Enumeration Campaign: Target List Construction

Tags: LLM reconnaissance, Ollama honeypot infrastructure, Ollama SSRF, High-volume enumeration

GreyNoise confirmed through honeypot data collected in early January 2026 that threat actors actively scan and target LLM infrastructure. GreyNoise's Ollama honeypots logged more than 91,000 attack sessions from October 2025 through January 2026. Most of that activity came in a short surge: 80,469 sessions were recorded between December 28, 2025, and January 8, 2026.

Indicators of Compromise

The domains below are the default callback domains of the interactsh out-of-band (OAST) testing service. Scanners embed a random label in front of one of these base domains, so any DNS lookup or connection from an exposed Ollama host to a name under them shows that a probe succeeded in making the host reach out. The same domains are used by legitimate vulnerability scanners and bug-bounty tooling, so a hit is evidence of out-of-band probing, not attribution.

oast.live
oast.online
oast.site
oast.pro
oast.today
oast.fun
oast.me
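The listed domains only become useful once they are matched against resolver or proxy telemetry, and the match has to be on label boundaries because interactsh prefixes a random correlation label to the base domain. The following is an added example (not code from the page or from GreyNoise) that matches a hypothetical DNS query-log format of "timestamp client qname qtype" against the seven domains above; the log lines are constructed for the example.

```python
import re
from typing import Iterable

# The interactsh (OAST) base domains listed as indicators on this page.
OAST_DOMAINS = frozenset({
    "oast.live", "oast.online", "oast.site", "oast.pro",
    "oast.today", "oast.fun", "oast.me",
})


def normalize(qname: str) -> str:
    """Lower-case a DNS name and strip its trailing dot."""
    return qname.rstrip(".").lower()


def is_oast_domain(qname: str) -> bool:
    """True for an OAST base domain or any label under it.

    interactsh puts a random correlation label in front of the base domain,
    so the match must be on label boundaries; a substring test would also
    flag unrelated names such as notoast.fun.
    """
    name = normalize(qname)
    return any(name == base or name.endswith("." + base) for base in OAST_DOMAINS)


# Hypothetical DNS query-log line: "<timestamp> <client_ip> <qname> <qtype>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def find_oast_callbacks(lines: Iterable[str]) -> list:
    """Return the query-log entries whose name falls under an OAST domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and is_oast_domain(m["qname"]):
            hits.append({"ts": m["ts"], "client": m["client"], "qname": normalize(m["qname"])})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_DNS_LOG = [
    "2026-01-03T10:12:01Z 10.20.0.15 updates.example.internal A",
    "2026-01-03T10:12:04Z 10.20.0.15 cn5k2f9a1bqd7hlmz0e1.oast.fun A",   # interactsh-style label
    "2026-01-03T10:12:05Z 10.20.0.15 notoast.fun A",                      # must not match
    "2026-01-03T10:12:09Z 10.20.0.22 OAST.ME. A",                         # trailing dot, mixed case
    "malformed line",
]

if __name__ == "__main__":
    for hit in find_oast_callbacks(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} resolved {hit['qname']}")
```

Run the match against resolver logs from the Ollama hosts themselves rather than only perimeter DNS: a callback that originates from the model server is the signal that a server-side request was triggered, whereas a lookup from an analyst workstation is usually someone testing the indicator.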

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1046 - Network Service Scanning


DET0376 - Behavioral Detection Strategy for Network Service Discovery Across Platforms

  AN1057: Detects processes performing network enumeration (e.g., port scans, service probing) by correlating process creation, socket connections, and sequential destination IP probing within a time window.

  AN1058: Detects use of network scanning utilities or scripts performing rapid connections to multiple services or hosts using auditd and netflow/pcap telemetry.

  AN1059: Detects Bonjour-based mDNS enumeration or use of system tools (e.g., dns-sd, nmap) to find active services via multicast probing or targeted scans.

  AN1060: Detects lateral discovery or container breakout attempts using netcat, curl, or custom binaries probing other services within the same namespace or VPC subnet.
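AN1057 and AN1058 both describe the same core logic: attribute socket connections to a process and count how many distinct destinations it reaches inside a sliding time window. The following is an added example (not code from the page or from the MITRE analytics) of that detector over a hypothetical event schema that joins process-creation and connection telemetry; the field names, the thresholds (10 targets in 30 seconds) and the sample events are assumptions chosen for the example. It distinguishes a sweep across hosts on one port, which is what a campaign building a target list of Ollama servers looks like, from a port sweep of a single host.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEvent:
    """One outbound connection attributed to a process (hypothetical schema
    joining process-creation and network telemetry, e.g. auditd + netflow)."""
    ts: float        # epoch seconds
    host: str        # endpoint that emitted the event
    pid: int
    image: str       # process image name
    dst_ip: str
    dst_port: int


def detect_fanout(events, window_s=30.0, min_targets=10):
    """Sliding-window fan-out detector.

    Keeps, per (host, pid), the connections seen in the last window_s seconds
    and raises one alert the first time a process has reached at least
    min_targets distinct (dst_ip, dst_port) pairs inside that window. Many
    hosts on one port is labelled "host-sweep"; many ports on one host
    "port-sweep".
    """
    alerts = []
    windows = {}       # (host, pid) -> deque of (ts, (dst_ip, dst_port))
    already = set()    # keys that have alerted, so a sweep yields one alert
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.host, e.pid)
        dq = windows.setdefault(key, deque())
        dq.append((e.ts, (e.dst_ip, e.dst_port)))
        while dq and e.ts - dq[0][0] > window_s:   # expire entries outside the window
            dq.popleft()
        targets = {t for _, t in dq}
        if len(targets) < min_targets or key in already:
            continue
        already.add(key)
        distinct_hosts = {ip for ip, _ in targets}
        alerts.append({
            "host": e.host,
            "pid": e.pid,
            "image": e.image,
            "kind": "port-sweep" if len(distinct_hosts) == 1 else "host-sweep",
            "targets": len(targets),
            "first_ts": dq[0][0],
            "last_ts": e.ts,
        })
    return alerts


# Constructed sample telemetry (not real data). 11434 is Ollama's default listening port.
SAMPLE_EVENTS = (
    # pid 4101 touches 12 hosts on 11434 within 6 s -> host-sweep
    [ConnEvent(1000.0 + i * 0.5, "web-01", 4101, "python3", f"10.0.1.{i + 1}", 11434)
     for i in range(12)]
    # pid 2200 (browser) reaches 3 hosts over a minute -> below threshold, no alert
    + [ConnEvent(1000.0 + i * 20.0, "web-01", 2200, "firefox", f"203.0.113.{i + 1}", 443)
       for i in range(3)]
    # pid 5150 probes 15 ports on one host within 3 s -> port-sweep
    + [ConnEvent(1100.0 + i * 0.2, "web-01", 5150, "nc", "10.0.2.9", 1 + i)
       for i in range(15)]
)

if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_EVENTS):
        print(f"{a['host']} pid={a['pid']} ({a['image']}) {a['kind']}: "
              f"{a['targets']} targets in {a['last_ts'] - a['first_ts']:.1f}s")
```

The per-key deque keeps memory bounded by the window rather than by total traffic, and the `already` set turns a thousand-host sweep into a single alert. Tune `min_targets` per host class: a vulnerability scanner or monitoring poller will legitimately exceed it and belongs on an allowlist keyed by image and host, not on a raised global threshold.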


T1102 - Web Service


DET0425 - Suspicious Use of Web Services for C2

  AN1189: Detects unusual outbound connections to web services from uncommon processes using SSL/TLS, particularly those exhibiting high outbound data volume or persistence.

  AN1190: Detects command-line tools, agents, or scripts making outbound HTTPS connections to popular web services like Discord, Slack, Dropbox, or Graph API in an unusual context.

  AN1191: Detects user agents or background services making unauthorized or unscheduled web API calls to cloud/web services over HTTPS.

  AN1192: Detects guest VMs or management agents issuing HTTP(S) traffic to external services without a valid patch management or backup justification.


T1190 - Exploit Public-Facing Application


DET0080 - Exploit Public-Facing Application – multi-signal correlation (request → error → post-exploit process/egress)

  AN0219: Adversary sends crafted HTTP/S (or other service) input to an Internet-facing app (IIS/ASP.NET, API, device portal). Chain: (1) abnormal request patterns to public endpoint → (2) elevated 4xx/5xx or unusual methods/paths → (3) server process (w3wp.exe/other service) spawns shell/LOLbins or loads non-standard modules → (4) optional outbound callback from the host/container.

  AN0220: Adversary exploits Apache/Nginx/app servers. Chain: (1) suspicious requests in access logs → (2) spike of 5xx or WAF blocks → (3) web server or interpreter (apache2/nginx/php-fpm/node/python) spawns /bin/sh, curl, wget, socat, or writes webshell → (4) outbound callback.

  AN0221: Adversary targets macOS-hosted public services (e.g., nginx, node). Chain: suspicious inbound request → service crash/5xx → service spawns shell or writes file → new outbound connection.

  AN0222: Adversary exploits containerized app via ingress or service. Chain: (1) suspicious request in ingress/app logs → (2) container process spawns a shell/exec/sidecar (kubectl exec/docker exec) → (3) egress to Internet or metadata service (169.254.169.254).

  AN0223: Adversary targets cloud-hosted public endpoints. Chain: (1) ALB/ELB/Cloud LB logs show exploit-like inputs or error spikes → (2) workload spawns shell or reaches metadata API → (3) egress to new external hosts.

  AN0224: Adversary exploits exposed OpenSLP on ESXi or vCenter public endpoints. Chain: inbound request pattern to mgmt service → hostd/vpxd error/crash/restart → unexpected process behavior or datastore access → outbound callback.

  AN0225: Adversary exploits public admin services on routers/firewalls/switches. Chain: anomalous HTTP/SNMP/SmartInstall inputs → device syslog errors/restarts → config changes/CLI spawn → egress to attacker C2.
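The DET0080 chain is a join across two data sources: stages (1) and (2) live in the access log, stage (3) in process-creation telemetry. The following is an added example (not code from the page or from the MITRE analytics) that implements the AN0220 variant for a Linux web server. It finds, per source IP, a burst of 4xx/5xx responses inside a window, then looks for a web-server or interpreter process spawning a shell or download tool shortly after the burst. The simplified access-log format, the process-event schema, the thresholds and the sample data are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical simplified access-log line: '<epoch> <src_ip> "<METHOD> <path>" <status>'
ACCESS_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation event (hypothetical schema, e.g. from auditd execve or an EDR)."""
    ts: float
    parent_image: str
    child_image: str
    cmdline: str


# Servers/interpreters named in DET0080 and the children they should not spawn.
WEB_SERVERS = {"nginx", "apache2", "httpd", "php-fpm", "node", "python3", "w3wp.exe"}
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "socat", "nc", "ncat",
                       "cmd.exe", "powershell.exe"}


def parse_access(lines):
    """Parse the simplified access-log lines; unparseable lines are skipped."""
    reqs = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if m:
            reqs.append({"ts": float(m["ts"]), "src": m["src"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    return reqs


def find_error_bursts(reqs, window_s, min_errors):
    """Stages (1)+(2): per source IP, the first window holding >= min_errors 4xx/5xx responses."""
    by_src = defaultdict(list)
    for r in reqs:
        if r["status"] >= 400:
            by_src[r["src"]].append(r)
    bursts = []
    for src, errs in by_src.items():
        errs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(errs)):
            while errs[end]["ts"] - errs[start]["ts"] > window_s:   # slide the window
                start += 1
            if end - start + 1 >= min_errors:
                bursts.append({"src": src, "first_ts": errs[start]["ts"], "last_ts": errs[end]["ts"],
                               "paths": sorted({r["path"] for r in errs[start:end + 1]})})
                break   # one burst per source is enough to anchor the chain
    return bursts


def correlate_exploit_chain(access_lines, proc_events, err_window_s=60.0, min_errors=5,
                            spawn_window_s=120.0):
    """Stage (3): join each burst with a web-server process spawning a shell/download tool
    between the start of the burst and spawn_window_s after its end."""
    alerts = []
    for b in find_error_bursts(parse_access(access_lines), err_window_s, min_errors):
        for p in proc_events:
            if (p.parent_image in WEB_SERVERS and p.child_image in SUSPICIOUS_CHILDREN
                    and b["first_ts"] <= p.ts <= b["last_ts"] + spawn_window_s):
                alerts.append({"src": b["src"], "paths": b["paths"], "spawn": p})
    return alerts


# Constructed sample data (not real traffic or real hosts).
SAMPLE_ACCESS = [
    '1000 198.51.100.7 "GET /.env" 404',
    '1003 198.51.100.7 "GET /.git/config" 404',
    '1006 198.51.100.7 "POST /api/upload" 500',
    '1009 198.51.100.7 "GET /admin" 403',
    '1012 198.51.100.7 "GET /cgi-bin/test" 404',
    '1015 198.51.100.7 "POST /api/upload" 500',
    '1001 192.0.2.10 "GET /" 200',
    '1030 192.0.2.10 "GET /favicon.ico" 404',
    'not an access log line',
]
SAMPLE_PROCS = [
    ProcEvent(990.0, "cron", "sh", "sh -c /usr/local/bin/backup.sh"),     # parent is not a web server
    ProcEvent(1030.0, "nginx", "sh", "sh -c id"),                         # inside the window -> alert
    ProcEvent(2000.0, "php-fpm", "curl", "curl -s http://203.0.113.50/"), # too late to chain
]

if __name__ == "__main__":
    for a in correlate_exploit_chain(SAMPLE_ACCESS, SAMPLE_PROCS):
        print(f"{a['src']} probed {a['paths']} then {a['spawn'].parent_image} "
              f"spawned {a['spawn'].child_image}: {a['spawn'].cmdline}")
```

The spawn check alone (a web server spawning sh) is already a strong signal on a hardened host; the error burst is what keeps it from firing on operators who legitimately run maintenance scripts from the same service account, and it also identifies the source IP to pivot on.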


T1210 - Exploitation of Remote Services


DET0118 - Exploitation of Remote Services – multi-platform lateral movement detection

  AN0327: Correlates inbound network access to remote service ports (e.g., SMB/RPC 445/135, RDP 3389, WinRM 5985/5986) with near-time instability in the target service (crash, abnormal restart), suspicious child process creation under the service, and post-access lateral-movement behaviors. The chain indicates likely exploitation rather than normal administration.

  AN0328: Links inbound network access to SSHD/SMB/NFS/databases or custom daemons with subsequent daemon crash/restart, core dump, or spawning of shells/reverse shells from the service context, indicating remote exploitation.

  AN0329: Detects exploitation targeting ESXi/vCenter by correlating attempts to reach known exploitable endpoints (OpenSLP 427, CIM 5989, Hostd/Vpxa HTTPS 443, ESXi SOAP) with vmkernel/hostd crashes, unexpected hostd/vpxa restarts, or new reverse/outbound connections from ESXi host/vCenter to internal assets.

  AN0330: Ties inbound access to exposed services (ARD/VNC 5900, SSH 22, ScreenSharing, web services) with process crashes in unified logs and abnormal child processes spawned under those services (e.g., bash, curl) to indicate exploitation.


T1212 - Exploitation for Credential Access


DET0174 - Detection Strategy for Exploitation for Credential Access

  AN0493: Detects adversary exploitation of authentication mechanisms or credential validation processes. Defender perspective includes forged Kerberos tickets (e.g., MS14-068), abnormal LSASS memory access, replayed authentication attempts, and unexpected crashes of authentication services. Multi-event correlation ties exploitation attempts to abnormal process creation, service instability, and suspicious authentication events.

  AN0494: Detects exploitation of authentication daemons or PAM modules. Defender perspective includes failed or anomalous PAM authentications, abnormal segfaults in authentication services, and exploitation attempts followed by successful unauthorized logins. Correlation identifies memory corruption, replay attempts, and privilege escalation tied to credential services.

  AN0495: Detects exploitation attempts against macOS authentication frameworks such as OpenDirectory or Keychain. Defender perspective includes abnormal crashes in opendirectoryd, unauthorized Keychain API usage, and unusual sudo or login events. Correlation links unexpected process behavior with credential access anomalies.

  AN0496: Detects exploitation of vulnerabilities in cloud identity providers (IdPs) such as Azure AD or Okta for credential access. Defender perspective includes anomalous token creation or renewal, authentication bypass events, and API abuse to mint unauthorized tokens. Correlation highlights exploitation attempts tied to absent or inconsistent audit logs.


T1552 - Unsecured Credentials


DET0412 - Detect Access or Search for Unsecured Credentials Across Platforms

  AN1153: Unusual access to bash history, registry credential paths, or private key files by unauthorized or scripting tools, with correlated file and process activity.

  AN1154: Reading of sensitive files like .bash_history, /etc/shadow, or private key directories by unauthorized users or unusual processes.

  AN1155: Unusual access to ~/Library/Keychains, ~/.bash_history, or Terminal command history by unauthorized processes or users.

  AN1156: Unusual web-based access or API scraping of password managers, single sign-on sessions, or credential sync services via browser automation or anomalous API tokens.

  AN1157: Unauthorized API or console calls to retrieve or reset password credentials, download key material, or modify SSO settings.

  AN1158: Access to container image layers or mounted secrets (e.g., Docker secrets) by processes not tied to the entrypoint or orchestration context.

  AN1159: Use of configuration backup utilities or CLI access to dump plaintext passwords, local user hashes, or SNMP strings.


T1592 - Gather Victim Host Information


DET0826 - Detection of Gather Victim Host Information

  AN1958: Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.[4][1] Much of this activity may have a very high occurrence and associated false-positive rate, and it may take place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may instead be focused on related stages of the adversary lifecycle, such as Initial Access.


T1595 - Active Scanning


DET0830 - Detection of Active Scanning

  AN1962: Monitor network data for uncommon data flows. Processes that use the network but do not normally have network communication, or that have never been seen before, are suspicious. Monitor and analyze traffic patterns and packet inspection associated with protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line telemetry to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocols).


T1595.002 - Vulnerability Scanning


DET0867 - Detection of Vulnerability Scanning

  AN1999: Monitor and analyze traffic patterns and packet inspection associated with protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line telemetry to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocols). Monitor network data for uncommon data flows. Processes that use the network but do not normally have network communication, or that have never been seen before, are suspicious.

Observed Countries (250)

AD (854)
AE (929)
AF (858)
AG (672)
AI (130)
AL (798)
AM (867)
AO (684)
AQ (603)
AR (416)
AS (722)
AT (266)
AU (127)
AW (429)
AX (242)
AZ (890)
BA (811)
BB (720)
BD (946)
BE (227)
BF (630)
BG (881)
BH (791)
BI (825)
BJ (115)
BL (435)
BM (395)
BN (324)
BO (920)
BQ (91)
BR (426)
BS (64)
BT (404)
BV (974)
BW (60)
BY (879)
BZ (641)
CA (580)
CC (917)
CD (601)
CF (210)
CG (103)
CH (531)
CI (197)
CK (426)
CL (659)
CM (476)
CN (926)
CO (963)
CR (333)
CU (853)
CV (835)
CW (277)
CX (617)
CY (444)
CZ (284)
DE (824)
DJ (447)
DK (28)
DM (835)
DO (253)
DZ (80)
EC (389)
EE (22)
EG (569)
EH (283)
ER (742)
ES (714)
ET (923)
FI (128)
FJ (446)
FK (29)
FM (738)
FO (415)
FR (652)
GA (436)
GB (551)
GD (841)
GE (490)
GF (588)
GG (825)
GH (306)
GI (667)
GL (530)
GM (884)
GN (327)
GP (862)
GQ (880)
GR (439)
GS (593)
GT (836)
GU (326)
GW (218)
GY (937)
HK (394)
HM (984)
HN (487)
HR (593)
HT (171)
HU (477)
ID (957)
IE (316)
IL (836)
IM (905)
IN (94)
IO (124)
IQ (778)
IR (650)
IS (929)
IT (955)
JE (675)
JM (375)
JO (325)
JP (554)
KE (571)
KG (612)
KH (703)
KI (741)
KM (402)
KN (523)
KP (187)
KR (478)
KW (80)
KY (527)
KZ (222)
LA (555)
LB (438)
LC (256)
LI (84)
LK (207)
LR (592)
LS (651)
LT (931)
LU (637)
LV (4)
LY (933)
MA (911)
MC (397)
MD (816)
ME (801)
MF (111)
MG (943)
MH (393)
MK (599)
ML (855)
MM (81)
MN (394)
MO (749)
MP (869)
MQ (311)
MR (949)
MS (790)
MT (512)
MU (199)
MV (471)
MW (825)
MX (94)
MY (64)
MZ (352)
NA (60)
NC (324)
NE (717)
NF (88)
NG (270)
NI (38)
NL (517)
NO (519)
NP (745)
NR (639)
NU (288)
NZ (75)
OM (352)
PA (751)
PE (345)
PF (152)
PG (319)
PH (513)
PK (227)
PL (172)
PM (559)
PN (687)
PR (791)
PS (620)
PT (283)
PW (471)
PY (105)
QA (242)
RE (788)
RO (262)
RS (87)
RU (723)
RW (875)
SA (798)
SB (599)
SC (462)
SD (955)
SE (104)
SG (720)
SH (526)
SI (242)
SJ (367)
SK (418)
SL (631)
SM (488)
SN (530)
SO (617)
SR (214)
SS (749)
ST (295)
SV (427)
SX (900)
SY (264)
SZ (927)
TC (74)
TD (948)
TF (10)
TG (501)
TH (156)
TJ (310)
TK (542)
TL (554)
TM (74)
TN (215)
TO (782)
TR (443)
TT (940)
TV (375)
TW (249)
TZ (351)
UA (302)
UG (355)
UM (554)
US (11)
UY (904)
UZ (115)
VA (235)
VC (991)
VE (249)
VG (274)
VI (739)
VN (54)
VU (977)
WF (70)
WS (149)
XK (10)
YE (281)
YT (564)
ZA (933)
ZM (747)
ZW (121)