C2 - Detection

2023-02-22 20:37:49 +05:30 · 2023-02-22 20:37:49 +05:30 · 895efa6121
parent 0f0da1670b
commit 895efa6121
3 changed files with 93 additions and 0 deletions
--- a/c2/covenant-c2.yaml
+++ b/c2/covenant-c2.yaml
@ -0,0 +1,31 @@
+id: covenant-c2
+
+info:
+  name: Covenant C2 -Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier,
+    and serve as a collaborative command and control platform for red teamers.
+  reference: |
+    https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
+  metadata:
+    verified: true
+    shodan-query: ssl:”Covenant” http.component:”Blazor”
+  tags: c2,ir,osint,covenant
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/covenantuser/login'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Covenant - Login'
+
+      - type: status
+        status:
+          - 200
--- a/c2/deimos-c2.yaml
+++ b/c2/deimos-c2.yaml
@ -0,0 +1,31 @@
+id: deimos-c2
+
+info:
+  name: Deimos C2 -Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    DeimosC2 is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods in order to control machines that have been compromised. DeimosC2 server and agents works on, and has been tested on, Windows, Darwin, and Linux.
+    It is entirely written in Golang with a front end written in Vue.js.
+  reference: |
+    https://twitter.com/MichalKoczwara/status/1551632627387473920
+  metadata:
+    verified: true
+    shodan-query: http.html_hash:-14029177
+  tags: c2,ir,osint,deimosc2
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/login'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Deimos C2'
+
+      - type: status
+        status:
+          - 200
--- a/c2/mythic-c2.yaml
+++ b/c2/mythic-c2.yaml
@ -0,0 +1,31 @@
+id: mythic-c2
+
+info:
+  name: Mythic C2 -Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    A cross-platform, post-exploit, red teaming framework built with python3, docker, docker-compose, and a web browser UI.
+    It's designed to provide a collaborative and user friendly interface for operators, managers, and reporting throughout red teaming.
+  reference: |
+    https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
+  metadata:
+    verified: "true"
+    shodan-query: 'ssl:Mythic port:7443'
+  tags: c2,ir,osint,mythic
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/new/login'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Mythic'
+
+      - type: status
+        status:
+          - 200