
※ This article is based on an analysis shared by the Twitter-based threat intelligence specialist, Clandestine.
As cyber threats become increasingly sophisticated, relying solely on automated detection systems often misses early signs of malicious activity. In this context, manual reconnaissance and proactive threat hunting strategies are becoming essential for identifying infrastructure that may be used in attacks before it’s weaponized.
In this post, we’ll introduce practical search queries using Criminal IP’s Tag and Filter system to explore real-world malicious infrastructure. Each query comes with a direct search link, allowing you to practice hands-on threat detection in real time.
Real-World Query Examples Using Criminal IP Tags & Filters
Detecting C2 Servers Over Common Web Ports
Criminal IP Search Query: tag:C2 AND port:80 OR port:443

Attackers often disguise Command & Control (C2) servers as legitimate web services by operating them on common ports like 80 (HTTP) or 443 (HTTPS). This query helps identify C2 infrastructures using typical web traffic ports.
💡 In Criminal IP, the AND operator has higher precedence than OR, so this query is evaluated as (tag:C2 AND port:80) OR port:443. When reviewing the results, confirm that hosts returned for port 443 actually carry the C2 tag.
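To make the precedence rule concrete, here is an added example that is not part of the original post and not Criminal IP's own search engine: a small evaluator for "field:value" queries joined by AND/OR, with AND binding tighter than OR as stated above. It runs the page's C2 query over constructed sample hosts (hypothetical addresses, not real indicators) and shows the extra, untagged port-443 host that the loose binding lets through. Support for parentheses and for treating adjacent terms as an implicit AND are assumptions about the real query syntax made for this evaluator.

```python
import re

# Constructed sample hosts for offline testing (hypothetical, not real IoCs).
HOSTS = [
    {"ip": "192.0.2.10", "tags": {"C2"}, "port": 80, "ssl_expired": False},
    {"ip": "192.0.2.11", "tags": {"C2"}, "port": 443, "ssl_expired": True},
    {"ip": "192.0.2.12", "tags": set(), "port": 443, "ssl_expired": False},
    {"ip": "192.0.2.13", "tags": {"IoT"}, "port": 8080, "ssl_expired": True},
]

# Tokens: parentheses, the AND/OR keywords, or a field:value term whose value is
# either a quoted string or a bare word (stopping at whitespace or a parenthesis).
TOKEN_RE = re.compile(r'\(|\)|\bAND\b|\bOR\b|[a-z_]+:\s*(?:"[^"]*"|[^\s()]+)', re.IGNORECASE)


def tokenize(query):
    return TOKEN_RE.findall(query)


def match_term(term, host):
    """Evaluate one field:value term against a host record (toy field set)."""
    field, _, value = term.partition(":")
    field, value = field.lower(), value.strip().strip('"')
    if field == "tag":
        return value in host["tags"]
    if field == "port":
        return host["port"] == int(value)
    if field == "ssl_expired":
        return host["ssl_expired"] == (value.lower() == "true")
    raise ValueError(f"unsupported field in this toy evaluator: {field}")


class Parser:
    """Recursive-descent parser: OR is the loosest operator, AND groups first."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse_or(self):  # or_expr := and_expr (OR and_expr)*
        node = self.parse_and()
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            node = ("OR", node, self.parse_and())
        return node

    def parse_and(self):  # and_expr := atom (AND? atom)*
        node = self.parse_atom()
        while True:
            nxt = self.peek()
            if nxt is None or nxt == ")" or nxt.upper() == "OR":
                break
            if nxt.upper() == "AND":
                self.take()
            # Adjacent terms with no keyword are treated as an implicit AND (assumption).
            node = ("AND", node, self.parse_atom())
        return node

    def parse_atom(self):  # atom := "(" or_expr ")" | term
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.peek() != ")":
                raise ValueError("unbalanced parenthesis in query")
            self.take()
            return node
        return ("TERM", tok)


def evaluate(node, host):
    if node[0] == "TERM":
        return match_term(node[1], host)
    left, right = evaluate(node[1], host), evaluate(node[2], host)
    return (left and right) if node[0] == "AND" else (left or right)


def explain(query):
    """Return the query with the grouping implied by precedence made explicit."""
    def fmt(node, top=False):
        if node[0] == "TERM":
            return node[1]
        inner = f"{fmt(node[1])} {node[0]} {fmt(node[2])}"
        return inner if top else f"({inner})"
    return fmt(Parser(tokenize(query)).parse_or(), top=True)


def search(query, hosts=HOSTS):
    """Return the IPs of sample hosts matching the query."""
    tree = Parser(tokenize(query)).parse_or()
    return [h["ip"] for h in hosts if evaluate(tree, h)]


if __name__ == "__main__":
    for q in ("tag:C2 AND port:80 OR port:443", "tag:C2 AND (port:80 OR port:443)"):
        print(f"{q!r} -> {explain(q)} -> {search(q)}")
```

Running the script shows the page's query matching 192.0.2.12, which has no C2 tag at all, while the explicitly grouped form returns only the tagged hosts; the same evaluator also handles the operator-free queries later in the post, such as tag: IoT ssl_expired: true, under the implicit-AND assumption.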
Detecting Cobalt Strike Using Let’s Encrypt Certificates
Criminal IP Search Query: tag: "Cobalt Strike" ssl_issuer_organization: "Let's Encrypt"

Although Cobalt Strike is a legitimate red team tool, it’s frequently abused by attackers. Free SSL issuers like Let’s Encrypt are commonly used by malicious actors. This query helps identify suspicious Cobalt Strike deployments using such certificates.
Detecting Cobalt Strike with Expired SSL Certificates
Criminal IP Search Query: tag: "Cobalt Strike" AND ssl_expired: true

Expired SSL certificates can indicate abandoned or short-lived infrastructure, often used for testing or temporary operations by threat actors.
Detecting IoT Devices with Expired Certificates
Criminal IP Search Query: tag: IoT ssl_expired: true

Many IoT devices lack proper security management, and it’s not uncommon for them to operate without valid certificates. This query helps detect such vulnerable devices with expired SSL certs.
Exposed Docker API Instances
Criminal IP Search Query: tag: Docker port: 2375 OR port: 2376

The Docker daemon API listens by default on ports 2375 (HTTP) and 2376 (HTTPS). If exposed without proper authentication, these services can lead to critical security breaches. This query helps you identify Docker API endpoints that are open and unprotected.
Exposed AWS Elastic Beanstalk Instances
Criminal IP Search Query: title: "Elastic Beanstalk" port: 80

Elastic Beanstalk environments may unintentionally expose debugging or testing applications. This query identifies instances running on port 80 that may need further security checks.
Smarter Ways to Detect Threat Infrastructure with Criminal IP
- ssl_issuer_organization + ssl_expired:true
  → Helps identify temporary or attacker-operated test infrastructure.
- cloud_provider / hostname
  → Use to filter infrastructure hosted on AWS, Azure, Google Cloud, and others.
- as_name
  → Narrow the search based on ASN (Autonomous System Number) to focus on specific ISPs or cloud providers.
Conclusion
Criminal IP goes beyond basic asset search—it’s a powerful threat hunting platform that enables proactive detection of high-risk infrastructure. By combining Tags and Filters, users can build customized queries to uncover real-world threats. This approach not only identifies individual assets but also helps analysts understand the broader kill chain and attacker behavior. These queries can also be run periodically or integrated into SIEM and SOAR platforms to support automated threat detection and response workflows. Stay tuned for Part 2, where we’ll dive deeper into more advanced use cases and tactical applications for incident response.
In relation to this, you can refer to How To Prevent Internal Management System Exposure With OSINT Threat Intelligence.
Source: Criminal IP (https://www.criminalip.io/)