montysecurity/C2-Tracker

GitHub: montysecurity/C2-Tracker

A free, community-driven IOC feed of C2 and botnet infrastructure built from Shodan searches, updated weekly, with SIEM integration.

Stars: 751 | Forks: 74

# C2 Tracker

C2 Tracker is a free, community-driven IOC feed that uses [Shodan](https://www.shodan.io/) ~~and [Censys](https://search.censys.io/)~~ searches to collect the IP addresses of known malware/botnet/C2 infrastructure.

## Special thanks

Many of the queries come from other CTI researchers:

- [BushidoToken](https://twitter.com/BushidoToken)
- [Michael Koczwara](https://twitter.com/MichalKoczwara)
- [ViriBack](https://twitter.com/ViriBack)
- [Gi7W0rm](https://twitter.com/Gi7w0rm)
- [Glacius_](https://twitter.com/Glacius_)
- [corumir](https://github.com/corumir)
- [salmanvsf](https://x.com/salmanvsf)
- [SecurityJosh](https://github.com/SecurityJosh)

Many thanks to them!

Thanks to [BertJanCyber](https://twitter.com/BertJanCyber) for creating the [KQL query](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Threat%20Hunting/TI%20Feed%20-%20MontySecurity%20C2%20Tracker%20All%20IPs.md) for ingesting this feed.

Finally, thanks to [Y_nexro](https://twitter.com/Y_NeXRo) for creating [C2Live](https://github.com/YoNixNeXRo/C2Live), which visualises the data, and the website version at [c2tracker.com](https://c2tracker.com).

## Usage

The latest collected data is stored in `data/`. IPs are grouped into one file per tool name, and there is also an `all.txt` file containing every IP. The feed is currently updated every Monday.

### Ingestion / Alerting

- If your SIEM/EDR/TIP can ingest data from a remote source, you can point it at the raw-text files directly. See BertJanCyber's KQL query above for an example.
- FortiSIEM 7.2.0 added support for this threat feed: `https://docs.fortinet.com/document/fortisiem/7.2.0/release-notes/553241/whats-new-in-7-2-0`

Because the indicators are Shodan search results rather than confirmed sightings, treat a match as a lead to triage rather than an automatic block decision; the contribution rule below exists precisely because false positives are the main risk of a feed like this.

### Investigation / Historical analysis

- The repository is inherently version controlled, which means you can search its history to see when an IP appeared in (or dropped out of) the results. I have used another of my public tools, [GitHub Repo OSINT Tool](https://github.com/montysecurity/GROT), for this.
- There is an OpenCTI connector for this project, available [here](https://github.com/OpenCTI-Platform/connectors/tree/master/external-import/montysecurity-c2-tracker). It is not recommended for use in production.

## What do I track?
- C2's
  - [Cobalt Strike](https://www.cobaltstrike.com/)
  - [Metasploit Framework](https://www.metasploit.com/)
  - [Covenant](https://github.com/cobbr/Covenant)
  - [Mythic](https://github.com/its-a-feature/Mythic)
  - [Brute Ratel C4](https://bruteratel.com/)
  - [Posh](https://github.com/nettitude/PoshC2)
  - [Sliver](https://github.com/BishopFox/sliver)
  - [Deimos](https://github.com/DeimosC2/DeimosC2)
  - PANDA
  - [NimPlant C2](https://github.com/chvancooten/NimPlant)
  - [Havoc C2](https://github.com/HavocFramework/Havoc)
  - [Caldera](https://caldera.mitre.org/)
  - [Empire](https://github.com/EmpireProject/Empire)
  - [Ares](https://github.com/sweetsoftware/Ares)
  - [Hak5 Cloud C2](https://shop.hak5.org/products/c2)
  - [Pantegana](https://github.com/cassanof/pantegana)
  - [Supershell](https://github.com/tdragon6/Supershell/tree/main)
  - [Vshell](https://github.com/veo/vshell)
  - [Villain](https://github.com/t3l3machus/Villain)
  - [RedGuard C2](https://github.com/wikiZ/RedGuard/tree/main)
  - Oyster C2
  - [byob C2](https://github.com/malwaredllc/byob)
- Malware
  - AcidRain Stealer
  - Misha Stealer (AKA Grand Misha)
  - Patriot Stealer
  - RAXNET Bitcoin Stealer
  - Titan Stealer
  - Collector Stealer
  - [Mystic Stealer](https://twitter.com/_montysecurity/status/1643164749599834112)
  - [Gotham Stealer](https://twitter.com/FalconFeedsio/status/1705765083429863720)
  - [Meduza Stealer](https://twitter.com/g0njxa/status/1717563999984717991?t=rcVyVA2zwgJtHN5jz4wy7A&s=19)
  - Quasar RAT
  - ShadowPad
  - AsyncRAT
  - DcRat
  - BitRAT
  - DarkComet Trojan
  - XtremeRAT Trojan
  - NanoCore RAT Trojan
  - Gh0st RAT Trojan
  - DarkTrack RAT Trojan
  - njRAT Trojan
  - Remcos Pro RAT Trojan
  - Poison Ivy Trojan
  - Orcus RAT Trojan
  - ZeroAccess Trojan
  - HOOKBOT Trojan
  - [RisePro Stealer](https://github.com/noke6262/RisePro-Stealer)
  - NetBus Trojan
  - Bandit Stealer
  - Mint Stealer
  - Mekotio Trojan
  - Gozi Trojan
  - Atlandida Stealer
  - VenomRAT
  - Orcus RAT
  - BlackDolphin
  - Artemis RAT
  - Godzilla Loader
  - Jinx Loader
  - Netpune Loader
  - [SpyAgent](https://www.deepinstinct.com/blog/the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk)
  - [SpiceRAT](https://hunt.io/blog/the-secret-ingredient-unearthing-suspected-spicerat-infrastructure-via-html-response)
  - Dust RAT
  - Pupy RAT
  - Atomic Stealer
  - Lumma Stealer
  - Serpent Stealer
  - Axile Stealer
  - Vector Stealer
  - Z3us Stealer
  - Rastro Stealer
  - Darkeye Stealer
  - Agniane Stealer
  - Epsilon Stealer
  - Bahamut Stealer
  - [Unam Web Panel](https://github.com/UnamSanctam/UnamWebPanel) / SilentCryptoMiner
  - Vidar Stealer
  - Kraken RAT
  - Bumblebee Loader
  - Viper RAT
  - Spectre Stealer
  - Sectop RAT
- Tools
  - [XMRig Monero Cryptominer](https://xmrig.com/)
  - [GoPhish](https://getgophish.com/)
  - [Browser Exploitation Framework (BeEF)](https://github.com/beefproject/beef)
  - [BurpSuite](https://portswigger.net/burp)
  - [Hashcat](https://hashcat.net/hashcat/)
  - [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
  - [EvilGoPhish](https://github.com/fin3ss3g0d/evilgophish)
  - [EvilGinx](https://github.com/kgretzky/evilginx2)
- Botnets
  - [7777](https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd)
  - [BlackNET](https://github.com/suriya73/BlackNET)
  - Doxerina
  - Scarab
  - [63256](https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router)
  - Kaiji
  - MooBot
  - Mozi

## Running locally

If you want to host a private version, put your Shodan API key in an environment variable named `SHODAN_API_KEY` and your Censys credentials in `CENSYS_API_ID` and `CENSYS_API_SECRET`.

```
python3 -m pip install -r requirements.txt
python3 tracker.py
```

## Contributing

If you know of any additional Shodan/Censys searches for identifying adversary infrastructure, I encourage you to open an Issue or PR. I will not set strict contribution guidelines, but keep in mind that **precision is paramount** (aim for a high true-positive to false-positive ratio).

## References

- [Hunting C2 with Shodan by Michael Koczwara](https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f)
- [Hunting Cobalt Strike C2 with Shodan by Michael Koczwara](https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2)
- [https://twitter.com/MichalKoczwara/status/1591750513238118401?cxt=HHwWgsDUiZGqhJcsAAAA](https://twitter.com/MichalKoczwara/status/1591750513238118401?cxt=HHwWgsDUiZGqhJcsAAAA)
- BushidoToken's [OSINT-SearchOperators](https://github.com/BushidoUK/OSINT-SearchOperators/blob/main/ShodanAdversaryInfa.md)
- [https://twitter.com/MichalKoczwara/status/1641119242618650653](https://twitter.com/MichalKoczwara/status/1641119242618650653)
- [https://twitter.com/MichalKoczwara/status/1641676761283850241](https://twitter.com/MichalKoczwara/status/1641676761283850241)
- [https://twitter.com/_montysecurity/status/1643164749599834112](https://twitter.com/_montysecurity/status/1643164749599834112)
- [https://twitter.com/ViriBack/status/1713714868564394336](https://twitter.com/ViriBack/status/1713714868564394336)
- [https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd](https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd)
- [https://twitter.com/Glacius_/status/1731699013873799209](https://twitter.com/Glacius_/status/1731699013873799209)
- [https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router](https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router)
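As an added example for the Ingestion / Alerting and Investigation sections above (this is not code from the C2-Tracker project), the following Python script shows the minimum a setup without a SIEM needs: load per-tool feed files in the one-IP-per-line layout the README describes, build an IP-to-tool index, and scan log lines for matches. The feed contents, log lines and the set of tool names are constructed sample data in documentation address ranges, not real indicators. The `history_command` helper is an assumed wrapper around `git log -S`, not something the project ships.

```python
"""Match log lines against a C2 Tracker-style IOC feed.

Added example for this page, not code from montysecurity/C2-Tracker. It assumes
only the layout the README describes: one IP address per line in data/<tool>.txt
and a union of them in data/all.txt. Feed contents and log lines below are
constructed sample data in documentation address ranges, not real indicators.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed stand-ins for data/<tool>.txt. In practice read the raw files
# from a clone (or the raw GitHub URLs) into a dict shaped like this one.
SAMPLE_FEED_FILES = {
    "Cobalt Strike": "203.0.113.10\n203.0.113.11\n198.51.100.7 \n\n",
    "Sliver": "198.51.100.7\n192.0.2.44\n999.1.1.1\n",  # last entry is malformed on purpose
    "Havoc C2": "2001:DB8:C2::1\n",                     # upper-case, to show canonicalisation
}

# Constructed log lines in a generic key=value firewall/DNS/proxy style.
SAMPLE_LOGS = [
    "2024-05-06T10:01:02Z fw allow src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp",
    "2024-05-06T10:01:09Z fw allow src=10.0.0.7 dst=192.0.2.200 dport=443 proto=tcp",
    "2024-05-06T10:02:30Z dns answer qname=cdn.example answer=198.51.100.7 ttl=60",
    "2024-05-06T10:03:11Z proxy CONNECT 192.0.2.44:8443 user=jdoe status=200",
    "2024-05-06T10:04:45Z fw allow src=10.0.0.9 dst=[2001:db8:c2::1]:443 proto=tcp",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_TOKEN_RE = re.compile(r"[0-9A-Fa-f:]+")  # IPv6 candidates; validated below


def normalize(candidate):
    """Canonical string form of an IP address (lower-case, compressed IPv6), or None."""
    try:
        return str(ipaddress.ip_address(candidate.strip()))
    except ValueError:
        return None


def parse_feed(text):
    """Parse one feed file (one address per line) into a set of canonical IPs.
    Blank lines, surrounding whitespace and malformed entries are skipped."""
    ips = set()
    for line in text.splitlines():
        ip = normalize(line)
        if ip:
            ips.add(ip)
    return ips


def build_index(feed_files):
    """Map each indicator to the set of tool names whose file lists it.
    One IP can appear under several tools (a host running two frameworks)."""
    index = defaultdict(set)
    for tool, text in feed_files.items():
        for ip in parse_feed(text):
            index[ip].add(tool)
    return dict(index)


def extract_ips(line):
    """IPv4 and IPv6 addresses found in a free-form log line, in order, deduplicated.
    Host:port forms such as 192.0.2.44:8443 and [2001:db8::1]:443 are handled;
    timestamps like 10:01:02 are rejected by ipaddress validation."""
    found = []
    candidates = IPV4_RE.findall(line)
    candidates += [t for t in HEX_TOKEN_RE.findall(line) if t.count(":") >= 2]
    for cand in candidates:
        ip = normalize(cand)
        if ip and ip not in found:
            found.append(ip)
    return found


def scan_logs(lines, index):
    """One hit per (line, indicator) pair whose indicator is in the feed index."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in extract_ips(line):
            if ip in index:
                hits.append({"line": n, "ip": ip, "tools": sorted(index[ip]), "log": line})
    return hits


def history_command(ip, path="data/all.txt"):
    """argv for `git log -S`, which lists commits where the number of occurrences
    of `ip` in `path` changed; run from a clone of the repo, the first line with
    --reverse is the commit that first added the IP. -S is a substring match, so
    203.0.113.1 also hits 203.0.113.10: confirm the exact line with `git show`."""
    return ["git", "log", "--reverse", "--date=short", "--format=%h %ad",
            "-S", ip, "--", path]


if __name__ == "__main__":
    idx = build_index(SAMPLE_FEED_FILES)
    for hit in scan_logs(SAMPLE_LOGS, idx):
        print(f"line {hit['line']}: {hit['ip']} -> {', '.join(hit['tools'])}")
        print("  history:", " ".join(history_command(hit["ip"])))
```

Both the feed and the log addresses go through the same `normalize` step, so an upper-case or uncompressed IPv6 entry in a feed file still matches the form your logs emit. For real use, replace `SAMPLE_FEED_FILES` with the contents of the `data/` files and re-pull them after each Monday update.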
Tags: AMSI bypass, Botnet, C2 Tracker, C2 log visualisation, C2 server, EDR, ESC4, IOC, IP address, OSINT, threat intelligence, threat detection, developer tools, malware, fingerprinting, attack infrastructure, data source, cybersecurity, vulnerability assessment, reverse-engineering tools, privacy protection, risk identification