Use Searching Engines to Hunt For Threat Actors

Medium – Gustav Shen
As a red team operator, I fully understand the importance of OPSEC. Although I am not a threat-hunting expert, using threat intelligence to track and locate other hackers, and observing their mistakes, helps sharpen my own OPSEC awareness so that I avoid the same low-level errors. The threat intelligence community has many outstanding threat hunters, such as Michael Koczwara, whose articles have given me significant insights. These hunters expose threat actors' infrastructure (IPs and domain names), which helps enrich blacklists for both individuals and cybersecurity products.

This article (https://bank-security.medium.com/hunting-cobalt-strike-servers-385c5bedda7b) explains how to use fingerprints such as the default Cobalt Strike certificate and the default 404 response to find Cobalt Strike servers on the internet with the Shodan search engine. Other articles, such as https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f, analyse the characteristics of C2 servers beyond Cobalt Strike and how to locate them with search engines.

There is a wide variety of internet asset search engines, such as Shodan, Censys, ZoomEye and Fofa. When it comes to locating threat actor servers that expose open directory listings, however, my personal choice is the Quake search engine. Threat actors like to stand up temporary HTTP file servers with Python because it is simple and convenient, but they sometimes forget to shut the server down promptly, leaving traces we can track. Filtering by HTTP response is relatively straightforward: we can enter the name of any security tool or malware, such as Mimikatz, Cobalt Strike or Rubeus. Some query examples:

title: "Directory listing for /" and response: "cobaltstrike"
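The two conditions in the query above (a title of "Directory listing for /" and a tooling name somewhere in the response) can be applied offline to raw HTTP responses you already hold, for example an export from a search engine or responses collected from your own perimeter. The following is an added example, not code from the article or from Quake: it parses each response, recognises the directory-listing page that Python's built-in http.server generates, pulls out the listed file names, and flags responses whose body mentions a name on a small watchlist. The sample responses, the watchlist and the helper names are constructed for illustration.

```python
"""Triage captured HTTP responses for Python http.server directory listings
that mention known tooling. Added example; sample data is constructed."""
from html.parser import HTMLParser

# Constructed watchlist of lowercase substrings to look for in the body.
WATCHLIST = ("cobaltstrike", "mimikatz", "rubeus")


class _ListingParser(HTMLParser):
    """Collects the <title> text and every <a href> in a listing page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def split_response(raw: str):
    """Split a raw HTTP/1.x response into a lowercase-keyed header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers, body


def triage(raw: str) -> dict:
    """Return the indicators the Quake query keys on, plus the listed files."""
    headers, body = split_response(raw)
    parser = _ListingParser()
    parser.feed(body)
    is_listing = parser.title.startswith("Directory listing for ")
    # http.server advertises itself as "SimpleHTTP/<ver> Python/<ver>".
    python_http = headers.get("server", "").startswith("SimpleHTTP")
    lowered = body.lower()
    hits = sorted(word for word in WATCHLIST if word in lowered)
    return {
        "is_listing": is_listing,
        "python_http_server": python_http,
        "files": parser.links,
        "hits": hits,
        "suspicious": is_listing and bool(hits),
    }


def hunt(responses) -> list:
    """Indices of responses that satisfy both conditions of the query."""
    return [i for i, raw in enumerate(responses) if triage(raw)["suspicious"]]


# Constructed sample responses (not real hosts).
SAMPLE_HIT = (
    "HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/3.11.4\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    "<!DOCTYPE HTML>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n"
    "<title>Directory listing for /</title>\n</head>\n<body>\n"
    "<h1>Directory listing for /</h1>\n<hr>\n<ul>\n"
    "<li><a href=\"cobaltstrike.zip\">cobaltstrike.zip</a></li>\n"
    "<li><a href=\"notes.txt\">notes.txt</a></li>\n"
    "</ul>\n<hr>\n</body>\n</html>\n"
)
SAMPLE_LISTING_CLEAN = (
    "HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/3.10.12\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    "<html><head><title>Directory listing for /</title></head><body>"
    "<h1>Directory listing for /</h1><ul><li><a href=\"report.pdf\">report.pdf</a></li>"
    "</ul></body></html>"
)
SAMPLE_BENIGN = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>Welcome to nginx!</title></head><body>ok</body></html>"
)
SAMPLES = [SAMPLE_HIT, SAMPLE_LISTING_CLEAN, SAMPLE_BENIGN]

if __name__ == "__main__":
    for i in hunt(SAMPLES):
        print(i, triage(SAMPLES[i]))
```

The title check is deliberately stricter than a substring match on the body: a listing generated by http.server always carries that title, whereas a keyword alone could come from a blog post or a package index. Keeping `python_http_server` as a separate field lets you rank a hit that also carries the SimpleHTTP banner above one that only matches on text.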
Link: https://gustavshen.medium.com/use-searching-engines-to-hunt-for-threat-actors-74be52976e9f

