Hey all
Came across another cool query to share with you. This time it's for Remcos C2s, and it was based on an initial post from drb_ra on X.
same_service(services.banner_hashes="sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" and services.tls.certificates.leaf_data.signature.self_signed=`true` and not services.tls.certificate.parsed.subject_dn:?* and not services.tls.certificate.parsed.issuer_dn:?* and services.tls.ja4s: t130200_1301_234ea6891581)
The main part of the query is this empty certificate and JA4S value, as well as an empty service header on the same port.


There are some cool hits for Remcos with 0 VT on the C2. I haven't been able to check all of the results yet, although many so far are known C2s for Remcos.
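To show what the query's conditions actually mean in the data, here is an added Python example (not from the original post or from Censys) that re-applies the same four conditions locally to an exported host record, the way you might re-check a result set before pivoting on it. It assumes a record shaped after the field paths used in the query (`services.banner_hashes`, `services.tls.certificates.leaf_data.signature.self_signed`, `services.tls.certificate.parsed.subject_dn` / `issuer_dn`, `services.tls.ja4s`); that shape and the sample values are constructed for illustration, not the exact Censys export schema. It also shows that the banner hash in the query is simply SHA-256 of an empty banner, and that `same_service(...)` means every condition must hold on one service rather than spread across ports.

```python
import hashlib

# JA4S value taken from the query above.
REMCOS_JA4S = "t130200_1301_234ea6891581"


def empty_banner_hash() -> str:
    """The banner_hashes value in the query is SHA-256 of zero bytes,
    i.e. a service that sent no banner at all."""
    return "sha256:" + hashlib.sha256(b"").hexdigest()


def _dn_absent(parsed: dict, key: str) -> bool:
    """`not field:?*` in the query means the field has no value.
    Here (assumption) a missing or empty string DN counts as absent."""
    value = parsed.get(key)
    return value is None or value == ""


def service_matches(service: dict) -> bool:
    """All four conditions of the query, evaluated on ONE service entry,
    which is what same_service(...) requires."""
    tls = service.get("tls", {})
    self_signed = (
        tls.get("certificates", {})
        .get("leaf_data", {})
        .get("signature", {})
        .get("self_signed", False)
    )
    parsed = tls.get("certificate", {}).get("parsed", {})
    return (
        empty_banner_hash() in service.get("banner_hashes", [])
        and self_signed is True
        and _dn_absent(parsed, "subject_dn")
        and _dn_absent(parsed, "issuer_dn")
        and tls.get("ja4s") == REMCOS_JA4S
    )


def matching_ports(host: dict) -> list:
    """Ports on a host record whose service satisfies the whole profile."""
    return [s["port"] for s in host.get("services", []) if service_matches(s)]


# Constructed sample host record: one service that fits the profile on every
# condition, and one that shares the JA4S but has a real certificate and banner.
SAMPLE_HOST = {
    "ip": "192.0.2.10",  # documentation address, constructed
    "services": [
        {
            "port": 2404,
            "banner_hashes": [empty_banner_hash()],
            "tls": {
                "certificates": {"leaf_data": {"signature": {"self_signed": True}}},
                "certificate": {"parsed": {}},  # no subject_dn / issuer_dn at all
                "ja4s": REMCOS_JA4S,
            },
        },
        {
            "port": 443,
            "banner_hashes": [
                "sha256:" + hashlib.sha256(b"constructed banner").hexdigest()
            ],
            "tls": {
                "certificates": {"leaf_data": {"signature": {"self_signed": False}}},
                "certificate": {
                    "parsed": {"subject_dn": "CN=example", "issuer_dn": "CN=example CA"}
                },
                "ja4s": REMCOS_JA4S,
            },
        },
    ],
}

if __name__ == "__main__":
    print("empty banner hash:", empty_banner_hash())
    print("matching ports on", SAMPLE_HOST["ip"], ":", matching_ports(SAMPLE_HOST))
```

Only port 2404 survives: port 443 has the same JA4S fingerprint but a populated certificate and a non-empty banner, so it is exactly the kind of result the empty-certificate and empty-banner clauses are there to exclude. The JA4S alone is a weak signal; it is the combination on a single service that makes the query useful for triage.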

