# Continuous C2 hunting with Censys, Shodan, Onyphe and TheHive

Censys, Shodan and Onyphe are great tools for C2 hunting.

- [Censys: Hunt For Threats](https://censys.io/how-we-help/hunt-for-threats)
- [Shodan: Finding the Command & Control Centers of Botnets across the Globe](https://malware-hunter.shodan.io/)

For example, this is a Censys query for hunting PANDA[^1] C2 servers.

[^1]: PANDA is used as a C2 of Android malware targeting Korea.

- [("PANDA" AND "SMAdmin" AND "layui")](https://censys.io/ipv4?q=%28%22PANDA%22+AND+%22SMAdmin%22+AND+%22layui%22%29)

![](https://i.imgur.com/9pw7S37.png)

The problem is IoC management. How do you tell which results are new?

There are several IoC management solutions: [MISP](https://www.misp-project.org/), [CRITs](https://crits.github.io/), [YETI](https://yeti-platform.github.io/), [TheHive](https://thehive-project.org/), etc. My first choice is **TheHive** because of its powerful IoC enrichment capabilities.

So I created a tool for continuous C2 hunting backed by TheHive.

- [ninoseki/mihari](https://github.com/ninoseki/mihari)

## How it works

- The tool runs a search on Shodan, Censys or Onyphe.
- It checks whether a TheHive instance already knows the search results (= IoCs).
- If not, it creates an alert on the TheHive instance.

![img](https://github.com/ninoseki/mihari/blob/master/screenshots/alert.png?raw=true)

## How to install

The tool is written in Ruby and packaged as a Ruby gem.

```bash
gem install mihari
```

## How to use

The tool provides simple CLI commands.

```bash
$ mihari
Commands:
  mihari censys [QUERY]    # Censys IPv4 lookup by a given query
  mihari help [COMMAND]    # Describe available commands or one specific command
  mihari import_from_json  # Give a JSON input via STDIN
  mihari onyphe [QUERY]    # Onyphe datascan lookup by a given query
  mihari shodan [QUERY]    # Shodan host lookup by a given query
```

For instance, let's track PANDA C2s.

```bash
$ mihari censys '("PANDA" AND "SMAdmin" AND "layui")'
A new alret is created.
(id: 15f8594409eebb79012f8e00a83c9765)
```

You can preview the alert.

![](https://i.imgur.com/pboyliS.png)

And then you can create a new case or merge the alert into a case.

![](https://i.imgur.com/dpZpADN.png)

You can monitor C2s continuously by running the command as a cron job.

If you need more complex operations, you can write a custom script.

```ruby
require "mihari"

module Mihari
  module Analyzers
    class Example < Base
      def title
        "example"
      end

      def description
        "example"
      end

      # run will look up these values in TheHive and raise an alert for the unknown ones
      def artifacts
        # it should return an array of IoCs
        complex_operations
      end

      private

      # Placeholder for your own logic (API calls, filtering, joins, ...);
      # the values below are constructed examples, not real C2 addresses.
      def complex_operations
        ["203.0.113.10", "203.0.113.25"]
      end
    end
  end
end

example = Mihari::Analyzers::Example.new
example.run
```

Isn't it nice? Enjoy happy hunting!
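As an added example (not part of the original post and not mihari's own code), here is the "How it works" loop written out in plain Ruby with no network access: a constructed result list stands in for a Censys/Shodan/Onyphe query, a small in-memory `KnownIocStore` stands in for the observables TheHive already knows, and `build_alert` produces a hash using field names assumed from TheHive's alert API (`title`, `description`, `type`, `source`, `sourceRef`, `artifacts` with `dataType`/`data`). It goes slightly beyond the post by classifying each IoC as an `ip` or a `domain`, since Shodan and Onyphe results can carry hostnames as well as addresses. All IP addresses and hostnames below are constructed placeholders.

```ruby
require "ipaddr"
require "set"
require "digest"

# Constructed search results standing in for a Censys/Shodan/Onyphe query.
# These are documentation/test ranges, not real C2 infrastructure.
def sample_search_results
  ["203.0.113.10", "203.0.113.25", "c2.example.test", "198.51.100.7", "203.0.113.25"]
end

# In-memory stand-in for TheHive's observable store (assumption: TheHive is
# queried by observable value; here that is a simple set lookup).
class KnownIocStore
  def initialize(known = [])
    @known = Set.new(known)
  end

  # true when TheHive already has an observable with this value
  def known?(value)
    @known.include?(value)
  end

  # Once an alert has been raised, its artifacts count as known
  def add(values)
    @known.merge(values)
  end
end

# Map an IoC string to a TheHive dataType: "ip" if it parses as an address,
# otherwise "domain" (hostnames such as c2.example.test).
def data_type_for(value)
  IPAddr.new(value)
  "ip"
rescue IPAddr::InvalidAddressError
  "domain"
end

# Keep only results TheHive does not know yet; drop duplicates, keep order
def new_iocs(results, store)
  results.uniq.reject { |value| store.known?(value) }
end

# Build an alert hash shaped like TheHive's alert API (field names assumed).
# Returns nil when there is nothing new, so no empty alerts are raised.
def build_alert(title, description, source, iocs)
  return nil if iocs.empty?

  {
    "title" => title,
    "description" => description,
    "type" => "c2-hunting",
    "source" => source,
    # sourceRef must be unique per alert; derive it from the artifact set
    "sourceRef" => Digest::SHA256.hexdigest(iocs.sort.join(","))[0, 16],
    "artifacts" => iocs.map { |v| { "dataType" => data_type_for(v), "data" => v } }
  }
end

# One hunting run: search -> diff against TheHive -> alert only on what is new
def hunt(results, store, title:, description:, source:)
  iocs = new_iocs(results, store)
  alert = build_alert(title, description, source, iocs)
  store.add(iocs) if alert
  alert
end

if __FILE__ == $PROGRAM_NAME
  # Pretend TheHive already knows one of the addresses from an earlier run
  store = KnownIocStore.new(["203.0.113.10"])
  first = hunt(sample_search_results, store,
               title: "PANDA C2", description: "Censys hit", source: "censys")
  puts "first run: #{first["artifacts"].map { |a| a["data"] }.inspect}"
  # Running the same search again (e.g. from cron) raises nothing new
  second = hunt(sample_search_results, store,
                title: "PANDA C2", description: "Censys hit", source: "censys")
  puts "second run: #{second.inspect}"
end
```

The two-run pattern at the bottom is the behaviour a cron schedule relies on: the first run alerts on the three unknown results, the second run returns `nil` because the store now knows them, so TheHive only sees an alert when the search surfaces something it has not already recorded.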