Hey all

Came across another cool query to share with you. This time it's for Remcos C2s, and it was based on an initial post from drb_ra on X.

same_service(services.banner_hashes="sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" and services.tls.certificates.leaf_data.signature.self_signed=`true` and not services.tls.certificate.parsed.subject_dn:?* and not services.tls.certificate.parsed.issuer_dn:?* and services.tls.ja4s: t130200_1301_234ea6891581) 

The main part of the query is this empty certificate and the JA4S value, as well as an empty service header on the same port.

There are some cool hits for Remcos with 0 VT on the C2. I haven't been able to check all of the results yet, although many so far are known C2s for Remcos.
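Added example (not from the original post, and not Censys's own API or SDK): a small Python check that reproduces the query's logic locally on constructed records, so you can confirm that the banner hash in the query is the SHA-256 of empty input and see why same_service() matters. The record field names are assumptions chosen to mirror the paths in the query.

```python
import hashlib
from typing import Any, Dict, List, Tuple

# Constructed sample hosts (not real infrastructure). Field names are an
# assumption that mirrors the query paths; this is not the Censys schema.
SAMPLE_HOSTS: List[Dict[str, Any]] = [
    {   # all conditions on one service -> expected hit
        "ip": "203.0.113.5",
        "services": [
            {"port": 4443, "banner": b"",
             "tls": {"self_signed": True, "subject_dn": "", "issuer_dn": "",
                     "ja4s": "t130200_1301_234ea6891581"}},
        ],
    },
    {   # empty banner and JA4S match, but the cert carries a subject DN -> miss
        "ip": "203.0.113.6",
        "services": [
            {"port": 443, "banner": b"",
             "tls": {"self_signed": True, "subject_dn": "CN=localhost",
                     "issuer_dn": "", "ja4s": "t130200_1301_234ea6891581"}},
        ],
    },
    {   # conditions split across two services; same_service() needs one -> miss
        "ip": "203.0.113.7",
        "services": [
            {"port": 80, "banner": b"", "tls": None},
            {"port": 8443, "banner": b"HTTP/1.1 200 OK\r\n",
             "tls": {"self_signed": True, "subject_dn": "", "issuer_dn": "",
                     "ja4s": "t130200_1301_234ea6891581"}},
        ],
    },
]

# The banner hash in the query is SHA-256 of zero bytes, i.e. "no banner at all".
EMPTY_BANNER_SHA256 = hashlib.sha256(b"").hexdigest()
REMCOS_JA4S = "t130200_1301_234ea6891581"


def service_matches(svc: Dict[str, Any]) -> bool:
    """Apply every predicate of the query to a single service record."""
    tls = svc.get("tls")
    if not tls:
        return False
    banner_hash = hashlib.sha256(svc.get("banner", b"")).hexdigest()
    return (
        banner_hash == EMPTY_BANNER_SHA256      # services.banner_hashes=sha256:e3b0...
        and tls.get("self_signed") is True      # ...leaf_data.signature.self_signed=`true`
        and not tls.get("subject_dn")           # not ...parsed.subject_dn:?* (absent/empty)
        and not tls.get("issuer_dn")            # not ...parsed.issuer_dn:?*
        and tls.get("ja4s") == REMCOS_JA4S      # services.tls.ja4s: t130200_1301_234ea6891581
    )


def hunt(hosts: List[Dict[str, Any]]) -> List[Tuple[str, int]]:
    """Return (ip, port) for each service satisfying the whole query."""
    return [(h["ip"], s["port"]) for h in hosts for s in h["services"] if service_matches(s)]
```

Treat a local hit the way the post does: as a lead to corroborate against other sources, not as a verdict on its own.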
Nice find, Matt - and it sounds silly to say, but I never thought about building a query to leverage empty values in this kind of way before. Thanks for sharing!
