Tags

Browse and search all threat intelligence tags

Admin Panel Hunt

Web-attack

Scanning for administrative interfaces

CGI Script Hunt

Web-attack

Scanning for vulnerable CGI scripts

Cisco ASA Probe

Recon

Reconnaissance probe targeting Cisco ASA firewall and VPN infrastructure. Indicates scanning for Cisco ASA devices, typically preceding exploitation attempts.

Cisco UCM Exploit

Cve

CVE-2024-20253 Cisco Unified Communications Manager RCE

Citrix ADC / Gateway Probe

Recon

HTTP request targeting Citrix ADC or Citrix Gateway (formerly NetScaler ADC/Gateway) specific URL paths, indicating deliberate reconnaissance or scanning for Citrix remote access infrastructure.

CMS Enumeration

Web-attack

Content management system discovery and enumeration

Config File Hunt

Web-attack

Scanning for exposed configuration files

cPanel Auth Bypass (CVE-2026-41940)

Cve

Active exploitation of the cPanel and WHM pre-authentication bypass vulnerability, targeting the WHM admin interface and cPanel session authentication endpoints.

cPanel Probe

Recon

Reconnaissance probe targeting cPanel and WHM web hosting control panel infrastructure. Detected via cPanel-specific HTTP paths and connections to native cPanel and WHM management ports.

Database Admin Hunt

Web-attack

Scanning for database admin interfaces (phpMyAdmin, etc.)

Directory Traversal Attempt

Web-attack

Path traversal attack attempting to access restricted files

Enterprise Software Probe

Web-attack

Probing for enterprise software (Confluence, Jenkins, etc.)

Exchange Probe

Exploit

Probing Microsoft Exchange for ProxyShell/ProxyLogon vulnerabilities

File Upload Attempt

Web-attack

Attempting to upload potentially malicious files

FortiGate Probe

Recon

Probing FortiGate/FortiOS SSL VPN and admin interfaces, including path traversal exploit attempts

GlobalProtect Probe

Recon

Probing Palo Alto GlobalProtect VPN login endpoints

IoT Default Credential Attempt

Botnet

Default credential stuffing attempt on telnet

Ivanti EPMM Exploit

Cve

CVE-2026-1281/CVE-2026-1340 Ivanti Endpoint Manager Mobile pre-auth RCE via Bash arithmetic expansion in /mifs/c/appstore/fob/ and /mifs/c/aftstore/fob/ endpoints

MCP Server Scan

Recon

Scanning for exposed Model Context Protocol (MCP) and Server-Sent Events (SSE) endpoints

Mirai Credential Spray

Botnet

Mirai-specific IoT default credentials detected in telnet payload

Mirai Scanner

Botnet

Mirai-style port 23/2323 dual scanning pattern detected

Outlaw Botnet

Botnet

An IP with this tag has been identified as the Outlaw (a.k.a. Dota) SSH cryptojacking botnet — a self-propagating Monero-mining botnet that spreads across SSH servers

PHPUnit RCE Scan

Exploit

Scanning for exposed PHPUnit eval-stdin.php endpoint allowing arbitrary PHP code execution

Port Scan

Recon

Scanning 5+ ports on target host

RDP Connection Attempt

Activity

Remote Desktop Protocol (RDP) connection attempt detected on port 3389

Redis Connection Attempt

Activity

Connection established to a Redis service on port 6379

Router Exploit

Web-attack

Attempting router firmware exploits (Netgear, D-Link, etc.)

SharePoint Active Exploitation

Cve

Active exploitation of SharePoint vulnerabilities

SharePoint Webshell Scanning

Cve

Scanning for SharePoint web shells

SIP Register Scanner

Activity

SIP VoIP scanning activity on port 5060

SMTP Auth Attempt

Activity

Host submitted an SMTP AUTH command to a honeypot mail server. Consistent with open-relay scouting or opportunistic credential submission.

SMTP Bruteforcer

Brute-force

Host made repeated SMTP AUTH attempts within a short window, strongly indicative of credential spraying against a mail server.

SolarWinds Probe

Web-attack

Probing for SolarWinds Orion endpoints

SQL Injection Attempt

Web-attack

SQL injection attack detected in request

SSH Bruteforcer

Brute-force

Repeated SSH credential attempts from this IP — username and password submitted multiple times to the SSH honeypot

SSH Connection Attempt

Activity

SSH connection attempt detected on port 22 or 2222

SSH Login Attempt

Activity

SSH credential attempt observed — attacker submitted a username and password to the SSH honeypot

Telnet Bruteforcer

Brute-force

Multiple username/password submissions to Telnet honeypot

Telnet Connection Attempt

Activity

Telnet connection attempt detected on port 23 or 2323

Telnet Login Attempt

Activity

Telnet credential attempt observed — attacker submitted a username and password to a Telnet server

ThinkPHP RCE

Exploit

Exploiting ThinkPHP framework invokefunction endpoint for remote code execution

TLS/SSL Crawler

Activity

TLS/SSL connection fingerprinting detected via Suricata

URI Parsing Exploit

Web-attack

Exploiting URI parsing vulnerabilities

VNC Bruteforcer

Brute-force

Repeated VNC authentication attempts from a single IP address

VNC Connection Attempt

Activity

VNC connection established on port 5900/5901

VNC Login Attempt

Activity

VNC authentication attempt on port 5900/5901

Web Command Injection

Web-attack

Attempting OS command injection via web parameters

Web Crawler

Activity

HTTP web crawling activity detected on web honeypots

Web Shell Hunt

Web-attack

Scanning for web shells (WSO, c99, r57, etc.)

Web Vulnerability Exploit

Web-attack

Generic web application vulnerability exploit

Showing 1 to 50 of 52 tags