nwiecz/C2IntelFeedsFGT

GitHub: nwiecz/C2IntelFeedsFGT

C2 threat intelligence feeds generated automatically from Censys scan data, formatted specifically for the IP and domain threat feed features of Fortigate firewalls.

Stars: 5 | Forks: 0

# C2IntelFeedsFGT

Based on https://github.com/drb-ra/C2IntelFeeds: automatically created C2 feeds optimised for the Fortigate `IP Address Threat Feed` and `Domain Name Threat Feed` features.

[![Release](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/fb41b01898025655.svg)](https://github.com/nwiecz/C2IntelFeedsFGT/actions/workflows/update_csv.yml)

# C2IntelFeeds

Automatically created C2 feeds | also published via [@drb_ra](https://twitter.com/drb_ra)

* Feeds (raw data source: Censys - https://censys.io/ )
  **Search 2.0** greatly improves the detection rate on non-standard ports. **Great job, Censys team!** By default, C2s active within the last 7 days are added to the main feed files. There is also a 30-day feed containing active C2s detected within the last 30 days.
  * `C2 IPs` - active C2 IPs (no front-end or CDN IPs - all malicious)
  * `C2 Domains` - all domains extracted from implants, including domain fronting values and spoofed Host headers (heavy abuse of MS, Apple and Google).
  * `C2 Domains Filtered` - excludes several domains abused for domain fronting, as well as spoofed headers targeting popular sites. For the current filter list see the `exclusions.rex` file
  * `C2 Domains with URL` - same as domains and filtered domains, with an additional column containing the C2 URI path
  * `C2 Domains with URL and IP` - same as domains and filtered domains, with two additional columns containing the C2 URI path and the C2 IP
  * `Unverified C2 IPs` - active C2 IPs based only on Censys searches/queries, for which verification or extraction of further configuration is not easily possible. Some of them are nevertheless very accurate. See the table below for details.

**Note:** Because of issues with Threatfox submissions, we now publish 4 additional files. They contain IP and destination port pairs for all IP-based feeds (7-day and 30-day IPs and unverified IPs).

# Censys Searches

| Tool | ```Censys Search``` |
|------|:------------|
|[Sliver](https://github.com/BishopFox/sliver) |`(services.tls.certificates.leaf_data.subject.common_name="multiplayer" and same_service(services.jarm.fingerprint= 00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01 and NOT services.port=31337 )) OR (services.banner_hashes="sha256:1f25c454ae331c582fbdb7af8a9839785a795b06a6649d92484b79565f7174ae" and services.jarm.fingerprint=3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910) OR same_service(services.tls.certificates.leaf_data.pubkey_bit_size: 2048 and services.tls.certificates.leaf_data.subject.organization: /(ACME\|Partners\|Tech\|Cloud\|Synergy\|Test\|Debug)? ?(co\|llc\|inc\|corp\|ltd)?/ and services.jarm.fingerprint: 3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910 and services.tls.certificates.leaf_data.subject.country: US and services.tls.certificates.leaf_data.subject.postal_code: /<1001-9999>/)`|
|[Covenant](https://github.com/cobbr/Covenant) |`same_service(services.tls.certificates.leaf_data.subject_dn="CN=Covenant" AND services.tls.certificates.leaf_data.issuer_dn="CN=Covenant") OR (services.software.product="Kestrel web server" AND services.http.response.html_title="Covenant")`|
|[Brute Ratel C4](https://bruteratel.com) |`services.http.response.body_hash="sha1:1a279f5df4103743b823ec2a6a08436fdf63fe30" OR same_service(services.http.response.body_hash="sha1:bc3023b36063a7681db24681472b54fa11f0d4ec" and services.jarm.fingerprint="3fd21b20d00000021c43d21b21b43de0a012c76cf078b8d06f4620c2286f5e")`|
|[Mythic](https://github.com/its-a-feature/Mythic) |`same_service(services.tls.certificates.leaf_data.subject_dn="O=Mythic" AND services.http.response.html_title="Mythic") OR services.banner_hashes="sha256:fb8b5d212f449a8ba61ab9ed9b44853315c33d12a07f8ce4642892750e251530" OR services.http.response.favicons.md5_hash="6be63470c32ef458926abb198356006c"`|
|[Deimos](https://github.com/DeimosC2/DeimosC2)|`services.jarm.fingerprint: "00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64" OR same_service(services.banner_hashes="sha256:38ea755e162c55ef70f9506dddfd01641fc838926af9c43eda652da63c67058b" and services.http.response.body_hashes="sha1:04ca7e137e1e9feead96a7df45bb67d5ab3de190" and services.tls.certificates.leaf_data.subject_dn="O=Acme Co" and services.tls.certificates.leaf_data.issuer_dn="O=Acme Co" and not services.tls.certificates.leaf_data.names="127.0.0.1:3000")`|
|[Nighthawk C2](https://www.mdsec.co.uk/nighthawk/) |`same_service(services.banner="HTTP/1.1 404 Not Found\r\nDate: \r\nX-Test: 2\r\nServer: Apache\r\nContent-Length: 20\r\n" and services.http.response.body_hashes="sha256:d872e8e4176213ea84ebc76d8fb621c31b4ca116fd0a51258813e804fe110ca4")`|
|Bianlian Go Trojan |`same_service(services.tls.certificates.leaf_data.subject_dn=/C=[0-9a-zA-Z]{16}, O=[0-9a-zA-Z]{16}, OU=[0-9a-zA-Z]{16}/ AND services.tls.certificates.leaf_data.issuer_dn=/C=[0-9a-zA-Z]{16}, O=[0-9a-zA-Z]{16}, OU=[0-9a-zA-Z]{16}/)`|
|[Havoc](https://github.com/HavocFramework/Havoc) |`same_service(services.tls.certificates.leaf_data.issuer.organization=/(Acme\|ACME\|acme\|Partners\|PARTNERS\|partners\|Tech\|TECH\|tech\|Cloud\|CLOUD\|cloud\|Synergy\|SYNERGY\|synergy\|Test\|TEST\|test\|Debug\|DEBUG\|debug)? ?(Co\|CO\|co\|Llc\|LLC\|llc\|Inc\|INC\|inc\|Corp\|CORP\|corp\|Ltd\|LTD\|ltd)?/ AND services.tls.certificates.leaf_data.issuer.country=US AND services.tls.certificates.leaf_data.issuer.postal_code=/[0-9]{4}/) OR services.http.response.headers.unknown.name: "X-Havoc" OR services.banner_hashes="sha256:f5a45c4aa478a7ba9b44654a929bddc2f6453cd8d6f37cd893dda47220ad9870"`|
|[Responder](https://github.com/lgandx/Responder) |`services.banner="HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/7.5\r\nDate: \r\nContent-Type: text/html\r\nWWW-Authenticate: NTLM\r\nContent-Length: 0\r\n" OR services.banner_hashes="sha256:0fa31c8c34a370931d8ffe8097e998f778db63e2e036fbd7727a71a0dcf5d28c" OR services.smb.negotiation_log.server_guid="00000000000000000000000000000000ee85abf7eaf60c4f928192476deb76a9"`|
|[Pupy RAT](https://github.com/n1nj4sec/pupy)|`same_service(services.http.response.headers.Etag:"aa3939fc357723135870d5036b12a67097b03309" AND services.http.response.headers.Server="nginx/1.13.8") OR same_service(services.tls.certificates.leaf_data.issuer.organization:/[a-zA-Z]{10}/ AND services.tls.certificates.leaf_data.subject.organization:/[a-zA-Z]{10}/ AND services.tls.certificates.leaf_data.subject.organizational_unit="CONTROL")`|
|Qakbot|`same_service(services.jarm.fingerprint={"21d14d00021d21d21c42d43d0000007abc6200da92c2a1b69c0a56366cbe21","04d02d00004d04d04c04d02d04d04d9674c6b4e623ae36cc2d998e99e2262e"} AND services.http.response.body_hash="sha1:22e5446e82b3e46da34b5ebce6de5751664fb867") OR same_service(services.banner_hashes="sha256:5234096d7003929ad67037af6f5816933cab9e85f9b286468249ac9ab9bfb861" AND services.http.response.body_hash="sha1:22e5446e82b3e46da34b5ebce6de5751664fb867") OR (services.tls.certificates.leaf_data.subject_dn: /C=[A-Z]{2}, OU=([A-Z][a-z]{3,})( [A-Z][a-z]{3,}){0,2}, CN=[a-z]{4,12}\.[a-z]{2,4}/ and not services.tls.certificates.leaf_data.subject_dn:"OU=Domain Control Validated")`|
|[DcRat](https://github.com/qwqdanchun/DcRat)|`services.tls.certificates.leaf_data.issuer_dn="CN=DcRat Server, OU=qwqdanchun, O=DcRat By qwqdanchun, L=SH, C=CN"`|
|Viper|`services.http.response.body_hashes="sha1:cd40dbcdae84b1c8606f29342066547069ed5a33" OR services.http.response.favicons.md5_hash="a7469955bff5e489d2270d9b389064e1"`|
|[Supershell](https://github.com/tdragon6/Supershell/)|`services.http.response.html_title="Supershell - 登录" OR services.http.response.body_hashes="sha256:21ec9c71669486c5b874b1be3b9c341133e83939fdbeefa2080df1b1703c4928"`|
|Pikabot|`services: (tls.certificates.leaf_data.signature.self_signed: true and http.response.headers: (key: "Etag" and value.headers: '"3147526947+gzip"') and not tls.certificate.parsed.subject_dn: "emailAddress=") or services: (tls.certificates.leaf_data.signature.self_signed: true and tls.cipher_selected="TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" and tls.certificates.leaf_data.pubkey_bit_size=4096 and tls.certificates.leaf_data.issuer_dn: /C=[A-Z]{2}, ST=[A-Z]{2}, O=([A-Z][a-z]{2,})( [A-Z][a-z\.]{2,}){0,5}, OU=([A-Z][a-z]{2,})( [A-Z][a-z\.]{2,}){0,5}, L=([A-Z][a-z]{2,})( [A-Z][a-z]{2,}){0,2}, CN=.*/)`|
|Meduza Stealer|`services.http.response.html_title="Meduza Stealer" OR services.http.response.favicons.md5_hash="e7a2bb050f7ec5ec2ba405400170a27d"`|
|[Evilginx/EvilGoPhish](https://help.evilginx.com)|`services.software.product: {Evilginx, EvilGoPhish}`|
|Hookbot/Pegasus|`services.http.response.html_title="HOOKBOT PANEL" OR services.http.response.favicons.hashes="sha256:b13b77f0b3d95c1146394ea855d915f189d3ea374179755cfb2ac47bfc8f306c"`|
|[AsyncRAT](https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp)|`same_service(services.tls.certificates.leaf_data.issuer_dn="CN=AsyncRAT Server" and services.tls.certificates.leaf_data.subject_dn="CN=AsyncRAT Server")`|
|[Remcos](https://breakingsecurity.net/remcos/)|`same_service(services.tls.versions.ja4s="t130200_1301_234ea6891581" and services.tls.ja3s="eb1d94daa7e0344597e756a1fb6e7054" and services.tls.cipher_selected="TLS_AES_128_GCM_SHA256" and services.jarm.fingerprint: 00000000000000000041d41d0000001798d6156df422564fb9b667b7418e4c and services.service_name="UNKNOWN" and services.tls.certificates.leaf_data.issuer_dn="" and services.tls.certificates.leaf_data.subject_dn="")`|
|DanaBot|`[REDACTED]`|
|Rhysida Trojan|`[REDACTED]`|
|[Oyster Backdoor](https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/)|`[REDACTED]`|
|SocGholish|`[REDACTED]`|
|[NetSupport Manager RAT](https://www.netsupportmanager.com)|`services.http.response.headers.Server="NetSupport Gateway/*"`|
|[Geacon_Pro](https://github.com/testxxxzzz/geacon_pro)|`same_service(services.tls.certificates.leaf_data.subject_dn="C=KZ, ST=KZ, L=, O=NN Fern Sub, OU=NN Fern, CN=foren.zik" AND services.tls.certificates.leaf_data.issuer_dn="C=KZ, ST=KZ, L=, O=NN Fern Sub, OU=NN Fern, CN=foren.zik")`|
|[Hak5 Cloud C2](https://shop.hak5.org/products/c2)|`services.software.product: "cloud c2" and services.software.vendor="Hak5"`|
|[CHAOS](https://github.com/tiagorlampert/CHAOS)|`services.software.uniform_resource_identifier: "cpe:2.3:a:chaos:chaos:*:*:*:*:*:*:*:*"`|
|[Interactsh](https://github.com/projectdiscovery/interactsh)|`services.software.uniform_resource_identifier: "cpe:2.3:a:interactsh:interactsh:*:*:*:*:*:*:*:*"`|
|[Reverse SSH](https://github.com/NHAS/reverse_ssh)|`[REDACTED]`|
|[wstunnel](https://github.com/erebe/wstunnel)|`[REDACTED]`|
|[Ligolo-ng](https://github.com/nicocha30/ligolo-ng)|`[REDACTED]`|
|Ransomhub Python C2|`[REDACTED]`|
|[Pyramid](https://github.com/naksyn/Pyramid)|`[REDACTED]`|

**Note:** The last 3 entries are tools that may also be used for legitimate purposes. Verify your hits, or filter locally as needed.

# More Details

For most users the easiest files to use should be [C2 IPs](https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/IPC2s.csv), [C2 Domains Filtered](https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/domainC2s-filter-abused.csv) and [Unverified C2 IPs](https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/unverified/IPC2s.csv), or their 30-day counterparts.

* VPN
  * Nord VPN exit nodes
  * Proton VPN entry and exit nodes
* C2_configs
  * Detailed CobaltStrike configs (CSV and JSON format) with the following fields: `FirstSeen,ip,ASN,BeaconType,C2Server,Port,SleepTime,Jitter,Proxy_Behavior,HostHeader,CertificateNames,HttpGet_Metadata,HttpPostUri,HttpPost_Metadata,KillDate,PipeName,UserAgent,Watermark,DNS_Idle,DNS_Sleep` The IP reflects the real C2 IP, not the IP given in the beacon configuration.
  * Version 2 contains 3 additional fields `SpawnToX86,SpawnToX64,PublicKey`
  * There is also a JSON-only 30-day version containing the first and last seen dates within the last 30 days.
  * Powershell Empire and PoSHC2 are also available in JSON format.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
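As an added example (not code from this repository or from drb-ra/C2IntelFeeds), the following Python turns a constructed C2_configs CSV with the field layout listed above into the feed shapes the README describes: one real C2 IP per line, the IP-and-destination-port pairs, and a domain list with fronting domains removed. The `exclusions.rex` layout (one regex per line) and the exact output formats are assumptions.

```python
import csv
import ipaddress
import re

# Constructed sample rows in the C2_configs CSV layout quoted above; every value is made up.
SAMPLE_CSV = """FirstSeen,ip,ASN,BeaconType,C2Server,Port,SleepTime,Jitter,Proxy_Behavior,HostHeader,CertificateNames,HttpGet_Metadata,HttpPostUri,HttpPost_Metadata,KillDate,PipeName,UserAgent,Watermark,DNS_Idle,DNS_Sleep
2024-01-02,192.0.2.10,AS64496,windows-beacon_https-reverse_https,cdn.example.net,443,60000,0,,ajax.microsoft.com,,,/submit.php,,,,,100000,,
2024-01-03,192.0.2.10,AS64496,windows-beacon_http-reverse_http,192.0.2.10,8080,5000,10,,,,,/submit.php,,,,,100000,,
2024-01-04,198.51.100.7,AS64497,windows-beacon_https-reverse_https,update.evil-example.org,443,30000,25,,update.evil-example.org,,,/api,,,,,100000,,
"""

# Assumed exclusions.rex layout (not taken from the project): one regex per line, '#' comments.
SAMPLE_EXCLUSIONS = r"""# fronting domains / spoofed Host headers that must not be blocked outright
^ajax\.microsoft\.com$
^[a-z0-9]+\.cloudfront\.net$
"""

def parse_c2_configs(text):
    """Parse the config CSV into dict rows keyed by the header field names."""
    return list(csv.DictReader(text.splitlines()))

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def ip_feed(rows):
    """One real C2 IP per line (the 'ip' column, not the beacon's C2Server), deduplicated."""
    return sorted({r["ip"] for r in rows if is_ip(r["ip"])})

def ip_port_pairs(rows):
    """Unique 'ip,port' lines, the shape of the extra IP-and-port files described above."""
    return sorted({f'{r["ip"]},{r["Port"]}' for r in rows if is_ip(r["ip"]) and r["Port"].isdigit()})

def load_exclusions(text):
    return [re.compile(line.strip()) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]

def domain_feed(rows, exclusions=()):
    """Domains from C2Server and HostHeader, dropping any that match an exclusion regex."""
    names = set()
    for r in rows:
        for field in ("C2Server", "HostHeader"):
            value = r[field].strip().lower()
            if value and not is_ip(value):
                names.add(value)
    return sorted(n for n in names if not any(x.search(n) for x in exclusions))
```

Without the exclusion list the domain feed would block `ajax.microsoft.com`, which the README warns is a spoofed Host header rather than attacker infrastructure.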