Michael Koczwara
Sep 16, 2021, 11 tweets, 4 min read
Red Team bad opsec part 2

Let's start with this legit-looking website

facilities-awareness.]com
13.249.22.]98

When you pay attention, you can spot one interesting detail here.

The website logo/name (Model/Remodel) does not match the URL: facilities-awareness.]com
According to Cisco Talos, the website is categorized as Real Estate.
Now let's find out more details about the domain

You can see three IP addresses, but let's focus only on 64.69.57.]212 and the 13.349.135.xx range
Now let's investigate this one

64.69.57.]212

Looks like we have found something interesting here
Cobalt Strike shellcode connecting to 64.69.57.]212
Let's grab the shellcode

app.any.run/tasks/921100ec…
Triage analysis

tria.ge/210916-qvphpsd…
Right, so we know that azuerlink.]net is a Cobalt Strike C2 (the other domains are Cobalt Strike C2s as well)

but what about facilities-awareness.]com?
and this is the beacon
Short summary
and this is the real Model Remodel website

https://modelremodel.]com


More from @MichalKoczwara

May 11, 2023
Let's continue with Brute Ratel C4 Hunting 🎯

Last time we started from a VT hash attributed to the badger implant, grabbed one JARM from the BRc4 C2 51.77.112.254 and combined it with the HTTP Response hash.

Today we will pivot from another Brute Ratel C4 JARM and we will find more… twitter.com/i/web/status/1…
Hunting process 🧪

From our previous rule, we need to find the HTTP headers hash first 👇

http.html_hash:182674321 ssl.jarm:3fd21b20d00000021c43d21b21b43de0a012c76cf078b8d06f4620c2286f5e

This is our 144518609 HTTP header hash 🔥 twitter.com/i/web/status/1…
Now let's combine this new HTTP header http.headers_hash:144518609 with the HTTP Response hash http.html_hash:182674321 and delete JARM from our rule

You should have something like this 👇

http.html_hash:182674321 http.headers_hash:144518609 <- new hunting rule 🎯

Results: 41… twitter.com/i/web/status/1…
Jan 2, 2023
Usually, I don't respond to the trolls and shitposters but for that one, I will make an exception.

"Wannabe hero" accused me of shaming the victims because I dumped TA history logs with scans and burnt a "juicy" source of information that had been accessible for months.
First of all, please go ahead and check the TA logs yourself

gist.github.com/MichaelKoczwar…
My responses:

The TA looks like a script kiddie who dumped tools from GitHub left and right and copied some commands without understanding what he is actually doing 🤦‍♂️
Sep 13, 2021
I had a look at another hosting provider, Reliablesite.]net, from the CS C2 104.194.10[.]21 to the C2 attributed to #CVE202140444

and it is full of CS C2s

shodan.io/search?query=o…

Sep 6, 2021
Cobalt Strike Hunting with @shodanhq

Default cert:

ssl.cert.serial:146473198

shodan.io/search?query=s…

Example:

shodan.io/host/155.138.2…

725 hits
Cobalt Strike Hunting

hash + port (FP filtering is required)

hash:-2007783223 port:"50050"

50050 is CS TeamServer port

shodan.io/search?query=h…

Example:
beta.shodan.io/host/155.138.2…

1357 hits
Cobalt Strike Hunting

JARM (FP filtering is required)

ssl.jarm:07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2

You can get other JARMs from here
github.com/carbonblack/ac…

Example:
shodan.io/host/18.167.1.…

1519 hits
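The two hunting workflows in these threads, the Brute Ratel C4 pivot from JARM + HTML hash to a JARM-free headers-hash rule and the Cobalt Strike cert serial / banner hash + port / JARM checks with their false-positive caveat, carried out offline over constructed Shodan-style records. This is an added example, not the thread author's tooling: the record layout, the 192.0.2.x hosts and the function names are assumptions, while the indicator values are the ones quoted in the threads.

```python
# Offline hunting over Shodan-style host records. Added example, not the
# thread author's tooling; indicator values are the ones quoted in the thread.
CS_JARM = "07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2"
CS_CERT_SERIAL = "146473198"           # default Cobalt Strike cert serial
CS_HASH, CS_PORT = -2007783223, 50050  # banner hash + TeamServer port
BRC4_JARM = "3fd21b20d00000021c43d21b21b43de0a012c76cf078b8d06f4620c2286f5e"
BRC4_HTML_HASH = 182674321
# Constructed sample records (not real hosts) shaped like Shodan JSON: a
# likely CS server, a single-indicator false positive, two BRc4-shaped hosts.
SAMPLE = [
    {"ip_str": "192.0.2.10", "port": 50050, "hash": CS_HASH,
     "ssl": {"jarm": CS_JARM, "cert": {"serial": CS_CERT_SERIAL}}},
    {"ip_str": "192.0.2.20", "port": 443, "hash": 1,
     "ssl": {"jarm": CS_JARM, "cert": {"serial": "1"}}},
    {"ip_str": "192.0.2.30", "port": 443, "ssl": {"jarm": BRC4_JARM},
     "http": {"html_hash": BRC4_HTML_HASH, "headers_hash": 144518609}},
    {"ip_str": "192.0.2.40", "port": 8443, "ssl": {"jarm": "0" * 62},
     "http": {"html_hash": BRC4_HTML_HASH, "headers_hash": 144518609}},
]

def _get(record, path):
    """Walk a dotted path such as 'ssl.cert.serial' through nested dicts."""
    cur = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def cs_indicators(record):
    """Names of the thread's Cobalt Strike indicators this record matches.
    Each alone is FP-prone, so require at least two before calling it a hit."""
    checks = {
        "default_cert": _get(record, "ssl.cert.serial") == CS_CERT_SERIAL,
        "hash_port": _get(record, "hash") == CS_HASH and _get(record, "port") == CS_PORT,
        "jarm": _get(record, "ssl.jarm") == CS_JARM,
    }
    return sorted(name for name, hit in checks.items() if hit)

def pivot_headers_hash(records, jarm=BRC4_JARM, html_hash=BRC4_HTML_HASH):
    """BRc4 pivot: headers hashes of hosts matching JARM + HTML hash."""
    return {_get(r, "http.headers_hash") for r in records
            if _get(r, "ssl.jarm") == jarm and _get(r, "http.html_hash") == html_hash
            and _get(r, "http.headers_hash") is not None}

def hunt_brc4(records, headers_hashes, html_hash=BRC4_HTML_HASH):
    """JARM-free rule from the thread: html_hash + headers_hash."""
    return [r["ip_str"] for r in records
            if _get(r, "http.html_hash") == html_hash
            and _get(r, "http.headers_hash") in headers_hashes]
```

The 192.0.2.40 host shows why the pivot matters: its JARM differs from the one the hunt started from, so only the JARM-free rule catches it.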
