Tags
Browse and search all threat intelligence tags
Admin Panel Hunt
Activity: IP addresses searching for administrative login interfaces and control panels

CGI Script Hunt
Activity: IP addresses scanning for CGI scripts and vulnerable CGI directories like /cgi-bin/

CMS Enumeration
Activity: IP addresses probing for CMS platforms like Drupal, Joomla, and admin panels

Config File Hunt
Activity: IP addresses searching for configuration files and sensitive application data

Database Admin Hunt
Activity: IP addresses searching for database administration interfaces like phpMyAdmin

Directory Traversal Attempt
Activity: IP addresses attempting path traversal attacks to access system files

Enterprise Software Probe
Activity: IP addresses targeting enterprise software like VMware, Citrix, and Exchange servers

File Upload Attempt
Activity: IP addresses probing for file upload endpoints and upload functionality

Router Exploit
Activity: IP addresses targeting router firmware vulnerabilities and IoT devices

SharePoint Active Exploitation
Activity: CVE-2025-53770 active SharePoint exploitation attempts targeting ToolPane.aspx endpoints. These represent live attacks attempting to deploy webshells and extract MachineKey secrets for persistent access.

SharePoint ToolShell Exploit
Activity: Detects exploitation attempts against CVE-2025-53770, a critical zero-day SharePoint RCE vulnerability. Attackers use ASPX payloads to steal MachineKey configuration and achieve remote code execution. Primary IOC: /_layouts/15/spinstall0.aspx

SharePoint Webshell Scanning
Activity: Scanning for CVE-2025-53770 SharePoint webshells (spinstall*.aspx). These requests typically indicate threat actors probing for already compromised SharePoint servers rather than active exploitation attempts.

SIP REGISTER Scanner
Activity: IP addresses with this tag have been observed scanning the Internet for SIP devices and attempting to query or modify address bindings using REGISTER requests.

SolarWinds Probe
Activity: IP addresses targeting SolarWinds Orion network monitoring platforms

SSH Bruteforcer
Worm: IP addresses with this tag have been observed making repeated SSH connections in a short timeframe.

SSH Connection Attempt
Activity: IP addresses with this tag have been observed attempting to negotiate an SSH session.

Telnet Bruteforcer
Activity: IP addresses with this tag have been observed attempting to bruteforce Telnet server credentials.

Telnet Login Attempt
Activity: IP addresses with this tag have been observed attempting to authenticate to a Telnet server.

TLS/SSL Crawler
Activity: IP addresses with this tag have been observed attempting to opportunistically crawl the Internet and establish TLS/SSL connections.

VNC Login Attempt
Activity: IP addresses with this tag have been observed attempting to authenticate to a VNC server.

Web Command Injection
Activity: IP addresses attempting to execute system commands through web applications

Web Crawler
Activity: IP addresses with this tag have been seen crawling HTTP(S) servers around the Internet.

Web Shell Hunt
Activity: IP addresses searching for web shells and backdoors on web servers

WordPress Enumeration
Activity: IP addresses enumerating WordPress users and admin interfaces