id: shadowpad-c2 info: name: ShadowPad C2 Infrastructure - Detect author: pussycat0x severity: info description: | ShadowPad constitutes various plugins having specific functionality and the malware has the capability to “plug” or “unplug” these plugins at run-time in shellcode format. It can also load additional plugins dynamically from the C2 server when required. metadata: verified: "true" max-request: 1 censys-query: services.tls.certificates.leaf_data.subject_dn="C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer" tags: c2,ir,osint,malware,ssl,shadowpad ssl: - address: "{{Host}}:{{Port}}" matchers: - type: word part: subject_dn words: - "CN=myServer, OU=mygroup, O=myorganization, L=mycity, ST=myprovince, C=CN" extractors: - type: json json: - ".subject_dn" # digest: 4b0a00483046022100801d0eac57dcaea6ead9f73ae87df1ddae1d10af44cef83c7cf9aa1df301a218022100ec2cb944a664e3edc37a2c57cfb4e0a80f7086017b5f2b9c2bdd934b542f87b5:922c64590222798bb761d5b6d8e72950