Automated Attack Tools
5 automated security scanners
Low-Volume DDoS Fingerprinting
Purpose: The Low-Volume DDoS Fingerprinting Scanner detects malicious activity in network traffic by analyzing traffic patterns and correlating them with threat intelligence feeds. It identifies reconnaissance probing, service mapping, vulnerability testing, references to known exploited vulnerabilities, and sources with a malicious IP reputation.
What It Detects:
- Reconnaissance Probing: Identifies the use of tools such as `nmap`, `masscan`, and `nikto` for network reconnaissance.
- Service Mapping: Detects port scanning and service detection aimed at identifying open ports and services on a target system.
- Vulnerability Testing: Identifies attempts to scan for vulnerabilities in systems or applications, potentially indicative of penetration testing.
- Known Exploited Vulnerabilities (KEV): Detects references to specific CVEs listed in the CISA KEV catalog.
- Malicious IP Reputation: Identifies IPs associated with malware, ransomware, and trojan activities based on threat intelligence feeds.
Inputs Required:
- domain (string): The primary domain to analyze, e.g., acme.com.
- ip_range (string): The IP range to scan, e.g., 192.168.1.0/24.
Business Impact: This scanner is crucial for organizations aiming to maintain a secure network environment by identifying potential threats early on. It helps in understanding the level of exposure and vulnerability within the organization’s infrastructure, enabling proactive security measures to be taken.
Risk Levels:
- Critical: Conditions that directly lead to significant damage or compromise, such as widespread scanning across multiple systems using reconnaissance tools.
- High: Conditions involving specific tools or activities indicative of aggressive probing and testing, which could indicate an advanced threat actor.
- Medium: General network activity patterns that suggest routine but potentially suspicious behavior, requiring further investigation.
- Low: Minimal or infrequent use of known scanning tools, consistent with legitimate activity such as routine network maintenance.
- Info: Non-specific background noise indicative of benign traffic not directly linked to malicious activities.
Example Findings:
- A series of scans originating from multiple IPs using `nmap` against internal systems, indicating reconnaissance probing.
- An IP address associated with frequent scanning and vulnerability testing, which could indicate aggressive penetration testing activity.
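The detections and risk ladder above, worked through in code. This is an added example, not the scanner's own implementation: the tool signatures are the default User-Agent strings and probe paths that nikto, nmap's scripting engine and masscan send out of the box (operators can change them), the port-sweep threshold and the severity rules are assumptions that follow the Risk Levels list, and both log samples are constructed for the example.

```python
import re
from collections import defaultdict

# Default User-Agent strings and probe paths the tools emit out of the box.
# Operators can change them, so a match is a strong hint, not proof
# (assumed signature set for this example).
TOOL_SIGNATURES = {
    "nikto": re.compile(r"\(Nikto/[\d.]+\)"),
    "nmap": re.compile(r"Nmap Scripting Engine|/nmaplowercheck\d+", re.I),
    "masscan": re.compile(r"\bmasscan/", re.I),
}

# Combined-format access log: src ident user [time] "request" status size "referer" "ua"
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample access log (not real traffic).
ACCESS_LOG = "\n".join([
    '203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"',
    '203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"',
    '198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"',
    '198.51.100.9 - - [10/Mar/2024:10:00:04 +0000] "GET /nmaplowercheck1710064804 HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
])

def _conn(src, dst, ports):
    return [f"{src} {dst} {p}" for p in ports]

# Constructed firewall connection events "src dst dport" (not real traffic).
CONN_LOG = "\n".join(
    _conn("198.51.100.9", "10.0.0.5", range(20, 32))      # 12 ports on host A
    + _conn("198.51.100.9", "10.0.0.6", range(20, 32))    # the same 12 on host B
    + _conn("192.0.2.44", "10.0.0.5", range(1000, 1015))  # 15 ports, no tool fingerprint
    + _conn("198.51.100.7", "10.0.0.5", [443])            # ordinary client
)

def fingerprint_tools(access_log):
    """Map source IP -> set of recon tools fingerprinted from the UA or probe path."""
    tools = defaultdict(set)
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        haystack = f"{m['ua']} {m['path']}"
        for name, sig in TOOL_SIGNATURES.items():
            if sig.search(haystack):
                tools[m["src"]].add(name)
    return dict(tools)

def detect_port_sweeps(conn_log, min_ports=10):
    """Map source IP -> {target: distinct ports} for pairs that touched >= min_ports ports."""
    ports = defaultdict(set)
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        ports[(src, dst)].add(int(dport))
    sweeps = defaultdict(dict)
    for (src, dst), seen in ports.items():
        if len(seen) >= min_ports:
            sweeps[src][dst] = len(seen)
    return dict(sweeps)

def risk_level(tools, targets_swept):
    """Severity for one source, following the page's ladder (assumed thresholds)."""
    if tools and targets_swept >= 2:
        return "Critical"  # recon tool fingerprinted and sweeping several systems
    if tools and targets_swept == 1:
        return "High"      # aggressive probing of one system with a known tool
    if targets_swept >= 1:
        return "Medium"    # port sweep with no tool fingerprint: investigate
    if tools:
        return "Low"       # tool fingerprint but no sweep, e.g. a one-off check
    return "Info"

def assess(access_log, conn_log):
    """Join both detections per source IP and assign a risk level."""
    tools = fingerprint_tools(access_log)
    sweeps = detect_port_sweeps(conn_log)
    report = {}
    for src in set(tools) | set(sweeps):
        t, s = tools.get(src, set()), sweeps.get(src, {})
        report[src] = {"tools": sorted(t), "swept": s, "risk": risk_level(t, len(s))}
    return report

if __name__ == "__main__":
    for src, r in assess(ACCESS_LOG, CONN_LOG).items():
        print(src, r)
```

Here 198.51.100.9 is rated Critical (nmap fingerprint plus sweeps of two hosts), 192.0.2.44 Medium (a sweep with no fingerprint) and the nikto source Low; the Firefox client never appears. In production the fingerprint step should also consume TCP-level signals (SYN-only probes, masscan's fixed source port), since a renamed User-Agent defeats the string match.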
Botnet-aaS Usage
Purpose: The Botnet-as-a-Service (BotnetaaS) Usage Scanner assesses botnet activity associated with a domain and IP range. It identifies potential command-and-control (C2) servers, malware indicators, vulnerability exploitation patterns, dark web activity indicators, and exposed services or data breaches linked to botnet activity.
What It Detects:
- Command-and-Control (C2) Server Indicators: Matches terms such as “command and control” or “c2” and cross-references threat intelligence feeds for known C2 IP addresses and domains.
- Malware Indicators: Matches malware-related terms such as “malware,” “ransomware,” and “trojan” to surface potentially compromised systems or malicious activity.
- Vulnerability Exploitation Patterns: Extracts CVE identifiers and cross-references them with CISA KEV and NVD/CVE to flag vulnerabilities known to be exploited.
- Dark Web Activity Indicators: Looks for dark web references and indicators of compromised data, including phishing and credential-harvesting activity.
- Exposed Services and Data Breaches: Identifies exposed services via the Shodan API and detects data breaches, unauthorized access, and data dumps.
Inputs Required:
- domain (string): The primary domain to analyze, e.g., acme.com; used to find botnet activity related to this domain.
- ip_range (string): The IP range to scan, e.g., 192.168.1.0/24; used to find botnet activity, exposed services, and unauthorized access attempts.
Business Impact: This scanner is crucial for organizations aiming to maintain a secure network environment, as it helps in identifying potential threats posed by botnets, which can lead to data breaches, service disruptions, and financial losses. The accurate detection of C2 servers, malware indicators, and vulnerability exploitation patterns allows for proactive security measures to be taken before significant damage occurs.
Risk Levels:
- Critical: Conditions that directly affect critical infrastructure or result in immediate system compromise, including the presence of known C2 domains and IP addresses and detected vulnerabilities with no workaround available.
- High: Malware indicators, unauthorized access attempts, and exposed services that can lead to significant data loss or service interruption.
- Medium: Vulnerability exploitation patterns and some exposure indicators that require prompt attention to mitigate.
- Low: Findings that do not pose an immediate threat but should be monitored for trends or potential future risk.
- Info: Non-critical findings that provide general information about the domain’s network activity without significant security implications.
Example Findings:
- A critical finding could be “Threat Indicator Found: CVE-2021-44228,” meaning a vulnerability listed in the CISA KEV catalog is referenced in data associated with the target domain; confirm the affected asset and patch or mitigate immediately.
- A high-risk example is “Exposure Indicator Found: unauthorized access at IP 192.168.1.10,” which suggests a potential breach and requires investigation to secure the affected system.
Scanning Infrastructure Detection
Purpose: The Scanning Infrastructure Detection Scanner identifies and analyzes mass scanning tools, Shodan-driven targeting, and internet-wide probing by checking domain and IP range data against threat intelligence feeds. It surfaces potential threats to, and vulnerabilities in, the network infrastructure.
What It Detects:
- Mass Scanning Activity: Identifies repeated scans from multiple IP addresses, indicative of automated scanning tools, using Shodan API data.
- Shodan-Driven Targeting: Analyzes Shodan API results for unusual access attempts or known vulnerabilities associated with the target domain or IP range, looking for indicators such as CVE numbers and other vulnerability patterns.
- Internet-Wide Probing: Checks the VirusTotal API for domain and IP reputation and flags suspicious activity tied to known exploited vulnerabilities from sources such as CISA KEV.
- IP Reputation Analysis: Uses AbuseIPDB to assess the reputation of IPs in the specified range, flagging those with a high number of malicious reports or associations with known threats.
- Vulnerability Lookup: Queries databases such as NVD/CVE for vulnerability patterns and indicators, and detects exposure indicators such as exposed data or unauthorized access in the collected data.
Inputs Required:
- domain (string): The primary domain to analyze, e.g., acme.com.
- ip_range (string): The IP range to scan, e.g., 192.168.1.0/24.
Business Impact: This scanner is crucial for maintaining the security of network infrastructures by proactively detecting potential threats and vulnerabilities that could be exploited by malicious actors. It helps in identifying risks associated with mass scanning activities, Shodan-driven targeting, and internet-wide probing, which are indicative of significant cybersecurity concerns.
Risk Levels:
- Critical: Repeated scans from multiple IP addresses indicating automated scanning tools, or direct access attempts against known vulnerabilities.
- High: Shodan API results reveal unusual access attempts or known vulnerabilities in the target domain or IP range.
- Medium: Internet-wide probing activity tied to exploits reported in CISA KEV sources.
- Low: Exposure indicators such as leaked data or unauthorized access points that do not directly pose a high risk but may signal ongoing reconnaissance.
- Info: Vulnerability findings that do not immediately affect security but could be part of ongoing intelligence gathering.
Example Findings:
- A domain consistently shows repeated scans from different IP addresses, suggesting potential use of automated scanning tools for network discovery.
- An IP range reveals multiple entries with known vulnerabilities such as CVE-2023-1234 and ransomware indicators, indicating a high risk of exploitation by malicious actors.
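The two detections that are mechanical enough to show end to end, mass scanning (several distinct sources probing one host inside a time window, rated Critical above) and IP reputation within the supplied ip_range, as an added example that is not the scanner's code. The scan observations are constructed; the reputation records are shaped like the `data` object of AbuseIPDB's `/v2/check` response (`abuseConfidenceScore` and `totalReports` are the real field names) but the values are made up, and the window, source count and score thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 3, 10, 10, 0, tzinfo=timezone.utc)

# Constructed scan observations (source_ip, target_host, timestamp); not real data.
SCAN_EVENTS = [
    ("203.0.113.17", "acme.com", T0),
    ("203.0.113.40", "acme.com", T0 + timedelta(minutes=12)),
    ("198.51.100.7", "acme.com", T0 + timedelta(minutes=40)),
    ("203.0.113.200", "acme.com", T0 + timedelta(hours=5)),   # too late to join the burst
    ("203.0.113.17", "mail.acme.com", T0 + timedelta(minutes=3)),
    ("203.0.113.17", "other.example", T0 + timedelta(minutes=4)),  # not our domain
]

# Constructed records shaped like AbuseIPDB's /v2/check "data" object; the
# field names are real, the values are invented for this example.
REPUTATION = {
    "203.0.113.17": {"abuseConfidenceScore": 100, "totalReports": 412},
    "203.0.113.40": {"abuseConfidenceScore": 35, "totalReports": 9},
    "203.0.113.200": {"abuseConfidenceScore": 0, "totalReports": 0},
    "198.51.100.7": {"abuseConfidenceScore": 90, "totalReports": 120},  # outside ip_range
}

def in_range(ip, ip_range):
    """True when ip falls inside the CIDR given as the scanner's ip_range input."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(ip_range, strict=False)

def in_scope(host, domain):
    """True for the domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)

def mass_scan_findings(events, domain, min_sources=3, window=timedelta(hours=1)):
    """Flag hosts probed by >= min_sources distinct IPs inside one sliding window."""
    by_target = defaultdict(list)
    for src, host, ts in events:
        if in_scope(host, domain):
            by_target[host].append((ts, src))
    findings = []
    for host, hits in by_target.items():
        hits.sort()
        best = set()
        for i, (ts, _) in enumerate(hits):
            burst = {s for t, s in hits[i:] if t - ts <= window}
            if len(burst) > len(best):
                best = burst
        if len(best) >= min_sources:
            findings.append({"target": host, "sources": sorted(best), "risk": "Critical"})
    return findings

def reputation_findings(reputation, ip_range, min_score=75, min_reports=50):
    """Flag in-range IPs whose abuse score or report count crosses the threshold."""
    findings = []
    for ip, rec in reputation.items():
        if not in_range(ip, ip_range):
            continue
        score = rec.get("abuseConfidenceScore", 0)
        reports = rec.get("totalReports", 0)
        if score >= min_score or reports >= min_reports:
            findings.append({"ip": ip, "score": score, "reports": reports})
    return findings

def run_scanner(domain, ip_range, events, reputation):
    """Combine both detections and mark burst sources that also have a bad reputation."""
    mass = mass_scan_findings(events, domain)
    rep = reputation_findings(reputation, ip_range)
    flagged = {f["ip"] for f in rep}
    for f in mass:
        f["known_bad_sources"] = [s for s in f["sources"] if s in flagged]
    return {"mass_scanning": mass, "ip_reputation": rep}

if __name__ == "__main__":
    print(run_scanner("acme.com", "203.0.113.0/24", SCAN_EVENTS, REPUTATION))
```

Note that 198.51.100.7 takes part in the burst against acme.com but is skipped by the reputation check because it lies outside the 203.0.113.0/24 range; if the range input is meant to bound only your own address space, reputation lookups for burst sources should not be filtered by it.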
Credential Stuffing Automation
Purpose: The Credential Stuffing Automation Scanner detects automated credential stuffing attacks, multi-site automation, and proxy rotation techniques that attackers use to break into accounts. It correlates domain and IP range data with threat intelligence feeds to find suspicious activity.
What It Detects:
- Password Spraying Indicators: The scanner detects repeated login attempts with common passwords and identifies patterns indicative of password spraying attacks using specific regex patterns.
- Multi-Site Automation Patterns: It identifies simultaneous or sequential login attempts across multiple domains, indicating the use of automated scripts for multi-site attacks.
- Proxy Rotation Techniques: The scanner analyzes IP addresses to identify proxy rotation patterns and detects requests from a variety of IP ranges suggesting the use of proxies.
- Threat Intelligence Indicators: Utilizes Shodan, VirusTotal, CISA KEV, and AbuseIPDB to gather threat intelligence and identifies known exploited vulnerabilities using regex patterns.
- Anomalous Traffic Patterns: The scanner detects unusual traffic spikes or patterns that deviate from normal user behavior by analyzing network logs for signs of automated attacks.
Inputs Required:
- domain (string): Primary domain to analyze, e.g., acme.com. This sets the scope and context for potential breaches.
- ip_range (string): IP range to scan for suspicious activity, e.g., 192.168.1.0/24. This focuses the scan on the addresses most likely affected by automated attacks.
Business Impact: This scanner is critical for organizations looking to proactively safeguard their users’ credentials and prevent unauthorized access attempts that could lead to significant data breaches or financial losses. By identifying and mitigating these threats, the organization can enhance its security posture against increasingly sophisticated cyber-attacks.
Risk Levels:
- Critical: Repeated login attempts with common passwords from sources that also match malware, ransomware, trojan, command-and-control (C2), or similar indicators. Left undetected, this pattern frequently ends in a successful breach.
- High: Simultaneous or sequential login attempts across multiple domains that coincide with phishing, credential harvesting, or exposed/leaked/breached indicators; the potential for widespread account compromise makes these high risk.
- Medium: Proxy rotation techniques and anomalous traffic spikes that suggest an ongoing automated attack without significant impact yet, which still require attention to prevent escalation.
- Low: Unusual traffic patterns or minor deviations from normal behavior, unless accompanied by other indicators that suggest higher severity.
- Info: These include general threat intelligence analysis and vulnerability checks that provide informational insights into potential risks without immediate action but can be crucial for ongoing security monitoring.
Example Findings:
- A large number of login attempts using common passwords such as “123456” or “password” could indicate a password spraying attack; the scanner reports it together with any threat-intelligence matches on the regex pattern `malware|ransomware|trojan`.
- Multiple domains showing simultaneous login failures with no user activity in between might suggest multi-site automation, reported together with matches on the regex pattern `phishing|credential harvesting`.
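The three behavioural detections above (password spraying, multi-site automation, proxy rotation) over a constructed authentication log, with the severities the Risk Levels list assigns to each. This is an added example, not the scanner's code. It assumes the auth service records a `denylisted` flag when the submitted password was on a common-password deny-list (so the password itself is never logged), treats a /24 as the unit for "distinct network", and uses account counts, window lengths and network counts chosen for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)

def ev(minute, domain, src, user, ok, denylisted=False):
    return {"ts": T0 + timedelta(minutes=minute), "domain": domain,
            "src": src, "user": user, "ok": ok, "denylisted": denylisted}

# Constructed authentication events (not real logs). `denylisted` is an assumed
# flag set by the auth service when the password matched a common-password
# deny-list ("123456", "password", ...); the password itself is never logged.
AUTH_EVENTS = [
    # one source tries a common password once against each of 12 accounts
    *[ev(i, "acme.com", "203.0.113.9", f"user{i:02d}", False, True) for i in range(12)],
    # one source walks three sites within minutes
    ev(20, "acme.com", "198.51.100.5", "alice", False),
    ev(21, "shop.example", "198.51.100.5", "alice", False),
    ev(22, "portal.example", "198.51.100.5", "alice", False),
    # one account hit from four different /24s in five minutes
    ev(30, "acme.com", "192.0.2.10", "bob", False),
    ev(31, "acme.com", "192.0.2.200", "bob", False),   # same /24 as the line above
    ev(32, "acme.com", "198.51.100.77", "bob", False),
    ev(33, "acme.com", "203.0.113.150", "bob", False),
    ev(34, "acme.com", "100.64.3.4", "bob", False),
    # a real user mistypes once, then succeeds
    ev(40, "acme.com", "192.0.2.77", "carol", False),
    ev(41, "acme.com", "192.0.2.77", "carol", True),
]

def failures(events):
    return [e for e in events if not e["ok"]]

def password_spraying(events, min_accounts=10, max_per_account=2):
    """One source, many accounts, at most a couple of tries each (the inverse of brute force)."""
    per_src = defaultdict(lambda: defaultdict(int))
    denylisted = defaultdict(int)
    for e in failures(events):
        per_src[e["src"]][e["user"]] += 1
        denylisted[e["src"]] += int(e["denylisted"])
    return [{"type": "password_spraying", "src": src, "accounts": len(users),
             "denylisted_attempts": denylisted[src], "risk": "Critical"}
            for src, users in per_src.items()
            if len(users) >= min_accounts and max(users.values()) <= max_per_account]

def _burst(hits, window):
    """Largest set of distinct values seen inside one sliding window over (ts, value) hits."""
    hits = sorted(hits)
    best = set()
    for i, (ts, _) in enumerate(hits):
        vals = {v for t, v in hits[i:] if t - ts <= window}
        if len(vals) > len(best):
            best = vals
    return best

def multi_site_automation(events, min_domains=2, window=timedelta(minutes=10)):
    """Same source failing logins on several domains inside a short window."""
    per_src = defaultdict(list)
    for e in failures(events):
        per_src[e["src"]].append((e["ts"], e["domain"]))
    out = []
    for src, hits in per_src.items():
        domains = _burst(hits, window)
        if len(domains) >= min_domains:
            out.append({"type": "multi_site_automation", "src": src,
                        "domains": sorted(domains), "risk": "High"})
    return out

def proxy_rotation(events, min_networks=3, window=timedelta(minutes=15)):
    """Same account failing from several distinct /24 networks inside a short window."""
    per_user = defaultdict(list)
    for e in failures(events):
        net = str(ipaddress.ip_network(e["src"] + "/24", strict=False))
        per_user[e["user"]].append((e["ts"], net))
    out = []
    for user, hits in per_user.items():
        nets = _burst(hits, window)
        if len(nets) >= min_networks:
            out.append({"type": "proxy_rotation", "user": user,
                        "networks": len(nets), "risk": "Medium"})
    return out

def scan(events):
    return password_spraying(events) + multi_site_automation(events) + proxy_rotation(events)

if __name__ == "__main__":
    for finding in scan(AUTH_EVENTS):
        print(finding)
```

Carol's single typo produces nothing, which is the point of keying on account counts and network counts rather than raw failure counts. Keep the thresholds tunable: a large NAT or a mobile carrier can legitimately show a handful of /24s for one user within minutes, so the proxy-rotation rule should be tuned against your own baseline before it is allowed to lock accounts.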
Scalping Bot Fraud
Purpose: The Scalping Bot Fraud Scanner assesses scalping bot fraud activity by analyzing domain and IP range data against threat intelligence feeds. It identifies potential vulnerabilities, malicious activity, and known exploited vulnerabilities that scalping bots could leverage.
What It Detects:
- Known Exploited Vulnerabilities (KEV): Identifies CVEs listed in the CISA KEV catalog.
- Malware Indicators: Detects mentions of malware, ransomware, or trojans.
- Command and Control (C2) Activity: Identifies command and control server references.
- Phishing and Credential Harvesting: Detects indicators of phishing attempts or credential harvesting activities.
- Exposed Services and Vulnerabilities: Identifies exposed services and vulnerabilities using Shodan API data.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- ip_range (string): IP range to scan for vulnerabilities (e.g., 192.168.1.0/24)
Business Impact: This scanner is crucial for organizations operating in sectors susceptible to scalping bot fraud, as it helps identify potential threats that could lead to financial loss and damage the reputation of the organization. By detecting known exploited vulnerabilities, malware activities, and command and control server references, the scanner can help mitigate risks associated with scalping bots and protect critical assets.
Risk Levels:
- Critical: The scanner identifies CVEs listed in the CISA KEV catalog that are directly linked to malicious activity detected by VirusTotal.
- High: The presence of malware or ransomware indicators, as well as command and control server references, is identified.
- Medium: Exposure to unauthorized access or data dumps suggests potential vulnerabilities in network configurations.
- Low: Exposed services that indicate areas for improvement in security practices but pose no immediate threat.
- Info: General informational context about known exploited vulnerabilities and malware indicators.
Example Findings:
- “CVE-2021-1234 is known to be exploited, indicating a critical vulnerability that could be exploited by scalping bots.”
- “Malware activity detected on domain example.com suggests potential unauthorized access and data exfiltration attempts.”
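The Botnet-aaS Usage and Scalping Bot Fraud scanners share the same core: pull CVE identifiers out of collected text, cross-reference them with the CISA KEV catalog, and match the C2, malware, phishing and exposure terms. One added example serving both sections, not the scanners' own code: the KEV object below is a constructed subset in the shape of the real feed (a `vulnerabilities` array whose entries carry a `cveID`; CVE-2021-44228 is genuinely listed there), the feed text is constructed, and the severity assigned to each indicator class follows the Risk Levels lists above.

```python
import re

CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.I)

# Indicator term groups the scanners key on, each with its label and severity
# from the Risk Levels lists. Word boundaries matter: a bare "c2" pattern
# would otherwise fire on every "ec2" hostname.
INDICATOR_PATTERNS = {
    "c2": (re.compile(r"\b(?:command[ -]and[ -]control|c2)\b", re.I),
           "C2 Indicator Found", "Critical"),
    "malware": (re.compile(r"\b(?:malware|ransomware|trojan)\b", re.I),
                "Malware Indicator Found", "High"),
    "phishing": (re.compile(r"\b(?:phishing|credential harvesting)\b", re.I),
                 "Phishing Indicator Found", "High"),
    "exposure": (re.compile(r"\b(?:exposed|leaked|breached|unauthori[sz]ed access|data dump)\b", re.I),
                 "Exposure Indicator Found", "High"),
}

# Constructed subset of the CISA KEV feed (same shape as the real JSON; only
# the CVE-2021-44228 entry reflects the real catalog).
KEV_FEED = {"catalogVersion": "example", "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2"},
]}

# Constructed feed text keyed by source (not real VirusTotal, Shodan or paste data).
FEED_TEXT = {
    "vt:comment:acme.com": "Host drops a trojan; C2 beacon observed, cve-2021-44228 used for initial access.",
    "paste:abc": "acme.com creds - leaked 2,300 accounts via a credential harvesting kit, see CVE-2023-1234",
    "shodan:192.168.1.10": "SSH-2.0-OpenSSH_7.4 on an ec2 instance",
}

def load_kev_ids(feed):
    """Normalise the catalog to an upper-case set of CVE IDs for O(1) lookups."""
    return {v["cveID"].upper() for v in feed["vulnerabilities"]}

def extract_cves(text):
    """Return the distinct CVE IDs in text, normalised to upper case and sorted."""
    return sorted({f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text)})

def scan_text(source, text, kev_ids):
    findings = []
    for cve in extract_cves(text):
        if cve in kev_ids:  # known exploited: Critical per the Risk Levels list
            findings.append({"source": source, "type": "kev", "risk": "Critical",
                             "finding": f"Threat Indicator Found: {cve}"})
        else:               # referenced but not in KEV: an exploitation pattern, Medium
            findings.append({"source": source, "type": "cve", "risk": "Medium",
                             "finding": f"Vulnerability Reference Found: {cve}"})
    for kind, (pattern, label, risk) in INDICATOR_PATTERNS.items():
        terms = sorted({m.lower() for m in pattern.findall(text)})
        if terms:
            findings.append({"source": source, "type": kind, "risk": risk,
                             "finding": f"{label}: {', '.join(terms)} at {source}"})
    return findings

def scan_all(feed_text, kev_ids):
    return [f for source, text in feed_text.items() for f in scan_text(source, text, kev_ids)]

if __name__ == "__main__":
    for finding in scan_all(FEED_TEXT, load_kev_ids(KEV_FEED)):
        print(finding["risk"], finding["finding"])
```

The Shodan banner mentioning "ec2" produces nothing, and the lower-case `cve-2021-44228` in the comment still resolves to the catalog entry. A KEV hit in third-party text proves only that the CVE was mentioned in connection with the domain, not that the asset is vulnerable, so the Critical finding should trigger verification against the affected host rather than an automatic incident.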