Category Archives: Use Cases

System Use Cases that help you detect attacks against your infrastructure. These System Use Cases are classified by Attacker Class (Opportunists, Targeting Opportunists, Professional or State Funded). This classification is inspired by Thierry Zoller's work “Attacker Classes and Pyramid (Version 2)”.

SUC025 : ZmEu exploit scanner

  • Use Case Reference : SUC025
  • Use Case Title : ZmEu exploit scanner
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : ZmEu bot
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible correlation(s) :

  • phpMyAdmin scanner

Source(s) :

Emerging Threats SIG 2010715 triggers are :

  • The HTTP header should contain the “Made by ZmEu” User-Agent string. Example : “User-Agent: Made by ZmEu @ WhiteHat Team – www.whitehat.ro”
  • The source port can be any port; the rule matches traffic from EXTERNAL_NET to HOME_NET on HTTP_PORTS.
Figure : SIG 2010715 1 week events activity
Figure : SIG 2010715 1 month events activity
Figure : 1 month TOP 10 source IPs for SIG 2010715

SUC024 : ET WEB SQL Injection Attempt (Agent NV32ts)

  • Use Case Reference : SUC024
  • Use Case Title : ET WEB SQL Injection Attempt (Agent NV32ts)
  • Use Case Detection : IDS / HTTP / SQL logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible correlation(s) :

  • SQL injection tool or bot

Source(s) :

Emerging Threats SIG 2009029 triggers are :

  • The HTTP header should contain the “NV32ts” User-Agent string. Example : “User-Agent: NV32ts”
  • The source port can be any port; the rule matches traffic from EXTERNAL_NET to HOME_NET on HTTP_PORTS.
Figure : SIG 2009029 1 week events activity
Figure : SIG 2009029 1 month events activity
Figure : 1 month TOP 10 source IPs for SIG 2009029

SUC023 : WebHack Control Center User-Agent Inbound (WHCC/)

  • Use Case Reference : SUC023
  • Use Case Title : WebHack Control Center User-Agent Inbound (WHCC/)
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists / Targeting Opportunists 
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : WebHack Control Center Web server vulnerability scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible correlation(s) :

  • WebHack Control Center Web server vulnerability scanner

Source(s) :

Emerging Threats SIG 2003924 triggers are :

  • The HTTP header should contain the “WHCC” User-Agent string. Example : “User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; WHCC/0.6; GTB6.6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C)”
  • The source port can be any port; the rule matches traffic from EXTERNAL_NET to HOME_NET on HTTP_PORTS.
Figure : SIG 2003924 1 week events activity
Figure : SIG 2003924 1 month events activity
Figure : 1 month TOP 10 source IPs for SIG 2003924

SUC022 : Sqlmap SQL Injection Scan User-Agent Inbound

  • Use Case Reference : SUC022
  • Use Case Title : Sqlmap SQL Injection Scan User-Agent Inbound
  • Use Case Detection : IDS / HTTP / SQL logs
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : sqlmap automatic SQL injection and database takeover tool
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible correlation(s) :

  • sqlmap automatic SQL injection and database takeover tool.

Source(s) :

Emerging Threats SIG 2008538 triggers are :

  • The HTTP header should contain the “sqlmap” User-Agent string. Example : “User-Agent: sqlmap/1.0-dev (http://sqlmap.sourceforge.net)”
  • The source port can be any port; the rule matches traffic from EXTERNAL_NET to HOME_NET on HTTP_PORTS.
Figure : SIG 2008538 1 week events activity
Figure : SIG 2008538 1 month events activity
Figure : 1 month TOP 10 source IPs for SIG 2008538
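The four use cases on this page (SUC022 to SUC025) all key on a User-Agent substring, so one script can cover them. The following Python is an added example, not code from the original page or from Emerging Threats: it parses combined-format HTTP access logs, maps each User-Agent hit to the use-case reference and ET signature id, and produces the same kind of "top source IPs" summary the figures above show. The log lines are constructed and use documentation IP ranges; the case-insensitive substring match is an assumption of this example rather than a reproduction of the ET rule options. Because the User-Agent header is entirely client-controlled, a hit only identifies a tool that does not bother to disguise itself; the absence of a hit says nothing, which is why the use cases also list HTTP and SQL log correlation.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format:
# ip ident user [timestamp] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User-Agent markers from the use cases on this page, keyed by ET signature id.
SIGNATURES = {
    2010715: ("SUC025", "ZmEu exploit scanner", "Made by ZmEu"),
    2009029: ("SUC024", "ET WEB SQL Injection Attempt (Agent NV32ts)", "NV32ts"),
    2003924: ("SUC023", "WebHack Control Center User-Agent Inbound (WHCC/)", "WHCC/"),
    2008538: ("SUC022", "Sqlmap SQL Injection Scan User-Agent Inbound", "sqlmap"),
}

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2010:13:55:36 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 208 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"',
    '203.0.113.10 - - [10/Oct/2010:13:55:37 +0000] "GET /pma/ HTTP/1.1" 404 208 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"',
    '198.51.100.7 - - [10/Oct/2010:14:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "NV32ts"',
    '198.51.100.8 - - [10/Oct/2010:14:05:44 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; WHCC/0.6)"',
    '198.51.100.9 - - [10/Oct/2010:14:09:10 +0000] "GET /news.php?id=1 HTTP/1.1" 500 0 "-" "sqlmap/1.0-dev (http://sqlmap.sourceforge.net)"',
    '192.0.2.5 - - [10/Oct/2010:14:10:00 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/80.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def match_user_agent(ua):
    """Return (sid, suc, title) for the first marker found in the User-Agent.

    Case-insensitive substring match is an assumption of this example; the
    ET rules may use different content-matching options.
    """
    ua_lower = ua.lower()
    for sid, (suc, title, marker) in SIGNATURES.items():
        if marker.lower() in ua_lower:
            return sid, suc, title
    return None


def scan_log(lines):
    """Return one alert dict per log line whose User-Agent matches a signature."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # unparseable lines are skipped, not treated as hits
            continue
        hit = match_user_agent(rec["ua"])
        if hit:
            sid, suc, title = hit
            alerts.append({"ip": rec["ip"], "sid": sid, "suc": suc,
                           "title": title, "request": rec["request"]})
    return alerts


def count_by_sid(alerts):
    """Events per signature id, the per-SIG activity count behind the figures."""
    return dict(Counter(a["sid"] for a in alerts))


def top_sources(alerts, n=10):
    """TOP n source IPs across all alerts, as (ip, count) pairs."""
    return Counter(a["ip"] for a in alerts).most_common(n)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'{a["ip"]:<15} SID {a["sid"]} {a["suc"]} {a["title"]}')
    print("by SID:", count_by_sid(found))
    print("top sources:", top_sources(found))
```

Feed the script a real access log by replacing SAMPLE_LOG with the file's lines; the parser tolerates unparseable lines by skipping them rather than raising, which matters when a log mixes formats or contains truncated entries.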