Hunting Cobalt Strike C2 with Shodan | by Michael Koczwara | Medium

Member-only story
Hunting Cobalt Strike C2 with Shodan
Michael Koczwara
·Follow
2 min read·
Sep 7, 2021
--
Cobalt Strike C2 Hunting
Four techniques:
Default certificate.
Hash + 50050 port (FP filtering is required).
JARM (FP filtering is required).
ASN/ISP scanning (this one is handy for subnet pivoting).
You can read my Twitter thread where I explained the logic behind each technique.
Short summary and results:
Default certificate
ssl.cert.serial:146473198
Shodan SearchSearch Engine for the Internet of Things
www.shodan.io
725 hits
ssl.cert.serial:146473198Hash + 50050 port
hash:-2007783223 port:”50050"
--
--
Written by Michael Koczwara1.6K Followers
·72 Following
Threat Researcher
No responses yet
Help
Status
About
Careers
Press
Blog
Privacy
Terms
Text to speech
Teams