Renseignement sur les menaces

États-Unis

13.217.95.0

FAI Amazon.com, Inc. Première vue 15/06/2026 19:24 UTC Dernière vue 15/06/2026 19:25 UTC Risque Élevé

Période analysée : 2026-05-16 → 2026-06-15

Activité suspecte — risque 62/100 (Moyen) — MITRE TA0001 — confiance 59 % — via HTTP

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 68/100 Élevé

Première observation 15/06/2026 19:24 UTC

Dernière observation 15/06/2026 19:25 UTC

Événements (période) 69

MITRE ATT&CK principal T1083 36 occurrences

Activité suspecte — risque 62/100 (Moyen) — MITRE TA0001 — confiance 59 % — via HTTP

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%

Confiance 59 % — Score WAF 100 · 4 tag(s) WAF

Comparaison ASN / FAI

ASN 14618 · 13.216.0.0/13 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 69 événements sur la période pour cette IP.

44.220.188.101 Sonde TLS 15/06/2026 21:04 UTC
3.84.171.111 Sonde PostgreSQL 15/06/2026 21:03 UTC
18.220.92.255 Sonde PostgreSQL 15/06/2026 20:27 UTC
18.116.242.148 Sonde SIP/VoIP 15/06/2026 20:21 UTC
3.19.255.73 Tentative d'exploit 15/06/2026 19:48 UTC
35.95.58.130 Tentative d'exploit 15/06/2026 19:40 UTC
52.14.24.45 Sonde PostgreSQL 15/06/2026 19:33 UTC
3.137.139.70 Sonde PostgreSQL 15/06/2026 19:25 UTC

Événements (filtres)

Première observation

15/06/2026 19:24 UTC

Dernière observation

15/06/2026 19:25 UTC

Dernière activité (filtres)

15/06/2026 19:25 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Amazon.com, Inc. 0 Port 5000 exploit_attempt

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

lfi path traversal · via HTTP:5000 · (tentative d'exploit) · → /build/static/js/main.js

Détails protocole

Méthode: GET
Chemin: /build/static/js/main.js
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 S…

Aperçu payload

GET /build/static/js/main.js HTTP/1.1 connection: close accept: */* user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) App

Port / service

5000 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 59 % — 4 tag(s) WAF

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

CRS-930100-sub

Confiance

59%

Famille de menace

path_traversal

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

69 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

69 événement(s) — page 1/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 19:25:08 UTC	TCP	5000 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:5000 · (tentative d'exploit) · → /build/static/js/main.js	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /build/static/js/main.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /build/static/js/main.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /build/static/js/main.js Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 62 Confiance : Confiance 59 % — 4 tag(s) WAF Protocole émulé 1 Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /build/static/js/main.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /build/static/js/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) App Requête brute (extrait) GET /build/static/js/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "2fea438411350aaa22eca6b878fcf14f334121cf", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 221, "payload_entropy": 5.322863426701253, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "fa2cc0c4c4a90109ea9fb4fe9044781e9ac1ae31", "event_fingerprint": "a6ecb495c515722e3589673d69ed3c8623f0d184", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 62 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "b58493133a561f3a5d2fb39431f2bb55", "path_pattern_hash": "a790de344aaa577134cce822349757aa" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "method": "GET", "path": "\/build\/static\/js\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/build\/static\/js\/main.js HTTP\/1.1", "request_sample": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "evidence": { "method": "GET", "path": "\/build\/static\/js\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/build\/static\/js\/main.js HTTP\/1.1", "request_sample": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7311c2165171ee00cef417172680c5d04a76d1e7", "protocol_details": { "http_method": "GET", "http_path": "\/build\/static\/js\/main.js", "request_line": "GET \/build\/static\/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "attack_vector": "lfi path traversal \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/build\/static\/js\/main.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 62 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/build\/static\/js\/main.js", "request_line": "GET \/build\/static\/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/build\/static\/js\/main.js", "evidence_snippet": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:07 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /dist/app.js	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /dist/app.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /dist/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /dist/app.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 55 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /dist/app.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /dist/app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /dist/app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "80c1b326643ad4cf914c23b0daaa56b99c67d699", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.31223397601015, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "952dfcff660907559e64bf9bfb1532155ffc2707", "event_fingerprint": "e95f4e2cab2aa13754647a763e841a23fea06618", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "1706b1a7784390ddf9cefad2a25bb995", "path_pattern_hash": "e3f6cb527411defb60f79b43484777b4" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/dist\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/app.js HTTP\/1.1", "request_sample": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/dist\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/app.js HTTP\/1.1", "request_sample": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "11e925ceacd0bdaf0d3a0d228afcb06d585a2ec2", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/app.js", "request_line": "GET \/dist\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/app.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/dist\/app.js", "request_line": "GET \/dist\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/app.js", "evidence_snippet": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:07 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /dist/bundle.js	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /dist/bundle.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /dist/bundle.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /dist/bundle.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 55 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /dist/bundle.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /dist/bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/ Requête brute (extrait) GET /dist/bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "3d397e6fbe672925768a4cfd837b08ea7ca46b1d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.324819188266564, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "952dfcff660907559e64bf9bfb1532155ffc2707", "event_fingerprint": "12b5efaa7e795d68cb278eeb79b3140cd97c75df", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "64b692192e6439ae9c9b38dd37494b7d", "path_pattern_hash": "332be6dcf184549b4552979b3430af1c" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "method": "GET", "path": "\/dist\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/bundle.js HTTP\/1.1", "request_sample": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/dist\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/bundle.js HTTP\/1.1", "request_sample": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "281eb105765050b78145c2ef91b9ac6f515a3b66", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/bundle.js", "request_line": "GET \/dist\/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/bundle.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/dist\/bundle.js", "request_line": "GET \/dist\/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/bundle.js", "evidence_snippet": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:06 UTC	TCP	5000 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:5000 · (tentative d'exploit) · → /static/js/bundle.js	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /static/js/bundle.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /static/js/bundle.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /static/js/bundle.js Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 63 Confiance : Confiance 59 % — 4 tag(s) WAF Protocole émulé 1 Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /static/js/bundle.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /static/js/bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWe Requête brute (extrait) GET /static/js/bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "7329621044caa2d842a67aad97d334b615e98fcf", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 217, "payload_entropy": 5.321195615643454, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 6, "anomaly_count": 0, "campaign_key": "6f6e09edb80c4db1b5bb7418d4c0cfe904822bf2", "event_fingerprint": "8e9495cbc008f5d34a8074044c766ff8aa6c133a", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "5c589ba26cf8d0fbb45c5116001d2231", "path_pattern_hash": "37a8a2a265c348a8f41010337fca565b" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "method": "GET", "path": "\/static\/js\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/bundle.js HTTP\/1.1", "request_sample": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "evidence": { "method": "GET", "path": "\/static\/js\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/bundle.js HTTP\/1.1", "request_sample": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6cb2686a1aee4e83a694a6a11f725e042d9d8859", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/bundle.js", "request_line": "GET \/static\/js\/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "attack_vector": "lfi path traversal \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/bundle.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/bundle.js", "request_line": "GET \/static\/js\/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/bundle.js", "evidence_snippet": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:06 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /dist/main.js	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /dist/main.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /dist/main.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /dist/main.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 55 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /dist/main.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /dist/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/53 Requête brute (extrait) GET /dist/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "a207d7eb5fb0981149fd0c78299aa17c839e981c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.312352950477704, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "952dfcff660907559e64bf9bfb1532155ffc2707", "event_fingerprint": "7ac4f270f2e4de4c72679aabc285565bf66a05d4", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "d3af71013f2a0d0033b907a2e7d6da35", "path_pattern_hash": "ed890272e7383054c69c77a023519696" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "method": "GET", "path": "\/dist\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/main.js HTTP\/1.1", "request_sample": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/dist\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/main.js HTTP\/1.1", "request_sample": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c1facb8a7fafa629823bddfa4ec90a8ddadc18d2", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/main.js", "request_line": "GET \/dist\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/main.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/dist\/main.js", "request_line": "GET \/dist\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/main.js", "evidence_snippet": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:05 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /chunk.js	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /chunk.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /chunk.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /chunk.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /chunk.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /chunk.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /chunk.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "8b5f91c8c78dc829917a893f6740765aaa522059", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.321829828784551, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "e5502a3ce7fa446932293bd1efc9f45b7143ad9f", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "ac6279f94351868969a4c730eeacc041", "path_pattern_hash": "c042b14a5bc38b8396557d7753d97abe" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/chunk.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/chunk.js HTTP\/1.1", "request_sample": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/chunk.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/chunk.js HTTP\/1.1", "request_sample": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b9b120f2cfa573e5f328e68d7e9c016b00691599", "protocol_details": { "http_method": "GET", "http_path": "\/chunk.js", "request_line": "GET \/chunk.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/chunk.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/chunk.js", "request_line": "GET \/chunk.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/chunk.js", "evidence_snippet": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:05 UTC	TCP	5000 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:5000 · (tentative d'exploit) · → /static/js/main.js	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /static/js/main.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /static/js/main.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /static/js/main.js Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 63 Confiance : Confiance 59 % — 4 tag(s) WAF Protocole émulé 1 Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /static/js/main.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /static/js/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebK Requête brute (extrait) GET /static/js/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "fc1209930d53479f9de40769306d0e03c0e12113", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.304036561576188, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 6, "anomaly_count": 0, "campaign_key": "6f6e09edb80c4db1b5bb7418d4c0cfe904822bf2", "event_fingerprint": "4bbe494e7832030bab7cda24f6cd963f9ec15585", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "b1269cdf8873488eb413c1205c1e4ac8", "path_pattern_hash": "d7eccad93f9f7ba9883784f3d98302b8" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "method": "GET", "path": "\/static\/js\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "request_sample": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "evidence": { "method": "GET", "path": "\/static\/js\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "request_sample": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "48a1365619e0be34b4252e492fde32034cbc0859", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/main.js", "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "attack_vector": "lfi path traversal \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/main.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/main.js", "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/main.js", "evidence_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:05 UTC	TCP	5000 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:5000 · (tentative d'exploit) · → /static/js/app.js	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /static/js/app.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /static/js/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /static/js/app.js Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 63 Confiance : Confiance 59 % — 4 tag(s) WAF Protocole émulé 1 Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /static/js/app.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /static/js/app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi Requête brute (extrait) GET /static/js/app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "2e8487d6ca226d333a0e0e427de3a57a117c9672", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.303722498400817, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 6, "anomaly_count": 0, "campaign_key": "6f6e09edb80c4db1b5bb7418d4c0cfe904822bf2", "event_fingerprint": "d1afae3660b4b9078dff45998029f799aee0154f", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "3e74954456300e838c9567369f1104c6", "path_pattern_hash": "02ccc7d3f44ece92b2d30ec0bac374d7" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "method": "GET", "path": "\/static\/js\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "request_sample": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "evidence": { "method": "GET", "path": "\/static\/js\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "request_sample": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2e0f0f8c5c173bd9dd9b46458a6198c38d117f42", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/app.js", "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "attack_vector": "lfi path traversal \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/app.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/app.js", "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/app.js", "evidence_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:04 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /main.bundle.js	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /main.bundle.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /main.bundle.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /main.bundle.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /main.bundle.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /main.bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/ Requête brute (extrait) GET /main.bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "62b8af91235b91d92c321592c9d4f9b0f26f8be3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.322785488761249, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "6d3070ef31b0249512464c9207764bede563e6d9", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "c58c48345e09bd89df2bbea6d8fcf8f9", "path_pattern_hash": "656f2faabb66b2f56a51454a38dd35c2" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "method": "GET", "path": "\/main.bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/main.bundle.js HTTP\/1.1", "request_sample": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/main.bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/main.bundle.js HTTP\/1.1", "request_sample": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eb32d2632194ff53295988cea38bcea82785aaec", "protocol_details": { "http_method": "GET", "http_path": "\/main.bundle.js", "request_line": "GET \/main.bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/main.bundle.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/main.bundle.js", "request_line": "GET \/main.bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/main.bundle.js", "evidence_snippet": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 19:25:04 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /vendor.js	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /vendor.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /vendor.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /vendor.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /vendor.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /vendor.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /vendor.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "316afc872612db004e32c0c28eb31fa0ffa9d99f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.325952736326974, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "7250ee5daf5617deaed6a1951caee651f7b40714", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "6521b9ee555519f87342e76d5debdbfc", "path_pattern_hash": "f35dd6fdee49d3b9a2bf908182db17ec" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/vendor.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/vendor.js HTTP\/1.1", "request_sample": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/vendor.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/vendor.js HTTP\/1.1", "request_sample": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c3301e5c7a68434281f5b0ee3cc655fa93b93a5f", "protocol_details": { "http_method": "GET", "http_path": "\/vendor.js", "request_line": "GET \/vendor.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/vendor.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/vendor.js", "request_line": "GET \/vendor.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/vendor.js", "evidence_snippet": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:03 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /server.js	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /server.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /server.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /server.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /server.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "9d9a790905bbaa9bf7477bf649ea86123ade8583", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.317235138525459, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "50ecc60a758e2604eaec0ccbc1c2f65acc7606e9", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "b767caa68b93b2aecf2fa734f5d1b179", "path_pattern_hash": "10460208544c084cff624f51fd25d0f9" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/server.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.js HTTP\/1.1", "request_sample": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/server.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.js HTTP\/1.1", "request_sample": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8d8e5b85effb7b2b793f74487b5b69b5c25e27e0", "protocol_details": { "http_method": "GET", "http_path": "\/server.js", "request_line": "GET \/server.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/server.js", "request_line": "GET \/server.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.js", "evidence_snippet": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:03 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /bundle.js	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /bundle.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /bundle.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /bundle.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /bundle.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "5c28bc6707fadbc1c6dacdabca89ac4afb276d6a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.325345504350776, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "0f3e1c43a2e8d3eabb90f84f038750af17e81c74", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "e34f8a785b07f56cabbcc194d8741794", "path_pattern_hash": "59bff92e27ba3df61892a035edfe8dbf" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bundle.js HTTP\/1.1", "request_sample": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bundle.js HTTP\/1.1", "request_sample": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d6f60a3335fd255c9d732111f8092b82fe8ebdfc", "protocol_details": { "http_method": "GET", "http_path": "\/bundle.js", "request_line": "GET \/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bundle.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/bundle.js", "request_line": "GET \/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bundle.js", "evidence_snippet": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:03 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /app.bundle.js	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /app.bundle.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /app.bundle.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /app.bundle.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.bundle.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/5 Requête brute (extrait) GET /app.bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "0af46f5a2803132335577023b795bcd61e1c7dba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.322775327896321, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "044eb21bcece7eacd5fbd79011999a94d6a93442", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "76616ca09b56fbba455ecbe2f69e53eb", "path_pattern_hash": "dbac0f56de5385be27bb738f2b1ee1a3" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "method": "GET", "path": "\/app.bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.bundle.js HTTP\/1.1", "request_sample": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/app.bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.bundle.js HTTP\/1.1", "request_sample": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b77f7a9de79a1b7c7657f531862caec1a0c2bd33", "protocol_details": { "http_method": "GET", "http_path": "\/app.bundle.js", "request_line": "GET \/app.bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.bundle.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/app.bundle.js", "request_line": "GET \/app.bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.bundle.js", "evidence_snippet": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:02 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /main.js	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /main.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /main.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /main.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /main.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "e46ea72cce1cadb614d3abac8b75f00e6bad53c9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 205, "payload_entropy": 5.310117516621496, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "e0fd1d81799f501a7d1cc4ad6a8cafb880e172c6", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "11951b7de6360400b13e7d175599b95e", "path_pattern_hash": "6767bab1fbcedbc82a67330f1c9f7602" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 ", "method": "GET", "path": "\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/main.js HTTP\/1.1", "request_sample": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/main.js HTTP\/1.1", "request_sample": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6f6e45f4acbeebad67725bf7837cda3f3027d243", "protocol_details": { "http_method": "GET", "http_path": "\/main.js", "request_line": "GET \/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/main.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/main.js", "request_line": "GET \/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/main.js", "evidence_snippet": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:02 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /index.js	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /index.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /index.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /index.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /index.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /index.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /index.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "17559a94c8a0e630445c46daa059df42bac48bfa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.314395372729551, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "53cc9515577439ec6e6985c3692e9f47f762f1a0", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "9d74d142b6c68570b11bd81ec586c0cb", "path_pattern_hash": "c7d8398ecd93ef4ea30979fd952c357c" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/index.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/index.js HTTP\/1.1", "request_sample": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/index.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/index.js HTTP\/1.1", "request_sample": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "07e4a148b65180d6d8c6db5011edfa59d208f4e4", "protocol_details": { "http_method": "GET", "http_path": "\/index.js", "request_line": "GET \/index.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/index.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/index.js", "request_line": "GET \/index.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/index.js", "evidence_snippet": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:01 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /cdp_api_key.json	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /cdp_api_key.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /cdp_api_key.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /cdp_api_key.json Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /cdp_api_key.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /cdp_api_key.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi Requête brute (extrait) GET /cdp_api_key.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "89445e7a630dbf79c7d860741e6b00d79601f5e5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.3543900177803945, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "c6215e551d7aa30558a825f33f99fd49373b51af", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "fffb4c18aa4549515632534c4bea0bae", "path_pattern_hash": "d5e29afe6c443319602b7904511fc8de" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "method": "GET", "path": "\/cdp_api_key.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/cdp_api_key.json HTTP\/1.1", "request_sample": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "evidence": { "method": "GET", "path": "\/cdp_api_key.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/cdp_api_key.json HTTP\/1.1", "request_sample": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d17e5d09209bdf4d5a4f756b443a94ea21179f02", "protocol_details": { "http_method": "GET", "http_path": "\/cdp_api_key.json", "request_line": "GET \/cdp_api_key.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cdp_api_key.json", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/cdp_api_key.json", "request_line": "GET \/cdp_api_key.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cdp_api_key.json", "evidence_snippet": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:01 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /app.js	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /app.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /app.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ( Requête brute (extrait) GET /app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "3c179370f0c2d0a7e227f65dd60b7b4aa8a5177f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 204, "payload_entropy": 5.309269177913606, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "b58ce801611308747f65f60b8a5f2dd74afbda16", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "82cd540c47cf450689c2de3f95b6bbf4", "path_pattern_hash": "d5e8a067e9f2ac7b37dd1c869137e3f0" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "method": "GET", "path": "\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.js HTTP\/1.1", "request_sample": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.js HTTP\/1.1", "request_sample": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "adb496a5f32717dc5f846ff4a33afceb7767a18c", "protocol_details": { "http_method": "GET", "http_path": "\/app.js", "request_line": "GET \/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/app.js", "request_line": "GET \/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.js", "evidence_snippet": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:00 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /settings.json	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /settings.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /settings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /settings.json Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /settings.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/5 Requête brute (extrait) GET /settings.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "bf7030628c229b3e041c7e1c251921a9918e64a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.296382646830572, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9a0e9dcf4a5ed1ef66ecccbad9d74e5098affd9a", "event_fingerprint": "edd1d7439ae6d79d4bca8b9fd0ed5ff556850722", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "1042dbd58928a84f2062ae98426df127", "path_pattern_hash": "77c44ac5d0e9de12fccd3bb6237f7ba5" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "method": "GET", "path": "\/settings.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.json HTTP\/1.1", "request_sample": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/settings.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.json HTTP\/1.1", "request_sample": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "df04a630028a3045afd8c3056f5689b6d6f16713", "protocol_details": { "http_method": "GET", "http_path": "\/settings.json", "request_line": "GET \/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.json", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/settings.json", "request_line": "GET \/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.json", "evidence_snippet": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 2, "behavior_priority": 72 }
15/06/2026 19:25:00 UTC	TCP	5000 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:5000 · (tentative d'exploit) · → /secrets.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /secrets.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_k8s_probe net_web_probe Cible HTTP GET /secrets.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /secrets.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux pat-0496 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Secrets JSON file Ligne de requête `GET /secrets.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /secrets.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/53 Requête brute (extrait) GET /secrets.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "9906f032745691753325e07cb911e68c17846b5d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.289821356017296, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "71de05a2fac4ff197e2afc5d96a93e2d452a8ca1", "event_fingerprint": "cad491fd7c1e78dcf80260f23dab51bbc2c7c3b9", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0496" ], "matched_pattern_names": [ "Cred Secrets JSON file" ], "pattern_ids": [ "pat-0496" ], "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "222adf71fb866bbb5796e837cb7d4e99", "path_pattern_hash": "1abd330c58113f23df400bb25a78bd81" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "method": "GET", "path": "\/secrets.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.json HTTP\/1.1", "request_sample": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/secrets.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.json HTTP\/1.1", "request_sample": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "70119e4e2e7db19c63b3ab35fc60a022d40ae2c5", "protocol_details": { "http_method": "GET", "http_path": "\/secrets.json", "request_line": "GET \/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "attack_vector": "credential file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/secrets.json", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0496", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/secrets.json", "request_line": "GET \/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/secrets.json", "evidence_snippet": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_k8s_probe", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:25:00 UTC	TCP	5000 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:5000 · (tentative d'exploit) · → /credentials.json	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /credentials.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /credentials.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /credentials.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Risque capteur Moyen · 54 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux pat-0472 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Credentials JSON Ligne de requête `GET /credentials.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /credentials.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi Requête brute (extrait) GET /credentials.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "52ce12cd9608e2aaf265869963eb9ccc97689fda", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.295276964685486, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "b863f51baf1919c4fc983e5f24f02849755fd8a6", "event_fingerprint": "5ad8f07f7eb51e92caa530894470f5eea9e3db04", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0472" ], "matched_pattern_names": [ "Cred Credentials JSON" ], "pattern_ids": [ "pat-0472" ], "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "ec54a6c176284855a04a0f3429196f31", "path_pattern_hash": "2c897236c88b33a0e02927235471c8c3" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "method": "GET", "path": "\/credentials.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/credentials.json HTTP\/1.1", "request_sample": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "evidence": { "method": "GET", "path": "\/credentials.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/credentials.json HTTP\/1.1", "request_sample": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fc190c39a0f3eae5a133457d735e822014afae6d", "protocol_details": { "http_method": "GET", "http_path": "\/credentials.json", "request_line": "GET \/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "attack_vector": "credential file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/credentials.json", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0472", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/credentials.json", "request_line": "GET \/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/credentials.json", "evidence_snippet": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:59 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /config.json	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /config.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_web_probe Cible HTTP GET /config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 53 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive pat-0247 Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /config.json Ligne de requête `GET /config.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /config.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "110dc2bb220538a9df6ea13fd8474a5056c773dc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.307700276071955, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "59c05bbade422e223f1ccd5cbd81d744c525e44c", "event_fingerprint": "b729c78b547c31c88e24241400b988a09b8396bc", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 182, "precision_signals": [ "INT-http_sensitive", "pat-0247", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "pat-0247", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0247" ], "matched_pattern_names": [ "Probe \/config.json" ], "pattern_ids": [ "pat-0247" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "7e690d286efcb40b745527e17ba1b44c", "path_pattern_hash": "b2ebf86a95e6e198c8d34ea73388c4ce" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/config.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.json HTTP\/1.1", "request_sample": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/config.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.json HTTP\/1.1", "request_sample": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dc3df3cf573b78f0119cd755f650ccd66018e311", "protocol_details": { "http_method": "GET", "http_path": "\/config.json", "request_line": "GET \/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.json", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "pat-0247", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "pat-0247", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config.json", "request_line": "GET \/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.json", "evidence_snippet": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 19:24:59 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /settings.js	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /settings.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /settings.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /settings.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /settings.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /settings.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "600a07472be074279f73e485903b746a3072d617", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.301917267117301, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "d3ea8d24d54353198376f2c0fe5e98cb20d5d1c5", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "aee9d5812f187c47c2486fe24d9d4a94", "path_pattern_hash": "1bfd7de8f2b794aaf55add02ed38d00c" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/settings.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.js HTTP\/1.1", "request_sample": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/settings.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.js HTTP\/1.1", "request_sample": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8fc5aeac005cae3842251d17e96473562f41e9bd", "protocol_details": { "http_method": "GET", "http_path": "\/settings.js", "request_line": "GET \/settings.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/settings.js", "request_line": "GET \/settings.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.js", "evidence_snippet": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:58 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /docker-compose.dev.yml	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /docker-compose.dev.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /docker-compose.dev.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /docker-compose.dev.yml Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /docker-compose.dev.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /docker-compose.dev.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Appl Requête brute (extrait) GET /docker-compose.dev.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "7ee3e2436a44816af2348c3ec543a3fd946c2f9e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 220, "payload_entropy": 5.33362986574046, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "9ffd02df1087ad86a37e2e81ea84ff45ea1d869f", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "f00f21ae6c8cc9d45ff368267f548d0a", "path_pattern_hash": "44551548ed702b85048d052da6b4f350" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "method": "GET", "path": "\/docker-compose.dev.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.dev.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "evidence": { "method": "GET", "path": "\/docker-compose.dev.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.dev.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d2bea06ce18d7864becc85065cc1d4dba1884fc4", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.dev.yml", "request_line": "GET \/docker-compose.dev.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.dev.yml", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.dev.yml", "request_line": "GET \/docker-compose.dev.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.dev.yml", "evidence_snippet": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:58 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /docker-compose.prod.yml	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /docker-compose.prod.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /docker-compose.prod.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /docker-compose.prod.yml Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /docker-compose.prod.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /docker-compose.prod.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) App Requête brute (extrait) GET /docker-compose.prod.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "e0f4d8c475ba7860adfbc6fce1ef729836b642b1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 221, "payload_entropy": 5.319126616686176, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "d410645b952869ad8e5e114e91f3e77145d97d91", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "2509f697332bb35e4ea7f74962acf92f", "path_pattern_hash": "34e7c48d3a24d0769f43576d3e67ea74" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "method": "GET", "path": "\/docker-compose.prod.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.prod.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "evidence": { "method": "GET", "path": "\/docker-compose.prod.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.prod.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4a2114b3a5ea6c64757253ba2371545c555d448f", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.prod.yml", "request_line": "GET \/docker-compose.prod.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.prod.yml", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.prod.yml", "request_line": "GET \/docker-compose.prod.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.prod.yml", "evidence_snippet": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:58 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /config.js	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /config.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /config.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /config.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /config.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "67b3179b286c960b4be84ff433764afe1a997eeb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.31430710520765, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "c36fa9951560c0e7d6d0b6af42b52f3afedc70e4", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "41ed3808d92e733db8edbe162253a740", "path_pattern_hash": "0ad09149f0572f6cdaf5a224970ea0d2" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/config.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.js HTTP\/1.1", "request_sample": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/config.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.js HTTP\/1.1", "request_sample": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "df43317d2083a1f08d3641cd99877b8ba1c35bfb", "protocol_details": { "http_method": "GET", "http_path": "\/config.js", "request_line": "GET \/config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config.js", "request_line": "GET \/config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.js", "evidence_snippet": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:57 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /docker-compose.yaml	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /docker-compose.yaml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /docker-compose.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /docker-compose.yaml Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /docker-compose.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /docker-compose.yaml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWe Requête brute (extrait) GET /docker-compose.yaml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "3bbb8fd589a1c6561445293d25ec31c27a2956aa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 217, "payload_entropy": 5.321581274444987, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "da463818c974d24c8f73b4042403fabaee0efcec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "d9b6c6e7f04340b52c1742b86251a4a8", "path_pattern_hash": "d91024f4d52a5546d3cddb98775be9d6" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "method": "GET", "path": "\/docker-compose.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.yaml HTTP\/1.1", "request_sample": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "evidence": { "method": "GET", "path": "\/docker-compose.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.yaml HTTP\/1.1", "request_sample": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "da1ff584183b1683cb403e44d08a6658080f8438", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.yaml", "request_line": "GET \/docker-compose.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.yaml", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.yaml", "request_line": "GET \/docker-compose.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.yaml", "evidence_snippet": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:57 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /docker-compose.override.yml	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /docker-compose.override.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /docker-compose.override.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /docker-compose.override.yml Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /docker-compose.override.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /docker-compose.override.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Requête brute (extrait) GET /docker-compose.override.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "d8b1323b6ef8c906588c7bebedb55eb8820ae5d1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 225, "payload_entropy": 5.32257269415453, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "02bc2e8e97418d3b3d56cc31462d7ea85b2d6779", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "c9f7ce1ca89a4cfda622a3433681e149", "path_pattern_hash": "eaee3b34be9f0e8721a1e0c8de81e82c" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "method": "GET", "path": "\/docker-compose.override.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.override.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "evidence": { "method": "GET", "path": "\/docker-compose.override.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.override.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44f534d8779877e07e7598b671dadaf9619ee661", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.override.yml", "request_line": "GET \/docker-compose.override.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.override.yml", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.override.yml", "request_line": "GET \/docker-compose.override.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.override.yml", "evidence_snippet": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:56 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /var/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /var/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /var/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /var/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /var/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /var/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /var/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "7f1fb2a1c5b72e520b988cd8c8a970a6662732b5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.3069409719854255, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "8d36a3619af291e4c61d081c90948c162a790d3f", "event_fingerprint": "0cbdcc7c0d3dead2a9a4311fd2cf04f83cff4146", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "68316abea5f2b8e990c1fede564da04b", "path_pattern_hash": "0d0f9087dce4407a1a8d5052b0a9d1bf" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/var\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/var\/.env HTTP\/1.1", "request_sample": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/var\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/var\/.env HTTP\/1.1", "request_sample": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ca2b78a48051ec53173c6ede747365d9b4b8521d", "protocol_details": { "http_method": "GET", "http_path": "\/var\/.env", "request_line": "GET \/var\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/var\/.env", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/var\/.env", "request_line": "GET \/var\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/var\/.env", "evidence_snippet": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:56 UTC	TCP	5000 · HTTP	http	Scan vulnérabilités scanner vuln · via HTTP:5000 · (sonde / probe) · → /docker-compose.yml	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /docker-compose.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /docker-compose.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /docker-compose.yml Service HTTP Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 46% Confiance classification 46% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 46 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux pat-0251 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Probe /docker-compose.yml Ligne de requête `GET /docker-compose.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /docker-compose.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWeb Requête brute (extrait) GET /docker-compose.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "284ed5c0f139fefe102f54c41fbd64a2a9a5ffd9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 216, "payload_entropy": 5.321677565330133, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 52, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "7c0843704b36630537a0c9fbb566bca26008c241", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "confidence": 0.46, "classification_confidence": 0.46, "precision_score": 55, "precision_signals": [ "pat-0251" ], "kb_rule_ids": [ "pat-0251" ], "matched_patterns": [ "pat-0251" ], "matched_pattern_names": [ "Probe \/docker-compose.yml" ], "pattern_ids": [ "pat-0251" ], "confidence_breakdown": { "waf": 60, "classification": 52, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "http", "risk_confidence_factor": 46, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "461ca08733cb8e3ae9c51a2d097974e5", "path_pattern_hash": "96d32e90d2f8019607590c30e27c0bff" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "method": "GET", "path": "\/docker-compose.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "evidence": { "method": "GET", "path": "\/docker-compose.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "24c3397d759e691e73d2be87003788802d9f2987", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.yml", "request_line": "GET \/docker-compose.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "attack_vector": "scanner vuln \u00b7 via HTTP:5000 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/docker-compose.yml", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 46 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 46, "confidence_breakdown": { "waf": 60, "classification": 52, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "pat-0251" ], "tags_summary_labels_fr": [ "pat-0251" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.yml", "request_line": "GET \/docker-compose.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "scanner vuln \u00b7 via HTTP:5000 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/docker-compose.yml", "evidence_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 46 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 46 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:55 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /web/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /web/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /web/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /web/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /web/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /web/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /web/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "47bcdedb3b954688023f733564a003e944c34a32", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.30781206336447, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "8d36a3619af291e4c61d081c90948c162a790d3f", "event_fingerprint": "f25cf21e5e74211a75f1ca5a0f77827e885f7902", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "6cc79f3e3b51161adb13aae15b216bff", "path_pattern_hash": "d80a28198e7c3b2ce080248f274b9024" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/web\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/web\/.env HTTP\/1.1", "request_sample": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/web\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/web\/.env HTTP\/1.1", "request_sample": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "31be027bd76b054605172242bdd4b6e7b6bb527a", "protocol_details": { "http_method": "GET", "http_path": "\/web\/.env", "request_line": "GET \/web\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.env", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/web\/.env", "request_line": "GET \/web\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.env", "evidence_snippet": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:55 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /public/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /public/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /public/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /public/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /public/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /public/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /public/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "bc9ca66c038b10c68f8dffc886361c52fc1ac680", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.311763470040603, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "8d36a3619af291e4c61d081c90948c162a790d3f", "event_fingerprint": "e1673a77a616ec2ba73154ca38a9d4b40c550b73", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "526fd492ae4fd7ede85f430d1bd5c2da", "path_pattern_hash": "6cf746da949d58c839550a31197db646" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/public\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/public\/.env HTTP\/1.1", "request_sample": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/public\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/public\/.env HTTP\/1.1", "request_sample": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "51f913dd8297d714e6a7a32374c69cf320d7a5ff", "protocol_details": { "http_method": "GET", "http_path": "\/public\/.env", "request_line": "GET \/public\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/.env", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/public\/.env", "request_line": "GET \/public\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/.env", "evidence_snippet": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:55 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /private/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /private/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /private/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /private/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /private/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/53 Requête brute (extrait) GET /private/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "42ecb4d5f4be7b556e157ee15a288da92dfb0e45", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.301632026486534, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 8, "anomaly_count": 0, "campaign_key": "29a96213f0a39708c6e6c9812ff40cf112d963d8", "event_fingerprint": "9662c6d2338d85c0e20dc6e0906ec10230ab7c54", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "aeca4de265cb46f98772949141d8bc2f", "path_pattern_hash": "467844c5e65593cac952660a5e740364" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/private\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "method": "GET", "path": "\/private\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/private\/.env HTTP\/1.1", "request_sample": "GET \/private\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/private\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/private\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/private\/.env HTTP\/1.1", "request_sample": "GET \/private\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/private\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e9bc154032e9f9f30f795fb62ade2afcc759cb5", "protocol_details": { "http_method": "GET", "http_path": "\/private\/.env", "request_line": "GET \/private\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/.env", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/private\/.env", "request_line": "GET \/private\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/.env", "evidence_snippet": "GET \/private\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_private", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:54 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /server/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /server/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /server/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /server/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /server/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /server/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "394e130162f84b369da768999af4d972a2c7e141", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.297979307580629, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "8d36a3619af291e4c61d081c90948c162a790d3f", "event_fingerprint": "a62b7a0196617ecce73ad7049d89a41d9c24eaea", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "41f036db90f1b628922ad48b7ed61494", "path_pattern_hash": "54554b038eab677020ee0c0c2a53bac1" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/server\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/server\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/server\/.env HTTP\/1.1", "request_sample": "GET \/server\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/server\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/server\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/server\/.env HTTP\/1.1", "request_sample": "GET \/server\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/server\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5de4b5ba1fe155b960921f06559c892c695bb62a", "protocol_details": { "http_method": "GET", "http_path": "\/server\/.env", "request_line": "GET \/server\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/.env", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/server\/.env", "request_line": "GET \/server\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/.env", "evidence_snippet": "GET \/server\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:54 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /client/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /client/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /client/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /client/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /client/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /client/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /client/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "aa094ac9b0963fceefe47f51ee0dc734bd299416", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.283202035680344, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "8d36a3619af291e4c61d081c90948c162a790d3f", "event_fingerprint": "9e154c05dfcd70653a0e5da4cfceb8a1b7b7b6c7", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "e8cbe7c0f211ad6e3ca722ca1af34156", "path_pattern_hash": "e9186ae330a383b32843f25c5a42904b" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/client\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/client\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/client\/.env HTTP\/1.1", "request_sample": "GET \/client\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/client\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/client\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/client\/.env HTTP\/1.1", "request_sample": "GET \/client\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/client\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c048c5a060b4b5e44fd8fe0c1915c44067dea971", "protocol_details": { "http_method": "GET", "http_path": "\/client\/.env", "request_line": "GET \/client\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/client\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/client\/.env", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/client\/.env", "request_line": "GET \/client\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/client\/.env", "evidence_snippet": "GET \/client\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:53 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /backend/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /backend/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/53 Requête brute (extrait) GET /backend/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "43427b722c17a9a0bc6fc425a8ca9501d2c985f0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.308745181597599, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "8d36a3619af291e4c61d081c90948c162a790d3f", "event_fingerprint": "a8fac9c4144bd6c22f84b4a7c8878783988156e7", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "159deef35f596bea238f1c899cf4664c", "path_pattern_hash": "1ffd9afa4ff51d558fbb13c458726c9c" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/backend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "method": "GET", "path": "\/backend\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env HTTP\/1.1", "request_sample": "GET \/backend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/backend\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env HTTP\/1.1", "request_sample": "GET \/backend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ca64f73bd111354749dcbfef08a87395fe1a008a", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env", "request_line": "GET \/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env", "request_line": "GET \/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env", "evidence_snippet": "GET \/backend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:53 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /frontend/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /frontend/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /frontend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /frontend/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /frontend/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /frontend/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/5 Requête brute (extrait) GET /frontend/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "77987435bb3ae079ceddf1be0ca83f10bd79e60f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.301372951048668, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "8d36a3619af291e4c61d081c90948c162a790d3f", "event_fingerprint": "7ae75540bab610171004a2e3a6158b650ca0c28d", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "c61dbe8ef57a29ffe47eb14c48b9d01a", "path_pattern_hash": "2eb92b74c9200f7bfafce81d1b6d362c" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/frontend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "method": "GET", "path": "\/frontend\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env HTTP\/1.1", "request_sample": "GET \/frontend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/frontend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/frontend\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env HTTP\/1.1", "request_sample": "GET \/frontend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/frontend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2b5de66baa03d3ebc017a32a09e7b0f3bbfef901", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env", "request_line": "GET \/frontend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/frontend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env", "request_line": "GET \/frontend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env", "evidence_snippet": "GET \/frontend\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:53 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /api/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /api/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /api/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /api/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "f5b7d21cf92d5caca6cd906725e72730e31bc18c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.29554041108447, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 9, "anomaly_count": 0, "campaign_key": "952dd82dd258f78dcc790968b559aad5eca1982d", "event_fingerprint": "f71ea8bada5abcfbb8c7694768d132b1f0a89b0d", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "13278252735c768a472a43246dd55d89", "path_pattern_hash": "3c658e3b68f996f41891a76e1d05a9a5" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/api\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/api\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env HTTP\/1.1", "request_sample": "GET \/api\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/api\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/api\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env HTTP\/1.1", "request_sample": "GET \/api\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/api\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d0d3cd62cfac6835c45706c56f7d6e13dc76cab2", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env", "request_line": "GET \/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env", "request_line": "GET \/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env", "evidence_snippet": "GET \/api\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:52 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /src/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /src/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /src/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /src/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /src/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /src/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /src/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "0c533120cce5f9ceabf0223e76a6dc86fc19a74f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.297954489487256, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "8d36a3619af291e4c61d081c90948c162a790d3f", "event_fingerprint": "efef7217fd61b39f77f79feebaf5475834148a78", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "c98c2f58a28df72a45f5e24cb6d608b5", "path_pattern_hash": "1be4509071ea53617b7e83d68c291bb4" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/src\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/src\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/src\/.env HTTP\/1.1", "request_sample": "GET \/src\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/src\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/src\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/src\/.env HTTP\/1.1", "request_sample": "GET \/src\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/src\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7b13c8f11e4090cae35c17cd9729a83364f24d94", "protocol_details": { "http_method": "GET", "http_path": "\/src\/.env", "request_line": "GET \/src\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/src\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.env", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/src\/.env", "request_line": "GET \/src\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.env", "evidence_snippet": "GET \/src\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:52 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /config/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /config/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /config/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /config/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /config/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /config/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "867074af7203ec5cf6b039823237b28edf1066aa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.303473548840358, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 8, "anomaly_count": 0, "campaign_key": "9a13b49e54bb0b7c18ebb1e54a7aaf39ee196f95", "event_fingerprint": "8d12d4dec650ae798be0504cf066ace9e7ef79a2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "c5c701653c0a2b542498d4095fbaa252", "path_pattern_hash": "2aaa158af561315bc9004215c1f06852" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/config\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/config\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/config\/.env HTTP\/1.1", "request_sample": "GET \/config\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/config\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/config\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/config\/.env HTTP\/1.1", "request_sample": "GET \/config\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/config\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e0587404fbae0e14a512c6059b7e3a1e8805a2a7", "protocol_details": { "http_method": "GET", "http_path": "\/config\/.env", "request_line": "GET \/config\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/.env", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config\/.env", "request_line": "GET \/config\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/.env", "evidence_snippet": "GET \/config\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_config", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:51 UTC	TCP	5000 · HTTP	http	Scan vulnérabilités scanner vuln · via HTTP:5000 · (sonde / probe) · → /env.js	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /env.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /env.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /env.js Service HTTP Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 46% Confiance classification 46% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 46 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux pat-0254 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Probe /env.js Ligne de requête `GET /env.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /env.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ( Requête brute (extrait) GET /env.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "fd6ac8a28596d70c381f3264e18c90d328ca820b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 204, "payload_entropy": 5.317988350442775, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 52, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "44cc9ee82393b7baaa05c5d6f4c28fb55830a03f", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "confidence": 0.46, "classification_confidence": 0.46, "precision_score": 55, "precision_signals": [ "pat-0254" ], "kb_rule_ids": [ "pat-0254" ], "matched_patterns": [ "pat-0254" ], "matched_pattern_names": [ "Probe \/env.js" ], "pattern_ids": [ "pat-0254" ], "confidence_breakdown": { "waf": 60, "classification": 52, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "http", "risk_confidence_factor": 46, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "82cf84baf1d6b49f99d042fd3da81b74", "path_pattern_hash": "e31c80b0fb8251ad89f61b405be7ec35" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/env.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "method": "GET", "path": "\/env.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env.js HTTP\/1.1", "request_sample": "GET \/env.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/env.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/env.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env.js HTTP\/1.1", "request_sample": "GET \/env.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/env.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "01c022dcdce61f7a0e5ffb1f73c04bd43f9651c9", "protocol_details": { "http_method": "GET", "http_path": "\/env.js", "request_line": "GET \/env.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/env.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "attack_vector": "scanner vuln \u00b7 via HTTP:5000 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/env.js", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 46 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 46, "confidence_breakdown": { "waf": 60, "classification": 52, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "pat-0254" ], "tags_summary_labels_fr": [ "pat-0254" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/env.js", "request_line": "GET \/env.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "scanner vuln \u00b7 via HTTP:5000 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/env.js", "evidence_snippet": "GET \/env.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 46 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 46 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:51 UTC	TCP	5000 · HTTP	http	Scan vulnérabilités scanner vuln · via HTTP:5000 · (sonde / probe) · → /env.json	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /env.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /env.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /env.json Service HTTP Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 46% Confiance classification 46% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 46 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux pat-0254 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Probe /env.js Ligne de requête `GET /env.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /env.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /env.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "2f4402571337da5058699f0cd54fddbd3fc59e3a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.311825833831586, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 52, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "a95a52fb8b523072fa63a93a61a20e41477c0f26", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "confidence": 0.46, "classification_confidence": 0.46, "precision_score": 55, "precision_signals": [ "pat-0254" ], "kb_rule_ids": [ "pat-0254" ], "matched_patterns": [ "pat-0254" ], "matched_pattern_names": [ "Probe \/env.js" ], "pattern_ids": [ "pat-0254" ], "confidence_breakdown": { "waf": 60, "classification": 52, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "http", "risk_confidence_factor": 46, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "d7e29fef3786a523aed3c2ef35453efc", "path_pattern_hash": "7501c09095d2ee8d9c0f3775ef7c93ef" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/env.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/env.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env.json HTTP\/1.1", "request_sample": "GET \/env.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/env.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/env.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env.json HTTP\/1.1", "request_sample": "GET \/env.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/env.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b157232867558f291dfbcfeda3c25499235db2c2", "protocol_details": { "http_method": "GET", "http_path": "\/env.json", "request_line": "GET \/env.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/env.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "scanner vuln \u00b7 via HTTP:5000 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/env.json", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 46 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 46, "confidence_breakdown": { "waf": 60, "classification": 52, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "pat-0254" ], "tags_summary_labels_fr": [ "pat-0254" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/env.json", "request_line": "GET \/env.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "scanner vuln \u00b7 via HTTP:5000 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/env.json", "evidence_snippet": "GET \/env.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 46 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 46 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:51 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /app/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /app/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /app/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /app/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "628b9cb47d9f8d6e8fddc1b7d3cebf1133d17f4f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.299127183274567, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "8d36a3619af291e4c61d081c90948c162a790d3f", "event_fingerprint": "bb56b3140b81d51a49f937206b3bbb3efb1fbebc", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "054df181a3fc000d3bfa7da87d300398", "path_pattern_hash": "6215588c522bb159cbcefac1cb9fb1de" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/app\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/app\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env HTTP\/1.1", "request_sample": "GET \/app\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/app\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/app\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env HTTP\/1.1", "request_sample": "GET \/app\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/app\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cd22b44851b38ecdd51a3922a96589a0c7bc27bb", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env", "request_line": "GET \/app\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env", "request_line": "GET \/app\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env", "evidence_snippet": "GET \/app\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:50 UTC	TCP	5000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5000 · (tentative d'exploit) · → /.flaskenv	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /.flaskenv UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /.flaskenv TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /.flaskenv Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.flaskenv HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.flaskenv HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /.flaskenv HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "flaskenv", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "fee720c7b20ac5bd390dda3bdf53d5a723c8b2c1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.312519310959212, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "e5c0044772a7a5788a407e13575b84ae71399757", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "b9ae751b1d8d881f4706e0d27f11130b", "path_pattern_hash": "8a1bc965b661f35ab8ff32c14829976d" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/.flaskenv HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/.flaskenv", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.flaskenv HTTP\/1.1", "request_sample": "GET \/.flaskenv HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.flaskenv HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/.flaskenv", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.flaskenv HTTP\/1.1", "request_sample": "GET \/.flaskenv HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.flaskenv HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "37bc6c4b96cd8311045a90e76f37322e8e1315a5", "protocol_details": { "http_method": "GET", "http_path": "\/.flaskenv", "request_line": "GET \/.flaskenv HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.flaskenv HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.flaskenv", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.flaskenv", "request_line": "GET \/.flaskenv HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.flaskenv", "evidence_snippet": "GET \/.flaskenv HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 96 }
15/06/2026 19:24:50 UTC	TCP	5000 · HTTP	http	probe env probe env · via HTTP:5000 · (sonde / probe) · → /env	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 http_probe_env net_web_probe Cible HTTP GET /env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /env Service HTTP Pourquoi cette classification : Type « probe_env » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — 2 tag(s) WAF Protocole émulé 1 Signaux Upstream Waf Score Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "ebac263a482818b6e7a922df98cc560bbc808a0a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 201, "payload_entropy": 5.304137742951178, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 50, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "7709a3600aabfa2390c7ca04bf59375b8796ff41", "event_fingerprint": "2d600b175d37fb837e98ca69f2f259c6714c8872", "classification_reason": "Type \u00ab probe_env \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 55, "precision_signals": [ "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 50, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "bf7e8392d82a4a94496140a8978c5225", "path_pattern_hash": "1a3ee8c5f071bd935c8a12206727587a" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env HTTP\/1.1", "request_sample": "GET \/env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env HTTP\/1.1", "request_sample": "GET \/env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "classification_reason": "Type \u00ab probe_env \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "370e61b41cb4cd90da0196baa603a97e8e05529b", "protocol_details": { "http_method": "GET", "http_path": "\/env", "request_line": "GET \/env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "attack_vector": "probe env \u00b7 via HTTP:5000 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/env", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab probe_env \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab probe_env \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 60, "classification": 50, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Upstream", "Waf Score" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/env", "request_line": "GET \/env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "probe env \u00b7 via HTTP:5000 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/env", "evidence_snippet": "GET \/env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_probe_env", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:49 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /.env.development.local	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /.env.development.local UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.development.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /.env.development.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.development.local HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.development.local HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Appl Requête brute (extrait) GET /.env.development.local HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "44b27fcf42134edd5dc872c2c6f931dc026ceb76", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 220, "payload_entropy": 5.284207927937852, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "8f72cab2f471c1c3759498248c1ba7ba0d7b2337", "event_fingerprint": "c8aca40dfee2aa48cb7f9c0149142befe3004022", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "3ee33fd92f10fddeb04eef814fb44346", "path_pattern_hash": "66b5346fea2c0f881a6004f5150ea85e" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.development.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "method": "GET", "path": "\/.env.development.local", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.development.local HTTP\/1.1", "request_sample": "GET \/.env.development.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.env.development.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "evidence": { "method": "GET", "path": "\/.env.development.local", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.development.local HTTP\/1.1", "request_sample": "GET \/.env.development.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.env.development.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "116f66dee0204a1bc2f3aa32bee9981b7472aaac", "protocol_details": { "http_method": "GET", "http_path": "\/.env.development.local", "request_line": "GET \/.env.development.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.development.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.development.local", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.env.development.local", "request_line": "GET \/.env.development.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.development.local", "evidence_snippet": "GET \/.env.development.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:49 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /.env.test.local	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /.env.test.local UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.test.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /.env.test.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.test.local HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.test.local HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit Requête brute (extrait) GET /.env.test.local HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "7037545cd402c24a5b36416f2296a29dfb758ccf", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 213, "payload_entropy": 5.27363344966934, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "8f72cab2f471c1c3759498248c1ba7ba0d7b2337", "event_fingerprint": "d936bd06630ae5e65963a2cbf1f7e3fd77416006", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "eca7651fc1dc0f188b28666e6fc0fd6f", "path_pattern_hash": "dcacd6523bc1054dd8758815dd403309" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.test.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "method": "GET", "path": "\/.env.test.local", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.test.local HTTP\/1.1", "request_sample": "GET \/.env.test.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.env.test.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "evidence": { "method": "GET", "path": "\/.env.test.local", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.test.local HTTP\/1.1", "request_sample": "GET \/.env.test.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.env.test.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9cf51b516e8f64960887c722e0c67b49c430d71b", "protocol_details": { "http_method": "GET", "http_path": "\/.env.test.local", "request_line": "GET \/.env.test.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.test.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.test.local", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.env.test.local", "request_line": "GET \/.env.test.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.test.local", "evidence_snippet": "GET \/.env.test.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:49 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /.envrc	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /.envrc UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /.envrc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /.envrc Service HTTP Pourquoi cette classification : Type « config_file_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 52 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak pat-0191 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.envrc HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.envrc HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ( Requête brute (extrait) GET /.envrc HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "envrc", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "498486b1d706a2a0fe94008215d5c4adec1c4f26", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 204, "payload_entropy": 5.29947275498456, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1e51b1a6ebaa068d5d6711d2d4024983fa0fa384", "event_fingerprint": "30358c30230dbdbcdebc22d49807a5e02ac4c929", "classification_reason": "Type \u00ab config_file_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 143, "precision_signals": [ "SIGMA-web-config-leak", "pat-0191" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "pat-0191" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "dee2f1681daea9537db395b338459e2d", "path_pattern_hash": "7cfe7b2fa6a544f498fff231b84de82d" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/.envrc HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "method": "GET", "path": "\/.envrc", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.envrc HTTP\/1.1", "request_sample": "GET \/.envrc HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.envrc HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/.envrc", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.envrc HTTP\/1.1", "request_sample": "GET \/.envrc HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.envrc HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab config_file_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d23015c1e35205fd5fe08ba8f2ae9e4ecf9e3eec", "protocol_details": { "http_method": "GET", "http_path": "\/.envrc", "request_line": "GET \/.envrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.envrc HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.envrc", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab config_file_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab config_file_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "pat-0191" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "pat-0191" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.envrc", "request_line": "GET \/.envrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.envrc", "evidence_snippet": "GET \/.envrc HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:48 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /.env.template	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /.env.template UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.template TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /.env.template Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.template HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.template HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/5 Requête brute (extrait) GET /.env.template HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "template", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "edccaea3bbb1eaacbff6973ad5f703ae60c1ddc1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.2901946095933985, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "8f72cab2f471c1c3759498248c1ba7ba0d7b2337", "event_fingerprint": "054d87ec2a00fea3bfdf162c5b778cb535d6c631", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "41044ac6368247f0fed2a24350598a7d", "path_pattern_hash": "6f72c17e203141284a34bb73c6ef5765" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.template HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "method": "GET", "path": "\/.env.template", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.template HTTP\/1.1", "request_sample": "GET \/.env.template HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.env.template HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/.env.template", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.template HTTP\/1.1", "request_sample": "GET \/.env.template HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.env.template HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "af0b5be2aed565610afd10e3a79fe2dedf0dd9d1", "protocol_details": { "http_method": "GET", "http_path": "\/.env.template", "request_line": "GET \/.env.template HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.template HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.template", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.env.template", "request_line": "GET \/.env.template HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.template", "evidence_snippet": "GET \/.env.template HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:48 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /.env.production.local	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /.env.production.local UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.production.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /.env.production.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive pat-0191 pat-0194 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.production Ligne de requête `GET /.env.production.local HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.production.local HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Apple Requête brute (extrait) GET /.env.production.local HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "d3f1365c6401e671ba4f40a870e3ce46645aab05", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.288247029350616, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "8f72cab2f471c1c3759498248c1ba7ba0d7b2337", "event_fingerprint": "598e6cabee4564ab6fe7f7e74765ae5b2c62beb8", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0194" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.production" ], "pattern_ids": [ "pat-0191", "pat-0194" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "ddcf6fb1bf8511223d3b4e25918ce0dd", "path_pattern_hash": "a0a342b9319fca95b9114c90facec319" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.production.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "method": "GET", "path": "\/.env.production.local", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production.local HTTP\/1.1", "request_sample": "GET \/.env.production.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.env.production.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "evidence": { "method": "GET", "path": "\/.env.production.local", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production.local HTTP\/1.1", "request_sample": "GET \/.env.production.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.env.production.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "85816a93fe47932ff44e89f4b974f58b1a73397f", "protocol_details": { "http_method": "GET", "http_path": "\/.env.production.local", "request_line": "GET \/.env.production.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.production.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.production.local", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "pat-0194" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.env.production.local", "request_line": "GET \/.env.production.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.production.local", "evidence_snippet": "GET \/.env.production.local HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
15/06/2026 19:24:47 UTC	TCP	5000 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5000 · (tentative d'exploit) · → /.env.example	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /.env.example UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.example TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible /.env.example Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.example HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.example HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/53 Requête brute (extrait) GET /.env.example HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:5000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "example", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "b3fecad1903fbad7bf672cc5a25c971b97553846", "http_target_hash": "080963ef62d711207d0e68706f04d0705ec4d7fa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.3005358880802, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 5000, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "8f72cab2f471c1c3759498248c1ba7ba0d7b2337", "event_fingerprint": "6a0d4537d5e65149a426acc87d829818b0e3d7e5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "dcef19dc0165ad229b4cfe69b5727b01", "path_pattern_hash": "f8bf22cb3ab23601599be7f21fa00aee" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.example HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "method": "GET", "path": "\/.env.example", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.example HTTP\/1.1", "request_sample": "GET \/.env.example HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.env.example HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/.env.example", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.example HTTP\/1.1", "request_sample": "GET \/.env.example HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:5000\r\n\r\n", "payload_snippet": "GET \/.env.example HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "20a9251aed63fb83eb6281f7293e1cd3ff4dc511", "protocol_details": { "http_method": "GET", "http_path": "\/.env.example", "request_line": "GET \/.env.example HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.example HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.example", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.env.example", "request_line": "GET \/.env.example HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.example", "evidence_snippet": "GET \/.env.example HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }

13.217.95.0

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence