usage of Hestia Control Panel
At least two of these servers are related to Remcos rat. There is a re-used ssh host key that is also related to Jupyter/Solarmarker.
services:(ssh.server_host_key.fingerprint_sha256 = "c655bae831ca57a857b26d76a7c98a56a65d00fdab7d234a64addf8166e3cd09" and port = 22) and services:(http.response.html_title:hestia)
Amadey Bot - Re-used Certificate Values
Re-used CN name in TLS certificates, as well as unique and re-used HTTP response body containing Russian swear words. Full Analysis Here.
services.tls.certificates.leaf_data.subject.common_name:"desas.digital"
services.http.response.body_hash:"sha1:e084a66d16925abf43390c59d783f7a2fb49752d"
Quasar RAT - Re-used Certificate Values
Re-used CN name used in TLS certificates. Full Analysis Here.
services.tls.certificates.leaf_data.subject.common_name: "Quasar Server CA"
(Link)
Laplas Clipper - Re-used Certificate Values
Re-used CN name used in TLS certificates. Full Analysis here.
services.tls.certificates.leaf_data.subject.common_name:"Laplas.app" or services.tls.certificates.leaf_data.issuer.common_name:"Laplas.app"
- (Link)
Sliver C2 - Re-used Certificate Values
Re-used CN names in TLS certificates. Twitter Post
services:(tls.certificates.leaf_data.subject.common_name:multiplayer and tls.certificates.leaf_data.issuer.common_name:operators)
- (Link)
Mythic C2 - Default HTML Title + Default Favicon
Default HTML Titles, favicon hash and CN name.
(services.http.response.html_title="Mythic") or services.http.response.favicons.md5_hash="6be63470c32ef458926abb198356006c" or services.tls.certificates.leaf_data.subject.common_name="Mythic"
- (Link)
Viper Servers - Default String + Favicon Hash
Queries based on "Viper" string in html title and response. Not 100% sure what viper is.
A lot of Viper servers seem to have cobalt strike running on alternate ports.
http.html_hash:-1250764086
(Link)+http.title:"viper" +http.html:viper +"Content-Length: 69"
(Link)services.http.response.favicons.md5_hash="a7469955bff5e489d2270d9b389064e1"
(Link)services:(http.response.html_title:"Viper" and http.response.body:Viper and http.response.headers.content_length:69)
(Link)
Cobalt Strike - Ja3 + Empty Certificate Values
Overlapping ja3s and lack of issuer/common names in certificate.
Unconfirmed if all are cobalt strike but at least a few were sucessful hits.
services:(tls.ja3s:475c9302dc42b2751db9edcac3b74891 and tls.certificates.leaf_data.subject.common_name="" and tls.certificates.leaf_data.issuer.common_name="")
- (Link)
Open Directories - .exe files on port 8000
Open directories residing on port 8000 and containing at least one .exe file. Reasonable number of false positives, but a lot of interesting results. eg servers containing revshell.exe
and similar.
services:(http.response.html_title:"Directory Listing" and http.response.body:*.exe and port:8000) and not services.port:53 and not services.port:[10000 to 65535]
Open Directories - Referencing Netcat
Open directories containing references to netcat nc.exe
services.http.response.body:"nc.exe" or services.http.response.body:"ncat.exe"
Open Directories - Referencing Common Attack Tooling
Open Directories Containing references to attack tooling. procdump.exe
, nc.exe
, ngrok.exe
etc.
services.http.response.body:"procdump.exe" or services.http.response.body:"nc.exe" or services.http.response.body:"shell.exe" or services.http.response.body:"revshell.exe" or services.http.response.body:"cs.exe" or services.http.response.body:"chisel.exe" or services.http.response.body:"impacket" or services.http.response.body:ngrok.exe
Open Directories - Referencing Powershell Scripts
Open directories containing a file with .ps1
extension. Most of these contain suspicious Powershell scripts.
- (Any .ps1 script)
services:(http.response.body:*.ps1 and http.response.html_title:"Directory Listing" and banner:Python)
services:(http.response.html_title:"Directory Listing" and http.response.body:?.ps1)
(Single char .ps1 name)
Open Directories - Referencing Anydesk Remote Access Tooling
Open directories with references to Anydesk (remote access tooling). Typically in the form of anydesk.exe
or anydesk.bat
and coupled with other suspicious files.
services:((http.response.body:anydesk.*) and http.response.html_title:"Directory listing")
Open Directories - Short Executable Names
Open directories containing .exe
files with single or double character exe names.
services:(http.response.html_title:"Directory Listing" and http.response.body:??.exe)
services:(http.response.html_title:"Directory Listing" and http.response.body:?.exe)
Open Directories - Single Char Batch Scripts
Suspicious single-character .bat
files inside of open directories. eg 1.bat
services:(http.response.html_title:"Directory Listing" and http.response.body:?.bat)
Open Directories - Executable and Script Files
Open directories containing a .exe
file and at least one of .vbs,.ps1,.bat
. Mostly malicious.
services:(http.response.body:.exe and (http.response.body:.vbs or http.response.body:ps1 or http.response.body:.bat) and http.response.html_title:"Directory Listing")
ProtonVPN Behind Dynamic DNS - Observed in AsyncRAT
Dynamic dns resolving to protonVPN instances. Observed with AsyncRAT fresh03.ddns[.net]
resolving to (VPN) 46.166.182[.]34
. Difficult to confirm the nature of results as minimal services are running and port forwarding likely used.
services.tls.certificates.leaf_data.subject.common_name:*protonvpn.net and dns.names:*.ddns.net
WhiteSnake Stealer - Common Patterns in HTTP Response
Common patterns in http responses for WhiteSnake stealer control panels.
Original IP that inspired query is from RussianPanda's blog.
services:(http.response.body:DutchCoders and http.response.body:keybase and http.response.body:Virustotal)
Sign up for Embee Research
Malware Analysis and Threat Intelligence Research
No spam. Unsubscribe anytime.