Détails IP 13.217.95.0

Synthèse exécutive

Profil de menace

Score de risque 69/100 Élevé

Première observation 15/06/2026 19:24 UTC

Dernière observation 16/06/2026 12:39 UTC

Événements (période) 207

MITRE ATT&CK principal T1083 112 occurrences

Activité suspecte · risque 40/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « web_probe » (signaux protocolaires) · confiance 74%

Confiance 74 % — Score WAF 8

Comparaison ASN / FAI

ASN 14618 · 13.216.0.0/13 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 207 événements sur la période pour cette IP.

3.134.216.108 Tentative d'exploit 16/06/2026 18:38 UTC
16.58.56.214 Tentative d'exploit 16/06/2026 18:37 UTC
3.132.26.232 Sonde PostgreSQL 16/06/2026 18:33 UTC
52.74.43.180 Sonde port 23/TCP 16/06/2026 18:31 UTC
3.131.220.121 Sonde PostgreSQL 16/06/2026 18:30 UTC
3.130.168.2 Sonde PostgreSQL 16/06/2026 18:23 UTC
18.116.101.220 Sonde PostgreSQL 16/06/2026 18:05 UTC
3.129.187.38 Sonde PostgreSQL 16/06/2026 17:46 UTC

IPs apparentées

Même FAI Amazon.com, Inc. — corrélation indicative.

3.134.216.108 Tentative d'exploit
16.58.56.214 Tentative d'exploit
3.132.26.232 Sonde PostgreSQL
52.74.43.180 Sonde port 23/TCP
3.131.220.121 Sonde PostgreSQL

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

207 événement(s) — page 2/5

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 21:26:15 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /application.yml	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /application.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /application.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /application.yml Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /application.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit Requête brute (extrait) GET /application.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "b5819b2c14e2e66f80448b9cafafa1033e7b1cec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 213, "payload_entropy": 5.318259946437812, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0d650033cbcd8738716c52bff5bb6d2ce6f67dc4", "event_fingerprint": "99a55af75a5caf73f995463ef257343c3704a778", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "09e73b8a03244c3e77a42aa89fa6a86a", "path_pattern_hash": "18101755b44cc6d8b270134bcce32edf" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/application.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "method": "GET", "path": "\/application.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.yml HTTP\/1.1", "request_sample": "GET \/application.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/application.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "evidence": { "method": "GET", "path": "\/application.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.yml HTTP\/1.1", "request_sample": "GET \/application.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/application.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7f57812322099250a4fcfa80436cb9bd4f0cbb27", "protocol_details": { "http_method": "GET", "http_path": "\/application.yml", "request_line": "GET \/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.yml", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/application.yml", "request_line": "GET \/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.yml", "evidence_snippet": "GET \/application.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:15 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /application.yaml	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /application.yaml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /application.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /application.yaml Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /application.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.yaml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi Requête brute (extrait) GET /application.yaml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "1191e273c1826d3cef67d2c70d425072ebc43c59", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.315988967417743, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0d650033cbcd8738716c52bff5bb6d2ce6f67dc4", "event_fingerprint": "ba4968e8c202bd407356d9652a45407a5d047855", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "8dd6b2a3de98811eea293f2e630f9414", "path_pattern_hash": "cef87ee8c99d38579e29ea993d58f554" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/application.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "method": "GET", "path": "\/application.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.yaml HTTP\/1.1", "request_sample": "GET \/application.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/application.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "evidence": { "method": "GET", "path": "\/application.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.yaml HTTP\/1.1", "request_sample": "GET \/application.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/application.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "274f95664e84b6aaab61b5cf72002b11d5468df9", "protocol_details": { "http_method": "GET", "http_path": "\/application.yaml", "request_line": "GET \/application.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.yaml", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/application.yaml", "request_line": "GET \/application.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.yaml", "evidence_snippet": "GET \/application.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:15 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /application-dev.properties	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /application-dev.properties UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /application-dev.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /application-dev.properties Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /application-dev.properties HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application-dev.properties HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Requête brute (extrait) GET /application-dev.properties HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "properties", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "1c00232df0f9171cd1c8c41a2ab578caf973d6db", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 224, "payload_entropy": 5.309692577404594, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "295ba76a4fac52d92d75b39903eb0cc4423a1aa0", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "ecf6bd6cc5cc1179112789294a8a1906", "path_pattern_hash": "dc582c7aa48543d5aa6765449e8f0b6a" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/application-dev.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) ", "method": "GET", "path": "\/application-dev.properties", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application-dev.properties HTTP\/1.1", "request_sample": "GET \/application-dev.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/application-dev.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "evidence": { "method": "GET", "path": "\/application-dev.properties", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application-dev.properties HTTP\/1.1", "request_sample": "GET \/application-dev.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/application-dev.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f404d521dec305705be3c53e0c1295f9bd3a3b2e", "protocol_details": { "http_method": "GET", "http_path": "\/application-dev.properties", "request_line": "GET \/application-dev.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application-dev.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application-dev.properties", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/application-dev.properties", "request_line": "GET \/application-dev.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application-dev.properties", "evidence_snippet": "GET \/application-dev.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:14 UTC	TCP	4200 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:4200 · (tentative d'exploit) · → /wp-config.php.txt	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.php.txt UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 http_backup_file_scan Cible HTTP GET /wp-config.php.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /wp-config.php.txt Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0195 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 933111 Probe /wp-config.php Ligne de requête `GET /wp-config.php.txt HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-5 Payload (extrait) GET /wp-config.php.txt HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebK Requête brute (extrait) GET /wp-config.php.txt HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "6a0f57eb7bae6019bcd12e05a2a5a99ca0f24d82", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.339013010737147, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "cdbd17b36a911538e9793cc6042c6c2a538fcfd8", "event_fingerprint": "d18b0d079cf9c9525775e5d95e35abc40fbad3ee", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0160", "pat-0195" ], "matched_pattern_names": [ "CRS 933111", "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0160", "pat-0195" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "53f0e1996124cf425ddad97c6ff637d0", "path_pattern_hash": "d2b16bf79ee85d394a5f000d8ef2ea4b" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/wp-config.php.txt HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "method": "GET", "path": "\/wp-config.php.txt", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php.txt HTTP\/1.1", "request_sample": "GET \/wp-config.php.txt HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/wp-config.php.txt HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "evidence": { "method": "GET", "path": "\/wp-config.php.txt", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php.txt HTTP\/1.1", "request_sample": "GET \/wp-config.php.txt HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/wp-config.php.txt HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3adab28e4c5ab04615c876232f935cf39efa13da", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.txt", "request_line": "GET \/wp-config.php.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php.txt HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.txt", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0195", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.txt", "request_line": "GET \/wp-config.php.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.txt", "evidence_snippet": "GET \/wp-config.php.txt HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
15/06/2026 21:26:14 UTC	TCP	4200 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:4200 · (tentative d'exploit) · → /wp-config.php~	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.php~ UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 http_backup_file_scan Cible HTTP GET /wp-config.php~ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /wp-config.php~ Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0195 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /wp-config.php Ligne de requête `GET /wp-config.php~ HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-5 Payload (extrait) GET /wp-config.php~ HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/ Requête brute (extrait) GET /wp-config.php~ HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php~", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "863c7f3ef890e19c474d54faa2637f21aa61f24b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.356006987364611, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "cdbd17b36a911538e9793cc6042c6c2a538fcfd8", "event_fingerprint": "07eef6c23f336d38eb8745310f0fdd413205f22d", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0195" ], "matched_pattern_names": [ "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0195" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "0a38344af3ae6c298829a1aa347234e7", "path_pattern_hash": "01859822ace956c1e8cfef788e43bcce" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/wp-config.php~ HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "method": "GET", "path": "\/wp-config.php~", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php~ HTTP\/1.1", "request_sample": "GET \/wp-config.php~ HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/wp-config.php~", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php~ HTTP\/1.1", "request_sample": "GET \/wp-config.php~ HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1c3c629726390b2f19c391c92f1571784584e657", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php~", "request_line": "GET \/wp-config.php~ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php~", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0195", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php~", "request_line": "GET \/wp-config.php~ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php~", "evidence_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
15/06/2026 21:26:14 UTC	TCP	4200 · HTTP	http	probe config probe config · via HTTP:4200 · (sonde / probe) · → /config/app.php	Élevée	Moyen · 52
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /config/app.php UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/app.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /config/app.php Service HTTP Pourquoi cette classification : Type « probe_config » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 52 Confiance : Confiance 50 % — 3 tag(s) WAF Signaux Upstream Waf Score Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /config/app.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/app.php HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/ Requête brute (extrait) GET /config/app.php HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "4d388b5973ca832ef2abea7dc7b3d1d0491429b6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.3164298197912006, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4b1ed2dcc7908db8f51249bd0925a26208f77725", "event_fingerprint": "8696af37d88f29b255e48309981c82226ca2fc99", "classification_reason": "Type \u00ab probe_config \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 55, "precision_signals": [ "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "cee042c468fe4ee8e3d70c0e13d61d36", "path_pattern_hash": "1bde6fec443f458560d30e82dbf9f869" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/config\/app.php HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "method": "GET", "path": "\/config\/app.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/app.php HTTP\/1.1", "request_sample": "GET \/config\/app.php HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/config\/app.php HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/config\/app.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/app.php HTTP\/1.1", "request_sample": "GET \/config\/app.php HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/config\/app.php HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "classification_reason": "Type \u00ab probe_config \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a186ce20cd2689289310b719cc957f8189707023", "protocol_details": { "http_method": "GET", "http_path": "\/config\/app.php", "request_line": "GET \/config\/app.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/app.php HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "attack_vector": "probe config \u00b7 via HTTP:4200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/config\/app.php", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab probe_config \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab probe_config \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 52 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 52, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/config\/app.php", "request_line": "GET \/config\/app.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "probe config \u00b7 via HTTP:4200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/config\/app.php", "evidence_snippet": "GET \/config\/app.php HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config" ], "asn_dc_heuristic": true }
15/06/2026 21:26:14 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /application.properties	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /application.properties UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /application.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /application.properties Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /application.properties HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.properties HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Appl Requête brute (extrait) GET /application.properties HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "properties", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "e3fd46d86bb2ad69319106117f93875bff130862", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 220, "payload_entropy": 5.279586082274236, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "8e2ec923ecc0d272455a1fa6a4c1a8b832616b51", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "ae0989da99bb7cec6dfe1ac58794e4ba", "path_pattern_hash": "8c4feac6bcb94afde681db33f96763e3" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/application.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "method": "GET", "path": "\/application.properties", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.properties HTTP\/1.1", "request_sample": "GET \/application.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/application.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "evidence": { "method": "GET", "path": "\/application.properties", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.properties HTTP\/1.1", "request_sample": "GET \/application.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/application.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5793899a20f04ecf7d0461935d06268fcbfa9e42", "protocol_details": { "http_method": "GET", "http_path": "\/application.properties", "request_line": "GET \/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.properties", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/application.properties", "request_line": "GET \/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.properties", "evidence_snippet": "GET \/application.properties HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:13 UTC	TCP	4200 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:4200 · (tentative d'exploit) · → /wp-config.php.bak	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.php.bak UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 950521:leak-8 Cible HTTP GET /wp-config.php.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /wp-config.php.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0195 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 933111 LFI WordPress config backup Probe /wp-config.php Ligne de requête `GET /wp-config.php.bak HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-5 leak-8 Payload (extrait) GET /wp-config.php.bak HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebK Requête brute (extrait) GET /wp-config.php.bak HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "0372d7102c333673ea0de9e60c73911cb60bfb5f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.345463345378602, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "ca8deb4d49530da639f70175e982d55cef71759e", "event_fingerprint": "a58a189c81b3cda6ce834795891dcdaab8c0438d", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0160", "pat-0135", "pat-0195" ], "matched_pattern_names": [ "CRS 933111", "LFI WordPress config backup", "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0160", "pat-0135", "pat-0195" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 68 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "73abf1f2d97703272d590a68067b202d", "path_pattern_hash": "c879a1d8584c2c545f6c6bb7a9f5a061" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/wp-config.php.bak HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "method": "GET", "path": "\/wp-config.php.bak", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.bak HTTP\/1.1", "request_sample": "GET \/wp-config.php.bak HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "evidence": { "method": "GET", "path": "\/wp-config.php.bak", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.bak HTTP\/1.1", "request_sample": "GET \/wp-config.php.bak HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0fbb7c20576d082ebc88ce8800c7e8ef44e64f51", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.bak", "request_line": "GET \/wp-config.php.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.bak", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 68 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0195", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.bak", "request_line": "GET \/wp-config.php.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.bak", "evidence_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path" ], "asn_dc_heuristic": true }
15/06/2026 21:26:13 UTC	TCP	4200 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:4200 · (tentative d'exploit) · → /wp-config.php.old	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.php.old UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 950521:leak-8 Cible HTTP GET /wp-config.php.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /wp-config.php.old Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0195 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 933111 Probe /wp-config.php Ligne de requête `GET /wp-config.php.old HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-5 leak-8 Payload (extrait) GET /wp-config.php.old HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebK Requête brute (extrait) GET /wp-config.php.old HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "24c516a67db44cfad409a699aaddb7e13edd5983", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.3364630270821864, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "ca8deb4d49530da639f70175e982d55cef71759e", "event_fingerprint": "d7696fbb58f2d57075ae0abf98f0a139281fd325", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0160", "pat-0195" ], "matched_pattern_names": [ "CRS 933111", "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0160", "pat-0195" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 68 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "51e38fd165bf10dad276457f4640ab3c", "path_pattern_hash": "5fcd528564d98f34a98115294a2df668" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/wp-config.php.old HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "method": "GET", "path": "\/wp-config.php.old", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.old HTTP\/1.1", "request_sample": "GET \/wp-config.php.old HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "evidence": { "method": "GET", "path": "\/wp-config.php.old", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.old HTTP\/1.1", "request_sample": "GET \/wp-config.php.old HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "19eba6dd90bfc536c58a8f95bbf7e9dc508c1a8d", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.old", "request_line": "GET \/wp-config.php.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.old", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 68 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0195", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.old", "request_line": "GET \/wp-config.php.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.old", "evidence_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path" ], "asn_dc_heuristic": true }
15/06/2026 21:26:13 UTC	TCP	4200 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:4200 · (tentative d'exploit) · → /wp-config.php.save	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.php.save UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 http_backup_file_scan Cible HTTP GET /wp-config.php.save TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /wp-config.php.save Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0195 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 933111 Probe /wp-config.php Ligne de requête `GET /wp-config.php.save HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-5 Payload (extrait) GET /wp-config.php.save HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWeb Requête brute (extrait) GET /wp-config.php.save HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "save", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "440cbf7653353c59cd0ec5c251a941c94aae51e3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 216, "payload_entropy": 5.346202024229465, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "cdbd17b36a911538e9793cc6042c6c2a538fcfd8", "event_fingerprint": "6dbd4f7916ebed7dfe7ff0568ee3b44d023575d2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0160", "pat-0195" ], "matched_pattern_names": [ "CRS 933111", "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0160", "pat-0195" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "424b1d8af299a9aeba8c1186451c8c5d", "path_pattern_hash": "95b05a03890a8b1f9bd7471b8fc2d6d2" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/wp-config.php.save HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "method": "GET", "path": "\/wp-config.php.save", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php.save HTTP\/1.1", "request_sample": "GET \/wp-config.php.save HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/wp-config.php.save HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "evidence": { "method": "GET", "path": "\/wp-config.php.save", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php.save HTTP\/1.1", "request_sample": "GET \/wp-config.php.save HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/wp-config.php.save HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "32b23b23357ac08209455fb09f356c30723a933f", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.save", "request_line": "GET \/wp-config.php.save HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php.save HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.save", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0195", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.save", "request_line": "GET \/wp-config.php.save HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.save", "evidence_snippet": "GET \/wp-config.php.save HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
15/06/2026 21:26:12 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /config.py	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /config.py UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /config.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /config.py Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config.py HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config.py HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /config.py HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "37d31b2983288f908ec26b6131cac26b5c1bacbc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.333192307549517, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "03ece9858bb03b8eb77316e9b8a6d3f40f4e01fd", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "03c59517e6f8f4090b9541624a262c77", "path_pattern_hash": "96ad2fe85e6dcc0e779ed46379d98575" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/config.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/config.py", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.py HTTP\/1.1", "request_sample": "GET \/config.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/config.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/config.py", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.py HTTP\/1.1", "request_sample": "GET \/config.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/config.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7e473f97da8bda33aa81a3d71451e9fda7858919", "protocol_details": { "http_method": "GET", "http_path": "\/config.py", "request_line": "GET \/config.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.py", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config.py", "request_line": "GET \/config.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.py", "evidence_snippet": "GET \/config.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:12 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /secrets.py	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /secrets.py UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 http_k8s_probe Cible HTTP GET /secrets.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /secrets.py Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 48 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /secrets.py HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /secrets.py HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537. Requête brute (extrait) GET /secrets.py HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "1a8bc8321f35e4f1b278130178bc732af3dd3e26", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 208, "payload_entropy": 5.315743883416138, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14caf730c5dc400bc1bdd31b2900c53a8039014e", "event_fingerprint": "65ee55ec9b84a6643c3aa1eda5663c2505fb6ca4", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 48 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "12300e05e07d283dc4c0f6cb14c7fa56", "path_pattern_hash": "5069867a23cb6033af4025098b5ffa70" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/secrets.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "method": "GET", "path": "\/secrets.py", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.py HTTP\/1.1", "request_sample": "GET \/secrets.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/secrets.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/secrets.py", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.py HTTP\/1.1", "request_sample": "GET \/secrets.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/secrets.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "41282a48e1d651fe70395161cfa91f79e4ced230", "protocol_details": { "http_method": "GET", "http_path": "\/secrets.py", "request_line": "GET \/secrets.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/secrets.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/secrets.py", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 48 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/secrets.py", "request_line": "GET \/secrets.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/secrets.py", "evidence_snippet": "GET \/secrets.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_k8s_probe" ], "asn_dc_heuristic": true }
15/06/2026 21:26:12 UTC	TCP	4200 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:4200 · (tentative d'exploit) · → /config/secrets.yml	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /config/secrets.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_k8s_probe Cible HTTP GET /config/secrets.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /config/secrets.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0497 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Secrets YAML Ligne de requête `GET /config/secrets.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/secrets.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWeb Requête brute (extrait) GET /config/secrets.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "839396d933f6e708a9d903cd5e6fc222b43b2e4c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 216, "payload_entropy": 5.3271637208917495, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "5ef7df5b96346aa5bc66e26812d3157fd301477a", "event_fingerprint": "3dfc3564a74de8da33da4f764dcf27c788e0ef2e", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0497", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0497", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0497" ], "matched_pattern_names": [ "Cred Secrets YAML" ], "pattern_ids": [ "pat-0497" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "493d0f1f8ff4e692ea3a49773387ee00", "path_pattern_hash": "924eb36a06690443e7500b480e0afb5c" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/config\/secrets.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "method": "GET", "path": "\/config\/secrets.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/secrets.yml HTTP\/1.1", "request_sample": "GET \/config\/secrets.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/config\/secrets.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "evidence": { "method": "GET", "path": "\/config\/secrets.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/secrets.yml HTTP\/1.1", "request_sample": "GET \/config\/secrets.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/config\/secrets.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f79101f40dd416878f9a3b40ea64100875041622", "protocol_details": { "http_method": "GET", "http_path": "\/config\/secrets.yml", "request_line": "GET \/config\/secrets.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/secrets.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "attack_vector": "credential file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/secrets.yml", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "pat-0497", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0497", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config\/secrets.yml", "request_line": "GET \/config\/secrets.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/secrets.yml", "evidence_snippet": "GET \/config\/secrets.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_k8s_probe", "http_probe_config" ], "asn_dc_heuristic": true }
15/06/2026 21:26:12 UTC	TCP	4200 · HTTP	http	probe config probe config · via HTTP:4200 · (sonde / probe) · → /config/master.key	Élevée	Moyen · 52
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /config/master.key UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/master.key TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /config/master.key Service HTTP Pourquoi cette classification : Type « probe_config » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 52 Confiance : Confiance 50 % — 3 tag(s) WAF Signaux Upstream Waf Score Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /config/master.key HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/master.key HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebK Requête brute (extrait) GET /config/master.key HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "key", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "278ef868771413556c8713a5e16fcf7c97a9fbd2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.33472971386217, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4b1ed2dcc7908db8f51249bd0925a26208f77725", "event_fingerprint": "59391ddb6f0785dec4650b0b2cbbc3a7ec5aaca9", "classification_reason": "Type \u00ab probe_config \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 55, "precision_signals": [ "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "6afb5443a0a5eadf1dbdfbfd655eda44", "path_pattern_hash": "b99ec2315f369daaa07f08c32272fcc3" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/config\/master.key HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "method": "GET", "path": "\/config\/master.key", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/master.key HTTP\/1.1", "request_sample": "GET \/config\/master.key HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/config\/master.key HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "evidence": { "method": "GET", "path": "\/config\/master.key", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/master.key HTTP\/1.1", "request_sample": "GET \/config\/master.key HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/config\/master.key HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "classification_reason": "Type \u00ab probe_config \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3f3539f8026d615f53f69bea2213a1364b4c478d", "protocol_details": { "http_method": "GET", "http_path": "\/config\/master.key", "request_line": "GET \/config\/master.key HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/master.key HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "attack_vector": "probe config \u00b7 via HTTP:4200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/config\/master.key", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab probe_config \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab probe_config \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 52 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 52, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/config\/master.key", "request_line": "GET \/config\/master.key HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "probe config \u00b7 via HTTP:4200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/config\/master.key", "evidence_snippet": "GET \/config\/master.key HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config" ], "asn_dc_heuristic": true }
15/06/2026 21:26:11 UTC	TCP	4200 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:4200 · (tentative d'exploit) · → /js/app.js	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /js/app.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /js/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /js/app.js Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 62 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /js/app.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /js/app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /js/app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "a22d1d868692973288e25c89f766247feac6353d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.332193244286134, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9017e6b0ee303416d5bff5c60c027b574f0b3ee2", "event_fingerprint": "c1842865644075a36f7f000cb6c46898edd14f95", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 62 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "0071b6dd2f916e967ef362dc9e9e399d", "path_pattern_hash": "de7fe7d5b9603182c141cba6f00e2511" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/js\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/app.js HTTP\/1.1", "request_sample": "GET \/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/js\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/app.js HTTP\/1.1", "request_sample": "GET \/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f1f8cc927ef0ab236f8b23ea8d6b2ba3d7d17154", "protocol_details": { "http_method": "GET", "http_path": "\/js\/app.js", "request_line": "GET \/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/app.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 62 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/js\/app.js", "request_line": "GET \/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/app.js", "evidence_snippet": "GET \/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:11 UTC	TCP	4200 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:4200 · (tentative d'exploit) · → /js/main.js	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /js/main.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /js/main.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /js/main.js Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 62 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /js/main.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /js/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537. Requête brute (extrait) GET /js/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "552514a6107abe9547d76917c28e0d1a27e18542", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 208, "payload_entropy": 5.333020147667387, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9017e6b0ee303416d5bff5c60c027b574f0b3ee2", "event_fingerprint": "fc6e7524e35c0c22d4572b8e09edab60f2acd769", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 62 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "16c66b4bd88d0fc24f0167b90b8a63f1", "path_pattern_hash": "f10d571ea51fd1a0b4c78eea472da68f" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "method": "GET", "path": "\/js\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/main.js HTTP\/1.1", "request_sample": "GET \/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/js\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/main.js HTTP\/1.1", "request_sample": "GET \/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "db4b478edf3041c77b53cfb9b741853318f829aa", "protocol_details": { "http_method": "GET", "http_path": "\/js\/main.js", "request_line": "GET \/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/main.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 62 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/js\/main.js", "request_line": "GET \/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/main.js", "evidence_snippet": "GET \/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:11 UTC	TCP	4200 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:4200 · (tentative d'exploit) · → /settings.py	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /settings.py UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /settings.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /settings.py Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 56% Confiance classification 56% Risque capteur Moyen · 48 Confiance : Confiance 56 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux pat-0112 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Django settings Ligne de requête `GET /settings.py HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings.py HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /settings.py HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "3d04c639f33f174cecedd8e2b5ee24fd5f889511", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.32316753439197, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 78, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "aca3be11c770eb33b62dc8b61f5c947c8dc2d379", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 56%", "confidence": 0.56, "classification_confidence": 0.56, "precision_score": 66, "precision_signals": [ "pat-0112" ], "kb_rule_ids": [ "pat-0112" ], "matched_patterns": [ "pat-0112" ], "matched_pattern_names": [ "LFI Django settings" ], "pattern_ids": [ "pat-0112" ], "confidence_breakdown": { "waf": 60, "classification": 78, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 48 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 56, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "5b74cfa572fb33d4e68fc6c4dffb2bc4", "path_pattern_hash": "11cbdc1d0934c26ecc216cf25354d01f" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/settings.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/settings.py", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.py HTTP\/1.1", "request_sample": "GET \/settings.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/settings.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/settings.py", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.py HTTP\/1.1", "request_sample": "GET \/settings.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/settings.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 56%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "415a8358bd4d9fa936a7cb1119d555c32ae3aae5", "protocol_details": { "http_method": "GET", "http_path": "\/settings.py", "request_line": "GET \/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.py", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 56 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 56%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 56%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 56 % \u2014 via HTTP", "confidence_pct": 56, "confidence_breakdown": { "waf": 60, "classification": 78, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 48 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "pat-0112" ], "tags_summary_labels_fr": [ "pat-0112" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/settings.py", "request_line": "GET \/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.py", "evidence_snippet": "GET \/settings.py HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 56 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 56 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:10 UTC	TCP	4200 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:4200 · (tentative d'exploit) · → /build/static/js/main.js	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /build/static/js/main.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /build/static/js/main.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /build/static/js/main.js Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 62 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /build/static/js/main.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /build/static/js/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) App Requête brute (extrait) GET /build/static/js/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "2fea438411350aaa22eca6b878fcf14f334121cf", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 221, "payload_entropy": 5.338902833525535, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9017e6b0ee303416d5bff5c60c027b574f0b3ee2", "event_fingerprint": "c88f3c2695fb81e74e03ad170613464454c4dbbb", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 62 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "3288bddcdf90d26862ca68d9d75d8dea", "path_pattern_hash": "a790de344aaa577134cce822349757aa" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "method": "GET", "path": "\/build\/static\/js\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/build\/static\/js\/main.js HTTP\/1.1", "request_sample": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "evidence": { "method": "GET", "path": "\/build\/static\/js\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/build\/static\/js\/main.js HTTP\/1.1", "request_sample": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "96c5b6ac96637a2b1723be6fab3168ea6f1eb0e7", "protocol_details": { "http_method": "GET", "http_path": "\/build\/static\/js\/main.js", "request_line": "GET \/build\/static\/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/build\/static\/js\/main.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 62 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/build\/static\/js\/main.js", "request_line": "GET \/build\/static\/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/build\/static\/js\/main.js", "evidence_snippet": "GET \/build\/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:10 UTC	TCP	4200 · HTTP	http	probe assets probe assets · via HTTP:4200 · (sonde / probe) · → /assets/index.js	Élevée	Moyen · 52
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /assets/index.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_assets Cible HTTP GET /assets/index.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /assets/index.js Service HTTP Pourquoi cette classification : Type « probe_assets » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 52 Confiance : Confiance 50 % — 3 tag(s) WAF Signaux Upstream Waf Score Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /assets/index.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /assets/index.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit Requête brute (extrait) GET /assets/index.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "9eebe336a2dc20ee660c2acfa0bb246dea083a23", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 213, "payload_entropy": 5.318681924245216, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2835cfdc02bed271065bb6758864b55d61393c75", "event_fingerprint": "67a3e17994ea5b34e2c43f908972ab9e7e147881", "classification_reason": "Type \u00ab probe_assets \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 55, "precision_signals": [ "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "8997392193388f56ff6fda9413bd17c8", "path_pattern_hash": "9e60e5bb2469a898889ab9e9a9ffce83" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/assets\/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "method": "GET", "path": "\/assets\/index.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/index.js HTTP\/1.1", "request_sample": "GET \/assets\/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/assets\/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "evidence": { "method": "GET", "path": "\/assets\/index.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/index.js HTTP\/1.1", "request_sample": "GET \/assets\/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/assets\/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "classification_reason": "Type \u00ab probe_assets \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d8d580214a9538c471f747cf4d6d3d36e94d296f", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/index.js", "request_line": "GET \/assets\/index.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/assets\/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "attack_vector": "probe assets \u00b7 via HTTP:4200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/assets\/index.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab probe_assets \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab probe_assets \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 52 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 52, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/index.js", "request_line": "GET \/assets\/index.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "probe assets \u00b7 via HTTP:4200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/assets\/index.js", "evidence_snippet": "GET \/assets\/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets" ], "asn_dc_heuristic": true }
15/06/2026 21:26:10 UTC	TCP	4200 · HTTP	http	probe assets probe assets · via HTTP:4200 · (sonde / probe) · → /assets/app.js	Élevée	Moyen · 52
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /assets/app.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_assets Cible HTTP GET /assets/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /assets/app.js Service HTTP Pourquoi cette classification : Type « probe_assets » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 52 Confiance : Confiance 50 % — 3 tag(s) WAF Signaux Upstream Waf Score Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /assets/app.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /assets/app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/5 Requête brute (extrait) GET /assets/app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "f8c592422502488e2194b5b344edf33ad4b8757b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.312784807347442, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2835cfdc02bed271065bb6758864b55d61393c75", "event_fingerprint": "dfd440a47d4c0d402fbff6ebc23a866d6661d0ab", "classification_reason": "Type \u00ab probe_assets \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 55, "precision_signals": [ "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "e6a0db1ebe1261ad4ec45f6f6a6bdb84", "path_pattern_hash": "a5b9c872c9539a7390bbf552d50689cd" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/assets\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "method": "GET", "path": "\/assets\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/app.js HTTP\/1.1", "request_sample": "GET \/assets\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/assets\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/assets\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/app.js HTTP\/1.1", "request_sample": "GET \/assets\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/assets\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "classification_reason": "Type \u00ab probe_assets \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d8963fd1093feb2bed900912d0304a6e429568d2", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/app.js", "request_line": "GET \/assets\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/assets\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "attack_vector": "probe assets \u00b7 via HTTP:4200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/assets\/app.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab probe_assets \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab probe_assets \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 52 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 52, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/app.js", "request_line": "GET \/assets\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "probe assets \u00b7 via HTTP:4200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/assets\/app.js", "evidence_snippet": "GET \/assets\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets" ], "asn_dc_heuristic": true }
15/06/2026 21:26:09 UTC	TCP	4200 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:4200 · (tentative d'exploit) · → /static/js/bundle.js	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /static/js/bundle.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /static/js/bundle.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /static/js/bundle.js Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 63 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /static/js/bundle.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /static/js/bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWe Requête brute (extrait) GET /static/js/bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "7329621044caa2d842a67aad97d334b615e98fcf", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 217, "payload_entropy": 5.337530679736385, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "02ff0338f471624699cea0f5d2d7de33add24207", "event_fingerprint": "19bc6b87c469afdd023430ffbd2982b2eb9ba153", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 63 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "cb7fd30e90125990dd8578539a3140b8", "path_pattern_hash": "37a8a2a265c348a8f41010337fca565b" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "method": "GET", "path": "\/static\/js\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/bundle.js HTTP\/1.1", "request_sample": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "evidence": { "method": "GET", "path": "\/static\/js\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/bundle.js HTTP\/1.1", "request_sample": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f293190e3855b7a69525b99336679792be59c63a", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/bundle.js", "request_line": "GET \/static\/js\/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/bundle.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/bundle.js", "request_line": "GET \/static\/js\/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/bundle.js", "evidence_snippet": "GET \/static\/js\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static" ], "asn_dc_heuristic": true }
15/06/2026 21:26:09 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /dist/main.js	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /dist/main.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /dist/main.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /dist/main.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 55 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /dist/main.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /dist/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/53 Requête brute (extrait) GET /dist/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "a207d7eb5fb0981149fd0c78299aa17c839e981c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.3292325167070675, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ad946893e63cd87c570f23541f81f527b1a9891d", "event_fingerprint": "05388e2155b251f2546b16e1d607942d485ae788", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "68f1f109e6568d52ad7099b22bbd7d66", "path_pattern_hash": "ed890272e7383054c69c77a023519696" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "method": "GET", "path": "\/dist\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/main.js HTTP\/1.1", "request_sample": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/dist\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/main.js HTTP\/1.1", "request_sample": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4fa4ad002bfc2e5ed93eef058cdbe49ffdad2809", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/main.js", "request_line": "GET \/dist\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/main.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/dist\/main.js", "request_line": "GET \/dist\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/main.js", "evidence_snippet": "GET \/dist\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:09 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /dist/app.js	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /dist/app.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /dist/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /dist/app.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 55 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /dist/app.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /dist/app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /dist/app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "80c1b326643ad4cf914c23b0daaa56b99c67d699", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.329194305714293, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ad946893e63cd87c570f23541f81f527b1a9891d", "event_fingerprint": "e62758215efc7fdaea77aee2f26681faeede0d06", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "f108c1401607520a7bcecb6c7f499480", "path_pattern_hash": "e3f6cb527411defb60f79b43484777b4" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/dist\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/app.js HTTP\/1.1", "request_sample": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/dist\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/app.js HTTP\/1.1", "request_sample": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ce0a1751f8f3633192f3bd9c6fc38a987114eb54", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/app.js", "request_line": "GET \/dist\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/app.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/dist\/app.js", "request_line": "GET \/dist\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/app.js", "evidence_snippet": "GET \/dist\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:09 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /dist/bundle.js	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /dist/bundle.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /dist/bundle.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /dist/bundle.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 55 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /dist/bundle.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /dist/bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/ Requête brute (extrait) GET /dist/bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "3d397e6fbe672925768a4cfd837b08ea7ca46b1d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.341539513305084, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ad946893e63cd87c570f23541f81f527b1a9891d", "event_fingerprint": "0da107a05f36d06f9d1160d9fedc77c415acae78", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "065ce1919dec1b1b91efd8e8e9f9f00c", "path_pattern_hash": "332be6dcf184549b4552979b3430af1c" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "method": "GET", "path": "\/dist\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/bundle.js HTTP\/1.1", "request_sample": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/dist\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/bundle.js HTTP\/1.1", "request_sample": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f625cc10d7db35e22696729911a0b41b336c1921", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/bundle.js", "request_line": "GET \/dist\/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/bundle.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/dist\/bundle.js", "request_line": "GET \/dist\/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/bundle.js", "evidence_snippet": "GET \/dist\/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:08 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /chunk.js	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /chunk.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /chunk.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /chunk.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /chunk.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /chunk.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /chunk.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "8b5f91c8c78dc829917a893f6740765aaa522059", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.339037153581475, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "5d3da6d260ff2eceff98ff010279d117f7fc64e4", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "1cb4775066f0f78c02493005c586c032", "path_pattern_hash": "c042b14a5bc38b8396557d7753d97abe" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/chunk.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/chunk.js HTTP\/1.1", "request_sample": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/chunk.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/chunk.js HTTP\/1.1", "request_sample": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "25d1b76623a2aaa5a117319fc731653b6abca7ff", "protocol_details": { "http_method": "GET", "http_path": "\/chunk.js", "request_line": "GET \/chunk.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/chunk.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/chunk.js", "request_line": "GET \/chunk.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/chunk.js", "evidence_snippet": "GET \/chunk.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:08 UTC	TCP	4200 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:4200 · (tentative d'exploit) · → /static/js/main.js	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /static/js/main.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /static/js/main.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /static/js/main.js Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 63 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /static/js/main.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /static/js/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebK Requête brute (extrait) GET /static/js/main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "fc1209930d53479f9de40769306d0e03c0e12113", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.320523579753706, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "02ff0338f471624699cea0f5d2d7de33add24207", "event_fingerprint": "6045f56d768122f7db4bc2cc04c96ea6062042fd", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 63 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "7abdedcff0396691baa2a44c8a211eb7", "path_pattern_hash": "d7eccad93f9f7ba9883784f3d98302b8" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "method": "GET", "path": "\/static\/js\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "request_sample": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "evidence": { "method": "GET", "path": "\/static\/js\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "request_sample": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "54402f1e80736a90b8d04209ece050b15870395b", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/main.js", "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/main.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/main.js", "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/main.js", "evidence_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebK", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static" ], "asn_dc_heuristic": true }
15/06/2026 21:26:08 UTC	TCP	4200 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:4200 · (tentative d'exploit) · → /static/js/app.js	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /static/js/app.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /static/js/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /static/js/app.js Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 63 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /static/js/app.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /static/js/app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi Requête brute (extrait) GET /static/js/app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "2e8487d6ca226d333a0e0e427de3a57a117c9672", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.320286558719351, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "02ff0338f471624699cea0f5d2d7de33add24207", "event_fingerprint": "e0729716ed0b793c3c273a8837ba1041ce2e34f8", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 63 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "fa13b096ba0500a89946e975466ce8d9", "path_pattern_hash": "02ccc7d3f44ece92b2d30ec0bac374d7" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "method": "GET", "path": "\/static\/js\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "request_sample": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "evidence": { "method": "GET", "path": "\/static\/js\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "request_sample": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f6edb4de44e6eb582a0aa221db58e92f45b49023", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/app.js", "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/app.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/app.js", "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/app.js", "evidence_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static" ], "asn_dc_heuristic": true }
15/06/2026 21:26:07 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /bundle.js	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /bundle.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /bundle.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /bundle.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /bundle.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "5c28bc6707fadbc1c6dacdabca89ac4afb276d6a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.342469701974768, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "8b2cc2e765b3daad57af516a269aa1eca76d3bfd", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "8ea1c6c42a39d6dac049d9dbfb2f7641", "path_pattern_hash": "59bff92e27ba3df61892a035edfe8dbf" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bundle.js HTTP\/1.1", "request_sample": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bundle.js HTTP\/1.1", "request_sample": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7064fd4e8f1eab35d69798fbe8fef44fb9d3481a", "protocol_details": { "http_method": "GET", "http_path": "\/bundle.js", "request_line": "GET \/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bundle.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/bundle.js", "request_line": "GET \/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bundle.js", "evidence_snippet": "GET \/bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:07 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /app.bundle.js	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /app.bundle.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /app.bundle.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /app.bundle.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.bundle.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/5 Requête brute (extrait) GET /app.bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "0af46f5a2803132335577023b795bcd61e1c7dba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.3395748961814675, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "92a54760f1a6663f4ea3bbf3bee5544cf0e42974", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "67e2a224cda9919ceb412166c5b3fccc", "path_pattern_hash": "dbac0f56de5385be27bb738f2b1ee1a3" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "method": "GET", "path": "\/app.bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.bundle.js HTTP\/1.1", "request_sample": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/app.bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.bundle.js HTTP\/1.1", "request_sample": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ec3fc2ce99abcabc25dec51cfc95f440255ecd1f", "protocol_details": { "http_method": "GET", "http_path": "\/app.bundle.js", "request_line": "GET \/app.bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.bundle.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/app.bundle.js", "request_line": "GET \/app.bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.bundle.js", "evidence_snippet": "GET \/app.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 21:26:07 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /main.bundle.js	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /main.bundle.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /main.bundle.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /main.bundle.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /main.bundle.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /main.bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/ Requête brute (extrait) GET /main.bundle.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "62b8af91235b91d92c321592c9d4f9b0f26f8be3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.339505813799768, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "b6ee9587a3d1ba4671257f8dab97c1806bec6218", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "a5d42233d7c4e31157f55d67f36eb77f", "path_pattern_hash": "656f2faabb66b2f56a51454a38dd35c2" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "method": "GET", "path": "\/main.bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/main.bundle.js HTTP\/1.1", "request_sample": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/main.bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/main.bundle.js HTTP\/1.1", "request_sample": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c9e8de899f5feb3febcd5480f5ac42a3b4c3c4af", "protocol_details": { "http_method": "GET", "http_path": "\/main.bundle.js", "request_line": "GET \/main.bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/main.bundle.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/main.bundle.js", "request_line": "GET \/main.bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/main.bundle.js", "evidence_snippet": "GET \/main.bundle.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:07 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /vendor.js	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /vendor.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /vendor.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /vendor.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /vendor.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /vendor.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /vendor.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "316afc872612db004e32c0c28eb31fa0ffa9d99f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.343076933950965, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "b5ef0cb0d22b4bc27a45806e5b85aa31d2c369dd", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "f750490adfbd38acf361f0eb95608122", "path_pattern_hash": "f35dd6fdee49d3b9a2bf908182db17ec" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/vendor.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/vendor.js HTTP\/1.1", "request_sample": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/vendor.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/vendor.js HTTP\/1.1", "request_sample": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8b322319dc679b8f866ea360c0c1169ca87ce56f", "protocol_details": { "http_method": "GET", "http_path": "\/vendor.js", "request_line": "GET \/vendor.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/vendor.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/vendor.js", "request_line": "GET \/vendor.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/vendor.js", "evidence_snippet": "GET \/vendor.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:06 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /main.js	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /main.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /main.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /main.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /main.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /main.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "e46ea72cce1cadb614d3abac8b75f00e6bad53c9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 205, "payload_entropy": 5.3274087795881595, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "5cc88efed21c69fd4ab45ed9f6dc31d5fbed9496", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "987823741bc87934cbb1c786a20e27a2", "path_pattern_hash": "6767bab1fbcedbc82a67330f1c9f7602" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 ", "method": "GET", "path": "\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/main.js HTTP\/1.1", "request_sample": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/main.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/main.js HTTP\/1.1", "request_sample": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "20e672e41f809bf298ac55be9cb443d9a2f49b8a", "protocol_details": { "http_method": "GET", "http_path": "\/main.js", "request_line": "GET \/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/main.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/main.js", "request_line": "GET \/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/main.js", "evidence_snippet": "GET \/main.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:06 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /index.js	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /index.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /index.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /index.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /index.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /index.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /index.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "17559a94c8a0e630445c46daa059df42bac48bfa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.331602697526474, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "68b0c2e98e52e1c91bb02ec245d7e5934cc148c5", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "270a0ec6db6ca534c3232ae20f53d9ab", "path_pattern_hash": "c7d8398ecd93ef4ea30979fd952c357c" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/index.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/index.js HTTP\/1.1", "request_sample": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/index.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/index.js HTTP\/1.1", "request_sample": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5ba59d3af4a8273777c4ebd64eb4015072b7d74e", "protocol_details": { "http_method": "GET", "http_path": "\/index.js", "request_line": "GET \/index.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/index.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/index.js", "request_line": "GET \/index.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/index.js", "evidence_snippet": "GET \/index.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:06 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /server.js	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /server.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /server.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /server.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /server.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "9d9a790905bbaa9bf7477bf649ea86123ade8583", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.334359336149451, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "d8ef8344113ada046cadad26d42f70f56733c362", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "3305e0cb7fc80a1b5ca6e0a888fc391f", "path_pattern_hash": "10460208544c084cff624f51fd25d0f9" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/server.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.js HTTP\/1.1", "request_sample": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/server.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.js HTTP\/1.1", "request_sample": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "13bd008a9f23e14abfa22bbd76c409b4f3585291", "protocol_details": { "http_method": "GET", "http_path": "\/server.js", "request_line": "GET \/server.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/server.js", "request_line": "GET \/server.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.js", "evidence_snippet": "GET \/server.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:05 UTC	TCP	4200 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:4200 · (tentative d'exploit) · → /credentials.json	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /credentials.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /credentials.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /credentials.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Risque capteur Moyen · 54 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux pat-0472 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Credentials JSON Ligne de requête `GET /credentials.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /credentials.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi Requête brute (extrait) GET /credentials.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "52ce12cd9608e2aaf265869963eb9ccc97689fda", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.31184102500402, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 54, "tag_count": 2, "anomaly_count": 0, "campaign_key": "05e05867407aba0ad533a077c707eef00cb98a4d", "event_fingerprint": "521ce8d20c8ca74a665a7f9f7452aa68b84c03c7", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0472" ], "matched_pattern_names": [ "Cred Credentials JSON" ], "pattern_ids": [ "pat-0472" ], "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 54 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "426fd5027cdfec64e76a91251d1c62cb", "path_pattern_hash": "2c897236c88b33a0e02927235471c8c3" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "method": "GET", "path": "\/credentials.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/credentials.json HTTP\/1.1", "request_sample": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "evidence": { "method": "GET", "path": "\/credentials.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/credentials.json HTTP\/1.1", "request_sample": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0467652abbebbf070da4d582b756d12f203eeef8", "protocol_details": { "http_method": "GET", "http_path": "\/credentials.json", "request_line": "GET \/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "attack_vector": "credential file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/credentials.json", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 54 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0472", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/credentials.json", "request_line": "GET \/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/credentials.json", "evidence_snippet": "GET \/credentials.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:05 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /cdp_api_key.json	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /cdp_api_key.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /cdp_api_key.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /cdp_api_key.json Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /cdp_api_key.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /cdp_api_key.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi Requête brute (extrait) GET /cdp_api_key.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "89445e7a630dbf79c7d860741e6b00d79601f5e5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.370954078098928, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "031304dc8f43194299bdcc177d2d09727b02d177", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "b8075410d325212d3eca0e66266fd1e2", "path_pattern_hash": "d5e29afe6c443319602b7904511fc8de" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "method": "GET", "path": "\/cdp_api_key.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/cdp_api_key.json HTTP\/1.1", "request_sample": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "evidence": { "method": "GET", "path": "\/cdp_api_key.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/cdp_api_key.json HTTP\/1.1", "request_sample": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3fac358e7ef1a7b786e45d959e2023fe2f5d6077", "protocol_details": { "http_method": "GET", "http_path": "\/cdp_api_key.json", "request_line": "GET \/cdp_api_key.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cdp_api_key.json", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/cdp_api_key.json", "request_line": "GET \/cdp_api_key.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cdp_api_key.json", "evidence_snippet": "GET \/cdp_api_key.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:05 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /app.js	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /app.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /app.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ( Requête brute (extrait) GET /app.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "3c179370f0c2d0a7e227f65dd60b7b4aa8a5177f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 204, "payload_entropy": 5.3266452019732435, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "a326b3dcf1932020382bc83b5d1eaecf35de8619", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "13fe77ea49cd0cc2b23c8074bdc747d6", "path_pattern_hash": "d5e8a067e9f2ac7b37dd1c869137e3f0" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "method": "GET", "path": "\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.js HTTP\/1.1", "request_sample": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.js HTTP\/1.1", "request_sample": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f8ca2e3f68a60883a08aa55d46c6e3ede8ee068b", "protocol_details": { "http_method": "GET", "http_path": "\/app.js", "request_line": "GET \/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/app.js", "request_line": "GET \/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.js", "evidence_snippet": "GET \/app.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:04 UTC	TCP	4200 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:4200 · (tentative d'exploit) · → /config.json	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /config.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path Cible HTTP GET /config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 53 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux Http Sensitive pat-0247 Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /config.json Ligne de requête `GET /config.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /config.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "110dc2bb220538a9df6ea13fd8474a5056c773dc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.324660605776099, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9d5af7f7c060919d8ea8fcebb9283bd51b87e578", "event_fingerprint": "388424770e6dd89e62e6acbb0df2153321581e8b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 182, "precision_signals": [ "INT-http_sensitive", "pat-0247", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "pat-0247", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0247" ], "matched_pattern_names": [ "Probe \/config.json" ], "pattern_ids": [ "pat-0247" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 53 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "0f34d9a47c6cd0ed7a653865845c9ce3", "path_pattern_hash": "b2ebf86a95e6e198c8d34ea73388c4ce" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/config.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.json HTTP\/1.1", "request_sample": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/config.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.json HTTP\/1.1", "request_sample": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8af22368cbe54dc9bb807cea357874aa6448c007", "protocol_details": { "http_method": "GET", "http_path": "\/config.json", "request_line": "GET \/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.json", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 53 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "pat-0247", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "pat-0247", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config.json", "request_line": "GET \/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.json", "evidence_snippet": "GET \/config.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path" ], "asn_dc_heuristic": true }
15/06/2026 21:26:04 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /settings.js	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /settings.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /settings.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /settings.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /settings.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /settings.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "600a07472be074279f73e485903b746a3072d617", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.318877596821444, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "cb3ba79a563fe5337e6227cfdaa52f2868a7e59f", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "f8dbb57f3ad36a1f76afac30c7124b48", "path_pattern_hash": "1bfd7de8f2b794aaf55add02ed38d00c" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/settings.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.js HTTP\/1.1", "request_sample": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/settings.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.js HTTP\/1.1", "request_sample": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b242a10b2731c301d83cd69766ac0376744beb48", "protocol_details": { "http_method": "GET", "http_path": "\/settings.js", "request_line": "GET \/settings.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/settings.js", "request_line": "GET \/settings.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.js", "evidence_snippet": "GET \/settings.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:04 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /settings.json	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /settings.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /settings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /settings.json Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /settings.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/5 Requête brute (extrait) GET /settings.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "bf7030628c229b3e041c7e1c251921a9918e64a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.313182215115718, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0d650033cbcd8738716c52bff5bb6d2ce6f67dc4", "event_fingerprint": "4e19e70ae40c5e9e29371119c99fd76e9c90fae3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "0d2e3626a624dda1933c6ca7b418c5e2", "path_pattern_hash": "77c44ac5d0e9de12fccd3bb6237f7ba5" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "method": "GET", "path": "\/settings.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.json HTTP\/1.1", "request_sample": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/settings.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.json HTTP\/1.1", "request_sample": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8ae10477d29ebfbf99c891418e174dbaa9a68cab", "protocol_details": { "http_method": "GET", "http_path": "\/settings.json", "request_line": "GET \/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.json", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/settings.json", "request_line": "GET \/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.json", "evidence_snippet": "GET \/settings.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:04 UTC	TCP	4200 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:4200 · (tentative d'exploit) · → /secrets.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /secrets.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_k8s_probe Cible HTTP GET /secrets.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /secrets.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux pat-0496 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Secrets JSON file Ligne de requête `GET /secrets.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /secrets.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/53 Requête brute (extrait) GET /secrets.json HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "9906f032745691753325e07cb911e68c17846b5d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.30670092224666, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "14caf730c5dc400bc1bdd31b2900c53a8039014e", "event_fingerprint": "0577bfd59db14b690a15f17e8097d5c77bf55328", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0496" ], "matched_pattern_names": [ "Cred Secrets JSON file" ], "pattern_ids": [ "pat-0496" ], "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "06399bf904395876e9ec5fa0c92d7c34", "path_pattern_hash": "1abd330c58113f23df400bb25a78bd81" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "method": "GET", "path": "\/secrets.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.json HTTP\/1.1", "request_sample": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/secrets.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/secrets.json HTTP\/1.1", "request_sample": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7455233193aab7745c7f55aa1fef300bb22ecb54", "protocol_details": { "http_method": "GET", "http_path": "\/secrets.json", "request_line": "GET \/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "attack_vector": "credential file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/secrets.json", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 82, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0496", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/secrets.json", "request_line": "GET \/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/secrets.json", "evidence_snippet": "GET \/secrets.json HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_k8s_probe" ], "asn_dc_heuristic": true }
15/06/2026 21:26:03 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /docker-compose.dev.yml	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /docker-compose.dev.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /docker-compose.dev.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /docker-compose.dev.yml Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /docker-compose.dev.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /docker-compose.dev.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Appl Requête brute (extrait) GET /docker-compose.dev.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "7ee3e2436a44816af2348c3ec543a3fd946c2f9e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 220, "payload_entropy": 5.349742178959397, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "104a370b95653e6cde8dd8aa9097b712c9eb35b3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "44030bcea0c50376b2cc002fa526c1ef", "path_pattern_hash": "44551548ed702b85048d052da6b4f350" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "method": "GET", "path": "\/docker-compose.dev.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.dev.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "evidence": { "method": "GET", "path": "\/docker-compose.dev.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.dev.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "430b496c8f68d3a3b8cfe7489b377ac7ae841a75", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.dev.yml", "request_line": "GET \/docker-compose.dev.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.dev.yml", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.dev.yml", "request_line": "GET \/docker-compose.dev.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.dev.yml", "evidence_snippet": "GET \/docker-compose.dev.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Appl", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:03 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /docker-compose.prod.yml	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /docker-compose.prod.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /docker-compose.prod.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /docker-compose.prod.yml Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /docker-compose.prod.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /docker-compose.prod.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) App Requête brute (extrait) GET /docker-compose.prod.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "e0f4d8c475ba7860adfbc6fce1ef729836b642b1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 221, "payload_entropy": 5.335166023510458, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "4475fa19e9a81cea0e977e41f8088b2d436829ac", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "236844e78bc8be1d2e2bd387032ce934", "path_pattern_hash": "34e7c48d3a24d0769f43576d3e67ea74" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "method": "GET", "path": "\/docker-compose.prod.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.prod.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "evidence": { "method": "GET", "path": "\/docker-compose.prod.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.prod.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e1e5b02928ace61f67b9eabc9cbac64e14b93f42", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.prod.yml", "request_line": "GET \/docker-compose.prod.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.prod.yml", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.prod.yml", "request_line": "GET \/docker-compose.prod.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.prod.yml", "evidence_snippet": "GET \/docker-compose.prod.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:03 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /config.js	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /config.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /config.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /config.js Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /config.js HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "67b3179b286c960b4be84ff433764afe1a997eeb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.331431302831642, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "db6c48cbcc19a7b1866469ab013d75b2f3e303b0", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "fad831bf995db33ae8e1a43fcc921819", "path_pattern_hash": "0ad09149f0572f6cdaf5a224970ea0d2" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/config.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.js HTTP\/1.1", "request_sample": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/config.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.js HTTP\/1.1", "request_sample": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1dbc75fc1928d5d1b830a4ee91dba710c5893da0", "protocol_details": { "http_method": "GET", "http_path": "\/config.js", "request_line": "GET \/config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.js", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config.js", "request_line": "GET \/config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.js", "evidence_snippet": "GET \/config.js HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 21:26:02 UTC	TCP	4200 · HTTP	http	Scan vulnérabilités scanner vuln · via HTTP:4200 · (sonde / probe) · → /docker-compose.yml	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /docker-compose.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /docker-compose.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /docker-compose.yml Service HTTP Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 46% Confiance classification 46% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 46 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux pat-0251 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Probe /docker-compose.yml Ligne de requête `GET /docker-compose.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /docker-compose.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWeb Requête brute (extrait) GET /docker-compose.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "284ed5c0f139fefe102f54c41fbd64a2a9a5ffd9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 216, "payload_entropy": 5.338088254719792, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 52, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "dcb2ea1a82ce7235d6e03a61ed5075df44e031fe", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "confidence": 0.46, "classification_confidence": 0.46, "precision_score": 55, "precision_signals": [ "pat-0251" ], "kb_rule_ids": [ "pat-0251" ], "matched_patterns": [ "pat-0251" ], "matched_pattern_names": [ "Probe \/docker-compose.yml" ], "pattern_ids": [ "pat-0251" ], "confidence_breakdown": { "waf": 60, "classification": 52, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "http", "risk_confidence_factor": 46, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "d46fb2b8dba4ab29413d4dae8fd1ab0b", "path_pattern_hash": "96d32e90d2f8019607590c30e27c0bff" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "method": "GET", "path": "\/docker-compose.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "evidence": { "method": "GET", "path": "\/docker-compose.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9b555af811727f3350ac2642c2cf9fa9e899c1fa", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.yml", "request_line": "GET \/docker-compose.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "attack_vector": "scanner vuln \u00b7 via HTTP:4200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/docker-compose.yml", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 46 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 46, "confidence_breakdown": { "waf": 60, "classification": 52, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "pat-0251" ], "tags_summary_labels_fr": [ "pat-0251" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.yml", "request_line": "GET \/docker-compose.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "scanner vuln \u00b7 via HTTP:4200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/docker-compose.yml", "evidence_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWeb", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 46 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 46 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:02 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /docker-compose.yaml	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /docker-compose.yaml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /docker-compose.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /docker-compose.yaml Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /docker-compose.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /docker-compose.yaml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWe Requête brute (extrait) GET /docker-compose.yaml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "3bbb8fd589a1c6561445293d25ec31c27a2956aa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 217, "payload_entropy": 5.337916338537918, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "7c0cb0c696ee6df192f538726ada318f8fcc2180", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "434c671b1a44b3991e2be880aa6133a9", "path_pattern_hash": "d91024f4d52a5546d3cddb98775be9d6" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "method": "GET", "path": "\/docker-compose.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.yaml HTTP\/1.1", "request_sample": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "evidence": { "method": "GET", "path": "\/docker-compose.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.yaml HTTP\/1.1", "request_sample": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dd63a3d7775b40356c78ce4599c20bb1a349e702", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.yaml", "request_line": "GET \/docker-compose.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.yaml", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.yaml", "request_line": "GET \/docker-compose.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.yaml", "evidence_snippet": "GET \/docker-compose.yaml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:02 UTC	TCP	4200 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4200 · (tentative d'exploit) · → /docker-compose.override.yml	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /docker-compose.override.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /docker-compose.override.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /docker-compose.override.yml Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /docker-compose.override.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /docker-compose.override.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Requête brute (extrait) GET /docker-compose.override.yml HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "d8b1323b6ef8c906588c7bebedb55eb8820ae5d1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 225, "payload_entropy": 5.338326955968602, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "af8b52afa1c558d2261f681d6ada5b2270e02fc7", "event_fingerprint": "003a19105916c2f3a0666af3685d15723472366e", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "6d2d71b7c9d69b09c270f7b57a4872c3", "path_pattern_hash": "eaee3b34be9f0e8721a1e0c8de81e82c" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "method": "GET", "path": "\/docker-compose.override.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.override.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "evidence": { "method": "GET", "path": "\/docker-compose.override.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.override.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9eb77ce2ada2a914b01090d44d6c8c98ea533377", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.override.yml", "request_line": "GET \/docker-compose.override.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.override.yml", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.override.yml", "request_line": "GET \/docker-compose.override.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.override.yml", "evidence_snippet": "GET \/docker-compose.override.yml HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
15/06/2026 21:26:02 UTC	TCP	4200 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:4200 · (tentative d'exploit) · → /var/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /var/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /var/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /var/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /var/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /var/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /var/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "7f1fb2a1c5b72e520b988cd8c8a970a6662732b5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.324148296782349, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 6, "anomaly_count": 0, "campaign_key": "795e734bfe2cec97a1b40c7445ecc363c0c72ec6", "event_fingerprint": "30ba6572adefb2062f42eb7cb3c97fd8f849d4b8", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "0963e1308189cfd3a5158be899a68a3b", "path_pattern_hash": "0d0f9087dce4407a1a8d5052b0a9d1bf" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/var\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/var\/.env HTTP\/1.1", "request_sample": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/var\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/var\/.env HTTP\/1.1", "request_sample": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eed71b696d302ad959f61b6b151ead54dd041aa2", "protocol_details": { "http_method": "GET", "http_path": "\/var\/.env", "request_line": "GET \/var\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/var\/.env", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/var\/.env", "request_line": "GET \/var\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/var\/.env", "evidence_snippet": "GET \/var\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
15/06/2026 21:26:01 UTC	TCP	4200 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:4200 · (tentative d'exploit) · → /web/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /web/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /web/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /web/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /web/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /web/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /web/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "47bcdedb3b954688023f733564a003e944c34a32", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.325019388161393, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 6, "anomaly_count": 0, "campaign_key": "795e734bfe2cec97a1b40c7445ecc363c0c72ec6", "event_fingerprint": "6c7c5636952c6b52c3ca9055e866e6305dfd71d4", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "5871eee06490f25edab47a9762e6e58c", "path_pattern_hash": "d80a28198e7c3b2ce080248f274b9024" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/web\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/web\/.env HTTP\/1.1", "request_sample": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/web\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/web\/.env HTTP\/1.1", "request_sample": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ab810a7e5c5d7b1bff98b3d78b51a3fd8596fd50", "protocol_details": { "http_method": "GET", "http_path": "\/web\/.env", "request_line": "GET \/web\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.env", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/web\/.env", "request_line": "GET \/web\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.env", "evidence_snippet": "GET \/web\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
15/06/2026 21:26:01 UTC	TCP	4200 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:4200 · (tentative d'exploit) · → /public/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /public/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /public/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4200 Chemin / cible /public/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /public/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /public/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /public/.env HTTP/1.1 connection: close accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 host: 62.3.50.33:4200 Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "44d3c8b849357a6a84abd560467256ebced73ec0", "http_host_hash": "202dfa5994cddfa4461947e8f26132d28ea51d2e", "http_target_hash": "bc9ca66c038b10c68f8dffc886361c52fc1ac680", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.328723799744746, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 14618, "country": "US", "dst_port": 4200, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 6, "anomaly_count": 0, "campaign_key": "795e734bfe2cec97a1b40c7445ecc363c0c72ec6", "event_fingerprint": "0cb85137c38626d7d4c13765507d9ac396147feb", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "544610c250911ce605588efb3a938aed", "payload_hash": "54174dbb28936e75ad9362025f2faab6", "path_pattern_hash": "6cf746da949d58c839550a31197db646" }, "target_context": { "dst_port": 4200, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/public\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/public\/.env HTTP\/1.1", "request_sample": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/public\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/public\/.env HTTP\/1.1", "request_sample": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nhost: 62.3.50.33:4200\r\n\r\n", "payload_snippet": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a895c51eee18a9c2aa840c304c2b445b1a50d0eb", "protocol_details": { "http_method": "GET", "http_path": "\/public\/.env", "request_line": "GET \/public\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/.env", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4200, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/public\/.env", "request_line": "GET \/public\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "port": 4200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:4200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/.env", "evidence_snippet": "GET \/public\/.env HTTP\/1.1\r\nconnection: close\r\naccept: \/\r\nuser-agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "4200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }

13.217.95.0

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence