Renseignement sur les menaces

Corée du Sud

15.165.33.253

FAI Amazon.com, Inc. Première vue 17/06/2026 23:15 UTC Dernière vue 17/06/2026 23:15 UTC Risque Élevé

Période analysée : 2026-05-19 → 2026-06-18

Activité suspecte — risque 42/100 (Moyen) — MITRE T1046 — confiance 100 % — via CPANEL WHM — multi-protocole (9 protocoles · 5 min)

Campagne multi-ports détectée sur une fenêtre courte

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 66/100 Élevé

Première observation 17/06/2026 23:15 UTC

Dernière observation 17/06/2026 23:15 UTC

Événements (période) 51

MITRE ATT&CK principal T1046 46 occurrences

Activité suspecte — risque 42/100 (Moyen) — MITRE T1046 — confiance 100 % — via CPANEL WHM — multi-protocole (9 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_scan_syn » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 8 · Bonus corrélation +14

Comparaison ASN / FAI

ASN 16509 · 15.164.0.0/15 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 51 événements sur la période pour cette IP.

3.22.57.96 Sonde SIP/VoIP 18/06/2026 20:33 UTC
54.161.68.68 Tentative d'exploit 18/06/2026 20:30 UTC
65.1.138.190 Sonde RDP 18/06/2026 20:29 UTC
18.218.97.223 Sonde PostgreSQL 18/06/2026 20:22 UTC
98.80.4.106 Sonde Squid proxy 18/06/2026 20:20 UTC
18.97.19.139 Sonde SSH 18/06/2026 20:08 UTC
16.58.56.214 Sonde PostgreSQL 18/06/2026 19:59 UTC
3.130.168.2 Sonde PostgreSQL 18/06/2026 19:06 UTC

Événements (filtres)

Première observation

17/06/2026 23:15 UTC

Dernière observation

17/06/2026 23:15 UTC

Dernière activité (filtres)

17/06/2026 23:15 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 40 CPANEL WHM TCP 4 CPANEL TCP 1 CPANEL SSL TCP 1

HTTP

CPANEL WHM

CPANEL

CPANEL SSL

Géolocalisation

Origine réseau déclarée

Corée du Sud unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Amazon.com, Inc. 0 Port 2078 port_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Reconnaissance

Chaîne d'attaque

Reconnaissance

Vecteur d'attaque

port scan syn · via CPANEL WHM:2087 · (reconnaissance)

Détails protocole

Aperçu payload

��Fn�QN�)f�g��9U<�o�7�� 4��0倫��ްD��4�U��T�K��"�+�/�,�0̨̩� �� [ �

Port / service

2087 · CPANEL WHM

Service émulé

CPANEL-WHM

Raison confiance

Confiance 100 % — 4 signal(aux) capteur

Technique MITRE

T1046

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Campagne multi-ports Multi-protocole corrélé (5 min)

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S

Confiance

100% Corrélation +14

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

51 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

51 événement(s) — page 2/2

Horodatage Proto Port Service Classification Sévérité Risque Actions

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 23:15:29 UTC	TCP	2082 · HTTP	http	Scan de ports port scan syn · via HTTP:2082 · (reconnaissance) · → /.git/HEAD	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git/HEAD UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950513:leak-0 Cible HTTP GET /.git/HEAD TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2082 Chemin / cible /.git/HEAD Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET .git HEAD Probe /.git/HEAD Ligne de requête `GET /.git/HEAD HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-0 Payload (extrait) GET /.git/HEAD HTTP/1.1 Host: 62.3.50.33:2082 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /.git/HEAD HTTP/1.1 Host: 62.3.50.33:2082 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "git\/head", "http_ua_hash": "6f5b0a9fc247c6bb758a70fc6a40934213981d54", "http_host_hash": "4319c7ade0bba7afb97efbb687810dc600e3e05b", "http_target_hash": "a5bdb37ad3aa5fc1e8e58237e6cb768f00ae6952", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 217, "payload_entropy": 5.388143981037492, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "KR", "dst_port": 2082, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "410d66348337b09f86363695133ec94867098ecf", "event_fingerprint": "7ed8cfcfbc9a01ca5eb2646636f688e51c0eb129", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0749", "pat-0197" ], "matched_pattern_names": [ "ET .git HEAD", "Probe \/.git\/HEAD" ], "pattern_ids": [ "pat-0749", "pat-0197" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd33e731a9dc71ed698fb3458da6dbe5", "payload_hash": "6255c130d5c78368773f334adf5de0bf", "path_pattern_hash": "353579f4025217f1143d65b4213aaffa" }, "target_context": { "dst_port": 2082, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/.git\/HEAD", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/HEAD HTTP\/1.1", "request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/.git\/HEAD", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/HEAD HTTP\/1.1", "request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1c7b657b0ecc7e4f4b08888d434803c8533eabfd", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/HEAD", "request_line": "GET \/.git\/HEAD HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2082, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "port scan syn \u00b7 via HTTP:2082 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD", "target_port_label": "2082 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (9 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2082, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/HEAD", "request_line": "GET \/.git\/HEAD HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2082, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2082 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD", "evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "2082 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2082" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 2077, 2078, 2082, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 8, "scan_velocity_ports_per_s": 80, "multi_protocol_correlation": true, "multi_protocol_count": 9, "multi_protocol_sample": [ "cpanel", "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }

17/06/2026 23:15:29 UTC

TCP

2082 · HTTP

http

Scan de ports port scan syn · via HTTP:2082 · (reconnaissance) · → /.git/HEAD

Élevée

Élevé · 65

Étape Reconnaissance

Chaîne Reconnaissance

Persona mail.sensor-1.internal

Rôle capteur Renseignement menaces

Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min)

MITRE T1046 TA0043

Protocole GET /.git/HEAD UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…

Émulateur HTTP

WAF 27

Recommandation Investiguer

Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950513:leak-0

Cible HTTP GET /.git/HEAD

TLS SNI —

Capteur paris-1

Preuve / Evidence

Méthode GET

Port 2082

Chemin / cible /.git/HEAD

Service HTTP

Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%

Confiance classification 100% Corrélation +18

Risque capteur Élevé · 65

Confiance : Confiance 100 % — 4 tag(s) WAF

Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S

Technique MITRE T1046

Tactiques MITRE TA0043

Motifs de détection (base) ET .git HEAD Probe /.git/HEAD

Ligne de requête

GET /.git/HEAD HTTP/1.1

User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Règles WAF rce-0 nosqli-3 leak-0

Payload (extrait)

GET /.git/HEAD HTTP/1.1
Host: 62.3.50.33:2082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,

Requête brute (extrait)

GET /.git/HEAD HTTP/1.1 Host: 62.3.50.33:2082 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip

Meta JSON brut

{
    "protocol_emulated": true,
    "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
    "emulator_response_len": 125,
    "http_header_count": 4,
    "http_query_params": 0,
    "http_path_depth": 2,
    "http_path_ext": "git\/head",
    "http_ua_hash": "6f5b0a9fc247c6bb758a70fc6a40934213981d54",
    "http_host_hash": "4319c7ade0bba7afb97efbb687810dc600e3e05b",
    "http_target_hash": "a5bdb37ad3aa5fc1e8e58237e6cb768f00ae6952",
    "http_referer_hash": null,
    "http_method": "GET",
    "http_ua_is_cli": false,
    "http_ua_is_browser": true,
    "bytes_in": 217,
    "payload_entropy": 5.388143981037492,
    "port_category": "registered",
    "org": "Amazon.com, Inc.",
    "service": "http",
    "app_proto": "http",
    "asn": 16509,
    "country": "KR",
    "dst_port": 2082,
    "risk_waf": 100,
    "risk_classification": 64,
    "risk_behavior": 0,
    "risk_geo": 40,
    "risk_protocol": 43,
    "risk_novelty": 25,
    "risk_boost": 0,
    "risk_granularity": 3.8,
    "risk_breakdown": {
        "waf": 100,
        "classification": 64,
        "behavior": 0,
        "geo": 40,
        "protocol": 43,
        "novelty": 25
    },
    "risk_score": 65,
    "tag_count": 9,
    "anomaly_count": 0,
    "campaign_key": "410d66348337b09f86363695133ec94867098ecf",
    "event_fingerprint": "7ed8cfcfbc9a01ca5eb2646636f688e51c0eb129",
    "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
    "confidence": 1,
    "classification_confidence": 1,
    "precision_score": 293,
    "precision_signals": [
        "MITRE-T1046",
        "SIGMA-net-port-scan",
        "INT-beh-scan-burst",
        "INT-beh-multi-port-60s"
    ],
    "kb_rule_ids": [
        "MITRE-T1046",
        "SIGMA-net-port-scan",
        "INT-beh-scan-burst",
        "INT-beh-multi-port-60s"
    ],
    "matched_patterns": [
        "pat-0749",
        "pat-0197"
    ],
    "matched_pattern_names": [
        "ET .git HEAD",
        "Probe \/.git\/HEAD"
    ],
    "pattern_ids": [
        "pat-0749",
        "pat-0197"
    ],
    "confidence_breakdown": {
        "waf": 100,
        "classification": 64,
        "behavior": 0,
        "geo": 40,
        "protocol": 43,
        "novelty": 25,
        "risk_score": 65,
        "correlation_boost": 18
    },
    "named_classification_skipped": false,
    "service_name": "http",
    "risk_confidence_factor": 100,
    "city": null,
    "is_datacenter": true,
    "is_tor_hint": false,
    "geo": {
        "country": "KR",
        "asn": 16509,
        "org": "Amazon.com, Inc.",
        "is_datacenter": true,
        "is_tor_hint": false
    },
    "fingerprint": {
        "http_ua_hash": "bd33e731a9dc71ed698fb3458da6dbe5",
        "payload_hash": "6255c130d5c78368773f334adf5de0bf",
        "path_pattern_hash": "353579f4025217f1143d65b4213aaffa"
    },
    "target_context": {
        "dst_port": 2082,
        "service": "http",
        "service_name": "http",
        "risk_score": 65
    },
    "payload_preview": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,",
    "method": "GET",
    "path": "\/.git\/HEAD",
    "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36",
    "waf_tags": [
        "950326:rce-0",
        "950468:nosqli-3",
        "950470:nosqli-3",
        "950513:leak-0"
    ],
    "waf_rule_names": [
        "rce-0",
        "nosqli-3",
        "leak-0"
    ],
    "request_line": "GET \/.git\/HEAD HTTP\/1.1",
    "request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
    "payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,",
    "evidence": {
        "method": "GET",
        "path": "\/.git\/HEAD",
        "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36",
        "waf_tags": [
            "950326:rce-0",
            "950468:nosqli-3",
            "950470:nosqli-3",
            "950513:leak-0"
        ],
        "waf_rule_names": [
            "rce-0",
            "nosqli-3",
            "leak-0"
        ],
        "request_line": "GET \/.git\/HEAD HTTP\/1.1",
        "request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
        "payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,",
        "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
    },
    "attack_stage": "recon",
    "mitre_tactics": [
        "TA0043"
    ],
    "mitre_techniques": [
        "T1046"
    ],
    "mitre": "T1046",
    "threat_family": [
        "scanner"
    ],
    "recommended_client_action": "investigate",
    "policy_mode": "intelligence",
    "sensor_role": "threat_intelligence",
    "event_signature": "1c7b657b0ecc7e4f4b08888d434803c8533eabfd",
    "protocol_details": {
        "http_method": "GET",
        "http_path": "\/.git\/HEAD",
        "request_line": "GET \/.git\/HEAD HTTP\/1.1",
        "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36",
        "port": 2082,
        "service": "http",
        "service_label_fr": "HTTP"
    },
    "evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,",
    "attack_vector": "port scan syn \u00b7 via HTTP:2082 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD",
    "target_port_label": "2082 \u00b7 HTTP",
    "emulator_service": "http",
    "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
    "site_display": {
        "classification": null,
        "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
        "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
        "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (9 protocoles \u00b7 5 min)",
        "confidence_pct": 100,
        "confidence_breakdown": {
            "waf": 100,
            "classification": 64,
            "behavior": 0,
            "geo": 40,
            "protocol": 43,
            "novelty": 25,
            "risk_score": 65,
            "correlation_boost": 18
        },
        "attack_stage": "recon",
        "attack_stage_label": "Reconnaissance",
        "attack_chain_stage": "reconnaissance",
        "attack_chain_stage_label_fr": "Reconnaissance",
        "risk_score": 65,
        "risk_label": "\u00c9lev\u00e9",
        "service_name": "http",
        "service_label_fr": "HTTP",
        "dst_port": 2082,
        "protocol_emulated": true,
        "tags_summary": [
            "MITRE-T1046",
            "SIGMA-net-port-scan",
            "INT-beh-scan-burst",
            "INT-beh-multi-port-60s"
        ],
        "tags_summary_labels_fr": [
            "MITRE-T1046",
            "SIGMA-net-port-scan",
            "Beh Scan Burst",
            "Beh Multi Port 60S"
        ],
        "recommended_action": "investigate",
        "recommended_action_label": "Investiguer",
        "mitre": "T1046",
        "mitre_technique": "T1046",
        "persona_hostname": "mail.sensor-1.internal",
        "persona_service_banner": "honeypot-http",
        "correlation_flags": [
            "scan_rapide",
            "campagne_ports",
            "multi_protocol_correlation"
        ],
        "correlation_flags_labels_fr": [
            "Scan rapide multi-ports",
            "Campagne multi-ports",
            "Multi-protocole corr\u00e9l\u00e9 (5 min)"
        ],
        "sensor_role": "threat_intelligence",
        "sensor_role_label_fr": "Renseignement menaces",
        "confidence_hint_fr": "Corr\u00e9lation +18",
        "protocol_details": {
            "http_method": "GET",
            "http_path": "\/.git\/HEAD",
            "request_line": "GET \/.git\/HEAD HTTP\/1.1",
            "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36",
            "port": 2082,
            "service": "http",
            "service_label_fr": "HTTP"
        },
        "attack_vector": "port scan syn \u00b7 via HTTP:2082 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD",
        "evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,",
        "target_port_label": "2082 \u00b7 HTTP",
        "emulator_service": "http",
        "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
        "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF",
        "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
        "attack_phases_timeline_fr": [
            {
                "key": "recon",
                "label_fr": "Reconnaissance",
                "active": true,
                "kind": "stage"
            },
            {
                "key": "probe",
                "label_fr": "Sonde \/ probe",
                "active": false,
                "kind": "stage"
            },
            {
                "key": "exploit_attempt",
                "label_fr": "Tentative d'exploit",
                "active": false,
                "kind": "stage"
            },
            {
                "key": "post_exploit",
                "label_fr": "Post-exploitation",
                "active": false,
                "kind": "stage"
            },
            {
                "key": "c2",
                "label_fr": "Commande & contr\u00f4le",
                "active": false,
                "kind": "stage"
            },
            {
                "key": "reconnaissance",
                "label_fr": "Reconnaissance",
                "active": true,
                "kind": "chain",
                "hint_fr": null
            }
        ]
    },
    "honeypot_persona": {
        "sensor_id": "sensor-1",
        "hostname": "mail.sensor-1.internal",
        "mail_host": "mail.sensor-1.internal",
        "ldap_dc": "dc.sensor-1.internal",
        "k8s_cluster": "hp-sensor-1",
        "domain": "sensor-1.internal",
        "service_role": "http",
        "service_banner": "honeypot-http",
        "service_os": "linux",
        "dst_port": "2082"
    },
    "hostname": "mail.sensor-1.internal",
    "sensor_id": "sensor-1",
    "port_scan_campaign": true,
    "port_scan_distinct_ports": 8,
    "port_scan_ports_sample": [
        2077,
        2078,
        2082,
        2083,
        2086,
        2087,
        2095,
        2096
    ],
    "rapid_port_scan": true,
    "rapid_scan_distinct_ports": 8,
    "scan_velocity_ports_per_s": 80,
    "multi_protocol_correlation": true,
    "multi_protocol_count": 9,
    "multi_protocol_sample": [
        "cpanel",
        "cpanel-ssl",
        "cpanel-whm",
        "http",
        "port:2077",
        "port:2078",
        "port:2086",
        "port:2095"
    ],
    "multi_protocol_window_s": 300,
    "behavior_alerts": [
        "port_scan_campaign",
        "rapid_port_scan",
        "multi_protocol_correlation"
    ],
    "correlation_confidence_boost": 18,
    "attack_chain_stage": "reconnaissance",
    "ban_policy": "advisory_investigate",
    "tags_list": [
        "950326:rce-0",
        "950468:nosqli-3",
        "950470:nosqli-3",
        "950513:leak-0",
        "http_backup_file_scan",
        "http_git_exposure",
        "http_probe_git",
        "http_sensitive_path",
        "net_web_probe"
    ],
    "asn_dc_heuristic": true
}

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

15.165.33.253

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

15.165.33.253

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence