Free-to-use IOC feed for various tools/malware. It started out for just C2 tools but has morphed into tracking infostealers and botnets as well. It uses Shodan searches to collect the IPs. The most recent collection is always stored in the data directory; the IPs are broken down by tool, and there is also an all.txt.
The feed should update daily. I am actively working on making the backend more reliable.
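As an added example (not the project's own code), a small consumer that indexes the per-tool files from the data directory and matches their IPs against log lines, so a hit reports which tool the feed attributes the IP to. The per-tool file names, the feed contents and the log lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of the feed's per-tool files (file name -> contents).
# The real feed stores one IP per line; these names and IPs are made up.
SAMPLE_FEED_FILES = {
    "sliver.txt": "203.0.113.10\n198.51.100.7\n",
    "covenant.txt": "203.0.113.10\n203.0.113.11\nnot-an-ip\n",
    "all.txt": "203.0.113.10\n203.0.113.11\n198.51.100.7\n",
}

# Constructed firewall-style log lines to check against the feed.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2024-01-01T10:00:01Z ALLOW src=10.0.0.6 dst=192.0.2.44 dport=443",
    "2024-01-01T10:00:02Z DENY src=10.0.0.7 dst=198.51.100.7 dport=8443",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def load_feed(files):
    """Map each feed IP to the set of tools whose file lists it.
    all.txt is skipped because it only repeats the per-tool files."""
    index = defaultdict(set)
    for name, body in files.items():
        if name == "all.txt":
            continue
        tool = name.removesuffix(".txt")
        for line in body.splitlines():
            line = line.strip()
            try:
                ip = str(ipaddress.ip_address(line))
            except ValueError:
                continue  # skip blank or malformed entries instead of aborting
            index[ip].add(tool)
    return dict(index)


def match_logs(lines, index):
    """Return (line, ip, sorted tools) for every log line touching a feed IP."""
    hits = []
    for line in lines:
        for ip in IPV4_RE.findall(line):
            if ip in index:
                hits.append((line, ip, sorted(index[ip])))
    return hits


if __name__ == "__main__":
    for line, ip, tools in match_logs(SAMPLE_LOGS, load_feed(SAMPLE_FEED_FILES)):
        print(f"{ip} ({', '.join(tools)}): {line}")
```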
Many of the Shodan queries have been sourced from other CTI researchers:
Huge shoutout to them!
Thanks to BertJanCyber for creating the KQL query for ingesting this feed
And finally, thanks to Y_nexro for creating C2Live in order to visualize the data
If you want to host a private version, put your Shodan API key in an environment variable called SHODAN_API_KEY:
echo export SHODAN_API_KEY=API_KEY >> ~/.bashrc   # export it so tracker.py inherits the variable; replace API_KEY with your key
bash   # start a fresh shell that reads the updated ~/.bashrc
python3 -m pip install -r requirements.txt
python3 tracker.py
I encourage opening an issue/PR if you know of any additional Shodan searches for identifying adversary infrastructure. I will not set any hard guidelines around what can be submitted; just know that fidelity is paramount (a high true-positive to false-positive ratio is the focus).
github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Threat%20Hunting/TI%20Feed%20-%20MontySecurity%20C2%20Tracker%20All%20IPs.md
github.com/BishopFox/sliver
github.com/BushidoUK/OSINT-SearchOperators/blob/main/ShodanAdversaryInfa.md
github.com/chvancooten/NimPlant
github.com/cobbr/Covenant
github.com/DeimosC2/DeimosC2
github.com/EmpireProject/Empire
github.com/HavocFramework/Havoc
github.com/its-a-feature/Mythic
github.com/montysecurity/C2-Tracker
github.com/nettitude/PoshC2
github.com/sweetsoftware/Ares
github.com/YoNixNeXRo/C2Live