This Shodan queries list is made up of queries that threat hunters use to identify threat landscapes, malware, command and control servers and vulnerable systems. The idea is that by keeping this list close at hand, you will be able to use the powerful Shodan search engine more effectively.
In the past I have published Shodan tutorials which describe how you can hunt for Empire and Cobalt Strike C2 servers. These tutorials allow you to hunt for the C2 servers, and they also give you a better understanding of how to perform queries via Shodan. Shodan can also be used to hunt for previously mentioned vulnerabilities: for example, CVE-2018-13379 still hasn’t been patched globally, and by following the Shodan tutorial on CVE-2018-13379 you can actually hunt for impacted systems.
Indexed (open) RDP systems on Shodan
Shodan queries list for threat hunters
The following Shodan queries will certainly provide results that you can use in your daily threat hunting process.
Shodan has the following default queries which you can perform. The nice thing about search engines such as Shodan is that you can combine queries and filters; this allows you to narrow the results you receive step by step.
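As an added example (not code from the original article), the following Python helper shows the two steps the paragraph describes from a defender's side: composing a Shodan query from combined filters, and then triaging the returned hosts against the address ranges you already know belong to your organisation, so that anything outside them stands out for follow-up. The filter names used (port, org, country, product, hostname, net, city, os) are standard Shodan filters; the result records are constructed to resemble Shodan's host match fields (ip_str, port, org, hostnames) and are invented for the example, as is the "Example Corp" organisation and its 203.0.113.0/24 range.

```python
import ipaddress
import re
from collections import Counter

# Standard Shodan filter names used in this example (assumption: only these
# are accepted by build_query; Shodan itself offers many more).
KNOWN_FILTERS = {"port", "org", "country", "product", "hostname", "net", "city", "os"}


def build_query(*terms, **filters):
    """Compose a Shodan query string from free-text terms and filter values.

    Filters are emitted as filter:value. A value containing whitespace is
    wrapped in double quotes, which the Shodan search syntax requires for
    multi-word values such as organisation names.
    """
    parts = list(terms)
    for name, value in filters.items():
        if name not in KNOWN_FILTERS:
            raise ValueError(f"unknown filter: {name}")
        value = str(value)
        if re.search(r"\s", value):
            value = f'"{value}"'
        parts.append(f"{name}:{value}")
    return " ".join(parts)


# Constructed sample shaped like Shodan host match records; all values invented.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 3389, "org": "Example Corp", "hostnames": ["rdp.example.com"]},
    {"ip_str": "203.0.113.11", "port": 22, "org": "Example Corp", "hostnames": []},
    {"ip_str": "198.51.100.7", "port": 3389, "org": "Example Corp", "hostnames": []},
]

# Address ranges the (hypothetical) organisation knows it owns.
KNOWN_ASSETS = {"203.0.113.0/24"}


def triage(matches, known_ranges):
    """Summarise exposed ports and flag hosts outside the known asset ranges.

    Returns (per_port, unknown_hosts): a Counter of how many hosts expose each
    port, and the list of IPs that Shodan attributes to the organisation but
    that do not fall inside any range the organisation has on record.
    """
    nets = [ipaddress.ip_network(r) for r in known_ranges]
    per_port = Counter(m["port"] for m in matches)
    unknown_hosts = [
        m["ip_str"]
        for m in matches
        if not any(ipaddress.ip_address(m["ip_str"]) in n for n in nets)
    ]
    return per_port, unknown_hosts


if __name__ == "__main__":
    # Query for RDP hosts attributed to the organisation, then triage the
    # (constructed) results as if they had come back from Shodan.
    print(build_query("RDP", port=3389, org="Example Corp"))
    per_port, unknown_hosts = triage(SAMPLE_MATCHES, KNOWN_ASSETS)
    print("exposed ports:", dict(per_port))
    print("hosts outside known ranges:", unknown_hosts)
```

Hosts that Shodan attributes to your organisation but that sit outside your documented ranges are the ones worth checking first: they are either assets nobody inventoried or mis-attributed third-party systems, and both cases deserve a ticket.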
Shodan screenshot showing query results on the world map
Overall, the following main filters can be used in the query: