
Criminal IP Dorks Cheat Sheet: A Practical Guide to Threat Intelligence Queries (Part 2)

※ This article is based on an analysis shared by the Twitter-based threat intelligence specialist, Clandestine.

In today’s increasingly sophisticated threat landscape, relying solely on automated detection systems is often not enough to proactively identify early signs of an attack. As a result, manual reconnaissance of potential threat infrastructure and proactive threat-hunting strategies are becoming increasingly critical.

In this follow-up to Part 1, we introduce hands-on examples of how to use Criminal IP’s Tag and Filter functions to uncover real-world attack infrastructure. Each query includes a live search link, and key concepts are explained for accessibility—even for newcomers to cybersecurity.

Real-World Query Examples Using Criminal IP Tags & Filters

Identifying Mythic-Based C2 Servers

Criminal IP Search Query: tag: C2_mythic AND ssl_expired: true

A total of 30 results were found in the Criminal IP Asset Search

Mythic is an open-source Command & Control (C2) framework used in both red team simulations and real-world cyberattacks. Because threat actors often don't bother renewing TLS/SSL certificates on short-lived servers, this query is effective at surfacing Mythic C2 servers whose certificates have expired. An expired certificate is not proof of malice by itself, so confirm hits against other Mythic indicators (banner, ports, hosting provider) before acting on them.

🔎 C2 (Command and Control): infrastructure used by attackers to deliver commands to malware or exfiltrate data.

Detecting Exposed DevOps Platforms

Criminal IP Search Query: tag: DevOps AND port: 80

A total of 70,660 results were found in the Criminal IP Asset Search

DevOps tools like GitLab or Jenkins, if exposed externally, can lead to source code leaks, CI/CD pipeline compromise, or API key exposure. This query identifies publicly accessible DevOps platforms serving their web UI over plain HTTP on port 80, helping detect potential security gaps; the tag does the identification, and the port filter narrows the result set.

Detecting Exposed SSL VPNs

Criminal IP Search Query: tag: "SSL VPN" AND ssl_expired: true

A total of 21,522 results were found in the Criminal IP Asset Search

SSL VPNs enable remote access to internal networks and are common entry points for attackers—alongside RDP. Instances with expired SSL certificates often signal neglected or mismanaged systems, increasing the risk of compromise.

Detecting Compromised Systems with Expired SSL Certificates

Criminal IP Search Query: tag: Compromised AND ssl_expired: true

A total of 3 results were found in the Criminal IP Asset Search

A system already tagged as compromised that is also running with an expired SSL certificate likely indicates a lack of ongoing security maintenance. This query is useful for identifying servers that have been compromised and left unattended, and which may therefore remain under attacker control.

Smarter Ways to Detect Threat Infrastructure with Criminal IP

  • ssl_expired: true + tag
    → Detect abandoned or test infrastructure often left behind by threat actors
  • cloud_provider / hostname
    → Effective in pinpointing cloud-based threat infrastructure
  • as_name
    → Narrow search to specific ISPs or cloud providers
  • port + tag
    → Pinpoint vulnerable services through focused query logic
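The four queries above and the filter combinations in this list all share one shape: `filter: value` clauses joined with `AND`, with values containing spaces wrapped in double quotes. The following Python script is an added example, not code from Criminal IP or from Clandestine's original analysis. It builds queries from tag/filter building blocks, rejects filter names the article does not use so a typo fails loudly, reproduces the page's four queries exactly, and turns a batch of search hits into JSON events suitable for a scheduled SIEM feed. The search URL format, the hit field names (`ip`, `port`, `as_name`, `ssl_expired`) and the sample hits themselves are assumptions constructed for this example; no live request is made.

```python
"""Compose Criminal IP Asset Search dorks and emit SIEM-ready events.

Added example for this article; not Criminal IP's own code. The search URL
format, the result field names and the sample hits below are assumptions.
"""
import json
from urllib.parse import quote

# Filters used on this page. Anything else is rejected rather than silently
# producing a query that returns nothing or, worse, far too much.
KNOWN_FILTERS = {"tag", "ssl_expired", "port", "cloud_provider", "hostname", "as_name"}


def _format_value(value):
    """Render a filter value the way the page's queries do."""
    if isinstance(value, bool):            # ssl_expired: true / false
        return "true" if value else "false"
    text = str(value)
    return f'"{text}"' if " " in text else text   # tag: "SSL VPN"


def build_query(**filters):
    """Join filter clauses with AND, in the order they were supplied."""
    clauses = []
    for name, value in filters.items():
        if name not in KNOWN_FILTERS:
            raise ValueError(f"unknown Criminal IP filter: {name}")
        clauses.append(f"{name}: {_format_value(value)}")
    return " AND ".join(clauses)


def search_url(query):
    """Live-search link for a query (URL layout is an assumption)."""
    return "https://www.criminalip.io/asset/search?query=" + quote(query, safe="")


def hunting_queries():
    """The four hunting queries from this article, built from components."""
    return {
        "mythic_c2_expired_cert": build_query(tag="C2_mythic", ssl_expired=True),
        "exposed_devops_http": build_query(tag="DevOps", port=80),
        "ssl_vpn_expired_cert": build_query(tag="SSL VPN", ssl_expired=True),
        "compromised_expired_cert": build_query(tag="Compromised", ssl_expired=True),
    }


# Constructed sample hits (RFC 5737 documentation addresses), shaped as a
# plausible search result; the real API's field names may differ.
SAMPLE_HITS = [
    {"ip": "203.0.113.10", "port": 443, "as_name": "EXAMPLE-AS", "ssl_expired": True},
    {"ip": "203.0.113.27", "port": 8443, "as_name": "EXAMPLE-CLOUD", "ssl_expired": True},
]


def to_siem_events(rule_name, query, hits, observed_at):
    """Normalise hits into flat events a SIEM can ingest and correlate."""
    return [
        {
            "source": "criminalip",
            "rule": rule_name,
            "query": query,
            "ip": hit["ip"],
            "port": hit["port"],
            "as_name": hit.get("as_name"),
            "ssl_expired": hit.get("ssl_expired"),
            "observed_at": observed_at,
        }
        for hit in hits
    ]


if __name__ == "__main__":
    for name, query in hunting_queries().items():
        print(f"{name}: {query}\n  {search_url(query)}")
    for event in to_siem_events("mythic_c2_expired_cert",
                                hunting_queries()["mythic_c2_expired_cert"],
                                SAMPLE_HITS, "2024-01-01T00:00:00Z"):
        print(json.dumps(event))
```

Run on a schedule, the `to_siem_events` output can be written as JSON lines and shipped to the SIEM; a new IP appearing for a rule between two runs is the signal worth alerting on, since the raw hit counts (30, 70,660, and so on) change constantly.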

Conclusion

Criminal IP is more than just an asset search tool—it’s a powerful platform for proactive threat detection and intelligence.
By leveraging combinations of Tags and Filters, users can precisely identify malicious infrastructure and better understand the lifecycle and tactics of cyberattacks. Moreover, with regular query execution and integration into SIEM or SOAR platforms, these search strategies can evolve into automated threat detection and response workflows, enhancing both flexibility and operational efficiency.

For more use cases and queries, be sure to check out Criminal IP Dorks Cheat Sheet: A Practical Guide to Threat Intelligence Queries (Part 1).


Source: Criminal IP (https://www.criminalip.io/)
