# Continuous C2 hunting with Censys, Shodan, Onyphe and TheHive
Censys, Shodan and Onyphe are great tools for C2 hunting.
- [Censys: Hunt For Threats](https://censys.io/how-we-help/hunt-for-threats)
- [Shodan: Finding the Command & Control Centers of Botnets across the Globe](https://malware-hunter.shodan.io/)
For example, here is a Censys query for hunting PANDA[^1] C2 servers.
- [("PANDA" AND "SMAdmin" AND "layui")](https://censys.io/ipv4?q=%28%22PANDA%22+AND+%22SMAdmin%22+AND+%22layui%22%29)
![](https://i.imgur.com/9pw7S37.png)
The problem is IoC management. How do you tell which result is new?
There are several IoC management solutions: [MISP](https://www.misp-project.org/), [CRITs](https://crits.github.io/), [YETI](https://yeti-platform.github.io/), [TheHive](https://thehive-project.org/), etc. My first choice is **TheHive** because of its powerful IoC enrichment capabilities.
So I created a tool for continuous C2 hunting backed by TheHive.
- [ninoseki/mihari](https://github.com/ninoseki/mihari)
## How it works
- The tool runs a search query on Shodan, Censys or Onyphe.
- It checks whether the TheHive instance already knows the search results (= IoCs).
- If not, it creates an alert on the TheHive instance.
![img](https://github.com/ninoseki/mihari/blob/master/screenshots/alert.png?raw=true)
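The three steps above, as an added example in plain Ruby (this is not mihari's own code and does not use the gem). TheHive is replaced by an in-memory stand-in, `FakeTheHive`, that remembers which observables it already knows; the query results and the known IoC are constructed sample data. The point to notice is that a run which finds only already-known C2s produces no alert at all, which is what makes the tool safe to run from cron.

```ruby
require "set"

# Classify a raw search result into a TheHive observable dataType.
# (Assumption: these are the dataType names TheHive uses for ip, domain,
# url and hash observables.)
def data_type_of(value)
  return "ip" if value.match?(/\A\d{1,3}(\.\d{1,3}){3}\z/)
  return "hash" if value.match?(/\A\h{32}\z|\A\h{40}\z|\A\h{64}\z/)
  return "url" if value.start_with?("http://", "https://")
  return "domain" if value.match?(/\A[a-z0-9.-]+\.[a-z]{2,}\z/i)
  "other"
end

# In-memory stand-in for a TheHive instance (hypothetical; the real tool
# talks to TheHive over its REST API). It holds the set of observables
# TheHive already knows and the alerts that have been raised.
class FakeTheHive
  attr_reader :alerts

  def initialize(known)
    @known = Set.new(known)
    @alerts = []
  end

  def knows?(value)
    @known.include?(value)
  end

  # Build an alert carrying one artifact per new IoC, and remember the
  # IoCs so the next run treats them as known.
  def create_alert(title, description, artifacts)
    alert = {
      "title" => title,
      "description" => description,
      "type" => "external",
      "source" => "mihari-example",
      "artifacts" => artifacts.map { |a| { "dataType" => data_type_of(a), "data" => a } }
    }
    @alerts << alert
    artifacts.each { |a| @known << a }
    alert
  end
end

# The hunting loop: drop duplicates and anything TheHive already knows,
# then raise a single alert for what is left. Returns nil when nothing
# is new, so a quiet run creates no noise in TheHive.
def hunt(hive, query, results)
  fresh = results.uniq.reject { |r| hive.knows?(r) }
  return nil if fresh.empty?
  hive.create_alert("C2 hunt: #{query}", "New results for query: #{query}", fresh)
end
```

A second `hunt` call with the same results returns `nil` because the first call taught the stand-in about the new observables; with a real TheHive instance that memory is the case/alert observable store, which is exactly why an IoC platform, rather than a flat file, is the right backend.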
## How to install
The tool is written in Ruby and packaged as a Ruby gem.
```bash
gem install mihari
```
## How to use
The tool provides simple CLI commands.
```bash
$ mihari
Commands:
mihari censys [QUERY] # Censys IPv4 lookup by a given query
mihari help [COMMAND] # Describe available commands or one specific command
mihari import_from_json # Give a JSON input via STDIN
mihari onyphe [QUERY] # Onyphe datascan lookup by a given query
mihari shodan [QUERY] # Shodan host lookup by a given query
```
For instance, let's track PANDA C2s.
```bash
$ mihari censys '("PANDA" AND "SMAdmin" AND "layui")'
A new alert is created. (id: 15f8594409eebb79012f8e00a83c9765)
```
You can preview the alert.
![](https://i.imgur.com/pboyliS.png)
And then you can create a new case or merge the alert into a case.
![](https://i.imgur.com/dpZpADN.png)
You can monitor C2s continuously by running it as a cron job.
If you need more complex operations, you can write a custom script.
```ruby
require "mihari"

module Mihari
  module Analyzers
    # A custom analyzer: subclass Base and implement title, description
    # and artifacts, then run it like the built-in Censys/Shodan/Onyphe ones.
    class Example < Base
      def title
        "example"
      end

      def description
        "example"
      end

      # Must return an array of IoCs (IP addresses, domains, hashes, ...)
      # that will be checked against TheHive.
      def artifacts
        complex_operations
      end

      private

      # Placeholder for your own logic, e.g. a search plus extra filtering.
      def complex_operations
        ["203.0.113.1", "example.com"]
      end
    end
  end
end

example = Mihari::Analyzers::Example.new
example.run
```
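What a "complex operation" inside `artifacts` might look like, as an added example that is not part of mihari. It parses a constructed response shaped loosely like a Censys IPv4 search result (the field names `results`, `ip`, `protocols` and `title` are illustrative, not the API's exact schema), keeps only hits whose banner title carries the PANDA marker, rejects malformed addresses, and drops private or reserved ranges so a misconfigured search never raises an alert on an internal host. The returned array is what a custom analyzer's `artifacts` method would hand back to mihari.

```ruby
require "ipaddr"
require "json"

# Constructed sample data, not a real Censys response.
SAMPLE_RESPONSE = <<~JSON
  {
    "results": [
      { "ip": "203.0.113.10", "protocols": ["80/http", "443/https"], "title": "PANDA SMAdmin" },
      { "ip": "10.0.0.5",     "protocols": ["80/http"],              "title": "PANDA SMAdmin" },
      { "ip": "198.51.100.7", "protocols": ["8080/http"],            "title": "nginx default" },
      { "ip": "203.0.113.10", "protocols": ["443/https"],            "title": "PANDA SMAdmin" },
      { "ip": "not-an-ip",    "protocols": [],                       "title": "PANDA SMAdmin" }
    ]
  }
JSON

# Address ranges a C2 hunt should never report: private, loopback,
# link-local and the "this network" block.
BOGON_NETS = [
  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
  "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8"
].map { |cidr| IPAddr.new(cidr) }.freeze

def bogon?(addr)
  BOGON_NETS.any? { |net| net.include?(addr) }
end

# Extract IoCs from the raw JSON: filter on the banner marker, validate
# each address, drop bogons, and return unique IP strings.
def extract_artifacts(raw_json, marker: "PANDA")
  hits = JSON.parse(raw_json).fetch("results", [])
  hits.map do |hit|
    next unless hit["title"].to_s.include?(marker)
    begin
      addr = IPAddr.new(hit["ip"])
    rescue IPAddr::InvalidAddressError
      next # malformed address in the result set, skip it
    end
    next if bogon?(addr)
    addr.to_s
  end.compact.uniq
end
```

In a custom analyzer the `artifacts` method would simply return `extract_artifacts(response_body)`; everything else (checking TheHive and raising the alert) is the tool's job.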
Isn't it nice? Enjoy happy hunting!
[^1]: PANDA is used as a C2 of Android malware targeting Korea.