Michael Koczwara
Threat Researcher 🎯 @Intel_Ops_io
May 11, 2023
Let's continue with Brute Ratel C4 Hunting 🎯

Last time we started from a VT hash attributed to the badger implant, grabbed one JARM from the BRc4 C2 51.77.112.254 and combined it with the HTTP response hash.

Today we will pivot from another Brute Ratel C4 JARM and we will find more… twitter.com/i/web/status/1…

Hunting process 🧪

From our previous rule, we need to find the HTTP headers hash first 👇

http.html_hash:182674321 ssl.jarm:3fd21b20d00000021c43d21b21b43de0a012c76cf078b8d06f4620c2286f5e

This is our 144518609 HTTP header hash 🔥 twitter.com/i/web/status/1…
Jan 2, 2023
Usually, I don't respond to the trolls and shitposters but for that one, I will make an exception.

A "wannabe hero" accused me of shaming the victims because I dumped TA history logs with scans and burnt a "juicy" source of information that had been accessible for months. First of all, please go ahead and check the TA logs yourself:

gist.github.com/MichaelKoczwar…
Sep 16, 2021
Red Team bad opsec part 2

Let's start with this legit-looking website

facilities-awareness[.]com
13.249.22[.]98

When you pay attention, you can spot one interesting detail here.

The website logo/name (Model/Remodel) does not match the URL facilities-awareness[.]com. According to Cisco Talos, the website is categorized as Real Estate.
Sep 13, 2021
I had a look at another hosting provider, Reliablesite[.]net, from the CS C2 104.194.10[.]21 to a C2 attributed to #CVE202140444

and it is full of CS C2s

shodan.io/search?query=o…

45.58.124.98 xisiyi[.]com
104.194.10.61 kelowuh[.]com
104.194.9.236 zosohev[.]com

Watermarks: 1580103814
Sep 6, 2021
Cobalt Strike Hunting with @shodanhq

Default cert:

ssl.cert.serial:146473198

shodan.io/search?query=s…

example:

shodan.io/host/155.138.2…

725 hits

Cobalt Strike Hunting

hash + port (FP filtering is required)

hash:-2007783223 port:"50050"

50050 is CS TeamServer port

shodan.io/search?query=h…

example:
beta.shodan.io/host/155.138.2…

1357 hits
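The http.html_hash pivot in the BRc4 thread at the top and the hash: banner filter in the Cobalt Strike query above both rest on Shodan's 32-bit MurmurHash3 fingerprints. The following is an added example, not code from the thread: it reimplements that hash in pure Python, builds the combined hash + JARM query in the same form the thread uses, and applies the same two-fingerprint match offline to constructed host records. It assumes Shodan computes MurmurHash3 x86_32 with seed 0 over the raw body or banner and reports the signed value; the function names, host records and page body are invented, and only the JARM is taken from the thread.

```python
# Added example (not the thread's own code). Assumption: Shodan's hash: and
# http.html_hash: filters are MurmurHash3 x86_32 (seed 0) of the raw banner /
# HTML body, reported as a signed 32-bit integer.
def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """Reference MurmurHash3 x86_32; returns the unsigned 32-bit digest."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h1 = seed & mask
    n_blocks = len(data) // 4
    for i in range(n_blocks):                      # 4-byte body blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask      # rotl32(k1, 15)
        k1 = (k1 * c2) & mask
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & mask      # rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & mask
    tail = data[4 * n_blocks:]                     # 0-3 trailing bytes
    k1 = int.from_bytes(tail, "little")            # empty tail -> 0, harmless
    k1 = (k1 * c1) & mask
    k1 = ((k1 << 15) | (k1 >> 17)) & mask
    k1 = (k1 * c2) & mask
    h1 ^= k1 ^ len(data)                           # fold tail, then length
    h1 ^= h1 >> 16                                 # fmix32 finaliser
    h1 = (h1 * 0x85EBCA6B) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & mask
    return h1 ^ (h1 >> 16)

def shodan_hash(data: bytes) -> int:
    """Signed form, as Shodan prints it (e.g. hash:-2007783223 above)."""
    h = murmurhash3_x86_32(data)
    return h - (1 << 32) if h & 0x80000000 else h

def pivot_query(html_hash: int, jarm: str) -> str:
    """Pair two independent fingerprints so one hash alone does not drive the hunt."""
    return f"http.html_hash:{html_hash} ssl.jarm:{jarm}"

def match_hosts(hosts: list, html_hash: int, jarm: str) -> list:
    """The same pivot applied offline to host records a scanner already collected."""
    return [h["ip"] for h in hosts if h["html_hash"] == html_hash and h["jarm"] == jarm]

# Constructed sample data (RFC 5737 addresses, invented body; JARM is the BRc4
# value quoted above). .11 shares only the page, .12 only the JARM: neither matches.
C2_BODY = b"<html><body>It works!</body></html>"
C2_JARM = "3fd21b20d00000021c43d21b21b43de0a012c76cf078b8d06f4620c2286f5e"
HOSTS = [
    {"ip": "203.0.113.10", "html_hash": shodan_hash(C2_BODY), "jarm": C2_JARM},
    {"ip": "203.0.113.11", "html_hash": shodan_hash(C2_BODY), "jarm": "0" * 62},
    {"ip": "203.0.113.12", "html_hash": shodan_hash(b"<html>other</html>"), "jarm": C2_JARM},
]
```

Running `match_hosts(HOSTS, shodan_hash(C2_BODY), C2_JARM)` returns only `['203.0.113.10']`, which is the false-positive filtering the thread asks for: a shared page or a shared TLS stack on its own is not enough.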