id: shadowpad-c2

info:
  name: ShadowPad C2 Infrastructure - Detect
  author: pussycat0x
  severity: info
  description: |
    ShadowPad constitutes various plugins having specific functionality and the malware has the capability to “plug” or “unplug” these plugins at run-time in shellcode format. It can also load additional plugins dynamically from the C2 server when required.
  metadata:
    censys-query: services.tls.certificates.leaf_data.subject_dn="C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer"
    max-request: 1
    verified: "true"
  tags: c2,ir,osint,malware

ssl:
  - address: "{{Host}}:{{Port}}"

    matchers:
      - type: word
        part: subject_dn
        words:
          - "CN=myServer, OU=mygroup, O=myorganization, L=mycity, ST=myprovince, C=CN"

    extractors:
      - type: json
        json:
          - ".subject_dn"