Open in app

Sign in

Write

Sign in

Monitoring Threat Actors Cobalt Strike C2 Infrastructure with Shodan

Michael Koczwara
3 min readSep 21, 2021

Threat Intel Tips and Shodan queries

ReliableSite, Leaseweb, ITL-Bulgaria, and HostKey Infrastructure are good examples but you can also look for and monitor other ISP’s/orgs.

ReliableSite

org:”ReliableSite.Net LLC” port:”443" HTTP/1.1 404 Not Found Content-Length: 0

Shodan Search

Search query: org:"ReliableSite.Net LLC" port:"443" HTTP/1.1 404 Not Found Content-Length: 0

www.shodan.io

examples:

Cobalt Strike C2 mubuwu.com
Cobalt Strike C2 dodefoh.com

Leaseweb

isp:”Leaseweb” port:”443" HTTP/1.1 404 Not Found Content-Length: 0 org:”Leaseweb USA, Inc.”

Shodan Search

Search query: org:"Leaseweb" port:"443" HTTP/1.1 404 Not Found Content-Length: 0 org:"Leaseweb USA, Inc."

www.shodan.io

examples:

--

--

Michael Koczwara

Written by Michael Koczwara

1.5K Followers

Threat Researcher

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams