nuclei-templates/ssl/c2/shadowpad-c2.yaml

id: shadowpad-c2

info:
  name: ShadowPad C2 Infrastructure - Detect
  author: pussycat0x
  severity: info
  description: |
    ShadowPad constitutes various plugins having specific functionality and the malware has the capability to “plug” or “unplug” these plugins at run-time in shellcode format. It can also load additional plugins dynamically from the C2 server when required.
  metadata:
    verified: "true"
    max-request: 1
    censys-query: services.tls.certificates.leaf_data.subject_dn="C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer"
  tags: ssl,tls,c2,ir,osint,malware,shadowpad
ssl:
  - address: "{{Host}}:{{Port}}"
    matchers:
      - type: word
        part: subject_dn
        words:
          - "CN=myServer, OU=mygroup, O=myorganization, L=mycity, ST=myprovince, C=CN"

    extractors:
      - type: json
        json:
          - ".subject_dn"
# digest: 4b0a0048304602210080a0e93344e0cac70d7cb7b9b281eceebba5241a354ad0019b7cee450e50dfb5022100f8b38076a771482ecea1f5f4fab9716ba1dfa0b9351bf2e5543354b01f46818d:922c64590222798bb761d5b6d8e72950
Add files via upload 2023-06-13 18:38:38 +00:00			`id: shadowpad-c2`

			`info:`
			`name: ShadowPad C2 Infrastructure - Detect`
			`author: pussycat0x`
			`severity: info`
			`description: \|`
			`ShadowPad constitutes various plugins having specific functionality and the malware has the capability to “plug” or “unplug” these plugins at run-time in shellcode format. It can also load additional plugins dynamically from the C2 server when required.`
			`metadata:`
TemplateMan Update [Wed Jun 21 21:03:53 UTC 2023] :robot: 2023-06-21 21:03:53 +00:00			`verified: "true"`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 1`
			`censys-query: services.tls.certificates.leaf_data.subject_dn="C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer"`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: ssl,tls,c2,ir,osint,malware,shadowpad`
Add files via upload 2023-06-13 18:38:38 +00:00			`ssl:`
			`- address: "{{Host}}:{{Port}}"`
			`matchers:`
			`- type: word`
			`part: subject_dn`
			`words:`
			`- "CN=myServer, OU=mygroup, O=myorganization, L=mycity, ST=myprovince, C=CN"`

			`extractors:`
			`- type: json`
			`json:`
			`- ".subject_dn"`
Auto Template Signing [Fri Jan 26 08:31:11 UTC 2024] :robot: 2024-01-26 08:31:11 +00:00			`# digest: 4b0a0048304602210080a0e93344e0cac70d7cb7b9b281eceebba5241a354ad0019b7cee450e50dfb5022100f8b38076a771482ecea1f5f4fab9716ba1dfa0b9351bf2e5543354b01f46818d:922c64590222798bb761d5b6d8e72950`