Death by a thousand PaperCuts, China's APT41 uses new tricks to skirt EDR, and a pair of no-patch vulnerabilities take the front page in this week's newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023
The #PaperCut vulnerability continues to garner interest, with Iran's Mint Sandstorm (formerly #PHOSPHORUS) and Mango Sandstorm (formerly #MERCURY) seen using it opportunistically. A completely new exploit chain demo'd by VulnCheck researchers highlights the limitations of relying on detection rules for assurance, and why patching is a must.
Earth Longzhi, a subset of the Chinese #APT41 threat group, has emerged after months in the shadows with new techniques seen in recent campaigns: using Windows #Defender to side-load malware, the BYOVD technique to kill #EDR processes, and a newly discovered technique called "stack rumbling" to ensure the killed processes can't recover. This one is definitely one to check out.
Fortinet have warned of a wave of mass exploitation in late April of a 5-year-old vulnerability that has no patch, while #Cisco reveal a CVSS 9.8 vulnerability they have no plans to patch in their End-of-Support #VoIP phone adapters.
There's a bunch of great write-ups for those in the #redteam, looking at bypassing WAF protections by running tools like SQLMap over #Tor, how to minimise the size of your #XSS payloads, and highlighting a bunch of lab/CTF-style environments to cut your teeth on Azure, AWS, Kubernetes, and more.
The #blueteam can brush up on commonly abused misconfigurations in Active Directory, #AzureAD, and #Microsoft365, as well as some excellent tips on hunting the open-source PoshC2, DeimosC2, and Havoc C2 frameworks using #Shodan and #Censys.
Elastic Labs have also outdone themselves last week, releasing a suite of tools to decrypt, decompress, recompile, extract and/or parse various malware payloads distributed in recent #IcedID campaigns.
There's lots to dig through before starting your work week, so get started here:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023
#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #exploitation #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #MangoSandstorm #MintSandstorm #Iran #EarthLongzhi #StackRumbling #clop #PoC #exploit #securityresearch #BYOVD #AWS #Azure #Kubernetes #GCP #PoshC2 #DeimosC2 #HavocC2