First I reviewed the certificate information in the RedGuard GitHub repo.
The details below were identified by searching the repo and reviewing screenshots of the RedGuard config. They can be used to match the default certificate properties:
Cert CommonName (default "*.aliyun.com")
Cert Country (default "CN")
Cert Locality (default "HangZhou")
Cert Organization (default "Alibaba (China) Technology Co., Ltd.")
We can start by using something like the below in shodan:
ssl:"CN" ssl:"HangZhou" ssl:"Alibaba (China) Technology Co., Ltd."
Next I reviewed the HTTP headers and HTML information from the screenshots and config on GitHub:
HTTP 301 Moved Permanently, length: 169
Proxy redirect URL (default "https://360.net")
360.com also appears in a screenshot, but when I checked it with the HTTP profile there were no results:
It appears the default ports are 80 and 443.
301 (hash-based rule):
http.html_hash:-618752581 http.headers_hash:-1625744203
https://www.shodan.io/search?query=http.html_hash%3A-618752581+http.headers_hash%3A-1625744203

301 (hashes plus certificate subject):
http.html_hash:-618752581 http.headers_hash:-1625744203 ssl:"Subject: C=CN L=HangZhou O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com"
https://www.shodan.io/search?query=http.html_hash%3A-618752581+ssl%3A%22Subject%3A+C%3DCN%2C+L%3DHangZhou%2C+O%3DAlibaba+%28China%29+Technology+Co.%2C+Ltd.%2C+CN%3D*.aliyun.com%22
HTTP (port 80) results:
43[.]129.175.251
43[.]129.184.244
43[.]135.34.69
49[.]232.29.245

SSL results:
42[.]193.106.237
43[.]129.175.251
43[.]129.184.244
43[.]135.34.69
49[.]232.29.245
49[.]234.165.142
69[.]234.233.153
119[.]27.176.138
123[.]56.218.157
175[.]24.254.64
218[.]19.148.82
Checking the results in VT, only one is flagged as malicious and has links to Cobalt Strike. Let's refine the rule with SSL (JARM) info.
301 (hashes plus JARM):
http.html_hash:-618752581 http.headers_hash:-1625744203 ssl.jarm:"3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910","2ad22b00000000022c43d22b22b43d3795b2a696610c3ae44909dcdcb797f2"
https://www.shodan.io/search?query=http.html_hash%3A-618752581+http.headers_hash%3A-1625744203+ssl.jarm%3A%223fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910%22

Results:
42[.]193.106.237
43[.]129.175.251
43[.]129.184.244
43[.]135.34.69
49[.]232.29.245
These look better, but still only one is flagged as malicious.
There are no communicating files for some of these IPs, which could mean they are not yet used, or not yet detected.
When looking at the results in Shodan I also noticed some results with a 307 response code. This was when I used the SSL info from the previous rules (ssl:"Subject: C=CN L=HangZhou O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com") and added the keyword search "https://360.net".
307 (unsure whether this is a customisation to use 307; I have not seen 307 in the GitHub code):
HTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=utf-8
Location: https://360.net
Date:
Content-Length: 51

The same rule using the hash values rather than the raw header text:
http.headers_hash:1926582344 http.html_hash:155817744
https://www.shodan.io/search?query=http.headers_hash%3A1926582344+http.html_hash%3A155817744

307 (hashes plus JARM):
http.headers_hash:1926582344 http.html_hash:155817744 ssl.jarm:"3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910"
https://www.shodan.io/search?query=http.headers_hash%3A1926582344+http.html_hash%3A155817744+ssl.jarm%3A%223fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910%22

307 (hashes plus certificate subject):
http.headers_hash:1926582344 http.html_hash:155817744 ssl:"Subject: C=CN L=HangZhou O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com"
https://www.shodan.io/search?query=http.headers_hash%3A1926582344+http.html_hash%3A155817744+ssl%3A%22Subject%3A+C%3DCN+L%3DHangZhou+O%3DAlibaba+%28China%29+Technology+Co.%2C+Ltd.%2C+CN%3D*.aliyun.com%22
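To check a single host's banner against the same fingerprint without going through Shodan, here is an added Python example (my own, not code from the write-up or from the RedGuard project). It parses a certificate subject line as Shodan shows it, splits a raw HTTP response into status, headers and body, compares both with the defaults quoted above, and rebuilds the redirect body that Go's net/http redirect helper writes for a GET, which for "https://360.net" and "Temporary Redirect" comes to exactly the 51 bytes seen on the 307 banner. The sample subject and responses are constructed, and all function names are the example's own.

```python
"""Offline matcher for the RedGuard default fingerprint described above.

Added example: the sample banners below are constructed, not captured traffic,
and every function name here is this example's own choice.
"""
import re

# Defaults as quoted from the RedGuard repo in the write-up.
DEFAULT_SUBJECT = {
    "C": "CN",
    "L": "HangZhou",
    "O": "Alibaba (China) Technology Co., Ltd.",
    "CN": "*.aliyun.com",
}
DEFAULT_REDIRECT = "https://360.net"
REDIRECT_CODES = {301: "Moved Permanently", 307: "Temporary Redirect"}


def parse_subject(subject: str) -> dict:
    """Parse 'Subject: C=CN, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com'.

    The O value itself contains a comma, so split only on commas that start a
    new attribute (comma, optional space, letters, '=').
    """
    subject = subject.strip()
    if subject.startswith("Subject:"):
        subject = subject[len("Subject:"):].strip()
    fields = {}
    for part in re.split(r",\s*(?=[A-Za-z]+=)", subject):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased; the body stays bytes so its length can be
    compared with the declared Content-Length.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def go_redirect_body(location: str, status_text: str) -> bytes:
    """Body Go's net/http redirect helper writes for a GET: an anchor to the
    target, the status text, '.', a newline, and the newline Fprintln appends.
    (Go also HTML-escapes the URL; plain URLs like the one here are unaffected.)"""
    return f'<a href="{location}">{status_text}</a>.\n\n'.encode()


def match_redguard_defaults(subject: str, raw_response: bytes) -> dict:
    """Compare one host's TLS subject and HTTP banner with the defaults."""
    fields = parse_subject(subject)
    status, headers, body = parse_http_response(raw_response)
    cert_ok = all(fields.get(k) == v for k, v in DEFAULT_SUBJECT.items())
    location = headers.get("location", "")
    redirect_ok = status in REDIRECT_CODES and location == DEFAULT_REDIRECT
    declared = int(headers.get("content-length", -1))
    # True when the body is byte-for-byte what Go's redirect helper would emit.
    go_body = status in REDIRECT_CODES and body == go_redirect_body(
        location, REDIRECT_CODES[status]
    )
    return {
        "status": status,
        "cert_match": cert_ok,
        "redirect_match": redirect_ok,
        "content_length": declared,
        "go_default_body": go_body,
        "match": cert_ok and redirect_ok,
    }


def shodan_query(redirect_keyword: bool = True) -> str:
    """Build the certificate-based Shodan query from the write-up, optionally
    adding the redirect URL as a free-text keyword."""
    terms = [f'ssl:"{DEFAULT_SUBJECT[k]}"' for k in ("C", "L", "O")]
    if redirect_keyword:
        terms.append(f'"{DEFAULT_REDIRECT}"')
    return " ".join(terms)


# Constructed sample banners modelled on the 307 response quoted above,
# plus a non-matching response for contrast.
SAMPLE_SUBJECT = "Subject: C=CN, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com"
SAMPLE_307 = (
    b"HTTP/1.1 307 Temporary Redirect\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Location: https://360.net\r\n"
    b"Content-Length: 51\r\n\r\n"
    + go_redirect_body("https://360.net", "Temporary Redirect")
)
SAMPLE_MISS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    print(shodan_query())
    print(match_redguard_defaults(SAMPLE_SUBJECT, SAMPLE_307))
    print(match_redguard_defaults(SAMPLE_SUBJECT, SAMPLE_MISS))
```

The 51-byte reconstruction only tells you the body shape is consistent with Go's standard redirect helper; it does not by itself prove the host is RedGuard, so treat it as one more pivot alongside the certificate subject, the redirect target and JARM.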
Reviewing the 301 and 307 related hosts in VT:
23[.]105.197.219
43[.]138.110.8
114[.]115.145.188
121[.]42.9.148
150[.]158.137.47
45[.]141.136.133
123[.]60.164.87
142[.]171.229.85
157[.]245.222.152
The first is flagged as malicious.
Looking at communicating files, it appears to be linked to a Cobalt Strike beacon.
Our second IP appears to have historic links to Cobalt Strike:
Our next check also shows Cobalt Strike, so it would appear the rule is good:
Looking at one of the US-based IP addresses, this has the redirector and also has Cobalt Strike hosted on the same server:
The rule looks good and we have identified additional infrastructure :)