montysecurity / C2-Tracker

Live Feed of C2 servers, tools, and botnets
545 stars 57 forks source link
cybersecurity infosec osint shodan threat-hunting threat-intelligence

C2 Tracker

C2 Tracker is a free-to-use-community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware/botnet/C2 infrastructure.

Honorable Mentions

Many of the queries have been sourced from other CTI researchers:

Huge shoutout to them!

Thanks to BertJanCyber for creating the KQL query for ingesting this feed

And finally, thanks to Y_nexro for creating C2Live in order to visualize the data

Usage

The most recent collection will be stored in data/. The IPs are seperated by the name of the tool and there is an all.txt that contains all of the IPs. As it currently stands this feed updates weekly on Monday.

Ingestion/Alerting

Investigations/Historical Analysis

What do I track?

Running Locally

If you want to host a private version, put your Shodan API key in an environment variable called SHODAN_API_KEY, and setup your Censys credentials in CENSYS_API_ID & CENSYS_API_SECRET

python3 -m pip install -r requirements.txt
python3 tracker.py

Contributing

I encourage opening an issue/PR if you know of any additional Shodan/Censys searches for identifying adversary infrastructure. I will not set any hard guidelines around what can be submitted, just know, fidelity is paramount (high true/false positive ratio is the focus).

References