The GreyNoise Grimoire

What is a “grimoire”? A “grimoire” is a collection of spells, incantations, and magical formulae that can be used to achieve supernatural feats. In the context of cybersecurity, a grimoire is a compilation of exploits, scripts, and hacks that can be used to perform unauthorized actions, such as stealing data or compromising systems. Similarly, in data science and AI, a grimoire refers to a collection of algorithms, tools, and techniques that can be used to manipulate, analyze, and model large datasets. This may include methods for cleaning and preprocessing data, performing statistical analysis, or training machine learning models. However, just like in cybersecurity, a grimoire in data science and AI can be misused for unethical or malicious purposes, such as developing biased models or manipulating data to achieve desired outcomes. Therefore, while a grimoire can be a valuable resource for advancing knowledge and achieving breakthroughs, it also requires ethical considerations and responsibility in its usage.

Vive La Vulnérabilité: French Kubernetes Cluster Hunts Your Webhook Endpoints
5 min

Analysis of a sophisticated Kubernetes-based webhook scanning campaign targeting n8n CVE-2026-21858. 33K requests from French infrastructure, specialized tooling, and IOCs.

Feb 3, 2026

Dual-Mode Citrix Gateway Reconnaissance: When Residential Proxies Meet Version Hunting
4 min

Analysis of a coordinated Citrix Gateway reconnaissance campaign using 63,000+ residential proxies and AWS infrastructure to map login panels and enumerate versions across…

Feb 2, 2026

GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-01-31
7 min

Between January 24-31, 2026, the GreyNoise Global Observation Grid recorded 6,752 sessions from 58 IPs containing 5,531 unique OAST callback domains across 48 campaigns.…

Jan 31, 2026

Inside the Infrastructure: Who’s Scanning for Ivanti Connect Secure?
3 min

GreyNoise detected a 100x surge in Ivanti Connect Secure reconnaissance targeting CVE-2025-0282 (EPSS 93%). Analysis reveals two distinct campaigns: an aggressive…

Jan 29, 2026

GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-01-24
10 min

GreyNoise observed 9,004 honeypot sessions from 313 unique IP addresses conducting coordinated vulnerability scanning with OAST callback infrastructure between January…

Jan 24, 2026

-f Around and Find Out: 18 Hours of Unsolicited Telnet Houseguests
10 min

Detailed analysis of the Inetutils Telnetd ‘-f’ authentication bypass, covering 18 exploit attempts, attacker tactics, and detection insights.

Jan 22, 2026

Creepy Crawlers: Hunting Those Who Hunt For WordPress Plugins
8 min

The ‘Web Crawler’ tag was hiding something interesting: thousands of targeted WordPress plugin probes. We dug in and found coordinated campaigns, email infrastructure…

Jan 19, 2026

GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-01-17
10 min

GreyNoise observed 8,126 sessions containing Interactsh OAST domains between January 10-17, 2026. Analysis identified a primary campaign originating from M247 Europe SRL…

Jan 18, 2026

SmarterMail Version Enumeration: Threat Actors Building Target Lists Post-CVE-2025-52691
4 min

GreyNoise Labs human-in-the-loop AI-driven emergent threat detection has identified coordinated reconnaissance activity targeting SmarterMail instances following the…

Jan 13, 2026

GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-01-09
6 min

GreyNoise detected 30,165 sessions from 64 unique IPs that queried well‑known out‑of‑band interaction (OAST) domains during Jan 3‑9 2026. Three distinct campaigns emerged: a…

Jan 10, 2026

ColdFusion++ Christmas Campaign: Catching a Coordinated Callback Calamity
9 min

This report analyzes a focused holiday exploitation campaign where a single Japan attributed network-based actor leveraged 10+ CVEs and OAST callbacks to target Adobe…

Dec 26, 2025

React2Shell Side Quest: Tracking Down Malicious MeshCentral Nodes
22 min

While spelunking through React2Shell initial access payloads, MeshCentral entered the building, so we decided to see just how Mesh-y GreyNoise Data Is

Dec 9, 2025

The PoC Pollution Problem: How AI-Generated Exploits Are Poisoning Detection Engineering
11 min

AI-generated PoCs are flooding security repositories with broken exploits that waste detection engineers’ time and create dangerous blind spots. Learn to identify fake…

Jul 30, 2025

Checking the Scope of CVE-2025-48927
3 min

CVE-2025-48927 found in TeleMessage TM SGNL in May, and reported by KEV in July, allows attackers to trivially extract sensitive credentials via an unauthenticated, exposed…

Jul 16, 2025

Exploiting Erlang OTP with Zip files: CVE-2025-4748
3 min

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation

Jun 17, 2025

Suricata evasion, starring URL decoding
12 min

How does Suricata’s URL decoding work? It’s more complex than you think!

Jun 5, 2025

AyySSHush: Tradecraft of an emergent ASUS botnet
21 min

Using an AI powered network traffic analysis tool we built called SIFT, GreyNoise has caught multiple anomalous network payloads with zero-effort that are attempting to…

May 28, 2025

CVE-2025-32433 - State Machine Err-ly RCE in Erlang/OTP SSH Server
9 min

Analysis and AI-free™ PoC.

Apr 22, 2025

How-To: Linux Process Injection
29 min

Ever wondered how to inject code into a process on Linux?

Jan 28, 2025

Yer a Wizard! Tagging Hard-coded Credentials Can Lead to Finding Magic (Numbers)
6 min

As GreyNoise researcher, you always have things to write detection rules for. Some of them aren’t always exciting, but they become more interesting as you dive deeper.

Dec 3, 2024

Null problem! Or: the dangers of an invisible byte
5 min

A quick and silly post about a weird exploit situation

Nov 20, 2024

CVE-2024-8956, CVE-2024-8957: How to Steal a 0-Day RCE (With a Little Help from an LLM)
7 min

Wow. Nice weapon! Can I hold it? I promise not to break anything. Honest!

Oct 31, 2024

Whatchu looking for (starring SolarWinds Serv-U - CVE-2024-28995)
15 min

SolarWinds Serv-U has given us a really good dataset for which files attackers are searching for - let’s see what we can learn!

Sep 30, 2024

BLUUID: Firewallas, Diabetics, And… Bluetooth
19 min

Where I introduce the subject of remotely identifying bluetooth devices, propose that healthcare device oversight is lacking, and exploit a firewall for no reason other than…

Aug 20, 2024

Command and Control (C2) Servers 101
7 min

The purpose of this article is simple: to make it slightly easier for the complete beginners to pivot around the topic.

Jul 18, 2024

Perma-Vuln: D-Link DIR-859, CVE-2024-0769
8 min

CVE-2024-0769 affects D-Link DIR-859 WiFi routers. All revisions, all firmware, and the product is End-of-Life (EOL) meaning it will never recieve a patch.

Jun 25, 2024

SolarWinds Serv-U (CVE-2024-28995) exploitation: We see you!
10 min

Where we track a SolarWinds Serv-U vulnerability with a new honeypot, including tricking a human attacker into making mistakes

Jun 18, 2024

What’s Going on With CVE-2024-4577 (Critical RCE in PHP)?
6 min

CVE-2024-4577 is a critical argument-injection vulnerability in PHP that affects Windows deployments and leads to a remote code execution.

Jun 13, 2024

Decrypting FortiOS 7.0.x
5 min

This article steps through decrypting FortiGate FortiOS 7.0.x firmware.

Apr 23, 2024

Panning For Gold: Sifting Through Network Logs to Write a New Tag
4 min

How do we find vulnerabilities that aren’t making the news right now? By Sifting through the sensor logs!

Mar 28, 2024

Where are they now? Starring: Confluence CVE-2023-22527
16 min

Let’s look at current exploitation of CVE-2023-22527 - a Confluence template-injection vulnerability

Mar 13, 2024

Hunting for Fortinet CVE-2024-21762: Vulnerability Research for Detection Engineering
6 min

This article steps through the process of discovering CVE-2024-21762, a non-disclosed out-of-bounds write vulnerability in Fortinet FortiOS and FortiProxy.

Mar 8, 2024

RattaGATTa: Scalable Bluetooth Low-Energy Survey
19 min

Phase 1: Using a pool of collectors to scan and connect to BTLE devices, shedding light on the intricacies of hardware, radio frequency challenges, and the importance of…

Mar 1, 2024

Code injection or backdoor: A new look at Ivanti’s CVE-2021-44529
5 min

In 2021, Ivanti patched a vulnerability that they called “code injection”. Rumors say it was a backdoor in an open source project. Let’s find out what actually happened!

Feb 16, 2024

The Confusing History of F5 BIG-IP RCE Vulnerabilities
11 min

Since 2020, a bunch of different vulnerabilities have come out in F5 BIG-IP - let’s create a clean record of which one’s which, and what they mean when you see them in logs!

Jan 19, 2024

Panic!! At the YAML
15 min

An overview of SnakeYAML deserialization vulnerabilities (CVE-2022-1471) - how it works, why it works, and what it affects

Jan 3, 2024

If You’re Going to Spray My Exploit… (CVE-2022-41800)
8 min

A look at who’s trying to exploit CVE-2022-41800 in the wild - and how!

Dec 13, 2023

Talk-A-Blog: Apache Struts2 CVE-2023-50164, File Upload Vulnerability Analysis
14 min

A new vulnerability in Apache Struts has emerged! Follow us as we take a new twist on reviewing a vulnerability writeup.

Dec 12, 2023

Don’t Leave Me on Read: The Efficacy of Dynamic Honeypots for Novel Exploitation Discovery
4 min

This article recounts GreyNoise’s usage of dynamic and responsive honeypot personas to catch recently developed exploits.

Dec 5, 2023

The Forgotten ownCloud vulnerability (CVE-2023-49105)
5 min

Another deep-dive - this time, we’ll look at CVE-2023-49105, a critical vulnerability in ownCloud’s signature-validation code permits an attacker to impersonate any user.

Dec 5, 2023

Details and Caveats for ownCloud information disclosure (CVE-2023-49103)
11 min

Explore our deep-dive into CVE-2023-49103, a critical vulnerability in ownCloud’s Graph API. We discuss the exploit, its impact on Docker installations, and our…

Nov 29, 2023

Quickly Triaging HTTP Traffic From GreyNoise’s New Hosted Sensors
7 min

Using R and Python to build a custom HTTP triage workflow for PCAPs generateed by GreyNoise’s new hosted sensor fleet.

Oct 28, 2023

Uncovering regionally targeted ICS/SCADA scanning and enumeration
12 min

Analyzing ICS/SCADA packets specifically targeting GreyNoise sensors in Israel.

Oct 11, 2023

Honeypot Location Diversity and Data Quality
5 min

GreyNoise shows how they go about provisioning honeypot sensors to achieve a view of global internet traffic.

Oct 6, 2023

⭕ Emulating and Exploiting Oracle WebLogic Server for PCap Analysis (CVE-2023-21839)
6 min

The purpose of this is not to explain how CVE-2023-21839 works, but rather how to identify it via web packet. This was a case where I, personally, found testing the PoC…

Apr 21, 2023

EdgeLord: Schrödinger’s 0-Day
22 min

At GreyNoise we work with network protocols. When a new vulnerability is published we are quick to jump into investigation mode and gather any and all resources we can find…

Mar 23, 2023

So Many Tags! So MANY Weaknesses!
1 min

You’d think being ‘limited’ to internet-exploitable vulnerabilities would reduce the set of weaknesses attackers take adavantage. And, you’d be wrong.

Mar 23, 2023
No matching items