Internet Search Engine Queries for Identifying C2 Panels

Threat hunters are always looking for reliable techniques to identify and track command-and-control (C2) infrastructure, open directories (often marked by the term “Index of”), and phishing-related assets. Open directories can inadvertently reveal sensitive data, malware files, or attacker tools making them valuable clues during an investigation.

To assist in this effort, I’ve curated a set of some internet search engines queries that can help detect:

Exposed or misconfigured open directories
Suspected C2 panels
These queries are intended to give security analysts deeper insight into adversary infrastructure at early stages, enabling faster detection and response.

Shodan

Search Type	Query
Favicon Hash	`http.favicon.hash:<HASH_VALUE>`
Product Name	`product:Covenant`

                     | `product:<C2_Product_Name>`                                               |

Fofa

Search Type	Query
Favicon Hash	`icon_hash=""`
Title	`title=="Mythic"`

                     | `title=="C2_Product_Name"`                                                |

ZoomEye

Search Type	Query
Favicon Hash	`iconhash=""`
Title	`title:"Cobalt Strike"`
Certificate	`cert:"Cobalt Strike"`

Censys

Search Type	Query
Label	`labels:c2`
Services Label	`services.labels:c2`
Compound Label	`(((services.labels:c2) and labels=c2) and labels=open-dir) and labels=login-page`
Bulletproof Hosting	`(services.labels:c2) and labels=bulletproof`
C2 with Login Page	`((services.labels:c2) and labels=c2) and labels=login-page`
Open Directory	`labels:open-dir`
HTML Title	`services.http.response.html_title: "Cobalt Strike"`
Certificate Issuer	`parsed.issuer.common_name: "Empire"`
Banner Search	`services.banner:"Cobalt Strike"`

Reverse The Malware