Renseignement sur les menaces

Thaïlande

152.32.245.27

FAI UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED Première vue 06/01/2026 00:56 UTC Dernière vue 17/06/2026 04:30 UTC Risque Critique

Période analysée : 2026-05-18 → 2026-06-17

Activité suspecte · risque 35/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 87/100 Critique

Première observation 06/01/2026 00:56 UTC

Dernière observation 17/06/2026 04:30 UTC

Événements (période) 191

MITRE ATT&CK principal TA0007 87 occurrences

Activité suspecte · risque 35/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Connexion SAP Diag/GUI · confiance 50%

Confiance 50 % — Score WAF 8

Comparaison ASN / FAI

ASN 135377 · 152.32.245.0/24 · APNIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 191 événements sur la période pour cette IP.

118.194.248.142 Sonde PostgreSQL 17/06/2026 06:19 UTC
118.193.36.63 Tentative d'exploit 17/06/2026 06:11 UTC
165.154.172.37 Sonde port 17/06/2026 06:10 UTC
123.58.213.118 Sonde port 17/06/2026 06:09 UTC
118.193.43.141 Tentative d'exploit 17/06/2026 05:56 UTC
118.194.250.22 Tentative d'exploit 17/06/2026 05:56 UTC
118.194.251.75 Sonde port 17/06/2026 05:55 UTC
128.1.44.38 Sonde port 17/06/2026 05:55 UTC

Événements (filtres)

191

Première observation

06/01/2026 00:56 UTC

Dernière observation

17/06/2026 04:30 UTC

Dernière activité (filtres)

17/06/2026 04:30 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

SAP Diag TCP 73 TLS TCP 52 HTTP TCP 22

SAP Diag

TLS

HTTP

Géolocalisation

Origine réseau déclarée

Thaïlande unknown unknown

FAI / réseau

Opérateur et dernière activité ban

UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED 592 Port 3201 sap_diag_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)

Détails protocole

Aperçu payload

CNXN2��host::

Port / service

3201 · SAP Diag

Service émulé

SAP-DIAG

Raison confiance

Confiance 50 % — Motif catalogue confirmé

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0554

Confiance

50% Confiance modérée — signal unique

Famille de menace

sap_probe

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

191 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

191 événement(s) — page 1/4

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 04:30:18 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload CNXN2��host:: Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) CNXN2��host:: Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 31, "payload_entropy": 3.3729205036561045, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2ab0510cc4156c41c24112bc2a720db2", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000", "request_sample": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000", "payload_snippet": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000", "evidence": { "request_sample": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000", "payload_snippet": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eed71bb965cae94a2a3066ca4ef3ccb3e11b2bc8", "protocol_details": { "payload_preview": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "CNXN2\ufffd\ufffd\ufffd\ufffdhost::", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "CNXN2\ufffd\ufffd\ufffd\ufffdhost::", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:30:15 UTC	TCP	3201 · SAP Diag	sap-diag	mqtt probe mqtt probe · via SAP Diag:3201 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags mqtt_connect net_sap_diag_probe sap_diag_emulated sap_diag_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload MQTTnmap Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 97% Confiance classification 97% Risque capteur Moyen · 49 Confiance : Confiance 97 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0373 pat-0615 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MQTT protocol UA nmap Sigma nmap UA MQTT alt CONNECT Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) MQTTnmap Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 18, "payload_entropy": 3.4193819456463714, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "65207138bd29b104f8c9cb4144f13ca817f98957", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 97%", "confidence": 0.97, "classification_confidence": 0.97, "precision_score": 110, "precision_signals": [ "pat-0373", "pat-0615" ], "kb_rule_ids": [ "pat-0373", "pat-0615" ], "matched_patterns": [ "pat-0373", "pat-0448", "pat-0543", "pat-0615", "pat-0554" ], "matched_pattern_names": [ "MQTT protocol", "UA nmap", "Sigma nmap UA", "MQTT alt CONNECT", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0373", "pat-0448", "pat-0543", "pat-0615", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 97, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad60b419f2f0103bea99389955f5bdf8", "path_pattern_hash": "4449b927317468afa12a2f935a413459" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 49 }, "payload_preview": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "request_sample": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "payload_snippet": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "evidence": { "request_sample": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "payload_snippet": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 97%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e920948f3b35ca3bfc066922c9faf67db46dd73c", "protocol_details": { "payload_preview": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "MQTTnmap", "attack_vector": "mqtt probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 97%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 97%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 97, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0373", "pat-0615" ], "tags_summary_labels_fr": [ "pat-0373", "pat-0615" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "mqtt probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "MQTTnmap", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mqtt_connect", "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:30:12 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde WebSphere websphere probe · via SAP Diag:3201 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload GIOP$abcdefget Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 47% Confiance classification 47% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 47 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0605 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) GIOP WebSphere IIOP Mumble ping STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) GIOP$abcdefget Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 48, "payload_entropy": 2.5723387961875535, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 47%", "confidence": 0.47, "classification_confidence": 0.47, "precision_score": 56, "precision_signals": [ "pat-0605" ], "kb_rule_ids": [ "pat-0605" ], "matched_patterns": [ "pat-0605", "pat-0768", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "GIOP WebSphere IIOP", "Mumble ping", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0605", "pat-0768", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 47, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a2295e3d24182f08220a2dae2c40ff1c", "path_pattern_hash": "a8ef247ba3612b90c1c670387b185e85" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 45 }, "payload_preview": "GIOP\u0001\u0000\u0001\u0000$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000abcdef\u0000\u0000\u0004\u0000\u0000\u0000get\u0000\u0000\u0000\u0000\u0000", "request_sample": "GIOP\u0001\u0000\u0001\u0000$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000abcdef\u0000\u0000\u0004\u0000\u0000\u0000get\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "GIOP\u0001\u0000\u0001\u0000$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000abcdef\u0000\u0000\u0004\u0000\u0000\u0000get\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "GIOP\u0001\u0000\u0001\u0000$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000abcdef\u0000\u0000\u0004\u0000\u0000\u0000get\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "GIOP\u0001\u0000\u0001\u0000$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000abcdef\u0000\u0000\u0004\u0000\u0000\u0000get\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan", "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "97d9de00970cd1d05179a3de50770b12b45ae3d9", "protocol_details": { "payload_preview": "GIOP\u0001\u0000\u0001\u0000$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000abcdef\u0000\u0000\u0004\u0000\u0000\u0000get\u0000\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "GIOP$abcdefget", "attack_vector": "websphere probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 47%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 47%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 47, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0605" ], "tags_summary_labels_fr": [ "pat-0605" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GIOP\u0001\u0000\u0001\u0000$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000abcdef\u0000\u0000\u0004\u0000\u0000\u0000get\u0000\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "websphere probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "GIOP$abcdefget", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:30:09 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload � Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 0% Confiance classification 0% Risque capteur Faible · 24 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) � Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 2, "payload_entropy": 1, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 24, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 24 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4b24f4cca7e61459da3fb7bee3042b66", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 24 }, "payload_preview": "\ufffd\u0001", "request_sample": "\ufffd\u0001", "payload_snippet": "\ufffd\u0001", "evidence": { "request_sample": "\ufffd\u0001", "payload_snippet": "\ufffd\u0001", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d807d2e510bcd322b8476c45627ab5f33edd727", "protocol_details": { "payload_preview": "\ufffd\u0001", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffd", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 24 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\u0001", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:30:06 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload 1 $4 info Pourquoi cette classification :* Connexion SAP Diag/GUI · confiance 0% Confiance classification 0% Risque capteur Faible · 24 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Redis INFO User-Agent — Règles WAF — Payload (extrait) 1 $4 info Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 14, "payload_entropy": 3.128085278891395, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 24, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "matched_patterns": [ "pat-0411" ], "matched_pattern_names": [ "Redis INFO" ], "pattern_ids": [ "pat-0411" ], "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 24 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4f9ff4b8ec8624803229b3cea88426af", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 24 }, "payload_preview": "1\r\n$4\r\ninfo\r\n", "request_sample": "1\r\n$4\r\ninfo\r\n", "payload_snippet": "1\r\n$4\r\ninfo", "evidence": { "request_sample": "1\r\n$4\r\ninfo\r\n", "payload_snippet": "1\r\n$4\r\ninfo", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dbbc5e2edbb6135a07a18ec18e8aea92e55256a5", "protocol_details": { "payload_preview": "1\r\n$4\r\ninfo", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "1\r\n$4\r\ninfo", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 24 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "1\r\n$4\r\ninfo", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "1\r\n$4\r\ninfo", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:30:03 UTC	TCP	3201 · SAP Diag	sap-diag	Protocole TDS MSSQL mssql tds · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 32
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload A:0��test.$cmd��serverStatus�? Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 32 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0356 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MSSQL TDS prelogin Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) A:0��test.$cmd��serverStatus�? Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 65, "payload_entropy": 3.3778795428324466, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 32, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0356" ], "kb_rule_ids": [ "pat-0356" ], "matched_patterns": [ "pat-0356", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0356", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 32 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bf7469d78bb1798d5188209f4494c1a3", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 32 }, "payload_preview": "A\u0000\u0000\u0000:0\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000test.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001serverStatus\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "request_sample": "A\u0000\u0000\u0000:0\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000test.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001serverStatus\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "payload_snippet": "A\u0000\u0000\u0000:0\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000test.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001serverStatus\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "evidence": { "request_sample": "A\u0000\u0000\u0000:0\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000test.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001serverStatus\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "payload_snippet": "A\u0000\u0000\u0000:0\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000test.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001serverStatus\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aa365f3a94a1333ae6967008fd762ee20bbde053", "protocol_details": { "payload_preview": "A\u0000\u0000\u0000:0\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000test.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001serverStatus\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "A:0\ufffd\ufffd\ufffd\ufffd\ufffdtest.$cmd\ufffd\ufffd\ufffd\ufffdserverStatus\ufffd?", "attack_vector": "mssql tds \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 32 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 32, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0356" ], "tags_summary_labels_fr": [ "pat-0356" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "A\u0000\u0000\u0000:0\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000test.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001serverStatus\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "mssql tds \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "A:0\ufffd\ufffd\ufffd\ufffd\ufffdtest.$cmd\ufffd\ufffd\ufffd\ufffdserverStatus\ufffd?", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:30:01 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0532 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 18, "payload_entropy": 1.2086489509530647, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0532" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "817773a4a3987fc7642ff30928d792fc", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\u0000\u0003\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u000f\u0000", "request_sample": "\u0000\u0003\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u000f\u0000", "payload_snippet": "\u0000\u0003\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u000f\u0000", "evidence": { "request_sample": "\u0000\u0003\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u000f\u0000", "payload_snippet": "\u0000\u0003\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u000f\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9b6e0bbcc7585f6c1a919ff4eea5bf878e8e8778", "protocol_details": { "payload_preview": "\u0000\u0003\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u000f\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0532" ], "tags_summary_labels_fr": [ "pat-0532" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0003\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u000f\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:58 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde port 3201/TCP port 3201 tcp · via SAP Diag:3201 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags db2_probe net_db2_probe sap_diag_emulated sap_diag_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Preuve honeypot — Sonde port 3201/TCP Connexion détectée sur le port 3201 (TCP) du capteur simulé. Service SAP Diag Payload ��SQLDB2RA�� @ @@@@@@@ Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 42 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup NFS RPC mount RADIUS Access-Request STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��SQLDB2RA�� @ @@@@@@@ Requête brute (extrait) ��SQLDB2RA�� @ @@@@@@@@@@��@@�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 450, "payload_entropy": 1.82286057779224, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "83d4268d6e22fda7f29ee13e5a99bd607b75abcf", "event_fingerprint": "bad93b32e0de94f5d7816836abdb3a70d32cf6e2", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0532", "pat-0577", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "NFS RPC mount", "RADIUS Access-Request", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0532", "pat-0577", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "sap-diag", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "eceedace3cdd6b7c3a4b6f3b21c20f1b", "path_pattern_hash": "d7ff08bc99242d43066c57637f7c90cc" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 42 }, "payload_snippet": "\u0001\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0001\u0000\u0000SQLDB2RA\u0000\u0001\u0000\u0000\u0004\u0001\u0001\u0000\u0005\u0000\u001d\u0000\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\b\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000@\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001", "evidence": { "request_sample": "\u0001\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0001\u0000\u0000SQLDB2RA\u0000\u0001\u0000\u0000\u0004\u0001\u0001\u0000\u0005\u0000\u001d\u0000\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\b\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000@\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0002\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0003\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\b\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0010\u0000\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\u0010\u0000\u0000\u0000\u0001\u0000\u0000\ufffd", "payload_snippet": "\u0001\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0001\u0000\u0000SQLDB2RA\u0000\u0001\u0000\u0000\u0004\u0001\u0001\u0000\u0005\u0000\u001d\u0000\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\b\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000@\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d598aee1c1a25c0aa86d92ee661665118546eae2", "protocol_details": { "payload_preview": "\u0001\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0001\u0000\u0000SQLDB2RA\u0000\u0001\u0000\u0000\u0004\u0001\u0001\u0000\u0005\u0000\u001d\u0000\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\b\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000@\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffd\ufffdSQLDB2RA\ufffd\ufffd\t@\t@@@@@@@", "attack_vector": "port 3201 tcp \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0001\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0001\u0000\u0000SQLDB2RA\u0000\u0001\u0000\u0000\u0004\u0001\u0001\u0000\u0005\u0000\u001d\u0000\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\b\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000@\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "port 3201 tcp \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdSQLDB2RA\ufffd\ufffd\t@\t@@@@@@@", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "db2_probe", "net_db2_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:55 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde Memcached memcached probe · via SAP Diag:3201 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Investiguer Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload stats Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0374 pat-0533 pat-0865 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Memcached stats Memcached stats ET Memcached UDP User-Agent — Règles WAF — Payload (extrait) stats Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 7, "payload_entropy": 2.2359263506290326, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 50, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 164, "precision_signals": [ "pat-0374", "pat-0533", "pat-0865" ], "kb_rule_ids": [ "pat-0374", "pat-0533", "pat-0865" ], "matched_patterns": [ "pat-0374", "pat-0533", "pat-0865" ], "matched_pattern_names": [ "Memcached stats", "Memcached stats", "ET Memcached UDP" ], "pattern_ids": [ "pat-0374", "pat-0533", "pat-0865" ], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "11e629574907d3a9ced402e26f4a98df", "path_pattern_hash": "549d36783f9e3c43618e715d78a40b3b" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 50 }, "payload_preview": "stats\r\n", "request_sample": "stats\r\n", "payload_snippet": "stats", "evidence": { "request_sample": "stats\r\n", "payload_snippet": "stats", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dcb40c975924d1fc20a5fe667edef66492fd3d2c", "protocol_details": { "payload_preview": "stats", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "stats", "attack_vector": "memcached probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 100%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via SAP Diag", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0374", "pat-0533", "pat-0865" ], "tags_summary_labels_fr": [ "pat-0374", "pat-0533", "pat-0865" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "stats", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "memcached probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "stats", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:52 UTC	TCP	3201 · SAP Diag	sap-diag	Protocole TDS MSSQL mssql tds · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags mssql_tds net_mssql_tds sap_diag_emulated sap_diag_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload 4 (�UMSSQLServerH Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 95% Confiance classification 95% Risque capteur Faible · 35 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0519 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MSSQL TDS prelogin Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) 4(�UMSSQLServerH Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 52, "payload_entropy": 3.604409845438833, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 35, "tag_count": 5, "anomaly_count": 0, "campaign_key": "521f1fb9063024cc1e53b6fa10e7e0794598916a", "event_fingerprint": "4f8153c5ba9d6f95678f280bf98a35ddcbd67e3c", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 83, "precision_signals": [ "pat-0519", "INT-upstream" ], "kb_rule_ids": [ "pat-0519", "INT-upstream" ], "matched_patterns": [ "pat-0519", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0519", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "23edc99bdfe5fe902f5ff28aa98ef130", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\f\u0003\u0000(\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000MSSQLServer\u0000H\u000f\u0000\u0000", "request_sample": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\f\u0003\u0000(\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000MSSQLServer\u0000H\u000f\u0000\u0000", "payload_snippet": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\f\u0003\u0000(\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000MSSQLServer\u0000H\u000f\u0000\u0000", "evidence": { "request_sample": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\f\u0003\u0000(\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000MSSQLServer\u0000H\u000f\u0000\u0000", "payload_snippet": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\f\u0003\u0000(\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000MSSQLServer\u0000H\u000f\u0000\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "385873bd2da9e430963ac94e776cdee8a9478559", "protocol_details": { "payload_preview": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\f\u0003\u0000(\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000MSSQLServer\u0000H\u000f\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "4(\ufffdUMSSQLServerH", "attack_vector": "mssql tds \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 95%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0519", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0519", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\f\u0003\u0000(\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000MSSQLServer\u0000H\u000f\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "mssql tds \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "4(\ufffdUMSSQLServerH", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mssql_tds", "net_mssql_tds", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:49 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload root Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) root Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 13, "payload_entropy": 2.7773627950641693, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 35, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ac689fe3945f925dedc198278ca29f1ccae0d96e", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2167ce4c1a0201b2283cc57c40a74bac", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "request_sample": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "payload_snippet": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "evidence": { "request_sample": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "payload_snippet": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ae6bb11adff4258d3b3fc40e414ed9f0e51aa293", "protocol_details": { "payload_preview": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "root", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "root", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe", "socks4_greeting" ] }
17/06/2026 04:29:46 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload � google.comPGET / HTTP/1.0 Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0567 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) � google.comPGET / HTTP/1.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 41, "payload_entropy": 4.503416638553355, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0567" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d345b721f5d98a2b04db9dadef49f152", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0\r\n\r\n", "request_sample": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0", "evidence": { "request_sample": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "90bf32c2817fceabe57431b794a13a635186a4ca", "protocol_details": { "payload_preview": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffd\ngoogle.comPGET \/ HTTP\/1.0", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0567" ], "tags_summary_labels_fr": [ "pat-0567" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ngoogle.comPGET \/ HTTP\/1.0", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:43 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload Z6,� :4�(CONNECT_DATA=(COMMAND=version)) Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) Z6,� :4�(CONNECT_DATA=(COMMAND=version)) Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 90, "payload_entropy": 3.5636982611044665, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ee3f9a4a2b04c32e4d515a179936da49", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\u0000Z\u0000\u0000\u0001\u0000\u0000\u0000\u00016\u0001,\u0000\u0000\b\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000 \u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(CONNECT_DATA=(COMMAND=version))", "request_sample": "\u0000Z\u0000\u0000\u0001\u0000\u0000\u0000\u00016\u0001,\u0000\u0000\b\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000 \u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(CONNECT_DATA=(COMMAND=version))", "payload_snippet": "\u0000Z\u0000\u0000\u0001\u0000\u0000\u0000\u00016\u0001,\u0000\u0000\b\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000 \u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(CONNECT_DATA=(COMMAND=version))", "evidence": { "request_sample": "\u0000Z\u0000\u0000\u0001\u0000\u0000\u0000\u00016\u0001,\u0000\u0000\b\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000 \u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(CONNECT_DATA=(COMMAND=version))", "payload_snippet": "\u0000Z\u0000\u0000\u0001\u0000\u0000\u0000\u00016\u0001,\u0000\u0000\b\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000 \u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(CONNECT_DATA=(COMMAND=version))", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9bc33c287473256bfe9d29d4d4d8850ba2365070", "protocol_details": { "payload_preview": "\u0000Z\u0000\u0000\u0001\u0000\u0000\u0000\u00016\u0001,\u0000\u0000\b\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000 \u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(CONNECT_DATA=(COMMAND=version))", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "Z6,\ufffd :4\ufffd(CONNECT_DATA=(COMMAND=version))", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000Z\u0000\u0000\u0001\u0000\u0000\u0000\u00016\u0001,\u0000\u0000\b\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000 \u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(CONNECT_DATA=(COMMAND=version))", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "Z6,\ufffd :4\ufffd(CONNECT_DATA=(COMMAND=version))", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:40 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde Kafka kafka probe · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 32
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload �� MMS�� NSPlayer/9.0.0.2980; {0000AA00-0A00-00a Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 47% Confiance classification 47% Confiance modérée — signal unique Risque capteur Faible · 32 Confiance : Confiance 47 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0556 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Kafka ApiVersions key RADIUS Access-Request Minecraft varint handshake TFTP RRQ WireGuard handshake User-Agent — Règles WAF — Payload (extrait) ��MMS��NSPlayer/9.0.0.2980; {0000AA00-0A00-00a Requête brute (extrait) �� MMS�� NSPlayer/9.0.0.2980; {0000AA00-0A00-00a0-AA0A-0000A0AA0AA0}�m�_ Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 175, "payload_entropy": 3.1019691748828695, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 32, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 47%", "confidence": 0.47, "classification_confidence": 0.47, "precision_score": 56, "precision_signals": [ "pat-0556" ], "kb_rule_ids": [ "pat-0556" ], "matched_patterns": [ "pat-0556", "pat-0577", "pat-0554", "pat-0536", "pat-0623" ], "matched_pattern_names": [ "Kafka ApiVersions key", "RADIUS Access-Request", "Minecraft varint handshake", "TFTP RRQ", "WireGuard handshake" ], "pattern_ids": [ "pat-0556", "pat-0577", "pat-0554", "pat-0536", "pat-0623" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 32 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 47, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f884620dcffbd325c528857bf10be8ac", "path_pattern_hash": "369bfdf011acc5969bcb68a7ffd2ca13" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 32 }, "payload_snippet": "\u0001\u0000\u0000\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u0000\u0000\u0000MMS\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0001\u0000\u0003\u0000\ufffd\ufffd\ufffd\ufffd\u000b\u0000\u0004\u0000\u001c\u0000\u0003\u0000N\u0000S\u0000P\u0000l\u0000a\u0000y\u0000e\u0000r\u0000\/\u00009\u0000.\u00000\u0000.\u00000\u0000.\u00002\u00009\u00008\u00000\u0000;\u0000 \u0000{\u00000\u00000\u00000\u00000\u0000A\u0000A\u00000\u00000\u0000-\u00000\u0000A\u00000\u00000\u0000-\u00000\u00000\u0000a", "evidence": { "request_sample": "\u0001\u0000\u0000\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u0000\u0000\u0000MMS\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0001\u0000\u0003\u0000\ufffd\ufffd\ufffd\ufffd\u000b\u0000\u0004\u0000\u001c\u0000\u0003\u0000N\u0000S\u0000P\u0000l\u0000a\u0000y\u0000e\u0000r\u0000\/\u00009\u0000.\u00000\u0000.\u00000\u0000.\u00002\u00009\u00008\u00000\u0000;\u0000 \u0000{\u00000\u00000\u00000\u00000\u0000A\u0000A\u00000\u00000\u0000-\u00000\u0000A\u00000\u00000\u0000-\u00000\u00000\u0000a\u00000\u0000-\u0000A\u0000A\u00000\u0000A\u0000-\u00000\u00000\u00000\u00000\u0000A\u00000\u0000A\u0000A\u00000\u0000A\u0000A\u00000\u0000}\u0000\u0000\u0000\ufffdm\ufffd_", "payload_snippet": "\u0001\u0000\u0000\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u0000\u0000\u0000MMS\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0001\u0000\u0003\u0000\ufffd\ufffd\ufffd\ufffd\u000b\u0000\u0004\u0000\u001c\u0000\u0003\u0000N\u0000S\u0000P\u0000l\u0000a\u0000y\u0000e\u0000r\u0000\/\u00009\u0000.\u00000\u0000.\u00000\u0000.\u00002\u00009\u00008\u00000\u0000;\u0000 \u0000{\u00000\u00000\u00000\u00000\u0000A\u0000A\u00000\u00000\u0000-\u00000\u0000A\u00000\u00000\u0000-\u00000\u00000\u0000a", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "08d41366d13a37e83b0c922bb3b73db2623d9473", "protocol_details": { "payload_preview": "\u0001\u0000\u0000\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u0000\u0000\u0000MMS\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0001\u0000\u0003\u0000\ufffd\ufffd\ufffd\ufffd\u000b\u0000\u0004\u0000\u001c\u0000\u0003\u0000N\u0000S\u0000P\u0000l\u0000a\u0000y\u0000e\u0000r\u0000\/\u00009\u0000.\u00000\u0000.\u00000\u0000.\u00002\u00009\u00008\u00000\u0000;\u0000 \u0000{\u00000\u00000\u00000\u00000\u0000A\u0000A\u00000\u00000\u0000-\u00000\u0000A\u00000\u00000\u0000-\u00000\u00000\u0000a", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdMMS\ufffd\ufffd\ufffd\ufffdNSPlayer\/9.0.0.2980; {0000AA00-0A00-00a", "attack_vector": "kafka probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 47%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 47%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100", "confidence_pct": 47, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 32 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 32, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0556" ], "tags_summary_labels_fr": [ "pat-0556" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0001\u0000\u0000\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u0000\u0000\u0000MMS\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0001\u0000\u0003\u0000\ufffd\ufffd\ufffd\ufffd\u000b\u0000\u0004\u0000\u001c\u0000\u0003\u0000N\u0000S\u0000P\u0000l\u0000a\u0000y\u0000e\u0000r\u0000\/\u00009\u0000.\u00000\u0000.\u00000\u0000.\u00002\u00009\u00008\u00000\u0000;\u0000 \u0000{\u00000\u00000\u00000\u00000\u0000A\u0000A\u00000\u00000\u0000-\u00000\u0000A\u00000\u00000\u0000-\u00000\u00000\u0000a", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "kafka probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdMMS\ufffd\ufffd\ufffd\ufffdNSPlayer\/9.0.0.2980; {0000AA00-0A00-00a", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ], "behavior_alert_count": 2, "behavior_priority": 72 }
17/06/2026 04:29:37 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde Java RMI java rmi probe · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 32
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload JRMIK Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 32 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0604 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Java RMI JRMI User-Agent — Règles WAF — Payload (extrait) JRMIK Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 7, "payload_entropy": 2.807354922057604, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 32, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0604" ], "kb_rule_ids": [ "pat-0604" ], "matched_patterns": [ "pat-0604" ], "matched_pattern_names": [ "Java RMI JRMI" ], "pattern_ids": [ "pat-0604" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 32 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d8c49a0f759e2102fb8fa8368049d06a", "path_pattern_hash": "7a566ca86213ccd15a91c0b5a885a24f" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 32 }, "payload_preview": "JRMI\u0000\u0002K", "request_sample": "JRMI\u0000\u0002K", "payload_snippet": "JRMI\u0000\u0002K", "evidence": { "request_sample": "JRMI\u0000\u0002K", "payload_snippet": "JRMI\u0000\u0002K", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "99cebf498aebc288d2ef7303438ab8eb95941f58", "protocol_details": { "payload_preview": "JRMI\u0000\u0002K", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "JRMIK", "attack_vector": "java rmi probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 32 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 32, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0604" ], "tags_summary_labels_fr": [ "pat-0604" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "JRMI\u0000\u0002K", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "java rmi probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "JRMIK", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:34 UTC	TCP	3201 · SAP Diag	sap-diag	Protocole wire MongoDB mongodb wire protocol · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags mongodb_wire_protocol net_mongodb_wire_protocol rdp_cookie_alt sap_diag_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload :/@=/@ Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 80% Confiance classification 80% Risque capteur Faible · 33 Confiance : Confiance 80 % — 6 signal(aux) capteur Protocole émulé 1 Signaux ET-PROTO-MongoDB-Wire Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) NFS RPC mount Mumble ping Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) :/@=/@ Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 60, "payload_entropy": 1.3389205950315934, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 33, "tag_count": 6, "anomaly_count": 0, "campaign_key": "99e441d68f184f6db31858e84b60fb37280a340a", "event_fingerprint": "5a380603751142246e7c164739937d90d11d6f3b", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 80%", "confidence": 0.8, "classification_confidence": 0.8, "precision_score": 90, "precision_signals": [ "ET-PROTO-MongoDB-Wire", "INT-upstream" ], "kb_rule_ids": [ "ET-PROTO-MongoDB-Wire", "INT-upstream" ], "matched_patterns": [ "pat-0532", "pat-0768", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "NFS RPC mount", "Mumble ping", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0532", "pat-0768", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 33 }, "named_classification_skipped": false, "classification_parent": "mongodb_probe", "service_name": "sap-diag", "risk_confidence_factor": 80, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f60433e5ca098d6d06ab4b829e9f35c4", "path_pattern_hash": "9060bd55aeb34075959b54fecab264ea" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 33 }, "payload_preview": ":\u0000\u0000\u0000\/\u0000\u0000\u0000\u0002\u0000\u0000@\u0002\u000f\u0000\u0001\u0000=\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\/\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": ":\u0000\u0000\u0000\/\u0000\u0000\u0000\u0002\u0000\u0000@\u0002\u000f\u0000\u0001\u0000=\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\/\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": ":\u0000\u0000\u0000\/\u0000\u0000\u0000\u0002\u0000\u0000@\u0002\u000f\u0000\u0001\u0000=\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\/\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": ":\u0000\u0000\u0000\/\u0000\u0000\u0000\u0002\u0000\u0000@\u0002\u000f\u0000\u0001\u0000=\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\/\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": ":\u0000\u0000\u0000\/\u0000\u0000\u0000\u0002\u0000\u0000@\u0002\u000f\u0000\u0001\u0000=\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\/\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 80%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d11e217eed1e7421c6e447dec6438fecdb28216a", "protocol_details": { "payload_preview": ":\u0000\u0000\u0000\/\u0000\u0000\u0000\u0002\u0000\u0000@\u0002\u000f\u0000\u0001\u0000=\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\/\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": ":\/@=\/@", "attack_vector": "mongodb wire protocol \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 80 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 80%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 80%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 80, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "ET-PROTO-MongoDB-Wire", "INT-upstream" ], "tags_summary_labels_fr": [ "ET-PROTO-MongoDB-Wire", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": ":\u0000\u0000\u0000\/\u0000\u0000\u0000\u0002\u0000\u0000@\u0002\u000f\u0000\u0001\u0000=\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\/\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "mongodb wire protocol \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": ":\/@=\/@", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 80 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 80 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_wire_protocol", "net_mongodb_wire_protocol", "rdp_cookie_alt", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:31 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload DmdT�� Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) DmdT�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 23, "payload_entropy": 2.6081816167087406, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "947f08e762562490af13d3254ff011a6", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "DmdT\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0011\u0011\u0000\ufffd\u0001\ufffd\u0013", "request_sample": "DmdT\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0011\u0011\u0000\ufffd\u0001\ufffd\u0013", "payload_snippet": "DmdT\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0011\u0011\u0000\ufffd\u0001\ufffd\u0013", "evidence": { "request_sample": "DmdT\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0011\u0011\u0000\ufffd\u0001\ufffd\u0013", "payload_snippet": "DmdT\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0011\u0011\u0000\ufffd\u0001\ufffd\u0013", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "96bcbff064a7c21bd2cc3161b56ce98836a99072", "protocol_details": { "payload_preview": "DmdT\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0011\u0011\u0000\ufffd\u0001\ufffd\u0013", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "DmdT\ufffd\ufffd", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "DmdT\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0011\u0011\u0000\ufffd\u0001\ufffd\u0013", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "DmdT\ufffd\ufffd", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:28 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde port 3201/TCP port 3201 tcp · via SAP Diag:3201 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Preuve honeypot — Sonde port 3201/TCP Connexion détectée sur le port 3201 (TCP) du capteur simulé. Service SAP Diag Payload �� Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 42 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header S7 TPKT packet ET H.323 setup Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 22, "payload_entropy": 3.133919825058653, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0376", "pat-0868", "pat-0554" ], "matched_pattern_names": [ "RDP TPKT header", "S7 TPKT packet", "ET H.323 setup", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0348", "pat-0376", "pat-0868", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "sap-diag", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "097791b86f9950e021480f7ef5b4d939", "path_pattern_hash": "d7ff08bc99242d43066c57637f7c90cc" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 42 }, "payload_preview": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0014\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001\n", "request_sample": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0014\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001\n", "payload_snippet": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0014\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001", "evidence": { "request_sample": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0014\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001\n", "payload_snippet": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0014\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9809a4a490e50b2a42cfff7a1c256e2d54603f71", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0014\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd", "attack_vector": "port 3201 tcp \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0014\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "port 3201 tcp \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:25 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload �t+ Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �t+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 11, "payload_entropy": 2.4040097573248604, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "95bb1798cbe14e09d8a7b5feb33c741f", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\ufffdt\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000", "request_sample": "\ufffdt\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000", "payload_snippet": "\ufffdt\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000", "evidence": { "request_sample": "\ufffdt\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000", "payload_snippet": "\ufffdt\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f4eb9445801d9144e7c4a6911dc635873f56433f", "protocol_details": { "payload_preview": "\ufffdt\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffdt+", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\ufffdt\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdt+", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:22 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload 0.26.00.26.10202cb962ac59075b964b07152d234b70 Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 0.26.00.26.10202cb962ac59075b964b07152d234b70 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 56, "payload_entropy": 3.7279714939527033, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fca620885715d4e346da0f82d84da595", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\u0000\u0000\u0000\u0006\u0000\u0000\u00000.26.0\u0007\u0000\u0000\u00000.26.10202cb962ac59075b964b07152d234b70", "request_sample": "\u0000\u0000\u0000\u0006\u0000\u0000\u00000.26.0\u0007\u0000\u0000\u00000.26.10202cb962ac59075b964b07152d234b70", "payload_snippet": "\u0000\u0000\u0000\u0006\u0000\u0000\u00000.26.0\u0007\u0000\u0000\u00000.26.10202cb962ac59075b964b07152d234b70", "evidence": { "request_sample": "\u0000\u0000\u0000\u0006\u0000\u0000\u00000.26.0\u0007\u0000\u0000\u00000.26.10202cb962ac59075b964b07152d234b70", "payload_snippet": "\u0000\u0000\u0000\u0006\u0000\u0000\u00000.26.0\u0007\u0000\u0000\u00000.26.10202cb962ac59075b964b07152d234b70", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a39d30741eeaf78b68298a578fe8db20d8634b3", "protocol_details": { "payload_preview": "\u0000\u0000\u0000\u0006\u0000\u0000\u00000.26.0\u0007\u0000\u0000\u00000.26.10202cb962ac59075b964b07152d234b70", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "0.26.00.26.10202cb962ac59075b964b07152d234b70", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0000\u0000\u0006\u0000\u0000\u00000.26.0\u0007\u0000\u0000\u00000.26.10202cb962ac59075b964b07152d234b70", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "0.26.00.26.10202cb962ac59075b964b07152d234b70", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:19 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags mongodb_version mongodb_version_2 net_sap_diag_probe sap_diag_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload ){"Type":"Auth","Payload":{"Version":"2"}} Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ){"Type":"Auth","Payload":{"Version":"2"}} Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 49, "payload_entropy": 4.193778152167447, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 35, "tag_count": 6, "anomaly_count": 0, "campaign_key": "e48054eb3637ad72acc8d2d78aab659ba976f69f", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "493a3d213b080175a70a3be3bdf3d870", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": ")\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "request_sample": ")\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "payload_snippet": ")\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "evidence": { "request_sample": ")\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "payload_snippet": ")\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f5048556aa68e1a132f64472f9efae6b48a0fe95", "protocol_details": { "payload_preview": ")\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "){\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": ")\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "){\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_version", "mongodb_version_2", "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:16 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 12, "payload_entropy": 0.8112781244591328, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "89fcddd8e965f8ff958358b927013df6", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "request_sample": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cfe54184c94d8c2f2bfefd8629991c2594ae5ec3", "protocol_details": { "payload_preview": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:13 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde OPC-UA opcua probe · via SAP Diag:3201 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload HELF;��opc.tcp://85.214.126.3:4840 Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 47% Confiance classification 47% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 47 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0626 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) LFI Double-dot bypass OPC UA HEL Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) HELF;��opc.tcp://85.214.126.3:4840 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 59, "payload_entropy": 3.860214023388077, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 40, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 47%", "confidence": 0.47, "classification_confidence": 0.47, "precision_score": 56, "precision_signals": [ "pat-0626" ], "kb_rule_ids": [ "pat-0626" ], "matched_patterns": [ "pat-0103", "pat-0626", "pat-0554" ], "matched_pattern_names": [ "LFI Double-dot bypass", "OPC UA HEL", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0103", "pat-0626", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 47, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "405e43878bd2caed9a786695e348bf9d", "path_pattern_hash": "9665a326f7d8f70f1661dab78807b951" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 40 }, "payload_preview": "HELF;\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001b\u0000\u0000\u0000opc.tcp:\/\/85.214.126.3:4840", "request_sample": "HELF;\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001b\u0000\u0000\u0000opc.tcp:\/\/85.214.126.3:4840", "payload_snippet": "HELF;\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001b\u0000\u0000\u0000opc.tcp:\/\/85.214.126.3:4840", "evidence": { "request_sample": "HELF;\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001b\u0000\u0000\u0000opc.tcp:\/\/85.214.126.3:4840", "payload_snippet": "HELF;\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001b\u0000\u0000\u0000opc.tcp:\/\/85.214.126.3:4840", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2799910e0e55115f843ee5a46833eb5275778881", "protocol_details": { "payload_preview": "HELF;\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001b\u0000\u0000\u0000opc.tcp:\/\/85.214.126.3:4840", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "HELF;\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdopc.tcp:\/\/85.214.126.3:4840", "attack_vector": "opcua probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 47%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 47%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 47, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0626" ], "tags_summary_labels_fr": [ "pat-0626" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "HELF;\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001b\u0000\u0000\u0000opc.tcp:\/\/85.214.126.3:4840", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "opcua probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "HELF;\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdopc.tcp:\/\/85.214.126.3:4840", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:10 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload G�� Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) G�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 16, "payload_entropy": 1.6216407621868583, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f49be22988ace8a28a7eea705f9e0c37", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\u0010\u0000\u0000\u0000G\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\ufffd\u0000", "request_sample": "\u0010\u0000\u0000\u0000G\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\ufffd\u0000", "payload_snippet": "\u0010\u0000\u0000\u0000G\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\ufffd\u0000", "evidence": { "request_sample": "\u0010\u0000\u0000\u0000G\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\ufffd\u0000", "payload_snippet": "\u0010\u0000\u0000\u0000G\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\ufffd\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c1a9c5d34a241fcfda15a8dc15091e8075c152c9", "protocol_details": { "payload_preview": "\u0010\u0000\u0000\u0000G\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\ufffd\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "G\ufffd\ufffd\ufffd", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0010\u0000\u0000\u0000G\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\ufffd\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "G\ufffd\ufffd\ufffd", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:07 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload mi{"code":105,"language":"GO","version":317,"opaque":2,"flag":0,"remark":"","extFields":{"topic":"TBW102"}} Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) mi{"code":105,"language":"GO","version":317,"opaque":2,"flag":0,"remark":"","extFields":{"topic":"TBW102"}} Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 113, "payload_entropy": 4.641748802606944, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "94179f64d7c7524a23b3cbf2af232c73", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\u0000\u0000\u0000m\u0000\u0000\u0000i{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "request_sample": "\u0000\u0000\u0000m\u0000\u0000\u0000i{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "payload_snippet": "\u0000\u0000\u0000m\u0000\u0000\u0000i{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "evidence": { "request_sample": "\u0000\u0000\u0000m\u0000\u0000\u0000i{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "payload_snippet": "\u0000\u0000\u0000m\u0000\u0000\u0000i{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c7e8259cc3535568f39c1b89473749588743a2c4", "protocol_details": { "payload_preview": "\u0000\u0000\u0000m\u0000\u0000\u0000i{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "mi{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0000\u0000m\u0000\u0000\u0000i{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "mi{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:29:04 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload 2W2Cwx^j��2J`{"@timestamp":"2023-11-10T16:31:19.3549634+08:00","message":"t","offset":1000,"type":"filebeat"}6 Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 2W2Cwx^j��2J`{"@timestamp":"2023-11-10T16:31:19.3549634+08:00","message":"t","offset":1000,"type":"filebeat"}6 Requête brute (extrait) 2W2Cwx^j��2J`{"@timestamp":"2023-11-10T16:31:19.3549634+08:00","message":"t","offset":1000,"type":"filebeat"}6� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 131, "payload_entropy": 4.943692969509017, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7ac31581d9769a3294f2b8ec05c3e9e6", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "2W\u0000\u0000\u0000\u00012C\u0000\u0000\u0000wx^\u0000j\u0000\ufffd\ufffd2J\u0000\u0000\u0000\u0001\u0000\u0000\u0000`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}\u0003\u00006", "request_sample": "2W\u0000\u0000\u0000\u00012C\u0000\u0000\u0000wx^\u0000j\u0000\ufffd\ufffd2J\u0000\u0000\u0000\u0001\u0000\u0000\u0000`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}\u0003\u00006\ufffd\u001b", "payload_snippet": "2W\u0000\u0000\u0000\u00012C\u0000\u0000\u0000wx^\u0000j\u0000\ufffd\ufffd2J\u0000\u0000\u0000\u0001\u0000\u0000\u0000`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}\u0003\u00006", "evidence": { "request_sample": "2W\u0000\u0000\u0000\u00012C\u0000\u0000\u0000wx^\u0000j\u0000\ufffd\ufffd2J\u0000\u0000\u0000\u0001\u0000\u0000\u0000`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}\u0003\u00006\ufffd\u001b", "payload_snippet": "2W\u0000\u0000\u0000\u00012C\u0000\u0000\u0000wx^\u0000j\u0000\ufffd\ufffd2J\u0000\u0000\u0000\u0001\u0000\u0000\u0000`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}\u0003\u00006", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "05a2c138774e0fe271fe9ee6bfbf000f1b962774", "protocol_details": { "payload_preview": "2W\u0000\u0000\u0000\u00012C\u0000\u0000\u0000wx^\u0000j\u0000\ufffd\ufffd2J\u0000\u0000\u0000\u0001\u0000\u0000\u0000`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}\u0003\u00006", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "2W2Cwx^j\ufffd\ufffd2J`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}6", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "2W\u0000\u0000\u0000\u00012C\u0000\u0000\u0000wx^\u0000j\u0000\ufffd\ufffd2J\u0000\u0000\u0000\u0001\u0000\u0000\u0000`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}\u0003\u00006", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "2W2Cwx^j\ufffd\ufffd2J`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}6", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ], "behavior_alert_count": 2, "behavior_priority": 72 }
17/06/2026 04:29:01 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload a 4.6.2.3" 8798306680 Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) a 4.6.2.3" 8798306680 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 29, "payload_entropy": 4.064203408622266, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a28a90b32f6006a6cfa98505ba373419", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\u0000\u0000\u0000\u0019a\n\u00074.6.2.3\u0010\u0006\"\t8798306680\u0001", "request_sample": "\u0000\u0000\u0000\u0019a\n\u00074.6.2.3\u0010\u0006\"\t8798306680\u0001", "payload_snippet": "\u0000\u0000\u0000\u0019a\n\u00074.6.2.3\u0010\u0006\"\t8798306680\u0001", "evidence": { "request_sample": "\u0000\u0000\u0000\u0019a\n\u00074.6.2.3\u0010\u0006\"\t8798306680\u0001", "payload_snippet": "\u0000\u0000\u0000\u0019a\n\u00074.6.2.3\u0010\u0006\"\t8798306680\u0001", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "40d8c3f43c9feb7a697b1a4e23f4d5f3f800f5bc", "protocol_details": { "payload_preview": "\u0000\u0000\u0000\u0019a\n\u00074.6.2.3\u0010\u0006\"\t8798306680\u0001", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "a\n4.6.2.3\"\t8798306680", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0000\u0000\u0019a\n\u00074.6.2.3\u0010\u0006\"\t8798306680\u0001", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "a\n4.6.2.3\"\t8798306680", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:58 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload ��]I223.75.123.71 IP USER LOGON QWRtaW4= QWRtaW4= 65536 UTF-8 805306367 1 Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��]I223.75.123.71 IP USER LOGON QWRtaW4= QWRtaW4= 65536 UTF-8 805306367 1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 93, "payload_entropy": 4.682586603096229, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4d682adf59b1d9e41be709f5ccbc8084", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\ufffd\ufffd\ufffd\ufffd\u0000\u0000]\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000I\u0000\u0000\u0000223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1\n\n\n", "request_sample": "\ufffd\ufffd\ufffd\ufffd\u0000\u0000]\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000I\u0000\u0000\u0000223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1\n\n\n", "payload_snippet": "\ufffd\ufffd\ufffd\ufffd\u0000\u0000]\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000I\u0000\u0000\u0000223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1", "evidence": { "request_sample": "\ufffd\ufffd\ufffd\ufffd\u0000\u0000]\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000I\u0000\u0000\u0000223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1\n\n\n", "payload_snippet": "\ufffd\ufffd\ufffd\ufffd\u0000\u0000]\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000I\u0000\u0000\u0000223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0ba1172a2bc3b0adbbadea427a051118c15e9456", "protocol_details": { "payload_preview": "\ufffd\ufffd\ufffd\ufffd\u0000\u0000]\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000I\u0000\u0000\u0000223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd]I223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\ufffd\ufffd\ufffd\ufffd\u0000\u0000]\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000I\u0000\u0000\u0000223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd]I223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:55 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload �`�� Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �`�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 32, "payload_entropy": 1.498778124459133, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "48d1c4bf25ef5b6ad32d76fb795398b9", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\ufffd\u0005\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0002\u0000\u0001\u0000\u0000\ufffd\ufffd", "request_sample": "\ufffd\u0005\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0002\u0000\u0001\u0000\u0000\ufffd\ufffd", "payload_snippet": "\ufffd\u0005\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0002\u0000\u0001\u0000\u0000\ufffd\ufffd", "evidence": { "request_sample": "\ufffd\u0005\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0002\u0000\u0001\u0000\u0000\ufffd\ufffd", "payload_snippet": "\ufffd\u0005\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0002\u0000\u0001\u0000\u0000\ufffd\ufffd", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "597f165b8313b911d8e99586689a0e4b36fdbfa6", "protocol_details": { "payload_preview": "\ufffd\u0005\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0002\u0000\u0001\u0000\u0000\ufffd\ufffd", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffd`\ufffd\ufffd", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\ufffd\u0005\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0002\u0000\u0001\u0000\u0000\ufffd\ufffd", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd`\ufffd\ufffd", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:52 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload EXAMPLE.COM Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 0% Confiance classification 0% Risque capteur Faible · 24 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) EXAMPLE.COM Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 13, "payload_entropy": 3.3927474104487847, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 24, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 24 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b95100bea23f1bbc831cc0175ad22cfe", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 24 }, "payload_preview": "EXAMPLE.COM\r\n", "request_sample": "EXAMPLE.COM\r\n", "payload_snippet": "EXAMPLE.COM", "evidence": { "request_sample": "EXAMPLE.COM\r\n", "payload_snippet": "EXAMPLE.COM", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d5723b2cce085093834a11928414f4c2fecde335", "protocol_details": { "payload_preview": "EXAMPLE.COM", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "EXAMPLE.COM", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 24 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "EXAMPLE.COM", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "EXAMPLE.COM", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:49 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags cryptominer_probe net_sap_diag_probe sap_diag_emulated sap_diag_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"YOUR_WALLET_ADDRESS","pass":"x","agent":"XMRig/6.20.0-C3Pool","algo" Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 0% Confiance classification 0% Risque capteur Faible · 24 Confiance : Confiance 0 % — 6 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"YOUR_WALLET_ADDRESS","pass":"x","agent":"XMRig/6.20.0-C3Pool","algo" Requête brute (extrait) {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"YOUR_WALLET_ADDRESS","pass":"x","agent":"XMRig/6.20.0-C3Pool","algo":["cn/1"],"algo-perf":{"cn/1":63.32038223248976}}} Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 179, "payload_entropy": 5.098770336543975, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 25 }, "risk_score": 24, "tag_count": 6, "anomaly_count": 0, "campaign_key": "dd7ab97f97ef70b537614455b9e309b0d5d90c62", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 25, "risk_score": 24 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c500383ebccf2fc673ea77e9e47d6daf", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 24 }, "payload_preview": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\"", "request_sample": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\":[\"cn\/1\"],\"algo-perf\":{\"cn\/1\":63.32038223248976}}}\n", "payload_snippet": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\"", "evidence": { "request_sample": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\":[\"cn\/1\"],\"algo-perf\":{\"cn\/1\":63.32038223248976}}}\n", "payload_snippet": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\"", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1de9d4431a21e286b5e7d4482c3b087dd0cde51a", "protocol_details": { "payload_preview": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\"", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\"", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 25, "risk_score": 24 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\"", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\"", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cryptominer_probe", "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe", "xmrig_pattern" ] }
17/06/2026 04:28:46 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde PostgreSQL postgres probe · via SAP Diag:3201 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload �� Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 100% Confiance classification 100% Risque capteur Moyen · 45 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0368 pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL cancel request PostgreSQL startup Kafka ApiVersions key Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 14, "payload_entropy": 1.9502120649147467, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0368", "pat-0369" ], "kb_rule_ids": [ "pat-0368", "pat-0369" ], "matched_patterns": [ "pat-0368", "pat-0369", "pat-0556", "pat-0554" ], "matched_pattern_names": [ "PostgreSQL cancel request", "PostgreSQL startup", "Kafka ApiVersions key", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0368", "pat-0369", "pat-0556", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "19214bd9a0c01f9428154f3b658852b6", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 45 }, "payload_preview": "\u0000\u0000\u0000\n\u0000\u0012\u0000\u0000\ufffd\ufffd\ufffd\u0000\u0000", "request_sample": "\u0000\u0000\u0000\n\u0000\u0012\u0000\u0000\ufffd\ufffd\ufffd\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\n\u0000\u0012\u0000\u0000\ufffd\ufffd\ufffd\u0000\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000\n\u0000\u0012\u0000\u0000\ufffd\ufffd\ufffd\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\n\u0000\u0012\u0000\u0000\ufffd\ufffd\ufffd\u0000\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a9673bfb37798bdb2bf14ec1bde43712a4c1420", "protocol_details": { "payload_preview": "\u0000\u0000\u0000\n\u0000\u0012\u0000\u0000\ufffd\ufffd\ufffd\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffd\ufffd\ufffd", "attack_vector": "postgres probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 100%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0368", "pat-0369" ], "tags_summary_labels_fr": [ "pat-0368", "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0000\u0000\u0000\n\u0000\u0012\u0000\u0000\ufffd\ufffd\ufffd\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "postgres probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:43 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload �anonymous_command_on Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �anonymous_command_on Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 40, "payload_entropy": 3.2516094970590266, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ade4c3e7a4c503a0785a09ddcef1efb8", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\ufffd\u0001\u0000\u0001\u0000\u0000\u0000\u0014anonymous_command_on\u0000\u0000\u0000\u0000\b\u0000\u0001\u0000\u0000\u0000\u0000\u0000", "request_sample": "\ufffd\u0001\u0000\u0001\u0000\u0000\u0000\u0014anonymous_command_on\u0000\u0000\u0000\u0000\b\u0000\u0001\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0001\u0000\u0001\u0000\u0000\u0000\u0014anonymous_command_on\u0000\u0000\u0000\u0000\b\u0000\u0001\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\ufffd\u0001\u0000\u0001\u0000\u0000\u0000\u0014anonymous_command_on\u0000\u0000\u0000\u0000\b\u0000\u0001\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0001\u0000\u0001\u0000\u0000\u0000\u0014anonymous_command_on\u0000\u0000\u0000\u0000\b\u0000\u0001\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b930410da3e926a81b7512e374b3f0e99b1592a", "protocol_details": { "payload_preview": "\ufffd\u0001\u0000\u0001\u0000\u0000\u0000\u0014anonymous_command_on\u0000\u0000\u0000\u0000\b\u0000\u0001\u0000\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffdanonymous_command_on", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\ufffd\u0001\u0000\u0001\u0000\u0000\u0000\u0014anonymous_command_on\u0000\u0000\u0000\u0000\b\u0000\u0001\u0000\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdanonymous_command_on", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:40 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload #!:62710* fd135ge@&yt_02123456 Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) #!:62710* fd135ge@&yt_02123456 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 39, "payload_entropy": 4.6632313853624945, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "268e50c3963f0c6fe6ca87afd0ce66b8", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "#\u0000\u0000\u0000\u0012!\u0010\u0003\u001a\u0006:62710\rfd135ge@&yt_02\u0006123456", "request_sample": "#\u0000\u0000\u0000\u0012!\u0010\u0003\u001a\u0006:62710\rfd135ge@&yt_02\u0006123456", "payload_snippet": "#\u0000\u0000\u0000\u0012!\u0010\u0003\u001a\u0006:62710\rfd135ge@&yt_02\u0006123456", "evidence": { "request_sample": "#\u0000\u0000\u0000\u0012!\u0010\u0003\u001a\u0006:62710\rfd135ge@&yt_02\u0006123456", "payload_snippet": "#\u0000\u0000\u0000\u0012!\u0010\u0003\u001a\u0006:62710\rfd135ge@&yt_02\u0006123456", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "53cf03f3b1b9ce65bb0831df070ecd16c7ee64d5", "protocol_details": { "payload_preview": "#\u0000\u0000\u0000\u0012!\u0010\u0003\u001a\u0006:62710\rfd135ge@&yt_02\u0006123456", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "#!:62710\rfd135ge@&yt_02123456", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "#\u0000\u0000\u0000\u0012!\u0010\u0003\u001a\u0006:62710\rfd135ge@&yt_02\u0006123456", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "#!:62710*\rfd135ge@&yt_02123456", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:37 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload �x#.�=��$�'��WE$e�V�>\� Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �x#.�=��$�'��WE$e�V�>\� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 43, "payload_entropy": 5.10068335935326, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f4f17bcdc73af477913b79f96989f7d8", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\ufffdx\u0017\u0001#\u0000\u0000\u0000.\ufffd=\b\ufffd\ufffd\ufffd$\u0000\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffdW\u001dE\u0005$e\ufffdV\ufffd>\\\ufffd", "request_sample": "\ufffdx\u0017\u0001#\u0000\u0000\u0000.\ufffd=\b\ufffd\ufffd\ufffd$\u0000\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffdW\u001dE\u0005$e\ufffdV\ufffd>\\\ufffd", "payload_snippet": "\ufffdx\u0017\u0001#\u0000\u0000\u0000.\ufffd=\b\ufffd\ufffd\ufffd$\u0000\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffdW\u001dE\u0005$e\ufffdV\ufffd>\\\ufffd", "evidence": { "request_sample": "\ufffdx\u0017\u0001#\u0000\u0000\u0000.\ufffd=\b\ufffd\ufffd\ufffd$\u0000\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffdW\u001dE\u0005$e\ufffdV\ufffd>\\\ufffd", "payload_snippet": "\ufffdx\u0017\u0001#\u0000\u0000\u0000.\ufffd=\b\ufffd\ufffd\ufffd$\u0000\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffdW\u001dE\u0005$e\ufffdV\ufffd>\\\ufffd", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6758fcdf118fb20dfb95ed5492acd3be270acc31", "protocol_details": { "payload_preview": "\ufffdx\u0017\u0001#\u0000\u0000\u0000.\ufffd=\b\ufffd\ufffd\ufffd$\u0000\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffdW\u001dE\u0005$e\ufffdV\ufffd>\\\ufffd", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffdx#.\ufffd=\ufffd\ufffd\ufffd$\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdWE$e\ufffdV\ufffd>\\\ufffd", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\ufffdx\u0017\u0001#\u0000\u0000\u0000.\ufffd=\b\ufffd\ufffd\ufffd$\u0000\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffdW\u001dE\u0005$e\ufffdV\ufffd>\\\ufffd", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdx#.\ufffd=\ufffd\ufffd\ufffd$\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdWE$e\ufffdV\ufffd>\\\ufffd", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:34 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload �+<M��noneppap Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �+<M��noneppap Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 156, "payload_entropy": 1.0056921668856296, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5ca0ed1490012fe941f931322c79c1f4", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_snippet": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\ufffd\ufffd\u0000\u0001none\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000ppap\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\ufffd\ufffd\u0000\u0001none\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000ppap\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\ufffd\ufffd\u0000\u0001none\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000ppap\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "706a5b7db35fa9a6a706c50227362c56ebfe2201", "protocol_details": { "payload_preview": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\ufffd\ufffd\u0000\u0001none\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000ppap\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffd+<M\ufffd\ufffdnoneppap", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\ufffd\ufffd\u0000\u0001none\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000ppap\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd+<M\ufffd\ufffdnoneppap", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:31 UTC	TCP	3201 · SAP Diag	sap-diag	Cross-site scripting xss attack · via SAP Diag:3201 · (tentative d'exploit)	Élevée	Faible · 39
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='ru-RU' to='. Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 59% Confiance classification 59% Risque capteur Faible · 39 Confiance : Confiance 59 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 LFI Double-dot bypass XMPP stream User-Agent — Règles WAF — Payload (extrait) <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='ru-RU' to='. Requête brute (extrait) <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.' version='1.0'> Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 144, "payload_entropy": 4.6684321087757565, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 68, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 39, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284", "pat-0103", "pat-0530" ], "matched_pattern_names": [ "CRS 941130", "LFI Double-dot bypass", "XMPP stream" ], "pattern_ids": [ "pat-0284", "pat-0103", "pat-0530" ], "confidence_breakdown": { "waf": 8, "classification": 68, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2c2f7964ac7971e254cec36837483540", "path_pattern_hash": "e84c630ed8a3a6084c1b662f626e7300" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 39 }, "payload_preview": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.", "request_sample": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.' version='1.0'>", "payload_snippet": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.", "evidence": { "request_sample": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.' version='1.0'>", "payload_snippet": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "edf33422bd5c73e144f7eeee85c79741cd3d5f7b", "protocol_details": { "payload_preview": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.", "attack_vector": "xss attack \u00b7 via SAP Diag:3201 \u00b7 (tentative d'exploit)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 59%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 39\/100 (Faible) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SAP Diag", "confidence_pct": 59, "confidence_breakdown": { "waf": 8, "classification": 68, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 39 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 39, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "xss attack \u00b7 via SAP Diag:3201 \u00b7 (tentative d'exploit)", "evidence_snippet": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ], "behavior_alert_count": 1, "behavior_priority": 96 }
17/06/2026 04:28:28 UTC	TCP	3201 · SAP Diag	sap-diag	Protocole TDS MSSQL mssql tds · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 32
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags mssql_tds net_mssql_tds sap_diag_emulated sap_diag_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload index� Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 32 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0768 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) index� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 20, "payload_entropy": 2.1709505944546685, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 32, "tag_count": 5, "anomaly_count": 0, "campaign_key": "521f1fb9063024cc1e53b6fa10e7e0794598916a", "event_fingerprint": "4f8153c5ba9d6f95678f280bf98a35ddcbd67e3c", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0768" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 32 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "78303524a43907117dd5e6de4f427da3", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 32 }, "payload_preview": "\u0012\u0002index\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\u0000", "request_sample": "\u0012\u0002index\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\u0000", "payload_snippet": "\u0012\u0002index\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0012\u0002index\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\u0000", "payload_snippet": "\u0012\u0002index\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fcda798431c37e6f64921d2f1c1bd08f0fd47f63", "protocol_details": { "payload_preview": "\u0012\u0002index\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "index\ufffd", "attack_vector": "mssql tds \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10, "risk_score": 32 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 32, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0768" ], "tags_summary_labels_fr": [ "pat-0768" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0012\u0002index\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "mssql tds \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "index\ufffd", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mssql_tds", "net_mssql_tds", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:25 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload ��JoinåNodes�UserStateLen��Addr��8�Incarnation�Meta��Name�DESKTOP-NR8TTVR�Port� �State�Vsn� Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��JoinåNodes�UserStateLen��Addr��8�Incarnation�Meta��Name�DESKTOP-NR8TTVR�Port� �State�Vsn� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 118, "payload_entropy": 5.151202745659785, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e4c389aa171b6c4fc8c08b745ec87f45", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\u0006\ufffd\ufffdJoin\u00e5Nodes\u0001\ufffdUserStateLen\u0000\ufffd\ufffdAddr\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd8\u0001\ufffdIncarnation\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\u001f\n\ufffdState\u0000\ufffdVsn\ufffd\u0001\u0005\u0002\u0000\u0000\u0000", "request_sample": "\u0006\ufffd\ufffdJoin\u00e5Nodes\u0001\ufffdUserStateLen\u0000\ufffd\ufffdAddr\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd8\u0001\ufffdIncarnation\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\u001f\n\ufffdState\u0000\ufffdVsn\ufffd\u0001\u0005\u0002\u0000\u0000\u0000", "payload_snippet": "\u0006\ufffd\ufffdJoin\u00e5Nodes\u0001\ufffdUserStateLen\u0000\ufffd\ufffdAddr\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd8\u0001\ufffdIncarnation\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\u001f\n\ufffdState\u0000\ufffdVsn\ufffd\u0001\u0005\u0002\u0000\u0000\u0000", "evidence": { "request_sample": "\u0006\ufffd\ufffdJoin\u00e5Nodes\u0001\ufffdUserStateLen\u0000\ufffd\ufffdAddr\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd8\u0001\ufffdIncarnation\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\u001f\n\ufffdState\u0000\ufffdVsn\ufffd\u0001\u0005\u0002\u0000\u0000\u0000", "payload_snippet": "\u0006\ufffd\ufffdJoin\u00e5Nodes\u0001\ufffdUserStateLen\u0000\ufffd\ufffdAddr\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd8\u0001\ufffdIncarnation\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\u001f\n\ufffdState\u0000\ufffdVsn\ufffd\u0001\u0005\u0002\u0000\u0000\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9d0a272f5a85df2b5df7b0b461ee57ccd02115b8", "protocol_details": { "payload_preview": "\u0006\ufffd\ufffdJoin\u00e5Nodes\u0001\ufffdUserStateLen\u0000\ufffd\ufffdAddr\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd8\u0001\ufffdIncarnation\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\u001f\n\ufffdState\u0000\ufffdVsn\ufffd\u0001\u0005\u0002\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffd\ufffdJoin\u00e5Nodes\ufffdUserStateLen\ufffd\ufffdAddr\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffdIncarnation\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\n\ufffdState\ufffdVsn\ufffd", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0006\ufffd\ufffdJoin\u00e5Nodes\u0001\ufffdUserStateLen\u0000\ufffd\ufffdAddr\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd8\u0001\ufffdIncarnation\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\u001f\n\ufffdState\u0000\ufffdVsn\ufffd\u0001\u0005\u0002\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdJoin\u00e5Nodes\ufffdUserStateLen\ufffd\ufffdAddr\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffdIncarnation\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\n\ufffdState\ufffdVsn\ufffd", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:22 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde RDP rdp probe · via SAP Diag:3201 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Investiguer Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload � Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0348 pat-0352 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header RDP negotiation ET H.323 setup Mumble ping Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) � Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 11, "payload_entropy": 1.6729330318733675, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 50, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0348", "pat-0352" ], "kb_rule_ids": [ "pat-0348", "pat-0352" ], "matched_patterns": [ "pat-0348", "pat-0352", "pat-0868", "pat-0768", "pat-0554" ], "matched_pattern_names": [ "RDP TPKT header", "RDP negotiation", "ET H.323 setup", "Mumble ping", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0348", "pat-0352", "pat-0868", "pat-0768", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6771a78868614c6768349c36da4591da", "path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 50 }, "payload_preview": "\u0003\u0000\u0000\u000b\u0006\ufffd\u0000\u0000\u0000\u0000\u0000", "request_sample": "\u0003\u0000\u0000\u000b\u0006\ufffd\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u000b\u0006\ufffd\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0003\u0000\u0000\u000b\u0006\ufffd\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u000b\u0006\ufffd\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0ed2ed5692760f79ce4a3c56a816b4b7a49d7fce", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u000b\u0006\ufffd\u0000\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffd", "attack_vector": "rdp probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 100%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via SAP Diag", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0348", "pat-0352" ], "tags_summary_labels_fr": [ "pat-0348", "pat-0352" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u000b\u0006\ufffd\u0000\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "rdp probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:19 UTC	TCP	3201 · SAP Diag	sap-diag	Protocole TDS MSSQL mssql tds · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 32
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload TNMPTNME Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 32 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0356 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MSSQL TDS prelogin Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) TNMPTNME Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 16, "payload_entropy": 2.5306390622295662, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 32, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0356" ], "kb_rule_ids": [ "pat-0356" ], "matched_patterns": [ "pat-0356", "pat-0554" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0356", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 32 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4128f0bf8d86360e67d6f2d54987a8fb", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 32 }, "payload_preview": "TNMP\u0004\u0000\u0000\u0000TNME\u0000\u0000\u0004\u0000", "request_sample": "TNMP\u0004\u0000\u0000\u0000TNME\u0000\u0000\u0004\u0000", "payload_snippet": "TNMP\u0004\u0000\u0000\u0000TNME\u0000\u0000\u0004\u0000", "evidence": { "request_sample": "TNMP\u0004\u0000\u0000\u0000TNME\u0000\u0000\u0004\u0000", "payload_snippet": "TNMP\u0004\u0000\u0000\u0000TNME\u0000\u0000\u0004\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c84e1beb8d61fe7e144d2ce4bebd7bb04a2074c0", "protocol_details": { "payload_preview": "TNMP\u0004\u0000\u0000\u0000TNME\u0000\u0000\u0004\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "TNMPTNME", "attack_vector": "mssql tds \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 32 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 32, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0356" ], "tags_summary_labels_fr": [ "pat-0356" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "TNMP\u0004\u0000\u0000\u0000TNME\u0000\u0000\u0004\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "mssql tds \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "TNMPTNME", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:16 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde HTTP smuggling http smuggling probe · via SAP Diag:3201 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur SAP-DIAG WAF — Recommandation Investiguer Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload INVITES sip:nm SIP/2.0 Via: SIP/2.0/TCP nm;branch=foo From: <sip:nm@nm>;tag=root To: <sip:nm2@nm2> Call-ID: 50000 CSeq: 42 Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 95% Confiance classification 95% Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL SIP protocol User-Agent — Règles WAF — Payload (extrait) INVITES sip:nm SIP/2.0 Via: SIP/2.0/TCP nm;branch=foo From: <sip:nm@nm>;tag=root To: <sip:nm2@nm2> Call-ID: 50000 CSeq: 42 Requête brute (extrait) INVITES sip:nm SIP/2.0 Via: SIP/2.0/TCP nm;branch=foo From: <sip:nm@nm>;tag=root To: <sip:nm2@nm2> Call-ID: 50000 CSeq: 42 OPTIONS Max-Forwards: 70 Content-Length: 0 Contact: <sip:nm@nm> Accept: application/sdp Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 223, "payload_entropy": 5.2138020186451035, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0384" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "SIP protocol" ], "pattern_ids": [ "pat-0842", "pat-0384" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a45f037b8553e06cc139b7e55155fc44", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 52 }, "payload_preview": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 ", "request_sample": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application\/sdp\r\n\r\n", "payload_snippet": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "evidence": { "request_sample": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application\/sdp\r\n\r\n", "payload_snippet": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cfbf7586621a94740fa324a17400aafe4d3bb151", "protocol_details": { "payload_preview": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "attack_vector": "http smuggling probe \u00b7 via SAP Diag:3201 \u00b7 (tentative d'exploit)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 95%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via SAP Diag", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 52 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "http smuggling probe \u00b7 via SAP Diag:3201 \u00b7 (tentative d'exploit)", "evidence_snippet": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:13 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde HTTP smuggling http smuggling probe · via SAP Diag:3201 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur SAP-DIAG WAF — Recommandation Investiguer Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload OPTIONS sip:nm SIP/2.0 Via: SIP/2.0/TCP nm;branch=foo From: <sip:nm@nm>;tag=root To: <sip:nm2@nm2> Call-ID: 50000 CSeq: 42 Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 95% Confiance classification 95% Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL SIP protocol HTTP OPTIONS method SIP OPTIONS User-Agent — Règles WAF — Payload (extrait) OPTIONS sip:nm SIP/2.0 Via: SIP/2.0/TCP nm;branch=foo From: <sip:nm@nm>;tag=root To: <sip:nm2@nm2> Call-ID: 50000 CSeq: 42 Requête brute (extrait) OPTIONS sip:nm SIP/2.0 Via: SIP/2.0/TCP nm;branch=foo From: <sip:nm@nm>;tag=root To: <sip:nm2@nm2> Call-ID: 50000 CSeq: 42 OPTIONS Max-Forwards: 70 Content-Length: 0 Contact: <sip:nm@nm> Accept: application/sdp Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 223, "payload_entropy": 5.197167462839961, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0384", "pat-0420", "pat-0535" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "SIP protocol", "HTTP OPTIONS method", "SIP OPTIONS" ], "pattern_ids": [ "pat-0842", "pat-0384", "pat-0420", "pat-0535" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0712a7f81d9d033f2caa8a8a90bbc4a8", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 52 }, "payload_preview": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 ", "request_sample": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application\/sdp\r\n\r\n", "payload_snippet": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "evidence": { "request_sample": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application\/sdp\r\n\r\n", "payload_snippet": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1b3ed89e202bcb039d84eb4631d9cf8a0b84ca86", "protocol_details": { "payload_preview": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "attack_vector": "http smuggling probe \u00b7 via SAP Diag:3201 \u00b7 (tentative d'exploit)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 95%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via SAP Diag", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 52 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "http smuggling probe \u00b7 via SAP Diag:3201 \u00b7 (tentative d'exploit)", "evidence_snippet": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:10 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde LDAP ldap probe · via SAP Diag:3201 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload 0 `� Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0859 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ET LDAP anon bind Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) 0`� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 14, "payload_entropy": 2.9852281360342516, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0859" ], "kb_rule_ids": [ "pat-0859" ], "matched_patterns": [ "pat-0859", "pat-0554" ], "matched_pattern_names": [ "ET LDAP anon bind", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0859", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "548b3df94bdc85e8b94b0de75b5e0379", "path_pattern_hash": "79ba87c92cce1f6abf5b6560fb8afdba" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 45 }, "payload_preview": "0\f\u0002\u0001\u0001`\u0007\u0002\u0001\u0002\u0004\u0000\ufffd\u0000", "request_sample": "0\f\u0002\u0001\u0001`\u0007\u0002\u0001\u0002\u0004\u0000\ufffd\u0000", "payload_snippet": "0\f\u0002\u0001\u0001`\u0007\u0002\u0001\u0002\u0004\u0000\ufffd\u0000", "evidence": { "request_sample": "0\f\u0002\u0001\u0001`\u0007\u0002\u0001\u0002\u0004\u0000\ufffd\u0000", "payload_snippet": "0\f\u0002\u0001\u0001`\u0007\u0002\u0001\u0002\u0004\u0000\ufffd\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ac7839b622eda641da4f8b5b5104cb6469f53d9e", "protocol_details": { "payload_preview": "0\f\u0002\u0001\u0001`\u0007\u0002\u0001\u0002\u0004\u0000\ufffd\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "0`\ufffd", "attack_vector": "ldap probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0859" ], "tags_summary_labels_fr": [ "pat-0859" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "0\f\u0002\u0001\u0001`\u0007\u0002\u0001\u0002\u0004\u0000\ufffd\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "ldap probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "0`\ufffd", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:07 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload 0�-c�$ d� objectClass0� Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0768 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 0�-c�$ d�objectClass0� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 51, "payload_entropy": 3.7946877264252636, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0768" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "edc124f1d34ba290330abcac2736b204", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "0\ufffd\u0000\u0000\u0000-\u0002\u0001\u0007c\ufffd\u0000\u0000\u0000$\u0004\u0000\n\u0001\u0000\n\u0001\u0000\u0002\u0001\u0000\u0002\u0001d\u0001\u0001\u0000\ufffd\u000bobjectClass0\ufffd\u0000\u0000\u0000\u0000", "request_sample": "0\ufffd\u0000\u0000\u0000-\u0002\u0001\u0007c\ufffd\u0000\u0000\u0000$\u0004\u0000\n\u0001\u0000\n\u0001\u0000\u0002\u0001\u0000\u0002\u0001d\u0001\u0001\u0000\ufffd\u000bobjectClass0\ufffd\u0000\u0000\u0000\u0000", "payload_snippet": "0\ufffd\u0000\u0000\u0000-\u0002\u0001\u0007c\ufffd\u0000\u0000\u0000$\u0004\u0000\n\u0001\u0000\n\u0001\u0000\u0002\u0001\u0000\u0002\u0001d\u0001\u0001\u0000\ufffd\u000bobjectClass0\ufffd\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "0\ufffd\u0000\u0000\u0000-\u0002\u0001\u0007c\ufffd\u0000\u0000\u0000$\u0004\u0000\n\u0001\u0000\n\u0001\u0000\u0002\u0001\u0000\u0002\u0001d\u0001\u0001\u0000\ufffd\u000bobjectClass0\ufffd\u0000\u0000\u0000\u0000", "payload_snippet": "0\ufffd\u0000\u0000\u0000-\u0002\u0001\u0007c\ufffd\u0000\u0000\u0000$\u0004\u0000\n\u0001\u0000\n\u0001\u0000\u0002\u0001\u0000\u0002\u0001d\u0001\u0001\u0000\ufffd\u000bobjectClass0\ufffd\u0000\u0000\u0000\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "86a8a4c7ec4cedc614568e9b9f0b622a6ace0e60", "protocol_details": { "payload_preview": "0\ufffd\u0000\u0000\u0000-\u0002\u0001\u0007c\ufffd\u0000\u0000\u0000$\u0004\u0000\n\u0001\u0000\n\u0001\u0000\u0002\u0001\u0000\u0002\u0001d\u0001\u0001\u0000\ufffd\u000bobjectClass0\ufffd\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "0\ufffd-c\ufffd$\n\nd\ufffdobjectClass0\ufffd", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0768" ], "tags_summary_labels_fr": [ "pat-0768" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "0\ufffd\u0000\u0000\u0000-\u0002\u0001\u0007c\ufffd\u0000\u0000\u0000$\u0004\u0000\n\u0001\u0000\n\u0001\u0000\u0002\u0001\u0000\u0002\u0001d\u0001\u0001\u0000\ufffd\u000bobjectClass0\ufffd\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "0\ufffd-c\ufffd$\n\nd\ufffdobjectClass0\ufffd", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:04 UTC	TCP	3201 · SAP Diag	sap-diag	modbus probe modbus probe · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload ��versionfGH� =Z ��YKI � ģA��/Satoshi:0.15.1/ Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 33 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0357 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Modbus TCP header Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��versionfGH� =Z ��YKI � ģA��/Satoshi:0.15.1/ Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 126, "payload_entropy": 3.6365655435185062, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 33, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0357" ], "kb_rule_ids": [ "pat-0357" ], "matched_patterns": [ "pat-0357", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Modbus TCP header", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0357", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "98cb3978bd8d0583d0e6d69919db9eca", "path_pattern_hash": "8ae4962b81dca47862d9dd3befc69030" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 33 }, "payload_snippet": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000f\u0000\u0000\u0000GH\ufffd\u0013\u0011\u0001\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\t=Z\u0000\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdYKI\u000b \ufffd\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0123A\ufffd\u0004\ufffd\ufffd\u0010\/Satoshi:0.15.1\/\u0000\u0000\u0000\u0000\u0001", "evidence": { "request_sample": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000f\u0000\u0000\u0000GH\ufffd\u0013\u0011\u0001\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\t=Z\u0000\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdYKI\u000b \ufffd\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0123A\ufffd\u0004\ufffd\ufffd\u0010\/Satoshi:0.15.1\/\u0000\u0000\u0000\u0000\u0001", "payload_snippet": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000f\u0000\u0000\u0000GH\ufffd\u0013\u0011\u0001\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\t=Z\u0000\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdYKI\u000b \ufffd\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0123A\ufffd\u0004\ufffd\ufffd\u0010\/Satoshi:0.15.1\/\u0000\u0000\u0000\u0000\u0001", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "ics_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e900d7dfb494e07b5c39b0f73d9797ae7d0d3130", "protocol_details": { "payload_preview": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000f\u0000\u0000\u0000GH\ufffd\u0013\u0011\u0001\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\t=Z\u0000\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdYKI\u000b \ufffd\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0123A\ufffd\u0004\ufffd\ufffd\u0010\/Satoshi:0.15.1\/\u0000\u0000\u0000\u0000\u0001", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdversionfGH\ufffd\r\t=Z\t\ufffd\ufffdYKI \ufffd\r\u0123A\ufffd\ufffd\ufffd\/Satoshi:0.15.1\/", "attack_vector": "modbus probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0357" ], "tags_summary_labels_fr": [ "pat-0357" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000f\u0000\u0000\u0000GH\ufffd\u0013\u0011\u0001\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\t=Z\u0000\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdYKI\u000b \ufffd\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0123A\ufffd\u0004\ufffd\ufffd\u0010\/Satoshi:0.15.1\/\u0000\u0000\u0000\u0000\u0001", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "modbus probe \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdversionfGH\ufffd\r\t=Z\t\ufffd\ufffdYKI \ufffd\r\u0123A\ufffd\ufffd\ufffd\/Satoshi:0.15.1\/", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:28:01 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload default Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0577 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) default Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 9, "payload_entropy": 3.169925001442312, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0577" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "39b37e76df338b7381ea8bb116701c98", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\u0001default\n", "request_sample": "\u0001default\n", "payload_snippet": "\u0001default", "evidence": { "request_sample": "\u0001default\n", "payload_snippet": "\u0001default", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c01e78194adeae473150173f8214232a7ed8c9db", "protocol_details": { "payload_preview": "\u0001default", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "default", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0577" ], "tags_summary_labels_fr": [ "pat-0577" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0001default", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "default", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:27:58 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags http_get_probe net_sap_diag_probe sap_diag_emulated sap_diag_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0 Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 0% Confiance classification 0% Risque capteur Faible · 24 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 53, "payload_entropy": 4.704058897836964, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25 }, "risk_score": 24, "tag_count": 5, "anomaly_count": 0, "campaign_key": "01ceb8c87a40d6fa42f5e666b2c2a99e17d46fba", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25, "risk_score": 24 }, "named_classification_skipped": false, "service_name": "sap-diag", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "08bd34a37b11f5c307f84418e0c2a579", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 24 }, "payload_preview": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\r\n\r\n", "request_sample": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "evidence": { "request_sample": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7fe17214e9f25a440664509b89a29ebabea99464", "protocol_details": { "payload_preview": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25, "risk_score": 24 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:27:55 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload l Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0768 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) l Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 12, "payload_entropy": 0.8166890883150209, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0768" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad33d13d6bc3bd05c9957f130811a989", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0fda1bafa2dcc0edf358aa008f9942975d0e5e4e", "protocol_details": { "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "l", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0768" ], "tags_summary_labels_fr": [ "pat-0768" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "l", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
17/06/2026 04:27:52 UTC	TCP	3201 · SAP Diag	sap-diag	Sonde SAP Diag/GUI Sonde SAP Diag/GUI · via SAP Diag:3201 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SAP-DIAG WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3201 Chemin / cible — Service SAP Diag Payload ��SMBr@@�PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1. Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��SMBr@@�PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1. Requête brute (extrait) ��SMBr@@�PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.2X002SambaNT LANMAN 1.0NT LM 0.12 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 168, "payload_entropy": 4.517824025292926, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "TH", "dst_port": 3201, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5cb40ef5667cc05163a177c502ae7d2aad664cb0", "event_fingerprint": "be856d45158760e68b4d3e00ed7324babfe881e3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "service_name": "sap-diag", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c8b954e7bc1bc076c8d1bd64820e67f", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3201, "service": "sap-diag", "service_name": "sap-diag", "risk_score": 35 }, "payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "request_sample": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.2X002\u0000\u0002Samba\u0000\u0002NT LANMAN 1.0\u0000\u0002NT LM 0.12\u0000", "payload_snippet": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "evidence": { "request_sample": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.2X002\u0000\u0002Samba\u0000\u0002NT LANMAN 1.0\u0000\u0002NT LM 0.12\u0000", "payload_snippet": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "26ee8c4849daeeaf4d816d6a1a5d00aaef12c917", "protocol_details": { "payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "evidence_snippet": "\ufffd\ufffdSMBr@@\ufffdPC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.", "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "sap-diag", "service_label_fr": "SAP Diag", "dst_port": 3201, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-diag", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMBr\u0000\u0000\u0000\u0000\b\u0001@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0006\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0002PC NETWORK PROGRAM 1.0\u0000\u0002MICROSOFT NETWORKS 1.03\u0000\u0002MICROSOFT NETWORKS 3.0\u0000\u0002LANMAN1.0\u0000\u0002LM1.", "port": 3201, "service": "sap-diag", "service_label_fr": "SAP Diag" }, "attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:3201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdSMBr@@\ufffdPC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.", "target_port_label": "3201 \u00b7 SAP Diag", "emulator_service": "sap-diag", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_diag", "service_banner": "honeypot-sap-diag", "service_os": "linux", "dst_port": "3201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }

152.32.245.27

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence