Hunting C2 Panels! (Mythic, Cobalt Strike, AsyncRat, Supershell Sliver C2)
This article was written by our student Mehmet Akif Aydogmus.
Overview of C2 Panels
C2 panels are interfaces that cyber attackers use to remotely control their malware. These panels allow attackers to send the commands needed to enter the victim’s system, steal data, download files or carry out malicious actions such as deploying ransomware. So how do C2 panels work?
A C2 panel is a web-based interface, usually hosted by the attacker. Using this panel, the attacker sends commands to the victim’s computer or devices on its network. These commands can control devices that are part of a botnet, download a specific file, or update malware.
Step by Step C2 Panel Operation:
1. Infection Phase: First, a malware or exploit infects the victim’s system. This infection occurs through methods such as phishing emails, drive-by download attacks, or exploiting vulnerabilities.
2. Connection Establishment: The infected device sends a “ping” to the C2 panel and comes under the control of the attacker. At this stage, the device connects to the C2 infrastructure and becomes ready to receive the attacker’s commands.
3. Command Phase: The attacker starts sending commands to the victim’s device through the C2 panel. These commands can be various malicious activities such as stealing data, modifying system files, or using the device in an attack.
4. Data Collection and Transmission: The data obtained from the victim’s device is transmitted to the attacker through the C2 panel. This data can be user information, passwords or financial information.
Detecting C2 panels has many critical benefits for the cyber security ecosystem. Here are some of these benefits:
1. Early Detection and Interception of Attacks:
C2 panels are the central command points of threat actors. Detecting these panels identifies the attack in its early stages and can prevent the malware from spreading further or doing more damage. Thus, attacks can be stopped more effectively and cyber security teams can isolate and clean the malware.
2. Monitoring the Attacker’s Activities:
The presence of C2 panels allows for closer monitoring of the attacker’s activities. Through these panels, Threat Hunters and CTI teams can understand what commands the attacker sends and what actions they perform on the targeted systems. This information is critical to understanding the attacker’s strategies and goals.
3. Enriching Cyber Threat Intelligence:
Detection of C2 panels provides valuable information for cyber threat intelligence. Domains, IP addresses, type of malware and other technical details used in the panels can be added to threat intelligence databases. This information helps to strengthen defences against similar attacks in the future and supports threat sharing with other organisations.
4. Taking Precautions Against Chain Attacks:
Detection of a C2 panel not only stops a single attack; attacks against other targets that use the same infrastructure can be prevented as well. This neutralises the attacker’s operations on a large scale and breaks the attack chain.
5. Improvement of Security Infrastructure:
Detection of C2 panels allows lessons to be learnt for the development of cyber security infrastructures. The information obtained through the detected panel helps to remediate vulnerabilities and develop strategies to prevent similar attacks in the future.
6. Strengthening Network and System Defences:
C2 panel detection provides insights into how network and system defences should be strengthened. Knowing how these panels are hidden or how they communicate enables security teams to configure IDS/IPS (Intrusion Detection/Prevention Systems) and firewall rules more effectively.
In this article, I will briefly introduce some of the C2 panels (Mythic, Cobalt Strike, AsyncRat, Supershell, Sliver C2) and then show how to discover them, together with queries that can be used in the Shodan and Censys search engines.
What is Mythic C2 Panel and How Does It Work?
Mythic C2 Panel is an open source and modular command and control (C2) platform designed for cyber security and red team operations. Mythic C2 is widely used by cyber security experts and red team operators to conduct attack simulations, vulnerability assessments and penetration tests.
A few of the main objectives of the Mythic C2 panel are to provide operators with a quality tool to make their jobs easier, ensure the sustainability of intermediaries, enable customisations that can be shaped according to needs, and provide more robust data analytics for operations.
Basically, Mythic C2 panel uses React as front-end technology and Docker containers as back-end technology. A GoLang server handles most of the web requests with GraphQL APIs and WebSockets.
You can understand it in more detail by examining this flow.
Mythic C2 panel Github: https://github.com/its-a-feature/Mythic
Mythic C2 Gitbook: https://docs.mythic-c2.net/
MITRE ATT&CK Page: https://attack.mitre.org/software/S0699/
Our first goal should be to collect the information needed for querying. The most important step here is actually to examine the source code of the C2 and extract clues. However, since all of the C2s mentioned in this article have already been analyzed and the relevant tips are given in public reports, we will use that information directly.
The basic workflow is this: search Censys or Shodan with the information obtained from reports or IOC sources, extract more key details from the hosts those searches surface, then write new queries from those details to capture further C2 panels.
First, using the information gathered while researching the Mythic C2 panel and looking at sample panel screenshots on X, we write a query of the form:
services.http.response.html_title:"Mythic"
The following image explains the general logic of Censys queries very well.
Then we open the port on which Mythic is running on the IP address we found and click the marked button.
On the screen that opens, you will see the fields marked with red boxes and more. The information about what these mean is given below.
services.http.response.protocol
- Value: HTTP/1.1
- This indicates the version of the HTTP protocol being used in the server’s response. HTTP/1.1 is a widely used version of the protocol, supporting persistent connections, chunked transfer encoding, and other features.
services.http.response.status_code
- Value: 200
- This is the HTTP status code indicating the result of the request. A status code of 200 means the request was successful, and the server is returning the requested resource.
services.http.response.status_reason
- Value: OK
- This is the textual reason associated with the status code. “OK” confirms that the request was successfully processed.
services.http.response.headers.Server
- Value: nginx/1.25.5
- This header indicates the software running on the server, which in this case is Nginx, a popular web server, version 1.25.5. Knowing the server software version can be useful for identifying potential vulnerabilities.
services.http.response.headers.Content_Length
- Value: 585
- This header specifies the size of the response body in bytes, which is 585 bytes. It helps clients understand the length of the data being transmitted.
services.http.response.headers.Content_Type
- Value: text/html
- This header tells the client what type of content is being returned. text/html indicates that the content is HTML, which is typical for web pages.
services.http.response.headers.Accept_Ranges
- Value: bytes
- This header indicates that the server supports partial requests, allowing clients to request only a portion of a file. This is useful for resuming interrupted downloads.
services.http.response.headers.Connection
- Value: keep-alive
- This header indicates that the connection between the client and server should be kept open for further requests, rather than closing it after the response is sent.
services.http.response.headers.Date
- Value: <REDACTED>
- This header provides the date and time when the response was generated by the server. In this case, it’s redacted, possibly for privacy or security reasons.
services.http.response.headers.ETag
- Value: "66aff2b5-249"
- The ETag (Entity Tag) is a unique identifier for the specific version of a resource. It helps with caching and determining if the resource has changed since the last request.
services.http.response.headers.Last_Modified
- Value: Sun, 04 Aug 2024 21:29:25 GMT
- This header indicates the last time the resource was modified. It’s useful for caching and ensuring the client has the latest version of the resource.
services.http.response.html_tags
- Value: <title>Mythic</title>
- This indicates the HTML title tag in the response, which sets the title of the webpage. The value “Mythic” suggests that this page is related to the Mythic C2 server.
services.http.response.html_tags
- Value: <meta charset="utf-8"/>
- This meta tag specifies the character encoding for the HTML document. UTF-8 is a common character set that supports many languages and symbols.
services.http.response.html_tags
- Value: <meta name="viewport" content="width=device-width,initial-scale=1"/>
- This meta tag controls the layout on mobile browsers by setting the viewport’s width and initial scale. It helps make the page responsive.
services.http.response.html_tags
- Value: <meta name="theme-color" content="#000000"/>
- This meta tag sets the theme color of the browser’s user interface elements for the web page. In this case, it sets the color to black (#000000).
services.http.response.body_size
- Value: 585
- This field confirms that the total size of the response body is 585 bytes, matching the Content-Length header. This is the actual size of the data being transferred.
By clicking on the search buttons next to these fields, you can run that field as a query on Censys; in this way you can both find more C2 results and obtain more filtered, accurate results.
The following heading contains some of the results we have found.
Mythic C2 Censys Queries
QUALITY | QUERY | NUMBER OF INDEXED RESULTS |
---|---|---|
Issuer Organization | services.tls.certificates.leaf_data.issuer.organization="Mythic" | 66 |
Content-Length and html_title | services.http.response.headers: (key: Content-Length and value.headers: 585 ) and services.http.response.html_title:"Mythic" | 65 |
Response html tags | services.http.response.html_tags="Mythic" | 66 |
Favicon md5 Hash | services.http.response.favicons.md5_hash="6be63470c32ef458926abb198356006c" | 65 |
Resource Identifier | services.software.uniform_resource_identifier="cpe:2.3:a:mythic:mythic:*:*:*:*:*:*:*:*" | 88 |
Software Vendor | services.software.vendor="Mythic" | 88 |
Software Product | services.software.product="Mythic" | 88 |
HTML Title | services.http.response.html_title="Mythic" | 66 |
Certificates Data Subject | services.tls.certificates.leaf_data.subject_dn="O=Mythic" | 67 |
Mythic C2 Shodan Queries
The logic of Shodan is almost the same as Censys. The important difference is the query syntax.
In Shodan, a query is written with the simplest, most basic information known and the result is obtained. The query for this example:
http.title:"Mythic"
Then, by going to the Advanced Search section in Shodan and filling in the text fields there with the information you have obtained, you can reach the other C2 panels that the basic query misses.
QUALITY | QUERY | NUMBER OF INDEXED RESULTS |
---|---|---|
HTTP Title | http.title:"Mythic" | 136 |
HTML Hash | http.html_hash:-1683877216 | 60 |
Favicon Hash | http.favicon.hash:-859291042 | 79 |
Mythic Shodan.io Queries
Cobalt Strike C2 Panel
Cobalt Strike is a commercial attack simulation tool used in cyber security for red team operations, penetration tests and Advanced Persistent Threat (APT) simulations. It offers a wide set of features that allow cyber attacks to be simulated realistically. Cobalt Strike is particularly popular among red team operators and cyber security experts, but it is also widely used by malicious attackers.
Cobalt Strike: https://www.cobaltstrike.com/product/features
MITRE ATT&CK Page: https://attack.mitre.org/software/S0154/
On Cobalt Strike servers in general, many threat actors prefer to use the free versions shared in Telegram groups. In these versions, the CN field of the SSL certificate contains the name of the group that distributes the free version. In this article, we will proceed through this and also rely on the CN information of the paid version.
After downloading this free version, two folders, Client and Server, will welcome us. The Server folder, which is server-side from these files, is the part that interests us. Let’s look carefully at the creation of the SSL certificate in the “teamserver” Bash script here.
As can be seen in the image, 4 servers are using the free version of Cobalt Strike from Telegram.
Now let’s take a look at the Cobalt Strike C2 panel in general; it is very common for Cobalt Strike Beacon servers to include non-UTF-8 characters in the HTML page.
Cobalt Strike Censys Queries
QUALITY | QUERY | NUMBER OF INDEXED RESULTS |
---|---|---|
Software Uniform Resource Identifier | services.software.uniform_resource_identifier="cpe:2.3:a:fortra:cobalt_strike:*:*:*:*:*:*:*:*" | 693 |
Software Vendor | (services.software.vendor="Fortra") and labels=c2 | 693 |
Software Product | services.software.product="Cobalt Strike" | 693 |
Data Subject | services.tls.certificates.leaf_data.subject_dn="C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike" | 182 |
Common Name | services.tls.certificates.leaf_data.issuer.common_name="Major Cobalt Strike" | 183 |
Cobalt Strike Censys Queries
Cobalt Strike Shodan Queries
QUALITY | QUERY | NUMBER OF INDEXED RESULTS |
---|---|---|
SSL CN | ssl.cert.subject.cn:"Major Cobalt Strike" | 16 |
Product | product:"Cobalt Strike" | 951 |
Name | Cobalt Strike | 748 |
Cobalt Strike Shodan.io Queries
In addition, Cobalt Strike is used by many APT groups. Information about this is given below.
AsyncRat
AsyncRAT is a popular Remote Access Trojan (RAT) used by cyber attackers. This type of software allows attackers to remotely control target computers or networks. AsyncRAT is particularly prevalent among malicious actors and is used in cyberattacks to gather confidential information, steal data, and damage systems.
AsyncRat Censys Queries
QUALITY | QUERY | NUMBER OF INDEXED RESULTS |
---|---|---|
Software Uniform Resource Identifier | services.software.uniform_resource_identifier="cpe:2.3:a:asyncrat:asyncrat:*:*:*:*:*:*:*:*" | 112 |
Software Vendor | services.software.vendor="AsyncRAT" | 112 |
Data Subject | services.tls.certificates.leaf_data.subject_dn="CN=AsyncRAT Server" | 112 |
AsyncRat Censys Queries
AsyncRat Shodan Queries
QUALITY | QUERY | NUMBER OF INDEXED RESULTS |
---|---|---|
Product Name | product:AsyncRat | 25 |
SSL Cert Issuer | ssl.cert.issuer.cn:"AsyncRAT Server" | 25 |
SSL Cert Subject | ssl.cert.subject.cn:"AsyncRAT Server" | 25 |
AsyncRat Shodan.io Queries
In addition, only a single APT group is recorded as using AsyncRat.
ID | Name | References |
---|---|---|
G1018 | TA2541 | [5][1][2][3] |
Supershell
Supershell is a Command and Control (C2) panel used for various cyber attacks and malware operations. Such panels allow attackers to remotely manage and control malicious software. Supershell is especially preferred by attackers because it has advanced features and a user-friendly interface.
Supershell – 登录 Censys Queries
QUALITY | QUERY | NUMBER OF INDEXED RESULTS |
---|---|---|
Label and Name | (supershell) and labels=c2 | 179 |
Html Tags | services.http.response.html_tags="Supershell – 登录" | 178 |
Favicon md5 Hash | services.http.response.favicons.md5_hash="cb183a53ebfc2b61b3968c9d4aa4b14a" | 176 |
Http Response Body Hash | services.http.response.body_hashes="sha256:6084d5352ce347a3f6b9f7b789acc8b422b748a0cd99549f2ea534e439b8999b" | 160 |
Http Title | services.http.response.html_title="Supershell – 登录" | 178 |
Uniform Resource Identifier | services.software.uniform_resource_identifier="cpe:2.3:a:supershell:supershell:*:*:*:*:*:*:*:*" | 179 |
Software Vendor | services.software.vendor="Supershell" | 179 |
Software Product | services.software.product="Supershell" | 179 |
Response Body Size and Html Title | services.http.response.body_size="3363" and services.http.response.html_title:"Supershell – 登录" | 160 |
Supershell – 登录 Censys Queries
Supershell – 登录 Shodan Queries
QUALITY | QUERY | NUMBER OF INDEXED RESULTS |
---|---|---|
HTML Title | http.title:"Supershell – 登录" | 175 |
HTML Hash | http.html_hash:84573275 | 154 |
Favicon Hash | http.favicon.hash:-1010228102 | 174 |
HTML Content | http.html:"Supershell – 登录" | 175 |
Supershell – 登录 Shodan.io Queries
Sliver C2
Sliver is a modern and powerful Command and Control (C2) framework. It is often used by cyber security experts in red team operations and threat hunting processes. Sliver, an open source project written in Golang, was developed to test various attack vectors, especially during attack simulations and penetration tests. Sliver’s flexible and modular structure makes it a popular tool among security experts. It uses port 31337 by default.
It can be examined in more detail at https://sliver.sh.
APT Groups Using Sliver C2
ID | Name | References |
---|---|---|
G1021 | Cinnamon Tempest | [13] |
G0016 | APT29 | [3][14] |
APT Groups Using Sliver C2
Sliver C2 Censys Queries
QUALITY | QUERY | NUMBER OF INDEXED RESULTS |
---|---|---|
Port and label | (services.port:31337 ) and labels=c2 | 129 |
Uniform Resource Identifier | services.software.uniform_resource_identifier="cpe:2.3:a:sliver:sliver:*:*:*:*:*:*:*:*" | 205 |
Software Vendor | services.software.vendor="Sliver" | 205 |
Software Product | services.software.product="Sliver" | 205 |
Sliver C2 Shodan Queries
QUALITY | QUERY | NUMBER OF INDEXED RESULTS |
---|---|---|
Port and Product | port:31337 product:"Sliver C2" | 425 |
Product | product:"Sliver C2" | 427 |
Product, Subject, Issuer | product:"Sliver C2" ssl.cert.subject.cn:multiplayer ssl.cert.issuer.cn:operators | 429 |
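The certificate and HTTP indicators collected across the tables above can also be applied locally, for instance to scan results or export data, rather than only as search-engine queries. The following Python is an added example (not from the article): it takes the indicators from the Censys tables for Mythic, Cobalt Strike, AsyncRAT, Supershell and Sliver, parses the certificate DN strings into their RDNs, and applies them to host records in a simplified, constructed record layout (not the real Censys schema). Port 31337 counts only as supporting evidence, since a port by itself is not a fingerprint; the sample records are constructed.

```python
# Indicators copied from the Censys/Shodan tables above, keyed by C2 family.
FINGERPRINTS = {
    "Mythic": [("issuer_org", "Mythic"), ("html_title", "Mythic"),
               ("favicon_md5", "6be63470c32ef458926abb198356006c")],
    "Cobalt Strike": [("subject_cn", "Major Cobalt Strike"),
                      ("issuer_cn", "Major Cobalt Strike")],
    "AsyncRAT": [("subject_cn", "AsyncRAT Server"), ("issuer_cn", "AsyncRAT Server")],
    "Supershell": [("html_title", "Supershell – 登录"),
                   ("favicon_md5", "cb183a53ebfc2b61b3968c9d4aa4b14a")],
    "Sliver": [("port", 31337), ("subject_cn", "multiplayer"), ("issuer_cn", "operators")],
}


def parse_dn(dn: str) -> dict[str, str]:
    """Split 'C=Earth, ST=Cyberspace, ..., CN=Major Cobalt Strike' into an RDN dict.
    Values containing commas are not handled; fine for the DNs in the tables above."""
    rdns = {}
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if sep:
            rdns[key.strip().upper()] = value.strip()
    return rdns


def extract(service: dict) -> dict[str, object]:
    """Flatten one service record (constructed layout) into the fields we match on."""
    tls, http = service.get("tls", {}), service.get("http", {})
    subject, issuer = parse_dn(tls.get("subject_dn", "")), parse_dn(tls.get("issuer_dn", ""))
    return {
        "port": service.get("port"),
        "subject_cn": subject.get("CN"),
        "issuer_cn": issuer.get("CN"),
        "issuer_org": issuer.get("O"),
        "html_title": http.get("html_title"),
        "favicon_md5": http.get("favicon_md5"),
    }


def match_families(service: dict) -> dict[str, list[str]]:
    """Return {family: [matched fields]}; a bare port hit never counts on its own."""
    fields = extract(service)
    result = {}
    for family, indicators in FINGERPRINTS.items():
        hits = [name for name, value in indicators if fields.get(name) == value]
        if hits and hits != ["port"]:
            result[family] = hits
    return result


# Constructed sample records: a teamserver-like cert, a Sliver-like listener, a benign host on 31337.
SAMPLE_SERVICES = [
    {"port": 443, "tls": {"subject_dn": "C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, "
                          "OU=AdvancedPenTesting, CN=Major Cobalt Strike", "issuer_dn": "CN=Major Cobalt Strike"}},
    {"port": 31337, "tls": {"subject_dn": "CN=multiplayer", "issuer_dn": "CN=operators"}},
    {"port": 31337, "http": {"html_title": "Welcome to nginx!"}},
]
```

Calling match_families on each entry of SAMPLE_SERVICES flags the first as Cobalt Strike (subject and issuer CN) and the second as Sliver, while the third returns an empty dict because port 31337 alone is ignored.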
That is it for this article; we have tried to show, in general terms, how to find C2 panels.