Hunting for Empire C2 with Shodan

Published by Reza Rafati on

In this post, I will take a dive with you into hunting for Empire C2 servers with Shodan. PowerShell Empire was created in 2015 by Veris Group security practitioners Will Schroeder, Justin Warner, Matt Nelson and others. Since then it has been used in real-world intrusions and has grown into a powerful post-exploitation framework, which makes its command-and-control (C2) servers worth hunting for.

A list of Empire C2 Shodan queries

Shodan query type | False-positive sensitive | Query
product           | yes                      | product:"Empire C2"
html_hash         | yes                      | http.html_hash:611100469
A list of Shodan queries that can help to find Empire C2 servers

Hunting for Empire C2 with Shodan

Time needed: 15 minutes.

A quick guide to the Shodan hunting queries that can assist you in finding Empire C2 servers.

  1. Log in to your Shodan account

    First, log in to your Shodan account. The search filters used below (product and http.html_hash) are only available to paid accounts.

  2. Try to hunt for Empire C2 with the product query

    Shodan lets you search on the product name it assigned to a service when it fingerprinted the banner. Empire C2 servers are sometimes indexed with the product name "Empire C2".

    The query for this is:
    product:"Empire C2"

  3. Try to hunt for Empire C2 with the html_hash

    The http.html_hash filter matches hosts whose served HTML page hashes to a given value; the value below is the hash of the page that indexed Empire C2 servers serve. Any host serving an identical page produces the same hash, so treat hits from this query as leads to verify, not as confirmed C2 servers.

    The query for this is:
    http.html_hash:611100469
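The three steps above can be automated so that both queries run, the hits are merged per host, and hosts matched by both the product tag and the html_hash (the stronger candidates) are listed first. The following is an added example for this post, not code from Cyberwarzone or the Empire project. It assumes the official `shodan` Python package (`pip install shodan`) and a paid Shodan API key in the SHODAN_API_KEY environment variable; the field layout it reads (ip_str, port, product, http.html_hash) follows the public Shodan banner format. Without a key it runs over a constructed sample of banners so the merge logic can be inspected offline.

```python
"""Run the two Empire C2 Shodan queries and merge the hits into one list.

Added example, not code from the post's author or the Empire project.
Assumes the `shodan` package and a paid API key in SHODAN_API_KEY; the
banner fields used (ip_str, port, product, http.html_hash) follow the
public Shodan result format.
"""
import os

# The two queries from the post. Both are false-positive sensitive:
# anything serving an identical page matches the html_hash query.
EMPIRE_QUERIES = {
    "product": 'product:"Empire C2"',
    "html_hash": "http.html_hash:611100469",
}


def search_shodan(api_key, query, max_pages=2):
    """Yield raw Shodan matches for `query`, walking up to max_pages pages."""
    import shodan  # imported lazily so the offline helpers run without it
    api = shodan.Shodan(api_key)
    for page in range(1, max_pages + 1):
        result = api.search(query, page=page)
        yield from result.get("matches", [])
        if page * 100 >= result.get("total", 0):  # Shodan pages hold 100 hits
            break


def normalize(match, source):
    """Reduce a Shodan banner to the fields worth keeping as an indicator."""
    http = match.get("http") or {}
    return {
        "ip": match["ip_str"],
        "port": match["port"],
        "product": match.get("product"),
        "html_hash": http.get("html_hash"),
        "source": source,
    }


def merge_hits(hits):
    """Group indicators by ip:port and record which queries matched each host.

    A host carrying the 'Empire C2' product tag *and* serving the known
    html_hash is a stronger candidate than one matching only the hash.
    """
    merged = {}
    for hit in hits:
        key = (hit["ip"], hit["port"])
        entry = merged.setdefault(key, {**hit, "sources": set()})
        entry["sources"].add(hit["source"])
        # Fill in fields one query returned but another did not.
        for field in ("product", "html_hash"):
            if entry.get(field) is None and hit.get(field) is not None:
                entry[field] = hit[field]
    for entry in merged.values():
        entry.pop("source", None)
        entry["sources"] = sorted(entry["sources"])
    return merged


def rank(merged):
    """Sort hosts so those matched by both queries come first."""
    return sorted(merged.values(),
                  key=lambda e: (-len(e["sources"]), e["ip"], e["port"]))


# Constructed sample banners in Shodan's result shape (documentation IPs,
# not real hosts), used when no API key is available.
SAMPLE_MATCHES = {
    "product": [
        {"ip_str": "192.0.2.10", "port": 443, "product": "Empire C2",
         "http": {"html_hash": 611100469}},
        {"ip_str": "192.0.2.11", "port": 80, "product": "Empire C2", "http": {}},
    ],
    "html_hash": [
        {"ip_str": "192.0.2.10", "port": 443, "http": {"html_hash": 611100469}},
        {"ip_str": "198.51.100.5", "port": 8080, "product": "nginx",
         "http": {"html_hash": 611100469}},
    ],
}


def hunt_offline():
    """Run the merge over the constructed sample instead of the live API."""
    hits = [normalize(m, src) for src, ms in SAMPLE_MATCHES.items() for m in ms]
    return rank(merge_hits(hits))


def hunt_live(api_key, max_pages=2):
    """Run both queries against Shodan and return the ranked, merged hosts."""
    hits = [normalize(m, src)
            for src, q in EMPIRE_QUERIES.items()
            for m in search_shodan(api_key, q, max_pages)]
    return rank(merge_hits(hits))


if __name__ == "__main__":
    key = os.environ.get("SHODAN_API_KEY")
    for entry in (hunt_live(key) if key else hunt_offline()):
        print(f'{entry["ip"]}:{entry["port"]}  product={entry["product"]}  '
              f'html_hash={entry["html_hash"]}  matched={",".join(entry["sources"])}')
```

In the sample run, 192.0.2.10 is listed first because both queries return it, while 198.51.100.5 is a typical html_hash-only hit whose product tag (nginx) does not corroborate the match; that is the kind of result to verify by hand before adding it to a blocklist.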

Empire C2

The authors behind the Empire C2 post-exploitation framework state the following about it:

Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and a flexible architecture.

Empire C2 authors on GitHub

If you liked these tips and tricks, please don't hesitate to share them.


Reza Rafati

Founder of Cyberwarzone.com.