montysecurity / C2-Tracker

Live Feed of C2 servers, tools, and botnets
452 stars, 40 forks

Censys Discoveries #18

Open. corumir opened this issue 2 days ago

corumir commented 2 days ago

This repo from Threatfox covers a lot of malware hits if you are going to use Censys: https://github.com/censys-workshop/threatfox-censys/blob/main/fingerprints.yaml

I also like to search within their c2, remote-access, security-tool and network-administration labels.

Example: labels:c2 (https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=labels%3Ac2).

I do the same for their Service Names and Services.software.vendor tags.

I find it leads me to a lot of unnamed or lesser known malware/c2/panels.

montysecurity commented 2 days ago

Working on this, added 4 more from this

```json
{
    "Cobalt Strike C2": [
        "services.software.product=`Cobalt Strike`"
    ],
    "AsyncRAT": [
        "services.software.product=`AsyncRAT`"
    ],
    "Supershell C2": [
        "services.software.product=`Supershell`"
    ],
    "Hak5 Cloud C2": [
        "services.software.product=`Cloud C2`"
    ]
}
```
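As an added illustration (not code from C2-Tracker or from either commenter) of how a name-to-query mapping like the one above is used: the Python below validates each Censys query string's syntax, builds the hosts search URL in the same form as the `labels:c2` link in the thread, and merges per-query hit lists so a host returned by two fingerprints keeps both labels. The `FINGERPRINTS` dict, the `labels:c2` entry and the result IPs are constructed sample data; no network calls are made.

```python
import re
from collections import defaultdict
from urllib.parse import urlencode

# Same shape as the snippet above: fingerprint name -> list of Censys queries.
# The "Censys c2 label" entry is a constructed example using the label search from the thread.
FINGERPRINTS = {
    "Cobalt Strike C2": ["services.software.product=`Cobalt Strike`"],
    "AsyncRAT": ["services.software.product=`AsyncRAT`"],
    "Supershell C2": ["services.software.product=`Supershell`"],
    "Hak5 Cloud C2": ["services.software.product=`Cloud C2`"],
    "Censys c2 label": ["labels:c2"],
}

# Accept a backtick-quoted field match (field=`value`) or a bare field:value query (labels:c2).
QUERY_RE = re.compile(r"^[a-z_.]+(=`[^`]+`|:[A-Za-z0-9_.-]+)$")


def validate(fingerprints):
    """Return (name, query) pairs whose query does not match the expected syntax."""
    bad = []
    for name, queries in fingerprints.items():
        for q in queries:
            if not QUERY_RE.match(q):
                bad.append((name, q))
    return bad


def search_url(query, per_page=25):
    """Build the Censys hosts search URL in the same form as the link posted above."""
    params = {"resource": "hosts", "sort": "RELEVANCE", "per_page": per_page,
              "virtual_hosts": "EXCLUDE", "q": query}
    return "https://search.censys.io/search?" + urlencode(params)


def merge_hits(results, fingerprints=FINGERPRINTS):
    """results: {query: [ip, ...]} as collected per query (constructed by the caller).
    Returns {ip: sorted fingerprint names}, so one host hit by two queries keeps both."""
    name_for_query = {q: name for name, qs in fingerprints.items() for q in qs}
    merged = defaultdict(set)
    for query, ips in results.items():
        for ip in ips:
            merged[ip].add(name_for_query.get(query, "unmapped query"))
    return {ip: sorted(names) for ip, names in merged.items()}
```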