AI Architecture Analysis
This repository is indexed by RepoMind. By analyzing drb-ra/C2IntelFeeds in our AI interface, you can instantly generate complete architecture diagrams, visualize control flows, and perform automated security audits across the entire codebase.
Repository Overview (README excerpt)
# C2IntelFeeds

Automatically created C2 Feeds | Also posted via @drb_ra

**This would not be possible without Source/Raw Data courtesy of Censys** - https://censys.io/

**C2IntelFeeds** is a collection of automatically generated **Command-and-Control (C2) threat intelligence feeds** derived from large-scale internet scanning data (primarily Censys).

These feeds are intended for **defenders** and are suitable for:

- Threat hunting
- Network monitoring
- Detection engineering
- IOC enrichment
- Defensive blocking or alerting

The project focuses on identifying **real C2 infrastructure**, not malware samples.

---

## 🔍 What This Repository Provides

This repository contains multiple **plain-text, CSV, and JSON feeds** listing suspected or confirmed C2 infrastructure, including:

- C2 IP addresses
- C2 domains and hostnames
- Domains with C2 URL paths
- IP + port combinations
- C2 configuration metadata (when available)

Feeds are updated automatically and primarily reflect **recent activity**.

---

## ⏱️ Time Windows

Most feeds are available in the following time windows:

- **7-day feeds** (default)
- **30-day feeds** (historical context)
- **90-day feeds** (long-term context)

The time window refers to **last observed activity**, not creation date.

---

## 📁 Feed Types

### ✅ Verified Feeds (Preferred)

These feeds have undergone additional validation and **exclude known benign infrastructure**.

| Feed | Description |
|----|----|
| **C2 IPs** | Validated C2 server IP addresses |
| **C2 Domains** | Domains extracted from known C2 implants |
| **C2 Domains (Filtered)** | Same as above, with high-false-positive domains removed |
| **C2 Domains + URL** | Domains with specific C2 URI paths |
| **C2 Domains + URL + IP** | Domains, paths, and resolved IPs |

---

### ⚠️ Unverified Feeds

These feeds are generated from fingerprint matches but **may contain false positives**.

| Feed | Description |
|----|----|
| **Unverified C2 IPs** | Potential C2 IPs based on scan artifacts |
| **Unverified C2 Domains** | Potential C2 domains |
| **IP + Port Pairs** | Destination IP and port combinations |

> ⚠️ **Use unverified feeds cautiously**. Local validation is strongly recommended.

---

## 🧬 C2 Configuration Data

Where possible, extracted **C2 configuration metadata** is included in CSV and JSON formats. Typical fields may include:

- First seen timestamp
- True C2 IP (actual listener)
- Port, jitter, sleep time
- ASN and network information
- HTTP host headers
- TLS certificate data
- User-agent strings
- Optional public keys (JSON)

Both **standard** and **30-day** variants may be available.

---

## 🛰️ How the Data Is Generated

Feeds are built using **Censys search queries** designed to detect known C2 frameworks by fingerprinting:

- TLS certificate fields
- JARM fingerprints
- HTTP response headers and titles
- Body hashes
- Service banners
- Known implant artifacts

### Censys Searches

| Tool |
|------|
| Sliver |
| Covenant |
| Brute Ratel C4 |
| Mythic |
| Deimos |
| Nighthawk C2 |
| Bianlian Go Trojan |
| Havoc |
| Responder |
| Pupy RAT |
| Qakbot |
| DcRat |
| Viper |
| Supershell |
| Pikabot |
| Meduza Stealer |
| Evilginx/EvilGoPhish |
| Hookbot/Pegasus |
| AsyncRAT |
| Remcos |
| DanaBot |
| Rhysida Trojan |
| Oyster Backdoor |
| SocGholish |
| NetSupport Manager RAT |
| Geacon_Pro |
| Hak5 Cloud C2 |
| CHAOS |
| Interactsh |
| Reverse SSH |
| wstunnel |
| Ligolo-ng |
| Ransomhub Python C2 |
| Pyramid |
| VPN Themed Phishing |
| StealC v2 |
| AdaptixC2 |
| Matanbuchus |
| Pywssocks |

---

## 🧹 False-Positive Reduction

The repository includes an exclusion file: **exclusions.rex**

This file removes:

- Known CDN/domain-fronting services
- Common shared hosting providers
- Frequently benign infrastructure

Filtered feeds apply these exclusions automatically.
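The following is an added example (not code from the C2IntelFeeds project) of the local-validation step the README recommends: it loads one-indicator-per-line IP and domain feeds, drops anything matching a local exclusion list, then correlates the remainder against proxy log lines. The feed contents, the log lines and the regex form of the exclusions are all constructed assumptions; the real `exclusions.rex` syntax is not shown on the page.

```python
import re

# Constructed sample feed contents. The real feeds are plain text, one
# indicator per line; the values below are made up for this example.
C2_IPS_FEED = """# C2 IPs, 7-day window (constructed sample)
203.0.113.10
198.51.100.77
"""
C2_DOMAINS_FEED = """# C2 Domains (constructed sample)
update.example-c2.test
cdn.cloudfront.net
"""
# Local exclusions in the spirit of exclusions.rex; that file's real syntax is
# not shown on the page, so treating entries as regexes is an assumption.
LOCAL_EXCLUSIONS = [r"\.cloudfront\.net$", r"^198\.51\.100\."]

def load_feed(text, exclusions):
    """Parse a one-indicator-per-line feed, dropping comments, blank lines
    and any indicator that matches a local exclusion pattern."""
    patterns = [re.compile(p, re.IGNORECASE) for p in exclusions]
    indicators = set()
    for line in text.splitlines():
        ind = line.strip().lower()
        if not ind or ind.startswith("#"):
            continue
        if any(p.search(ind) for p in patterns):
            continue  # locally known-benign: keep it out of detections
        indicators.add(ind)
    return indicators

# Constructed proxy log lines: "<ts> <client> <dst_ip> <host> <path>"
PROXY_LOG = """2024-05-01T10:00:01Z 10.0.0.5 203.0.113.10 update.example-c2.test /api/v1
2024-05-01T10:00:02Z 10.0.0.6 93.184.216.34 www.example.com /
2024-05-01T10:00:03Z 10.0.0.7 198.51.100.77 cdn.cloudfront.net /lib.js
2024-05-01T10:00:04Z 10.0.0.8 192.0.2.9 update.example-c2.test /beacon
"""

def correlate(log_text, c2_ips, c2_domains):
    """Return (ts, client, reason) for each log line that hits a loaded feed."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash the pipeline
        ts, client, dst_ip, host, _path = parts[:5]
        if dst_ip in c2_ips:
            hits.append((ts, client, f"dst ip {dst_ip} in C2 IP feed"))
        elif host.lower() in c2_domains:
            hits.append((ts, client, f"host {host} in C2 domain feed"))
    return hits
```

Note that the exclusion of the CDN hostname and the shared-hosting prefix suppresses the third log line entirely, which is the false-positive reduction the README describes.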
---

## 🧠 How to Use These Feeds

These feeds are suitable for:

- **SIEM ingestion** (Splunk, Sentinel, Elastic, etc.)
- **EDR enrichment**
- **Threat hunting queries**
- **Network detections**
- **Firewall / proxy monitoring**
- **IOC correlation pipelines**

They are intentionally provided in **simple formats** to ease automation.

For most users, the easiest files to start with are C2 IPs, C2 Domains (Filtered) and Unverified C2 IPs, or their 30-day counterparts.

---

## 🌐 VPN & Proxy Lists

Separate feeds include known:

- VPN exit nodes
- Residential proxy networks

These can help:

- Reduce noise in detections
- Add context to outbound traffic
- Identify infrastructure abuse

---

## 📜 License

This project is licensed under: **Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)**

- Attribution required
- Non-commercial use only
- Share alike for derivatives

---

## ⚠️ Disclaimer

These feeds are provided **as-is** for defensive and research purposes.

- No guarantee of accuracy or completeness
- Infrastructure may be compromised, misattributed, or reused
- Always validate before taking action

---

**If you find this project useful, attribution is appreciated.**

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.