Détails IP 158.106.204.166

Synthèse exécutive

Profil de menace

Score de risque 52/100 Moyen

Première observation 17/06/2026 18:11 UTC

Dernière observation 17/06/2026 20:49 UTC

Événements (période) 636

MITRE ATT&CK principal TA0007 507 occurrences

Activité suspecte · risque 38/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 8

Comparaison ASN / FAI

ASN 46450 · 158.106.192.0/19 · ARIN · 636 événements sur la période pour cette IP.

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

MSMQ TCP 213 JETDIRECT TCP 203 EPMD TCP 200 WEBLOGIC TCP 12 HTTP TCP 8

MSMQ

213

JETDIRECT

203

EPMD

200

WEBLOGIC

HTTP

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

636 événement(s) — page 3/13

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 20:48:58 UTC	TCP	9100 · JETDIRECT	jetdirect	jetdirect jetdirect · via JETDIRECT:9100 · (sonde / probe)	Faible	Faible · 6
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur JETDIRECT WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9100 Chemin / cible — Service JETDIRECT Payload %-12345X@PJL INFO ID %-12345X Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 6 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0514 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) %-12345X@PJL INFO ID %-12345X Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a", "emulator_response_len": 40, "bytes_in": 34, "payload_entropy": 4.322756958897398, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "jetdirect", "app_proto": "jetdirect", "asn": 46450, "country": "US", "dst_port": 9100, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 6, "tag_count": 0, "anomaly_count": 0, "campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72", "event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0514" ], "classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 6 }, "service_name": "jetdirect", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "32da1f0d5c5a68cb1ebf5d845ec43555", "path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080" }, "target_context": { "dst_port": 9100, "service": "jetdirect", "service_name": "jetdirect", "risk_score": 6 }, "payload_preview": "\u001b%-12345X@PJL INFO ID\r\n\u001b%-12345X\r\n", "request_sample": "\u001b%-12345X@PJL INFO ID\r\n\u001b%-12345X\r\n", "payload_snippet": "\u001b%-12345X@PJL INFO ID\r\n\u001b%-12345X", "evidence": { "request_sample": "\u001b%-12345X@PJL INFO ID\r\n\u001b%-12345X\r\n", "payload_snippet": "\u001b%-12345X@PJL INFO ID\r\n\u001b%-12345X", "classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ab3094fbc9d06d32b67415cd072d37833bf9b046", "protocol_details": { "payload_preview": "\u001b%-12345X@PJL INFO ID\r\n\u001b%-12345X", "port": 9100, "service": "jetdirect", "service_label_fr": "JETDIRECT" }, "evidence_snippet": "%-12345X@PJL INFO ID\r\n%-12345X", "attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)", "target_port_label": "9100 \u00b7 JETDIRECT", "emulator_service": "jetdirect", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 6 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 6, "risk_label": "Faible", "service_name": "jetdirect", "service_label_fr": "JETDIRECT", "dst_port": 9100, "protocol_emulated": true, "tags_summary": [ "pat-0514" ], "tags_summary_labels_fr": [ "pat-0514" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-jetdirect", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u001b%-12345X@PJL INFO ID\r\n\u001b%-12345X", "port": 9100, "service": "jetdirect", "service_label_fr": "JETDIRECT" }, "attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)", "evidence_snippet": "%-12345X@PJL INFO ID\r\n%-12345X", "target_port_label": "9100 \u00b7 JETDIRECT", "emulator_service": "jetdirect", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "jetdirect", "service_banner": "honeypot-jetdirect", "service_os": "linux", "dst_port": "9100" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "behavior_alert_count": 2, "behavior_priority": 72 }
17/06/2026 20:48:58 UTC	TCP	9100 · JETDIRECT	jetdirect	jetdirect jetdirect · via JETDIRECT:9100 · (sonde / probe)	Moyenne	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur JETDIRECT WAF — Recommandation Surveiller Tags http2_preface Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9100 Chemin / cible — Service JETDIRECT Payload PRI * HTTP/2.0 SM Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0768 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) PRI * HTTP/2.0 SM Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a", "emulator_response_len": 40, "bytes_in": 33, "payload_entropy": 3.65045472541906, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "jetdirect", "app_proto": "jetdirect", "asn": 46450, "country": "US", "dst_port": 9100, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "098db2a192f38cf253c354b9432b98bacf217e3a", "event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0768" ], "classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 35 }, "service_name": "jetdirect", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "da74b3e9488c0813fcd76f6273b0c115", "path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080" }, "target_context": { "dst_port": 9100, "service": "jetdirect", "service_name": "jetdirect", "risk_score": 35 }, "payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93790c5aadfd811073314389bbce9937b8789066", "protocol_details": { "payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "port": 9100, "service": "jetdirect", "service_label_fr": "JETDIRECT" }, "evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM", "attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)", "target_port_label": "9100 \u00b7 JETDIRECT", "emulator_service": "jetdirect", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "jetdirect", "service_label_fr": "JETDIRECT", "dst_port": 9100, "protocol_emulated": true, "tags_summary": [ "pat-0768" ], "tags_summary_labels_fr": [ "pat-0768" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-jetdirect", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "port": 9100, "service": "jetdirect", "service_label_fr": "JETDIRECT" }, "attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)", "evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM", "target_port_label": "9100 \u00b7 JETDIRECT", "emulator_service": "jetdirect", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "jetdirect", "service_banner": "honeypot-jetdirect", "service_os": "linux", "dst_port": "9100" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http2_preface" ] }
17/06/2026 20:14:54 UTC	TCP	4369 · EPMD	epmd	Sonde port 4369/TCP port 4369 tcp · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 16ee84a07b55074c Émulateur EPMD WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Preuve honeypot — Sonde port 4369/TCP Connexion détectée sur le port 4369 (TCP) du capteur simulé. Service EPMD Payload ieU��random1random2random3random4 / 9�0 ,* Pourquoi cette classification : Type « port_4369_tcp » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 38 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ieU��random1random2random3random4/ 9�0 ,* Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 110, "payload_entropy": 4.269606220838881, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 1, "anomaly_count": 0, "campaign_key": "b7311c5a8b4d475aa3a4a336e2f83c02846c1df9", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "epmd", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4ad5dce8143f2bcf1242885cff6e93f8", "path_pattern_hash": "afe5dd09abed0d999a364e32ed80a9f9", "ja3": "16ee84a07b55074cb2751329bf1c8811", "ja4": "011b865e5f91ae5e1836c88110724dcb", "tls_version": "0x0303", "tls_cipher_count": 6, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "16ee84a07b55074cb2751329bf1c8811", "tls_ja3": "771,47-10-19-57-4-255,13,,", "tls_ja4_hash": "011b865e5f91ae5e1836c88110724dcb", "tls_ja4": "t13d0106_3fdba35f04dc_d03502c43d74", "tls_version": "0x0303", "tls_cipher_count": 6, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 38 }, "payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "evidence": { "request_sample": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea23fdc6bcb06c857e9f54c98d1f7024816c2f4d", "protocol_details": { "payload_preview": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "tls_ja3": "16ee84a07b55074cb2751329bf1c8811", "tls_ja4": "011b865e5f91ae5e1836c88110724dcb", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "ieU\ufffd\ufffdrandom1random2random3random4\/\n9\ufffd0\r,", "attack_vector": "port 4369 tcp \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "tls_ja3": "16ee84a07b55074cb2751329bf1c8811", "tls_ja4": "011b865e5f91ae5e1836c88110724dcb", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "port 4369 tcp \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "ieU\ufffd\ufffdrandom1random2random3random4\/\n9\ufffd0\r,*", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
17/06/2026 20:14:53 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 8
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload n Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 8 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) n Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 8, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "76fae3c085bb43bf34b254b13bd8d00d", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 8 }, "payload_preview": "\u0000\u0001n", "request_sample": "\u0000\u0001n", "payload_snippet": "\u0000\u0001n", "evidence": { "request_sample": "\u0000\u0001n", "payload_snippet": "\u0000\u0001n", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "559c3d5270361df399d08cf6f4c93bb6f6e23c67", "protocol_details": { "payload_preview": "\u0000\u0001n", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "n", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 8, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0001n", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "n", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:53 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 4, "payload_entropy": 1, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dba5166ad9db9ba648c1032ebbd34dcd", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 0 }, "payload_preview": "\r\n\r\n", "request_sample": "\r\n\r\n", "evidence": { "request_sample": "\r\n\r\n", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "19432411cd8135385e7a48f57fde8e0b0802924a", "protocol_details": { "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:53 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Moyenne	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload GET / HTTP/1.0 Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 24 Confiance : Confiance 0 % — 1 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 18, "payload_entropy": 3.461320140211008, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 32, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 0 }, "risk_score": 24, "tag_count": 1, "anomaly_count": 0, "campaign_key": "3a7633c347dae468c74c1448b6f653eb40537dfb", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 0, "risk_score": 24 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6ec63b40bcbc26b71deda762dfd844f0", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 24 }, "payload_preview": "GET \/ HTTP\/1.0\r\n\r\n", "request_sample": "GET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.0", "evidence": { "request_sample": "GET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.0", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b1134cefe88f20c54d199afc67c90ff5d3c25a41", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.0", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "GET \/ HTTP\/1.0", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 0, "risk_score": 24 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/ HTTP\/1.0", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.0", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe" ] }
17/06/2026 20:14:53 UTC	TCP	4369 · EPMD	epmd	Sonde port 4369/TCP port 4369 tcp · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Preuve honeypot — Sonde port 4369/TCP Connexion détectée sur le port 4369 (TCP) du capteur simulé. Service EPMD Payload SO?G��,��`~��{�Ֆ�w��<=�o�n( fedcba` Pourquoi cette classification : Type « port_4369_tcp » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 38 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) SO?G��,��`~��{�Ֆ�w��<=�o�n( fedcba` Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 88, "payload_entropy": 4.71356415999113, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 38, "tag_count": 1, "anomaly_count": 0, "campaign_key": "b7311c5a8b4d475aa3a4a336e2f83c02846c1df9", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "epmd", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "80ab07029d5f302cd55bfd003a3a37f1", "path_pattern_hash": "afe5dd09abed0d999a364e32ed80a9f9" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 38 }, "payload_preview": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "request_sample": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "payload_snippet": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "payload_snippet": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7fe7e198f3823d838b1f41bd70e9f551ac715f6e", "protocol_details": { "payload_preview": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "SO?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffdn(\nfedcba`", "attack_vector": "port 4369 tcp \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0000\u0000S\u0001\u0000\u0000O\u0003\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffd\u0010n\u0000\u0000(\u0000\u0016\u0000\u0013\u0000\n\u0000f\u0000\u0005\u0000\u0004\u0000e\u0000d\u0000c\u0000b\u0000a\u0000`\u0000\u0015\u0000\u0012\u0000\t\u0000\u0014\u0000\u0011\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "port 4369 tcp \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "SO?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd<=\ufffdo\ufffdn(\nfedcba`", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
17/06/2026 20:14:48 UTC	TCP	4369 · EPMD	epmd	Protocole wire MongoDB mongodb wire protocol · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags mongodb_hello_probe net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Faible · 38 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0363 pat-0364 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Mongo isMaster legacy Mongo ismaster command NFS RPC mount STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Requête brute (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go-driverversion1.17.4os.typedarwinarchitecturearm64platform go1.26.1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 231, "payload_entropy": 4.369460772401425, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "9b4e895a26960b7e91a5ee5603d3b9cfe009d403", "event_fingerprint": "6bd9161494d3ebd07ae8330ca635086f7a51a764", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0363", "pat-0364" ], "kb_rule_ids": [ "pat-0363", "pat-0364" ], "matched_patterns": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Mongo isMaster legacy", "Mongo ismaster command", "NFS RPC mount", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": false, "classification_parent": "mongodb_probe", "service_name": "epmd", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0b2e0c58f56e9ee8c23c01e1fef06198", "path_pattern_hash": "9060bd55aeb34075959b54fecab264ea" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 38 }, "payload_snippet": "\ufffd\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "evidence": { "request_sample": "\ufffd\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "17a858dfb5878f8541bac2763f83da5cb09ae28e", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0363", "pat-0364" ], "tags_summary_labels_fr": [ "pat-0363", "pat-0364" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_mongodb_probe" ] }
17/06/2026 20:14:48 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload /00ID01 Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) /00ID01 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 8, "payload_entropy": 2.4056390622295662, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b1d51b7b57d0e8ab6f7051937f849133", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 0 }, "payload_preview": "\/00ID01\r", "request_sample": "\/00ID01\r", "payload_snippet": "\/00ID01", "evidence": { "request_sample": "\/00ID01\r", "payload_snippet": "\/00ID01", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0e62e971a71464fb9d2f523b7c4e2be014fe59ee", "protocol_details": { "payload_preview": "\/00ID01", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\/00ID01", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\/00ID01", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\/00ID01", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:48 UTC	TCP	4369 · EPMD	epmd	Sonde port 4369/TCP port 4369 tcp · via EPMD:4369 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags net_redis_probe redis_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Preuve honeypot — Sonde port 4369/TCP Connexion détectée sur le port 4369 (TCP) du capteur simulé. Service EPMD Payload PING Pourquoi cette classification : Type « port_4369_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 40 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) PING Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 6, "payload_entropy": 2.584962500721156, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 40, "tag_count": 2, "anomaly_count": 0, "campaign_key": "6a166c18c5c29bd1293d0ba9ab9d3f4cb843e309", "event_fingerprint": "a89222bb01ded4aa433289ba0c78d1e8d06697d9", "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 40 }, "named_classification_skipped": true, "named_candidate": "redis_probe", "service_name": "epmd", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dedee95a5c3354a76fa11ee26963cbe7", "path_pattern_hash": "afe5dd09abed0d999a364e32ed80a9f9" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 40 }, "payload_preview": "PING\r\n", "request_sample": "PING\r\n", "payload_snippet": "PING", "evidence": { "request_sample": "PING\r\n", "payload_snippet": "PING", "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4d5f0cd67ec0f7cc558414c2c1541a6e9b2e89e1", "protocol_details": { "payload_preview": "PING", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "PING", "attack_vector": "port 4369 tcp \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "PING", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "port 4369 tcp \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "PING", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_redis_probe", "redis_probe" ] }
17/06/2026 20:14:48 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload /01UG00 Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) /01UG00 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 8, "payload_entropy": 2.4056390622295662, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ee1dc7ce8c714fcd1265f30e19b46ce8", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 0 }, "payload_preview": "\/01UG00\r", "request_sample": "\/01UG00\r", "payload_snippet": "\/01UG00", "evidence": { "request_sample": "\/01UG00\r", "payload_snippet": "\/01UG00", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b229fab1a937df28a023bcdc765bb5ef48e72c93", "protocol_details": { "payload_preview": "\/01UG00", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\/01UG00", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\/01UG00", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\/01UG00", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:48 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload /00UG01 Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) /00UG01 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 8, "payload_entropy": 2.4056390622295662, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6bb91333d0ff664d924b6571c1a88ab2", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 0 }, "payload_preview": "\/00UG01\r", "request_sample": "\/00UG01\r", "payload_snippet": "\/00UG01", "evidence": { "request_sample": "\/00UG01\r", "payload_snippet": "\/00UG01", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ab058cb244112b7b8d741bc98d146828a1cc0b3b", "protocol_details": { "payload_preview": "\/00UG01", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\/00UG01", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\/00UG01", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\/00UG01", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:48 UTC	TCP	4369 · EPMD	epmd	Protocole wire MongoDB mongodb wire protocol · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags mongodb_hello_probe net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload �!�admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Faible · 38 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0363 pat-0364 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Mongo isMaster legacy Mongo ismaster command NFS RPC mount STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �!�admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Requête brute (extrait) �!�admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go-driverversion1.17.4os.typedarwinarchitecturearm64platform go1.26.1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 231, "payload_entropy": 4.369460772401425, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "9b4e895a26960b7e91a5ee5603d3b9cfe009d403", "event_fingerprint": "6bd9161494d3ebd07ae8330ca635086f7a51a764", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0363", "pat-0364" ], "kb_rule_ids": [ "pat-0363", "pat-0364" ], "matched_patterns": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Mongo isMaster legacy", "Mongo ismaster command", "NFS RPC mount", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": false, "classification_parent": "mongodb_probe", "service_name": "epmd", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "50e624ea0d0076b318258113b57916dd", "path_pattern_hash": "9060bd55aeb34075959b54fecab264ea" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 38 }, "payload_snippet": "\ufffd\u0000\u0000\u0000!\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "evidence": { "request_sample": "\ufffd\u0000\u0000\u0000!\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000\u0000!\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "40e272bc56d52b0e43d0f3f557187e395e2a306f", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000!\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd!\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0363", "pat-0364" ], "tags_summary_labels_fr": [ "pat-0363", "pat-0364" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000!\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd!\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_mongodb_probe" ] }
17/06/2026 20:14:48 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload /01GF00 Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) /01GF00 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 8, "payload_entropy": 2.4056390622295662, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "72c7aa3f4b4bc0a869ff7ae0f7d9c65f", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 0 }, "payload_preview": "\/01GF00\r", "request_sample": "\/01GF00\r", "payload_snippet": "\/01GF00", "evidence": { "request_sample": "\/01GF00\r", "payload_snippet": "\/01GF00", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "beeba78b8145be4dc1e50b12becfa6c65c9ce4ec", "protocol_details": { "payload_preview": "\/01GF00", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\/01GF00", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\/01GF00", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\/01GF00", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:47 UTC	TCP	4369 · EPMD	epmd	Protocole wire MongoDB mongodb wire protocol · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags mongodb_hello_probe net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Faible · 38 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0363 pat-0364 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Mongo isMaster legacy Mongo ismaster command NFS RPC mount STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Requête brute (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go-driverversion1.17.4os.typedarwinarchitecturearm64platform go1.26.1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 231, "payload_entropy": 4.369460772401425, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "9b4e895a26960b7e91a5ee5603d3b9cfe009d403", "event_fingerprint": "6bd9161494d3ebd07ae8330ca635086f7a51a764", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0363", "pat-0364" ], "kb_rule_ids": [ "pat-0363", "pat-0364" ], "matched_patterns": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Mongo isMaster legacy", "Mongo ismaster command", "NFS RPC mount", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": false, "classification_parent": "mongodb_probe", "service_name": "epmd", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a5041c4c237adb2767e90f123d0d04c9", "path_pattern_hash": "9060bd55aeb34075959b54fecab264ea" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 38 }, "payload_snippet": "\ufffd\u0000\u0000\u0000\u001b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "evidence": { "request_sample": "\ufffd\u0000\u0000\u0000\u001b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000\u0000\u001b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b86e56a7cf4ef63d68a5a5dd9856813b0bbe2e12", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u001b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0363", "pat-0364" ], "tags_summary_labels_fr": [ "pat-0363", "pat-0364" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u001b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_mongodb_probe" ] }
17/06/2026 20:14:47 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 8
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload 9�SMBr��SMB 2.100SMB 2.??? Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 8 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 9�SMBr��SMB 2.100SMB 2.??? Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 61, "payload_entropy": 3.067526085603591, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 8, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f3a79d06df74b9595fc2f33f2fff54b0", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 8 }, "payload_preview": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000", "request_sample": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000", "payload_snippet": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000", "evidence": { "request_sample": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000", "payload_snippet": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f2954d63f54e7fd1834717fb22480e80c12603e7", "protocol_details": { "payload_preview": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "9\ufffdSMBr\ufffd\ufffd\ufffdSMB 2.100SMB 2.???", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 8, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "9\ufffdSMBr\ufffd\ufffd\ufffdSMB 2.100SMB 2.???", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:47 UTC	TCP	4369 · EPMD	epmd	Sonde OPC-UA opcua probe · via EPMD:4369 · (sonde / probe)	Faible	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload HELF9��opc.tcp://62.3.50.33:4369 Pourquoi cette classification : Type « opcua_probe » (signaux protocolaires) · confiance 47% Confiance classification 47% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 47 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0626 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) LFI Double-dot bypass OPC UA HEL Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) HELF9��opc.tcp://62.3.50.33:4369 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 57, "payload_entropy": 3.4801269332871874, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 35, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "confidence": 0.47, "classification_confidence": 0.47, "precision_score": 56, "precision_signals": [ "pat-0626" ], "kb_rule_ids": [ "pat-0626" ], "matched_patterns": [ "pat-0103", "pat-0626", "pat-0554" ], "matched_pattern_names": [ "LFI Double-dot bypass", "OPC UA HEL", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0103", "pat-0626", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 47, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8cccb4e847d50bc72de10475670c33cf", "path_pattern_hash": "9665a326f7d8f70f1661dab78807b951" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 35 }, "payload_preview": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:4369", "request_sample": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:4369", "payload_snippet": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:4369", "evidence": { "request_sample": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:4369", "payload_snippet": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:4369", "classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "271ba75488ce019bf7771e4265794af33462837b", "protocol_details": { "payload_preview": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:4369", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "HELF9\ufffd\ufffd\ufffd\ufffdopc.tcp:\/\/62.3.50.33:4369", "attack_vector": "opcua probe \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "classification_reason_label_fr": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 47, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0626" ], "tags_summary_labels_fr": [ "pat-0626" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:4369", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "opcua probe \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "HELF9\ufffd\ufffd\ufffd\ufffdopc.tcp:\/\/62.3.50.33:4369", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor" }
17/06/2026 20:14:47 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 8
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 8 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0577 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 12, "payload_entropy": 1.188721875540867, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 8, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0577" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "21cce3dca414e160647e5c8ea055408e", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 8 }, "payload_preview": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "request_sample": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "payload_snippet": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "payload_snippet": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7f0ac47cf82ba630130409f91f1961e0b6ba87b1", "protocol_details": { "payload_preview": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 8, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0577" ], "tags_summary_labels_fr": [ "pat-0577" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:47 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 8
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload l Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 8 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0768 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) l Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 12, "payload_entropy": 0.8166890883150209, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 8, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0768" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad33d13d6bc3bd05c9957f130811a989", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 8 }, "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ba3fc3e8c6fff21221d3a17ca1050ba1dee40326", "protocol_details": { "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "l", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 8, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0768" ], "tags_summary_labels_fr": [ "pat-0768" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "l", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:47 UTC	TCP	4369 · EPMD	epmd	Protocole wire MongoDB mongodb wire protocol · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags mongodb_hello_probe net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Faible · 38 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0363 pat-0364 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Mongo isMaster legacy Mongo ismaster command NFS RPC mount STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Requête brute (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go-driverversion1.17.4os.typedarwinarchitecturearm64platform go1.26.1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 231, "payload_entropy": 4.369460772401425, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "9b4e895a26960b7e91a5ee5603d3b9cfe009d403", "event_fingerprint": "6bd9161494d3ebd07ae8330ca635086f7a51a764", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0363", "pat-0364" ], "kb_rule_ids": [ "pat-0363", "pat-0364" ], "matched_patterns": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Mongo isMaster legacy", "Mongo ismaster command", "NFS RPC mount", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": false, "classification_parent": "mongodb_probe", "service_name": "epmd", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0c02e500fca406a185fa2b1942359dc9", "path_pattern_hash": "9060bd55aeb34075959b54fecab264ea" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 38 }, "payload_snippet": "\ufffd\u0000\u0000\u0000\u001d\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "evidence": { "request_sample": "\ufffd\u0000\u0000\u0000\u001d\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000\u0000\u001d\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a41476455a18d60d540e76a12a232cc0a8d552c", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u001d\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0363", "pat-0364" ], "tags_summary_labels_fr": [ "pat-0363", "pat-0364" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u001d\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_mongodb_probe" ] }
17/06/2026 20:14:47 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload I20100 Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) I20100 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 8, "payload_entropy": 2.4056390622295662, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "39fea238df890c005706b34a9316349a", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 0 }, "payload_preview": "\u0001I20100\n", "request_sample": "\u0001I20100\n", "payload_snippet": "\u0001I20100", "evidence": { "request_sample": "\u0001I20100\n", "payload_snippet": "\u0001I20100", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ce91be6df0c71b979cc68d767b7bb3ae1ced46d8", "protocol_details": { "payload_preview": "\u0001I20100", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "I20100", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0001I20100", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "I20100", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:47 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload 1 $4 PING Pourquoi cette classification :* Type « epmd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Redis PING RESP User-Agent — Règles WAF — Payload (extrait) 1 $4 PING Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 14, "payload_entropy": 3.128085278891395, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "matched_patterns": [ "pat-0414" ], "matched_pattern_names": [ "Redis PING RESP" ], "pattern_ids": [ "pat-0414" ], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a43cb6a3b9d261112714d00e36b33106", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 0 }, "payload_preview": "1\r\n$4\r\nPING\r\n", "request_sample": "1\r\n$4\r\nPING\r\n", "payload_snippet": "1\r\n$4\r\nPING", "evidence": { "request_sample": "1\r\n$4\r\nPING\r\n", "payload_snippet": "1\r\n$4\r\nPING", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "556d0eed868941ada0f47db5f84a1cd39996209e", "protocol_details": { "payload_preview": "1\r\n$4\r\nPING", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "1\r\n$4\r\nPING", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "1\r\n$4\r\nPING", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "1\r\n$4\r\nPING", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor" }
17/06/2026 20:14:47 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Moyenne	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags http2_preface Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload PRI * HTTP/2.0 SM Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0768 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) PRI * HTTP/2.0 SM Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 33, "payload_entropy": 3.65045472541906, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "163edeca5e0f2b1a6918a65598185673d009d9a8", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0768" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 35 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "da74b3e9488c0813fcd76f6273b0c115", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 35 }, "payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ec2e485c9297f749b102fb441f322ed1292c6463", "protocol_details": { "payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0768" ], "tags_summary_labels_fr": [ "pat-0768" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http2_preface" ] }
17/06/2026 20:14:47 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 8
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload >2!'�� Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 8 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) >2!'�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 38, "payload_entropy": 2.3985082772637103, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 8, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "21164128a00223274f8c6e16f6f9b38a", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 8 }, "payload_preview": "\u0000\u0000 \u0000\u0000\u0000>\u00032!\u0001\u0001\u0010'\u0001\u0001\u0001\u0001\u0001\u0001\ufffd\ufffd\u0001\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "request_sample": "\u0000\u0000 \u0000\u0000\u0000>\u00032!\u0001\u0001\u0010'\u0001\u0001\u0001\u0001\u0001\u0001\ufffd\ufffd\u0001\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000 \u0000\u0000\u0000>\u00032!\u0001\u0001\u0010'\u0001\u0001\u0001\u0001\u0001\u0001\ufffd\ufffd\u0001\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0000\u0000 \u0000\u0000\u0000>\u00032!\u0001\u0001\u0010'\u0001\u0001\u0001\u0001\u0001\u0001\ufffd\ufffd\u0001\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000 \u0000\u0000\u0000>\u00032!\u0001\u0001\u0010'\u0001\u0001\u0001\u0001\u0001\u0001\ufffd\ufffd\u0001\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6a0feb41c961c55581a76968fa83267ff8f2e5e5", "protocol_details": { "payload_preview": "\u0000\u0000 \u0000\u0000\u0000>\u00032!\u0001\u0001\u0010'\u0001\u0001\u0001\u0001\u0001\u0001\ufffd\ufffd\u0001\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": ">2!'\ufffd\ufffd", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 8, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0000 \u0000\u0000\u0000>\u00032!\u0001\u0001\u0010'\u0001\u0001\u0001\u0001\u0001\u0001\ufffd\ufffd\u0001\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": ">2!'\ufffd\ufffd", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:47 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload /01ID00 Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) /01ID00 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 8, "payload_entropy": 2.4056390622295662, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "61f773eab0c68558b2e738208fa0680a", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 0 }, "payload_preview": "\/01ID00\r", "request_sample": "\/01ID00\r", "payload_snippet": "\/01ID00", "evidence": { "request_sample": "\/01ID00\r", "payload_snippet": "\/01ID00", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7feea12a6335151384523830b7e29b42f74874e0", "protocol_details": { "payload_preview": "\/01ID00", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\/01ID00", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\/01ID00", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\/01ID00", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:47 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload 1 $4 INFO Pourquoi cette classification :* Type « epmd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Redis INFO User-Agent — Règles WAF — Payload (extrait) 1 $4 INFO Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 14, "payload_entropy": 3.128085278891395, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "matched_patterns": [ "pat-0411" ], "matched_pattern_names": [ "Redis INFO" ], "pattern_ids": [ "pat-0411" ], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f97ce549efeee853d655f0c9276962a8", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 0 }, "payload_preview": "1\r\n$4\r\nINFO\r\n", "request_sample": "1\r\n$4\r\nINFO\r\n", "payload_snippet": "1\r\n$4\r\nINFO", "evidence": { "request_sample": "1\r\n$4\r\nINFO\r\n", "payload_snippet": "1\r\n$4\r\nINFO", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5337cdfc53e292bda249c8bc8393e2f7992d53e5", "protocol_details": { "payload_preview": "1\r\n$4\r\nINFO", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "1\r\n$4\r\nINFO", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "1\r\n$4\r\nINFO", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "1\r\n$4\r\nINFO", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor" }
17/06/2026 20:14:46 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 8
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload P�� Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 8 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) P�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 21, "payload_entropy": 2.389758003492557, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 8, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a68e8e7f92f816f679f58e667ea7351e", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 8 }, "payload_preview": "P\u0000\u0000\ufffd\ufffd\u0003\u0000\f\u0000\u0010\u0000\u0001\u0004\u0000\u0000\u0000\u0000\u0000\ufffd\u0001\u0000", "request_sample": "P\u0000\u0000\ufffd\ufffd\u0003\u0000\f\u0000\u0010\u0000\u0001\u0004\u0000\u0000\u0000\u0000\u0000\ufffd\u0001\u0000", "payload_snippet": "P\u0000\u0000\ufffd\ufffd\u0003\u0000\f\u0000\u0010\u0000\u0001\u0004\u0000\u0000\u0000\u0000\u0000\ufffd\u0001\u0000", "evidence": { "request_sample": "P\u0000\u0000\ufffd\ufffd\u0003\u0000\f\u0000\u0010\u0000\u0001\u0004\u0000\u0000\u0000\u0000\u0000\ufffd\u0001\u0000", "payload_snippet": "P\u0000\u0000\ufffd\ufffd\u0003\u0000\f\u0000\u0010\u0000\u0001\u0004\u0000\u0000\u0000\u0000\u0000\ufffd\u0001\u0000", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e69fd959aaa429f7bc9aa783209ecf958d8770e", "protocol_details": { "payload_preview": "P\u0000\u0000\ufffd\ufffd\u0003\u0000\f\u0000\u0010\u0000\u0001\u0004\u0000\u0000\u0000\u0000\u0000\ufffd\u0001\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "P\ufffd\ufffd\ufffd", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 8, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "P\u0000\u0000\ufffd\ufffd\u0003\u0000\f\u0000\u0010\u0000\u0001\u0004\u0000\u0000\u0000\u0000\u0000\ufffd\u0001\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "P\ufffd\ufffd\ufffd", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:46 UTC	TCP	4369 · EPMD	epmd	Protocole wire MongoDB mongodb wire protocol · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags mongodb_hello_probe net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Faible · 38 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0363 pat-0364 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Mongo isMaster legacy Mongo ismaster command NFS RPC mount STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Requête brute (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go-driverversion1.17.4os.typedarwinarchitecturearm64platform go1.26.1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 231, "payload_entropy": 4.369460772401425, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "9b4e895a26960b7e91a5ee5603d3b9cfe009d403", "event_fingerprint": "6bd9161494d3ebd07ae8330ca635086f7a51a764", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0363", "pat-0364" ], "kb_rule_ids": [ "pat-0363", "pat-0364" ], "matched_patterns": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Mongo isMaster legacy", "Mongo ismaster command", "NFS RPC mount", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": false, "classification_parent": "mongodb_probe", "service_name": "epmd", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b01512d56868747ce8dc803ed3976d26", "path_pattern_hash": "9060bd55aeb34075959b54fecab264ea" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 38 }, "payload_snippet": "\ufffd\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "evidence": { "request_sample": "\ufffd\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e2b155de096877681c8335e8e1caef87821e56f5", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0363", "pat-0364" ], "tags_summary_labels_fr": [ "pat-0363", "pat-0364" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_mongodb_probe" ] }
17/06/2026 20:14:46 UTC	TCP	4369 · EPMD	epmd	Sonde port 4369/TCP port 4369 tcp · via EPMD:4369 · (sonde / probe)	Faible	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Preuve honeypot — Sonde port 4369/TCP Connexion détectée sur le port 4369 (TCP) du capteur simulé. Service EPMD Payload �+<Mscannernetworkscan Pourquoi cette classification : Type « port_4369_tcp » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Mumble ping STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �+<Mscannernetworkscan Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 156, "payload_entropy": 1.4164089161695235, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 35, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0768", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Mumble ping", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0768", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 35 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "epmd", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d3abe8023609a7751e3166377efabae7", "path_pattern_hash": "afe5dd09abed0d999a364e32ed80a9f9" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 35 }, "payload_snippet": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0001scanner\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000networkscan\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0001scanner\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000networkscan\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0001scanner\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000networkscan\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ed1372d872e5710034937aa2d74f7ff3428623d3", "protocol_details": { "payload_preview": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0001scanner\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000networkscan\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd+<Mscannernetworkscan", "attack_vector": "port 4369 tcp \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0001scanner\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000networkscan\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "port 4369 tcp \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd+<Mscannernetworkscan", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor" }
17/06/2026 20:14:46 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload 500000FF03FF000018001004010000D0000000001 Pourquoi cette classification :* Type « epmd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 500000FF03FF000018001004010000D0000000001 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 42, "payload_entropy": 1.8064617604546434, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "677dbb7235e9dcc588a2ba992e32da9e", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 0 }, "payload_preview": "500000FF03FF000018001004010000D0000000001", "request_sample": "500000FF03FF000018001004010000D0000000001", "payload_snippet": "500000FF03FF000018001004010000D0000000001", "evidence": { "request_sample": "500000FF03FF000018001004010000D0000000001", "payload_snippet": "500000FF03FF000018001004010000D0000000001", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3fc3915c5a9af61c6c7976ba7c7fd0768dd6af41", "protocol_details": { "payload_preview": "500000FF03FF000018001004010000D0000000001", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "500000FF03FF000018001004010000D0000000001", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "500000FF03FF000018001004010000D0000000001", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "500000FF03FF000018001004010000D0000000001", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:46 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 8
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload @�ͫ�gE# Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 8 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0577 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) @�ͫ�gE# Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 64, "payload_entropy": 1.2940976117890584, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 8, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0577" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "81af7e946d4402d6c4e2bd7875d7bbc3", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 8 }, "payload_preview": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf568c0924c364f120c239596dbad6f369b4bcca", "protocol_details": { "payload_preview": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "@\ufffd\u036b\ufffdgE#", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 8, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0577" ], "tags_summary_labels_fr": [ "pat-0577" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "@\ufffd\u036b\ufffdgE#", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:46 UTC	TCP	4369 · EPMD	epmd	Sonde port 4369/TCP port 4369 tcp · via EPMD:4369 · (sonde / probe)	Faible	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Preuve honeypot — Sonde port 4369/TCP Connexion détectée sur le port 4369 (TCP) du capteur simulé. Service EPMD Payload �� Pourquoi cette classification : Type « port_4369_tcp » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header S7 TPKT packet ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 22, "payload_entropy": 2.9864147115206285, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 35, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0376", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "S7 TPKT packet", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0376", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 35 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "epmd", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "56ec831c21f793ddb087e59cc39c62fe", "path_pattern_hash": "afe5dd09abed0d999a364e32ed80a9f9" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 35 }, "payload_preview": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001\n", "request_sample": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001\n", "payload_snippet": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001", "evidence": { "request_sample": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001\n", "payload_snippet": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001", "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cff8043adec9acd29c337b536c06f9d601dedf7b", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd", "attack_vector": "port 4369 tcp \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab port_4369_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "port 4369 tcp \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor" }
17/06/2026 20:14:46 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 8
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload �� Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 8 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 7, "payload_entropy": 1.5566567074628228, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 8, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e866e1d989e997db6ebf852e781b0c09", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 8 }, "payload_preview": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001", "request_sample": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001", "payload_snippet": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001", "payload_snippet": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9d53ab98bd4f079988580a7d88e7c7270d4455cb", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 8, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:46 UTC	TCP	4369 · EPMD	epmd	Protocole wire MongoDB mongodb wire protocol · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags mongodb_hello_probe net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Faible · 38 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0363 pat-0364 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Mongo isMaster legacy Mongo ismaster command NFS RPC mount STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Requête brute (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go-driverversion1.17.4os.typedarwinarchitecturearm64platform go1.26.1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 231, "payload_entropy": 4.369460772401425, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "9b4e895a26960b7e91a5ee5603d3b9cfe009d403", "event_fingerprint": "6bd9161494d3ebd07ae8330ca635086f7a51a764", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0363", "pat-0364" ], "kb_rule_ids": [ "pat-0363", "pat-0364" ], "matched_patterns": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Mongo isMaster legacy", "Mongo ismaster command", "NFS RPC mount", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": false, "classification_parent": "mongodb_probe", "service_name": "epmd", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "30f672e1822c8268f64ac92fd4073e77", "path_pattern_hash": "9060bd55aeb34075959b54fecab264ea" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 38 }, "payload_snippet": "\ufffd\u0000\u0000\u0000\u0019\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "evidence": { "request_sample": "\ufffd\u0000\u0000\u0000\u0019\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000\u0000\u0019\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "07f4e37e83c08a7c271f4c9bccf5e294a3e42292", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u0019\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0363", "pat-0364" ], "tags_summary_labels_fr": [ "pat-0363", "pat-0364" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u0019\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_mongodb_probe" ] }
17/06/2026 20:14:46 UTC	TCP	4369 · EPMD	epmd	Sonde HTTP smuggling http smuggling probe · via EPMD:4369 · (tentative d'exploit)	Faible	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur EPMD WAF — Recommandation Investiguer Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload POST /wsman HTTP/1.1 Host: 62.3.50.33:4369 User-Agent: networkscan Content-Length: 252 Content-Type: application/soap+xml;ch Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL CRS 941130 LFI Double-dot bypass WinRM WS-Man User-Agent — Règles WAF — Payload (extrait) POST /wsman HTTP/1.1 Host: 62.3.50.33:4369 User-Agent: networkscan Content-Length: 252 Content-Type: application/soap+xml;ch Requête brute (extrait) POST /wsman HTTP/1.1 Host: 62.3.50.33:4369 User-Agent: networkscan Content-Length: 252 Content-Type: application/soap+xml;charset=UTF-8 Accept-Encoding: gzip <?xml version="1.0" encoding="UTF-8"?> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 418, "payload_entropy": 5.326012815827857, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 15 }, "risk_score": 52, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0284", "pat-0103", "pat-0526" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "CRS 941130", "LFI Double-dot bypass", "WinRM WS-Man" ], "pattern_ids": [ "pat-0842", "pat-0284", "pat-0103", "pat-0526" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9e68fdf231fe771d8aeff737c2cf72f8", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 52 }, "payload_preview": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:4369\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch", "request_sample": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:4369\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;charset=UTF-8\r\nAccept-Encoding: gzip\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<s:Envelope xmlns:s=\"http:\/\/www.w3.org\/2003\/05\/soap", "payload_snippet": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:4369\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch", "evidence": { "request_sample": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:4369\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;charset=UTF-8\r\nAccept-Encoding: gzip\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<s:Envelope xmlns:s=\"http:\/\/www.w3.org\/2003\/05\/soap", "payload_snippet": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:4369\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c6cd0c4081b39c511fc5df7ec917a5cb9b0c8609", "protocol_details": { "payload_preview": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:4369\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:4369\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch", "attack_vector": "http smuggling probe \u00b7 via EPMD:4369 \u00b7 (tentative d'exploit)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via EPMD", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 15, "risk_score": 52 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:4369\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "http smuggling probe \u00b7 via EPMD:4369 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:4369\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate" }
17/06/2026 20:14:46 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 8
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload �j��0�� 0�y0w�@�0�� 0 testuser� 62.3.50.33�0��0krbtgt 62.3.50.33�20260618201456Z� Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 8 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �j��0�� 0�y0w�@�0��0 testuser� 62.3.50.33�0��0krbtgt 62.3.50.33�20260618201456Z� Requête brute (extrait) �j��0�� 0�y0w�@�0�� 0 testuser� 62.3.50.33�0��0krbtgt 62.3.50.33�20260618201456Z�K1+� 0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 147, "payload_entropy": 5.450763394648839, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 15 }, "risk_score": 8, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 15, "risk_score": 8 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3406f02cc160508bf0a25c043afd284b", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 8 }, "payload_preview": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618201456Z\ufffd\u0006", "request_sample": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618201456Z\ufffd\u0006\u0002\u0004K1+\ufffd\u000b0\t\u0002\u0001\u0012\u0002\u0001\u0011\u0002\u0001\u0017", "payload_snippet": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618201456Z\ufffd\u0006", "evidence": { "request_sample": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618201456Z\ufffd\u0006\u0002\u0004K1+\ufffd\u000b0\t\u0002\u0001\u0012\u0002\u0001\u0011\u0002\u0001\u0017", "payload_snippet": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618201456Z\ufffd\u0006", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aaf52c6caecf5173b726cb97949bc3dadf15705d", "protocol_details": { "payload_preview": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618201456Z\ufffd\u0006", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\ufffd\n\ufffd0\ufffdy0w\ufffd@\ufffd0\ufffd\ufffd0\ntestuser\ufffd\n62.3.50.33\ufffd0\ufffd\ufffd0krbtgt\n62.3.50.33\ufffd20260618201456Z\ufffd", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 15, "risk_score": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 8, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618201456Z\ufffd\u0006", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\ufffd\n\ufffd0\ufffdy0w\ufffd@\ufffd0\ufffd\ufffd0\ntestuser\ufffd\n62.3.50.33\ufffd0\ufffd\ufffd0krbtgt\n62.3.50.33\ufffd20260618201456Z\ufffd", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:46 UTC	TCP	4369 · EPMD	epmd	Sonde PostgreSQL postgres probe · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload ��k�1g�ύyI��p�s��0॔_ ���=�0��M+Xa��`ɮok��+�/�,�0̨̩� �� _ � Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��k�1g�ύyI��p�s��0॔_ ���=�0��M+Xa��`ɮok��+�/�,�0̨̩� �� _� Requête brute (extrait) ��k�1g�ύyI��p�s��0॔_ ���=�0��M+Xa��`ɮok��+�/�,�0̨̩� �� _ � �� 2+3��lC��U8��">�\7�\��(6m� Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 1483, "payload_entropy": 7.739810015101851, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "b7311c5a8b4d475aa3a4a336e2f83c02846c1df9", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a17a44e1858a79ae0067750c952756f2", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0001\ufffd\ufffd\u0004\ufffdk\u0005\ufffd1g\ufffd\u03cdyI\ufffd\ufffd\ufffd\ufffdp\ufffds\ufffd\ufffd\ufffd\ufffd0\u0954_ \ufffd\ufffd\ufffd=\ufffd0\ufffd\ufffdM+X\u001a\u0017a\ufffd\ufffd\ufffd`\u026eok\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0001\ufffd\ufffd\u0004\ufffdk\u0005\ufffd1g\ufffd\u03cdyI\ufffd\ufffd\ufffd\ufffdp\ufffds\ufffd\ufffd\ufffd\ufffd0\u0954_ \ufffd\ufffd\ufffd=\ufffd0\ufffd\ufffdM+X\u001a\u0017a\ufffd\ufffd\ufffd`\u026eok\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffdlC\ufffd\u0017\ufffdU8\ufffd\u0012\ufffd\b\">\ufffd\\7\u0003\ufffd\\\ufffd\ufffd(6m\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0001\ufffd\ufffd\u0004\ufffdk\u0005\ufffd1g\ufffd\u03cdyI\ufffd\ufffd\ufffd\ufffdp\ufffds\ufffd\ufffd\ufffd\ufffd0\u0954_ \ufffd\ufffd\ufffd=\ufffd0\ufffd\ufffdM+X\u001a\u0017a\ufffd\ufffd\ufffd`\u026eok\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c91ae159d91402bc29d50ab7eb17add81ecf8fce", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0001\ufffd\ufffd\u0004\ufffdk\u0005\ufffd1g\ufffd\u03cdyI\ufffd\ufffd\ufffd\ufffdp\ufffds\ufffd\ufffd\ufffd\ufffd0\u0954_ \ufffd\ufffd\ufffd=\ufffd0\ufffd\ufffdM+X\u001a\u0017a\ufffd\ufffd\ufffd`\u026eok\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd1g\ufffd\u03cdyI\ufffd\ufffd\ufffd\ufffdp\ufffds\ufffd\ufffd\ufffd\ufffd0\u0954_ \ufffd\ufffd\ufffd=\ufffd0\ufffd\ufffdM+Xa\ufffd\ufffd\ufffd`\u026eok\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd", "attack_vector": "postgres probe \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0001\ufffd\ufffd\u0004\ufffdk\u0005\ufffd1g\ufffd\u03cdyI\ufffd\ufffd\ufffd\ufffdp\ufffds\ufffd\ufffd\ufffd\ufffd0\u0954_ \ufffd\ufffd\ufffd=\ufffd0\ufffd\ufffdM+X\u001a\u0017a\ufffd\ufffd\ufffd`\u026eok\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "postgres probe \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd1g\ufffd\u03cdyI\ufffd\ufffd\ufffd\ufffdp\ufffds\ufffd\ufffd\ufffd\ufffd0\u0954_ \ufffd*\ufffd\ufffd=\ufffd0\ufffd\ufffdM+Xa\ufffd\ufffd\ufffd`\u026eok\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
17/06/2026 20:14:46 UTC	TCP	4369 · EPMD	epmd	Sonde PostgreSQL postgres probe · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload ��a0��~�j��5�� ^�W6�J��y� �"��s��nA�áZ4�@��z�z�E�g�+�/�,�0̨̩� �� _ � Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��a0��~�j��5��^�W6�J��y� �"��s��nA�áZ4�@��z�z�E�g�+�/�,�0̨̩� �� _� Requête brute (extrait) ��a0��~�j��5�� ^�W6�J��y� �"��s��nA�áZ4�@��z�z�E�g�+�/�,�0̨̩� �� _ � �� 2+3��S�ɐ�&0Ґ��&Lf Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 1483, "payload_entropy": 7.741707149329371, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "b7311c5a8b4d475aa3a4a336e2f83c02846c1df9", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e003ceb6d06ed7b16eab77fe266fa475", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffda\u0012\u00180\ufffd\ufffd~\ufffdj\ufffd\ufffd5\ufffd\ufffd\ufffd\ufffd\f\ufffd^\ufffdW6\ufffdJ\ufffd\u0018\ufffdy\ufffd\u0019 \n\ufffd\"\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd\ufffdnA\ufffd\u00e1Z4\ufffd@\ufffd\u000f\ufffdz\ufffdz\ufffdE\ufffdg\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffda\u0012\u00180\ufffd\ufffd~\ufffdj\ufffd\ufffd5\ufffd\ufffd\ufffd\ufffd\f\ufffd^\ufffdW6\ufffdJ\ufffd\u0018\ufffdy\ufffd\u0019 \n\ufffd\"\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd\ufffdnA\ufffd\u00e1Z4\ufffd@\ufffd\u000f\ufffdz\ufffdz\ufffdE\ufffdg\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\u001b\ufffd\ufffdS\u0002\ufffd\u0250\ufffd&\u0019\u001e\u001f0\u0490\ufffd\u001a\ufffd&Lf\u001c", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffda\u0012\u00180\ufffd\ufffd~\ufffdj\ufffd\ufffd5\ufffd\ufffd\ufffd\ufffd\f\ufffd^\ufffdW6\ufffdJ\ufffd\u0018\ufffdy\ufffd\u0019 \n\ufffd\"\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd\ufffdnA\ufffd\u00e1Z4\ufffd@\ufffd\u000f\ufffdz\ufffdz\ufffdE\ufffdg\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8cd666cb13fee45cd6c7d47f1234613f60f6fd6e", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffda\u0012\u00180\ufffd\ufffd~\ufffdj\ufffd\ufffd5\ufffd\ufffd\ufffd\ufffd\f\ufffd^\ufffdW6\ufffdJ\ufffd\u0018\ufffdy\ufffd\u0019 \n\ufffd\"\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd\ufffdnA\ufffd\u00e1Z4\ufffd@\ufffd\u000f\ufffdz\ufffdz\ufffdE\ufffdg\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffda0\ufffd\ufffd~\ufffdj\ufffd\ufffd5\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffdW6\ufffdJ\ufffd\ufffdy\ufffd \n\ufffd\"\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd\ufffdnA\ufffd\u00e1Z4\ufffd@\ufffd\ufffdz\ufffdz\ufffdE\ufffdg\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd", "attack_vector": "postgres probe \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffda\u0012\u00180\ufffd\ufffd~\ufffdj\ufffd\ufffd5\ufffd\ufffd\ufffd\ufffd\f\ufffd^\ufffdW6\ufffdJ\ufffd\u0018\ufffdy\ufffd\u0019 \n\ufffd\"\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd\ufffdnA\ufffd\u00e1Z4\ufffd@\ufffd\u000f\ufffdz\ufffdz\ufffdE\ufffdg\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "postgres probe \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffda0\ufffd\ufffd~\ufffdj\ufffd\ufffd5\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffdW6\ufffdJ\ufffd\ufffdy\ufffd \n\ufffd\"\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd\ufffdnA\ufffd*\u00e1Z4\ufffd@\ufffd\ufffdz\ufffdz\ufffdE\ufffdg\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
17/06/2026 20:14:46 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 0 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "22531c50c4076e9401fba28a066d3db96533aa19", "protocol_details": { "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:45 UTC	TCP	4369 · EPMD	epmd	Protocole wire MongoDB mongodb wire protocol · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags mongodb_hello_probe net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Faible · 38 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0363 pat-0364 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Mongo isMaster legacy Mongo ismaster command NFS RPC mount STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Requête brute (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go-driverversion1.17.4os.typedarwinarchitecturearm64platform go1.26.1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 231, "payload_entropy": 4.369460772401425, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "9b4e895a26960b7e91a5ee5603d3b9cfe009d403", "event_fingerprint": "6bd9161494d3ebd07ae8330ca635086f7a51a764", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0363", "pat-0364" ], "kb_rule_ids": [ "pat-0363", "pat-0364" ], "matched_patterns": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Mongo isMaster legacy", "Mongo ismaster command", "NFS RPC mount", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": false, "classification_parent": "mongodb_probe", "service_name": "epmd", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "323d54e8666ed8f5e6dc4ef6aac777ba", "path_pattern_hash": "9060bd55aeb34075959b54fecab264ea" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 38 }, "payload_snippet": "\ufffd\u0000\u0000\u0000\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "evidence": { "request_sample": "\ufffd\u0000\u0000\u0000\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000\u0000\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4652366fb5fa0346bcb6485ea7ddd9a6f06c06da", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0363", "pat-0364" ], "tags_summary_labels_fr": [ "pat-0363", "pat-0364" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_mongodb_probe" ] }
17/06/2026 20:14:45 UTC	TCP	4369 · EPMD	epmd	Sonde montage NFS nfs mount · via EPMD:4369 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags mongodb_probe net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload �(NFS0�� Pourquoi cette classification : Type « nfs_mount » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0379 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header NFS mount string ET H.323 setup NFS RPC mount Mumble ping Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �(NFS0�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 44, "payload_entropy": 1.6761360291184577, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "69072c431eb5cda35875dc7f045e2bcec0f41658", "event_fingerprint": "6bd9161494d3ebd07ae8330ca635086f7a51a764", "classification_reason": "Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0379" ], "kb_rule_ids": [ "pat-0379" ], "matched_patterns": [ "pat-0348", "pat-0379", "pat-0868", "pat-0532", "pat-0768", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "NFS mount string", "ET H.323 setup", "NFS RPC mount", "Mumble ping", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0379", "pat-0868", "pat-0532", "pat-0768", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "05d8460c0884d7c9182f9c7a3daeec10", "path_pattern_hash": "38dfb4397d753d5c3c57b50e7f57234c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 45 }, "payload_preview": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7a8272cf3af701a6f771287fd6f7814177f0d29e", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd(NFS0\ufffd\ufffd", "attack_vector": "nfs mount \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0379" ], "tags_summary_labels_fr": [ "pat-0379" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "nfs mount \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd(NFS0\ufffd\ufffd", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_probe", "net_mongodb_probe" ] }
17/06/2026 20:14:45 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 8
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 8 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0577 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 14, "payload_entropy": 0.9463729359854419, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 8, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0577" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cbe24b60645a06f24f08a625fab65652", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 8 }, "payload_preview": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4935ab99a8e2c4841ff6e166a66b03620d3a15ae", "protocol_details": { "payload_preview": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 8, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0577" ], "tags_summary_labels_fr": [ "pat-0577" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "behavior_alert_count": 2, "behavior_priority": 72 }
17/06/2026 20:14:45 UTC	TCP	4369 · EPMD	epmd	Protocole wire MongoDB mongodb wire protocol · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags mongodb_hello_probe net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Faible · 38 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0363 pat-0364 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Mongo isMaster legacy Mongo ismaster command NFS RPC mount STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Requête brute (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go-driverversion1.17.4os.typedarwinarchitecturearm64platform go1.26.1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 231, "payload_entropy": 4.369460772401425, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "9b4e895a26960b7e91a5ee5603d3b9cfe009d403", "event_fingerprint": "6bd9161494d3ebd07ae8330ca635086f7a51a764", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0363", "pat-0364" ], "kb_rule_ids": [ "pat-0363", "pat-0364" ], "matched_patterns": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Mongo isMaster legacy", "Mongo ismaster command", "NFS RPC mount", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": false, "classification_parent": "mongodb_probe", "service_name": "epmd", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "03b323dadcef05dca19696bce5990d11", "path_pattern_hash": "9060bd55aeb34075959b54fecab264ea" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 38 }, "payload_snippet": "\ufffd\u0000\u0000\u0000\u0015\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "evidence": { "request_sample": "\ufffd\u0000\u0000\u0000\u0015\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000\u0000\u0015\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dc13bcb5200ec7afd4339173e960571098928598", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u0015\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0363", "pat-0364" ], "tags_summary_labels_fr": [ "pat-0363", "pat-0364" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u0015\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_mongodb_probe" ] }
17/06/2026 20:14:45 UTC	TCP	4369 · EPMD	epmd	Sonde montage NFS nfs mount · via EPMD:4369 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags mongodb_probe net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload �(NFS0�� Pourquoi cette classification : Type « nfs_mount » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0379 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) NFS mount string NFS RPC mount Mumble ping Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �(NFS0�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 44, "payload_entropy": 1.6761360291184577, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "69072c431eb5cda35875dc7f045e2bcec0f41658", "event_fingerprint": "6bd9161494d3ebd07ae8330ca635086f7a51a764", "classification_reason": "Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0379" ], "kb_rule_ids": [ "pat-0379" ], "matched_patterns": [ "pat-0379", "pat-0532", "pat-0768", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "NFS mount string", "NFS RPC mount", "Mumble ping", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0379", "pat-0532", "pat-0768", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "61a5832a37fd30843e8cf24483a0605f", "path_pattern_hash": "38dfb4397d753d5c3c57b50e7f57234c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 45 }, "payload_preview": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e43c1ad961308ddcc646995eedd751ede446dde5", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd(NFS0\ufffd\ufffd", "attack_vector": "nfs mount \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0379" ], "tags_summary_labels_fr": [ "pat-0379" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000(NFS0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "nfs mount \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd(NFS0\ufffd\ufffd", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_probe", "net_mongodb_probe" ] }
17/06/2026 20:14:45 UTC	TCP	4369 · EPMD	epmd	Sonde IEC 104 (SCADA) iec104 probe · via EPMD:4369 · (sonde / probe)	Faible	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload h Pourquoi cette classification : Type « iec104_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 33 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0564 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) IEC104 STARTDT act Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) h Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 6, "payload_entropy": 1.792481250360578, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 33, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab iec104_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0564" ], "kb_rule_ids": [ "pat-0564" ], "matched_patterns": [ "pat-0564", "pat-0554" ], "matched_pattern_names": [ "IEC104 STARTDT act", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0564", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "92933e47b8e6d55397d8a0396a425791", "path_pattern_hash": "09bd81a4aaa94733fb840e5e256406fa" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 33 }, "payload_preview": "h\u0004\u0007\u0000\u0000\u0000", "request_sample": "h\u0004\u0007\u0000\u0000\u0000", "payload_snippet": "h\u0004\u0007\u0000\u0000\u0000", "evidence": { "request_sample": "h\u0004\u0007\u0000\u0000\u0000", "payload_snippet": "h\u0004\u0007\u0000\u0000\u0000", "classification_reason": "Type \u00ab iec104_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "ics_probe", "ics_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a6bc70987fb5ab684f439b5ad39fd4f843c15dff", "protocol_details": { "payload_preview": "h\u0004\u0007\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "h", "attack_vector": "iec104 probe \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab iec104_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab iec104_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0564" ], "tags_summary_labels_fr": [ "pat-0564" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "h\u0004\u0007\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "iec104 probe \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "h", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor" }
17/06/2026 20:14:45 UTC	TCP	4369 · EPMD	epmd	dnp3 probe dnp3 probe · via EPMD:4369 · (sonde / probe)	Faible	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload d�6Ld�ގd��d�wFd��d��Rd��Xd�\�d��d� �{d� �qd� X�d� Pourquoi cette classification : Type « dnp3_probe » (signaux protocolaires) · confiance 51% Confiance classification 51% Risque capteur Faible · 33 Confiance : Confiance 51 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0794 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Sigma DNP3 link RDP TPKT header ET H.323 setup Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) d�6Ld�ގd��d�wFd��d��Rd��Xd�\�d��d� �{d� �qd�X�d� Requête brute (extrait) d�6Ld�ގd��d�wFd��d��Rd��Xd�\�d��d� �{d� �qd� X�d� 2ed� ڧd��d�sod��d��)d��#d�P�d�:7d��d��d�{=d�>d� Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 1010, "payload_entropy": 4.3443211035276414, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 33, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab dnp3_probe \u00bb (signaux protocolaires) \u00b7 confiance 51%", "confidence": 0.51, "classification_confidence": 0.51, "precision_score": 60, "precision_signals": [ "pat-0794" ], "kb_rule_ids": [ "pat-0794" ], "matched_patterns": [ "pat-0794", "pat-0348", "pat-0868", "pat-0554" ], "matched_pattern_names": [ "Sigma DNP3 link", "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0794", "pat-0348", "pat-0868", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 51, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7d3587032b33d30b8978ddc3a10bd429", "path_pattern_hash": "859b07b9d78548343d57aca7faf5fc6a" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 33 }, "payload_snippet": "\u0005d\u0005\ufffd\u0000\u0000\u0000\u00006L\u0005d\u0005\ufffd\u0001\u0000\u0000\u0000\u078e\u0005d\u0005\ufffd\u0002\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0003\u0000\u0000\u0000wF\u0005d\u0005\ufffd\u0004\u0000\u0000\u0000\u001d\ufffd\u0005d\u0005\ufffd\u0005\u0000\u0000\u0000\ufffdR\u0005d\u0005\ufffd\u0006\u0000\u0000\u0000\ufffdX\u0005d\u0005\ufffd\u0007\u0000\u0000\u0000\\\ufffd\u0005d\u0005\ufffd\b\u0000\u0000\u0000\u0019\ufffd\u0005d\u0005\ufffd\t\u0000\u0000\u0000\ufffd{\u0005d\u0005\ufffd\n\u0000\u0000\u0000\ufffdq\u0005d\u0005\ufffd\u000b\u0000\u0000\u0000X\ufffd\u0005d\u0005\ufffd\f\u0000\u0000\u0000", "evidence": { "request_sample": "\u0005d\u0005\ufffd\u0000\u0000\u0000\u00006L\u0005d\u0005\ufffd\u0001\u0000\u0000\u0000\u078e\u0005d\u0005\ufffd\u0002\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0003\u0000\u0000\u0000wF\u0005d\u0005\ufffd\u0004\u0000\u0000\u0000\u001d\ufffd\u0005d\u0005\ufffd\u0005\u0000\u0000\u0000\ufffdR\u0005d\u0005\ufffd\u0006\u0000\u0000\u0000\ufffdX\u0005d\u0005\ufffd\u0007\u0000\u0000\u0000\\\ufffd\u0005d\u0005\ufffd\b\u0000\u0000\u0000\u0019\ufffd\u0005d\u0005\ufffd\t\u0000\u0000\u0000\ufffd{\u0005d\u0005\ufffd\n\u0000\u0000\u0000\ufffdq\u0005d\u0005\ufffd\u000b\u0000\u0000\u0000X\ufffd\u0005d\u0005\ufffd\f\u0000\u0000\u00002e\u0005d\u0005\ufffd\r\u0000\u0000\u0000\u06a7\u0005d\u0005\ufffd\u000e\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u000f\u0000\u0000\u0000so\u0005d\u0005\ufffd\u0010\u0000\u0000\u0000\u0011\ufffd\u0005d\u0005\ufffd\u0011\u0000\u0000\u0000\ufffd)\u0005d\u0005\ufffd\u0012\u0000\u0000\u0000\ufffd#\u0005d\u0005\ufffd\u0013\u0000\u0000\u0000P\ufffd\u0005d\u0005\ufffd\u0014\u0000\u0000\u0000:7\u0005d\u0005\ufffd\u0015\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0016\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0017\u0000\u0000\u0000{=\u0005d\u0005\ufffd\u0018\u0000\u0000\u0000>\u001e\u0005d\u0005\ufffd\u0019\u0000", "payload_snippet": "\u0005d\u0005\ufffd\u0000\u0000\u0000\u00006L\u0005d\u0005\ufffd\u0001\u0000\u0000\u0000\u078e\u0005d\u0005\ufffd\u0002\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0003\u0000\u0000\u0000wF\u0005d\u0005\ufffd\u0004\u0000\u0000\u0000\u001d\ufffd\u0005d\u0005\ufffd\u0005\u0000\u0000\u0000\ufffdR\u0005d\u0005\ufffd\u0006\u0000\u0000\u0000\ufffdX\u0005d\u0005\ufffd\u0007\u0000\u0000\u0000\\\ufffd\u0005d\u0005\ufffd\b\u0000\u0000\u0000\u0019\ufffd\u0005d\u0005\ufffd\t\u0000\u0000\u0000\ufffd{\u0005d\u0005\ufffd\n\u0000\u0000\u0000\ufffdq\u0005d\u0005\ufffd\u000b\u0000\u0000\u0000X\ufffd\u0005d\u0005\ufffd\f\u0000\u0000\u0000", "classification_reason": "Type \u00ab dnp3_probe \u00bb (signaux protocolaires) \u00b7 confiance 51%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "ics_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "25967bcda8ad29c5312099bcff2a61f583c1c113", "protocol_details": { "payload_preview": "\u0005d\u0005\ufffd\u0000\u0000\u0000\u00006L\u0005d\u0005\ufffd\u0001\u0000\u0000\u0000\u078e\u0005d\u0005\ufffd\u0002\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0003\u0000\u0000\u0000wF\u0005d\u0005\ufffd\u0004\u0000\u0000\u0000\u001d\ufffd\u0005d\u0005\ufffd\u0005\u0000\u0000\u0000\ufffdR\u0005d\u0005\ufffd\u0006\u0000\u0000\u0000\ufffdX\u0005d\u0005\ufffd\u0007\u0000\u0000\u0000\\\ufffd\u0005d\u0005\ufffd\b\u0000\u0000\u0000\u0019\ufffd\u0005d\u0005\ufffd\t\u0000\u0000\u0000\ufffd{\u0005d\u0005\ufffd\n\u0000\u0000\u0000\ufffdq\u0005d\u0005\ufffd\u000b\u0000\u0000\u0000X\ufffd\u0005d\u0005\ufffd\f\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "d\ufffd6Ld\ufffd\u078ed\ufffd\ufffd\ufffdd\ufffdwFd\ufffd\ufffdd\ufffd\ufffdRd\ufffd\ufffdXd\ufffd\\\ufffdd\ufffd\ufffdd\ufffd\t\ufffd{d\ufffd\n\ufffdqd\ufffdX\ufffdd\ufffd", "attack_vector": "dnp3 probe \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 51 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab dnp3_probe \u00bb (signaux protocolaires) \u00b7 confiance 51%", "classification_reason_label_fr": "Type \u00ab dnp3_probe \u00bb (signaux protocolaires) \u00b7 confiance 51%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 51, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0794" ], "tags_summary_labels_fr": [ "pat-0794" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0005d\u0005\ufffd\u0000\u0000\u0000\u00006L\u0005d\u0005\ufffd\u0001\u0000\u0000\u0000\u078e\u0005d\u0005\ufffd\u0002\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0003\u0000\u0000\u0000wF\u0005d\u0005\ufffd\u0004\u0000\u0000\u0000\u001d\ufffd\u0005d\u0005\ufffd\u0005\u0000\u0000\u0000\ufffdR\u0005d\u0005\ufffd\u0006\u0000\u0000\u0000\ufffdX\u0005d\u0005\ufffd\u0007\u0000\u0000\u0000\\\ufffd\u0005d\u0005\ufffd\b\u0000\u0000\u0000\u0019\ufffd\u0005d\u0005\ufffd\t\u0000\u0000\u0000\ufffd{\u0005d\u0005\ufffd\n\u0000\u0000\u0000\ufffdq\u0005d\u0005\ufffd\u000b\u0000\u0000\u0000X\ufffd\u0005d\u0005\ufffd\f\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "dnp3 probe \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "d\ufffd6Ld\ufffd\u078ed\ufffd\ufffd\ufffdd\ufffdwFd\ufffd\ufffdd\ufffd\ufffdRd\ufffd\ufffdXd\ufffd\\\ufffdd\ufffd\ufffdd\ufffd\t\ufffd{d\ufffd\n\ufffdqd\ufffdX\ufffdd\ufffd", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 51 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 51 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor" }
17/06/2026 20:14:45 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 8
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload FINS Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 8 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0768 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) FINS Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 20, "payload_entropy": 1.3917601481809734, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 8, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0768" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7557767ca98bb300b1834588fbf18102", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 8 }, "payload_preview": "FINS\u0000\u0000\u0000\f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "FINS\u0000\u0000\u0000\f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "FINS\u0000\u0000\u0000\f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "FINS\u0000\u0000\u0000\f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "FINS\u0000\u0000\u0000\f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c719cba674e9742f37858e15cc7db8ce6c189a9c", "protocol_details": { "payload_preview": "FINS\u0000\u0000\u0000\f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "FINS", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 8, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0768" ], "tags_summary_labels_fr": [ "pat-0768" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "FINS\u0000\u0000\u0000\f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "FINS", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 20:14:44 UTC	TCP	4369 · EPMD	epmd	Protocole wire MongoDB mongodb wire protocol · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags mongodb_hello_probe net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Faible · 38 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0363 pat-0364 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Mongo isMaster legacy Mongo ismaster command NFS RPC mount STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Requête brute (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go-driverversion1.17.4os.typedarwinarchitecturearm64platform go1.26.1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 231, "payload_entropy": 4.369460772401425, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "9b4e895a26960b7e91a5ee5603d3b9cfe009d403", "event_fingerprint": "6bd9161494d3ebd07ae8330ca635086f7a51a764", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0363", "pat-0364" ], "kb_rule_ids": [ "pat-0363", "pat-0364" ], "matched_patterns": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Mongo isMaster legacy", "Mongo ismaster command", "NFS RPC mount", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": false, "classification_parent": "mongodb_probe", "service_name": "epmd", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cf217f1d9251a396b7e80094669c8cca", "path_pattern_hash": "9060bd55aeb34075959b54fecab264ea" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 38 }, "payload_snippet": "\ufffd\u0000\u0000\u0000\u000f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "evidence": { "request_sample": "\ufffd\u0000\u0000\u0000\u000f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000\u0000\u000f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7a649ba39a6d542d3facda1bd1ec2862ce7d5d7b", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u000f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0363", "pat-0364" ], "tags_summary_labels_fr": [ "pat-0363", "pat-0364" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u000f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_mongodb_probe" ] }
17/06/2026 20:14:44 UTC	TCP	4369 · EPMD	epmd	Protocole wire MongoDB mongodb wire protocol · via EPMD:4369 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags mongodb_hello_probe net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Faible · 38 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0363 pat-0364 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Mongo isMaster legacy Mongo ismaster command NFS RPC mount STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go- Requête brute (extrait) ��admin.$cmd��isMasterhelloOkcompressionclient�driver3namemongo-go-driverversion1.17.4os.typedarwinarchitecturearm64platform go1.26.1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 231, "payload_entropy": 4.369460772401425, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "9b4e895a26960b7e91a5ee5603d3b9cfe009d403", "event_fingerprint": "6bd9161494d3ebd07ae8330ca635086f7a51a764", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0363", "pat-0364" ], "kb_rule_ids": [ "pat-0363", "pat-0364" ], "matched_patterns": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Mongo isMaster legacy", "Mongo ismaster command", "NFS RPC mount", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": false, "classification_parent": "mongodb_probe", "service_name": "epmd", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8b4fba9b301d4a96c3bb5f846f9d7b9c", "path_pattern_hash": "9060bd55aeb34075959b54fecab264ea" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 38 }, "payload_snippet": "\ufffd\u0000\u0000\u0000\u0011\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "evidence": { "request_sample": "\ufffd\u0000\u0000\u0000\u0011\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000\u0000\u0011\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8f3424c6ff45750127e6e463bbda4029b362be16", "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u0011\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0363", "pat-0364" ], "tags_summary_labels_fr": [ "pat-0363", "pat-0364" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\ufffd\u0000\u0000\u0000\u0011\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "mongodb wire protocol \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_mongodb_probe" ] }
17/06/2026 20:14:43 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload networkscan Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) networkscan Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 13, "payload_entropy": 3.5465935642949384, "port_category": "registered", "org": "Pilot Fiber, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 46450, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "epmd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46450, "org": "Pilot Fiber, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fa24e2ea0755ee07c26826db859cbad1", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 0 }, "payload_preview": "\u0003networkscan\n", "request_sample": "\u0003networkscan\n", "payload_snippet": "\u0003networkscan", "evidence": { "request_sample": "\u0003networkscan\n", "payload_snippet": "\u0003networkscan", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "05ad17783d0f4bfb80f9764872c094edee6875ce", "protocol_details": { "payload_preview": "\u0003networkscan", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "networkscan", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0003networkscan", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "networkscan", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "behavior_alert_count": 2, "behavior_priority": 72 }

158.106.204.166

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence