Cobalt Strike Hunting with @shodanhq

Default cert:

ssl.cert.serial:146473198

shodan.io/search?query=s…

example

shodan.io/host/155.138.2…

725 hits
Cobalt Strike Hunting

hash + port (FP filtering is required)

hash:-2007783223 port:"50050"

50050 is the CS TeamServer port

shodan.io/search?query=h…

example:
beta.shodan.io/host/155.138.2…

1357 hits
Cobalt Strike Hunting

JARM (FP filtering is required)

ssl.jarm:07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2

You can get other JARMs from here
github.com/carbonblack/ac…

example
shodan.io/host/18.167.1.…

1519 hits
Cobalt Strike Hunting

Let's quickly analyse this one

shodan.io/host/18.167.1.…

HTTP/1.1 404 Not Found
Date: Mon, 6 Sep 2021 17:00:39 GMT
Content-Type: text/plain
Content-Length: 0

Typical characteristics of Cobalt Strike
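As an added illustration (not part of the original thread, and not Shodan's or the author's code), here is a small Python triage helper that builds the three Shodan pivots quoted above and applies the kind of false-positive filtering the thread says is required: a host is only kept when it matches more than one indicator, and the bare 404 banner is checked against the exact shape shown in the thread. The record field names (`ip_str`, `port`, `data`, `ssl.cert.serial`, `ssl.jarm`) are an assumption that mirrors the layout of Shodan's banner JSON; the sample records, the TEST-NET addresses (192.0.2.0/24) and the nginx banner are constructed, while the Cobalt Strike 404 sample is the one reproduced in the thread.

```python
"""Added example: turn the thread's Shodan pivots into a small triage script.

The certificate serial, banner hash, port and JARM are the values quoted in
the thread; everything else is an assumption or constructed sample data.
"""
from __future__ import annotations

# Pivots quoted in the thread.
DEFAULT_CERT_SERIAL = "146473198"
BANNER_HASH = -2007783223
TEAMSERVER_PORT = 50050
JARM = "07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2"


def build_queries() -> dict[str, str]:
    """Return the three Shodan search strings used in the thread."""
    return {
        "default_cert": f"ssl.cert.serial:{DEFAULT_CERT_SERIAL}",
        "hash_port": f'hash:{BANNER_HASH} port:"{TEAMSERVER_PORT}"',
        "jarm": f"ssl.jarm:{JARM}",
    }


def parse_http_banner(banner: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response banner into its status line and lower-cased headers."""
    lines = banner.strip().splitlines()
    status = lines[0].strip() if lines else ""
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def matches_cs_default_404(banner: str) -> bool:
    """True when the banner has exactly the shape of the 404 shown in the thread.

    Heuristic: a bare 'HTTP/1.1 404 Not Found' carrying only Date,
    Content-Type text/plain and Content-Length 0, with no Server header.
    """
    status, headers = parse_http_banner(banner)
    return (
        status == "HTTP/1.1 404 Not Found"
        and set(headers) == {"date", "content-type", "content-length"}
        and headers["content-type"] == "text/plain"
        and headers["content-length"] == "0"
    )


def host_indicators(record: dict) -> list[str]:
    """List which of the thread's indicators one banner record matches.

    Assumption: the record follows Shodan's banner JSON layout
    (ip_str, port, data, ssl.cert.serial, ssl.jarm).
    """
    hits: list[str] = []
    ssl = record.get("ssl") or {}
    if str((ssl.get("cert") or {}).get("serial")) == DEFAULT_CERT_SERIAL:
        hits.append("default_cert_serial")
    if ssl.get("jarm") == JARM:
        hits.append("jarm")
    if record.get("port") == TEAMSERVER_PORT:
        hits.append("teamserver_port")
    if matches_cs_default_404(record.get("data", "")):
        hits.append("default_404_banner")
    return hits


def triage(records: list[dict], min_indicators: int = 2) -> dict[str, list[str]]:
    """Keep only hosts that match at least min_indicators pivots (FP filtering)."""
    kept: dict[str, list[str]] = {}
    for record in records:
        hits = host_indicators(record)
        if len(hits) >= min_indicators:
            kept[record["ip_str"]] = hits
    return kept


# Constructed sample data (TEST-NET addresses, not real hosts).
SAMPLE_CS_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 6 Sep 2021 17:00:39 GMT\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_NGINX_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx\r\n"
    "Date: Mon, 6 Sep 2021 17:00:39 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 153\r\n\r\n"
)
SAMPLE_RECORDS = [
    {"ip_str": "192.0.2.10", "port": 50050, "data": SAMPLE_CS_404,
     "ssl": {"cert": {"serial": DEFAULT_CERT_SERIAL}, "jarm": JARM}},
    # Same JARM but an ordinary web server behind it: a lone JARM hit is not enough.
    {"ip_str": "192.0.2.20", "port": 443, "data": SAMPLE_NGINX_404,
     "ssl": {"jarm": JARM}},
    # Something else listening on 50050: the port alone is not enough either.
    {"ip_str": "192.0.2.30", "port": 50050, "data": "SSH-2.0-OpenSSH_8.4\r\n"},
]

if __name__ == "__main__":
    for name, query in build_queries().items():
        print(f"{name:13} {query}")
    for ip, hits in triage(SAMPLE_RECORDS).items():
        print(ip, "->", ", ".join(hits))
```

Running it prints the three queries and keeps only 192.0.2.10, which matches all four indicators; the JARM-only and port-only hosts are dropped, which is the point of the "FP filtering is required" remark: each pivot on its own also matches legitimate Java TLS stacks or unrelated services on 50050, so corroborate with a second indicator (or the Nmap beacon-config scan the thread uses next) before calling a host a C2.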
Cobalt Strike Hunting

I scanned the suspicious server with the Nmap script from @notwhickey

github.com/whickey-r7/gra…

C2 updata.flash-tool.]ml

From the scan results we can find out info about the beacon config, such as where the shellcode would spawn, the watermark, the beacon time, etc.
From here you can pivot into VT for additional info.

virustotal.com/gui/file/90f67…


More from @MichalKoczwara

16 Sep
Red Team bad opsec part 2

Let's start with this legit-looking website

facilities-awareness.]com
13.249.22.]98

When you pay attention you can spot one interesting detail here.

The website logo/name (Model/Remodel) is not matching with URL: facilities-awareness.]com
According to Cisco Talos website is categorized as Real Estate.
Now let's find out more details about the domain

You can see three IP addresses but let's focus only on 64.69.57.]212 and 13.349.135.xx range
13 Sep
I had a look at another hosting provider Reliablesite.]net from CS C2 104.194.10[.]21 to C2 attributed to #CVE202140444

and it is full of CS C2s

shodan.io/search?query=o…

45.58.124.98 xisiyi.]com
104.194.10.61 kelowuh.]com
104.194.9.236 zosohev.]com

Watermarks: 1580103814
209.222.101.]21 lajipil.]com
104.243.45.]141 radezig.]com
209.222.98.]45 exrap.]com
104.243.32.]108 hulixo.]com
199.127.61.]201 yiyuro.]com
45.58.127.]226 mezugen.]com
45.126.211.]2 hubojo.]com
104.243.34.]215 tubaho.]com
103.195.101.]89 nefida.]com
209.222.97.]3 xegogiv.]com
45.58.113.]178 viwiba.]com
206.221.176.]130 mubuwu.]com
104.243.33.]7 wiwege.]com
199.127.60.]67 zipflag.]com
104.194.8.]164 repdot.]com
209.222.98.]168 lozobo.]com
104.243.40.]249 xicozeh.]com
103.195.100.]89 koviluk.]com
185.150.190.]154 badiwaw.]com
104.243.37.]7 dipadux.]com