Détails IP 3.137.139.70

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « pptp_probe » (signaux protocolaires) · confiance 0%

Confiance 8 % — Score WAF 8 · Bonus corrélation +8

Comparaison ASN / FAI

ASN 16509 · 3.128.0.0/10 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 7 événements sur la période pour cette IP.

44.220.188.101 Sonde TLS 15/06/2026 21:04 UTC
3.84.171.111 Sonde PostgreSQL 15/06/2026 21:03 UTC
18.220.92.255 Sonde PostgreSQL 15/06/2026 20:27 UTC
18.116.242.148 Sonde SIP/VoIP 15/06/2026 20:21 UTC
3.19.255.73 Tentative d'exploit 15/06/2026 19:48 UTC
35.95.58.130 Tentative d'exploit 15/06/2026 19:40 UTC
52.14.24.45 Sonde PostgreSQL 15/06/2026 19:33 UTC
13.217.95.0 Tentative d'exploit 15/06/2026 19:24 UTC

IPs apparentées

Même FAI Amazon.com, Inc. — corrélation indicative.

44.220.188.101 Sonde TLS
3.84.171.111 Sonde PostgreSQL
18.220.92.255 Sonde PostgreSQL
18.116.242.148 Sonde SIP/VoIP
3.19.255.73 Tentative d'exploit

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

ACCESSBUILDER TCP 4 PPTP TCP 3

ACCESSBUILDER

4

PPTP

3

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

7 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 19:25:57 UTC	TCP	1723 · PPTP	pptp	Sonde PPTP pptp probe · via PPTP:1723 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur PPTP WAF — Recommandation Surveiller Tags net_pptp_probe pptp_emulated pptp_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1723 Chemin / cible — Service PPTP Pourquoi cette classification : Type « pptp_probe » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 24 Confiance : Confiance 0 % — 3 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "emulator_response_len": 152, "bytes_in": 1, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "pptp", "app_proto": "pptp", "asn": 16509, "country": "US", "dst_port": 1723, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "7f571a2fce7c469bfc57d5e48b3a69201915b70e", "event_fingerprint": "71584713bb04b570046daaa2c28d60858e61192a", "classification_reason": "Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 24, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "pptp", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "01ba4719c80b6fe911b091a7c05124b6", "path_pattern_hash": "23335ae831d64e1fb258930612ed9faf" }, "target_context": { "dst_port": 1723, "service": "pptp", "service_name": "pptp", "risk_score": 24 }, "payload_preview": "\n", "request_sample": "\n", "evidence": { "request_sample": "\n", "classification_reason": "Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8469458b58fe3f0ec66842bea90a2688a034264c", "protocol_details": { "port": 1723, "service": "pptp", "service_label_fr": "PPTP" }, "attack_vector": "pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)", "target_port_label": "1723 \u00b7 PPTP", "emulator_service": "pptp", "confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 24, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "pptp", "service_label_fr": "PPTP", "dst_port": 1723, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pptp", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 1723, "service": "pptp", "service_label_fr": "PPTP" }, "attack_vector": "pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "1723 \u00b7 PPTP", "emulator_service": "pptp", "confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pptp", "service_banner": "honeypot-pptp", "service_os": "linux", "dst_port": "1723" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "accessbuilder", "pptp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_pptp_probe", "pptp_emulated", "pptp_payload" ], "asn_dc_heuristic": true }
15/06/2026 19:25:53 UTC	TCP	888 · ACCESSBUILDER	accessbuilder	Sonde PostgreSQL postgres probe · via ACCESSBUILDER:888 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 35fa0a83e466acbe Émulateur ACCESSBUILDER WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 888 Chemin / cible — Service ACCESSBUILDER Payload �� fY��/#?�7F�>��qؐ�g5>�J�j ��o�Ip��\C� 3��O��߷��&̨̩�/�0�+�,�� /5� { Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �� fY��/#?�7F�>��qؐ�g5>�J�j ��o�Ip��\C� 3��O��߷��&̨̩�/�0�+�,�� /5� { Requête brute (extrait) �� fY��/#?�7F�>��qؐ�g5>�J�j ��o�Ip��\C� 3��O��߷��&̨̩�/�0�+�,�� /5� { �+ 3&$ �F�Ǽ/�_��U�I�;+\|�2Ղ�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206163636573736275696c64657220726561647920706f72743d3838380d0a", "emulator_response_len": 43, "bytes_in": 243, "payload_entropy": 5.821508138939774, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "accessbuilder", "app_proto": "accessbuilder", "asn": 16509, "country": "US", "dst_port": 888, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "8a6333597f4952d1e5ef27052026a6c588b2a929", "event_fingerprint": "b56863f7f50b0166998f71f7d1d3fee6f8d34cf7", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "accessbuilder", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2dd3f8286e61f74734e725d24755283b", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "35fa0a83e466acbec1cfbb9016d550ab", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 888, "service": "accessbuilder", "service_name": "accessbuilder", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\rfY\u0015\ufffd\ufffd\u0010\/#?\ufffd7F\ufffd>\ufffd\ufffdq\u0000\u0610\ufffdg5>\ufffd\u001aJ\ufffdj \u001f\ufffd\u0013\ufffd\ufffdo\ufffdIp\ufffd\ufffd\ufffd\u001b\\C\ufffd 3\ufffd\ufffdO\ufffd\ufffd\ufffd\u07f7\u0012\ufffd\ufffd\ufffd\ufffd\u0007\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\rfY\u0015\ufffd\ufffd\u0010\/#?\ufffd7F\ufffd>\ufffd\ufffdq\u0000\u0610\ufffdg5>\ufffd\u001aJ\ufffdj \u001f\ufffd\u0013\ufffd\ufffdo\ufffdIp\ufffd\ufffd\ufffd\u001b\\C\ufffd 3\ufffd\ufffdO\ufffd\ufffd\ufffd\u07f7\u0012\ufffd\ufffd\ufffd\ufffd\u0007\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdF\ufffd\u01fc\/\ufffd_\ufffd\ufffdU\u001c\u0005\ufffdI\u0017\ufffd\u0002;+\|\ufffd2\u000f\u0542\ufffd\ufffd\ufffd\ufffd\ufffd\n", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\rfY\u0015\ufffd\ufffd\u0010\/#?\ufffd7F\ufffd>\ufffd\ufffdq\u0000\u0610\ufffdg5>\ufffd\u001aJ\ufffdj \u001f\ufffd\u0013\ufffd\ufffdo\ufffdIp\ufffd\ufffd\ufffd\u001b\\C\ufffd 3\ufffd\ufffdO\ufffd\ufffd\ufffd\u07f7\u0012\ufffd\ufffd\ufffd\ufffd\u0007\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "512f366b2ea35072c4a3c0092772e1cf50e407a7", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\rfY\u0015\ufffd\ufffd\u0010\/#?\ufffd7F\ufffd>\ufffd\ufffdq\u0000\u0610\ufffdg5>\ufffd\u001aJ\ufffdj \u001f\ufffd\u0013\ufffd\ufffdo\ufffdIp\ufffd\ufffd\ufffd\u001b\\C\ufffd 3\ufffd\ufffdO\ufffd\ufffd\ufffd\u07f7\u0012\ufffd\ufffd\ufffd\ufffd\u0007\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 888, "service": "accessbuilder", "service_label_fr": "ACCESSBUILDER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\rfY\ufffd\ufffd\/#?\ufffd7F\ufffd>\ufffd\ufffdq\u0610\ufffdg5>\ufffdJ\ufffdj \ufffd\ufffd\ufffdo\ufffdIp\ufffd\ufffd\ufffd\\C\ufffd 3\ufffd\ufffdO\ufffd\ufffd\ufffd\u07f7\ufffd\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via ACCESSBUILDER:888 \u00b7 (sonde \/ probe)", "target_port_label": "888 \u00b7 ACCESSBUILDER", "emulator_service": "accessbuilder", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "accessbuilder", "service_label_fr": "ACCESSBUILDER", "dst_port": 888, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-accessbuilder", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\rfY\u0015\ufffd\ufffd\u0010\/#?\ufffd7F\ufffd>\ufffd\ufffdq\u0000\u0610\ufffdg5>\ufffd\u001aJ\ufffdj \u001f\ufffd\u0013\ufffd\ufffdo\ufffdIp\ufffd\ufffd\ufffd\u001b\\C\ufffd 3\ufffd\ufffdO\ufffd\ufffd\ufffd\u07f7\u0012\ufffd\ufffd\ufffd\ufffd\u0007\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 888, "service": "accessbuilder", "service_label_fr": "ACCESSBUILDER" }, "attack_vector": "postgres probe \u00b7 via ACCESSBUILDER:888 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\rfY\ufffd\ufffd\/#?\ufffd7F\ufffd>\ufffd\ufffdq\u0610\ufffdg5>\ufffdJ\ufffdj \ufffd\ufffd\ufffdo\ufffdIp\ufffd\ufffd\ufffd\\C\ufffd 3\ufffd\ufffdO\ufffd\ufffd\ufffd\u07f7\ufffd\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "888 \u00b7 ACCESSBUILDER", "emulator_service": "accessbuilder", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "accessbuilder", "service_banner": "honeypot-accessbuilder", "service_os": "linux", "dst_port": "888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "accessbuilder", "pptp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 19:25:46 UTC	TCP	1723 · PPTP	pptp	Sonde PostgreSQL postgres probe · via PPTP:1723 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur PPTP WAF — Recommandation Surveiller Tags net_pptp_probe pptp_emulated pptp_payload tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1723 Chemin / cible — Service PPTP Payload �<��<��;��t��-T�c��W��D d�@�b=),��<�]�v@� X��P?&��J�&̨̩�/�0�+�,�� /5� � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �<��<��;��t��-T�c��W��D d�@�b=),��<�]�v@� X��P?&��J�&̨̩�/�0�+�,�� /5� � Requête brute (extrait) �<��<��;��t��-T�c��W��D d�@�b=),��<�]�v@� X��P?&��J�&̨̩�/�0�+�,�� /5� � � h2http/1.1+ 3&$ Y��G�5w0 d=�x##��7�D�jG� Meta JSON brut { "protocol_emulated": true, "emulator_response": "009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "emulator_response_len": 152, "bytes_in": 261, "payload_entropy": 5.857478212761479, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "pptp", "app_proto": "pptp", "asn": 16509, "country": "US", "dst_port": 1723, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "649f5bc17e8f924044d127d497957e9af62e3e9e", "event_fingerprint": "71584713bb04b570046daaa2c28d60858e61192a", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "pptp", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f1216453196396c5246d0086f756520c", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 1723, "service": "pptp", "service_name": "pptp", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003<\ufffd\ufffd\ufffd\u000f<\ufffd\ufffd;\ufffd\ufffd\u0015\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd-T\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdD d\ufffd@\ufffdb=)\u0011\u0019,\ufffd\ufffd<\ufffd]\u0019\ufffdv@\ufffd\n\u000bX\ufffd\ufffdP?&\ufffd\ufffdJ\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003<\ufffd\ufffd\ufffd\u000f<\ufffd\ufffd;\ufffd\ufffd\u0015\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd-T\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdD d\ufffd@\ufffdb=)\u0011\u0019,\ufffd\ufffd<\ufffd]\u0019\ufffdv@\ufffd\n\u000bX\ufffd\ufffdP?&\ufffd\ufffdJ\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 Y\ufffd\ufffdG\ufffd5w0\b\nd\u000e=\ufffdx##\ufffd\ufffd7\ufffdD\ufffdj\u0003G\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003<\ufffd\ufffd\ufffd\u000f<\ufffd\ufffd;\ufffd\ufffd\u0015\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd-T\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdD d\ufffd@\ufffdb=)\u0011\u0019,\ufffd\ufffd<\ufffd]\u0019\ufffdv@\ufffd\n\u000bX\ufffd\ufffdP?&\ufffd\ufffdJ\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "db0593c6f1f75e6d4c11e2044363199d738294fc", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003<\ufffd\ufffd\ufffd\u000f<\ufffd\ufffd;\ufffd\ufffd\u0015\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd-T\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdD d\ufffd@\ufffdb=)\u0011\u0019,\ufffd\ufffd<\ufffd]\u0019\ufffdv@\ufffd\n\u000bX\ufffd\ufffdP?&\ufffd\ufffdJ\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 1723, "service": "pptp", "service_label_fr": "PPTP" }, "evidence_snippet": "\ufffd<\ufffd\ufffd\ufffd<\ufffd\ufffd;\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd-T\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdD d\ufffd@\ufffdb=),\ufffd\ufffd<\ufffd]\ufffdv@\ufffd\nX\ufffd\ufffdP?&\ufffd\ufffdJ\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)", "target_port_label": "1723 \u00b7 PPTP", "emulator_service": "pptp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "pptp", "service_label_fr": "PPTP", "dst_port": 1723, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pptp", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003<\ufffd\ufffd\ufffd\u000f<\ufffd\ufffd;\ufffd\ufffd\u0015\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd-T\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdD d\ufffd@\ufffdb=)\u0011\u0019,\ufffd\ufffd<\ufffd]\u0019\ufffdv@\ufffd\n\u000bX\ufffd\ufffdP?&\ufffd\ufffdJ\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 1723, "service": "pptp", "service_label_fr": "PPTP" }, "attack_vector": "postgres probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd<\ufffd\ufffd\ufffd<\ufffd\ufffd;\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd-T\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffdD d\ufffd@\ufffdb=),\ufffd\ufffd<\ufffd]\ufffdv@\ufffd\nX\ufffd\ufffdP?&\ufffd\ufffdJ\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "1723 \u00b7 PPTP", "emulator_service": "pptp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pptp", "service_banner": "honeypot-pptp", "service_os": "linux", "dst_port": "1723" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "accessbuilder", "pptp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_pptp_probe", "pptp_emulated", "pptp_payload", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 19:24:42 UTC	TCP	1723 · PPTP	pptp	Sonde PPTP pptp probe · via PPTP:1723 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur PPTP WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_pptp_probe pptp_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1723 Chemin / cible — Service PPTP Payload GET / HTTP/1.1 Host: 62.3.50.33:1723 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Pourquoi cette classification : Type « pptp_probe » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 34 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1723 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1723 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "emulator_response_len": 152, "bytes_in": 191, "payload_entropy": 5.264961259123156, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "pptp", "app_proto": "pptp", "asn": 16509, "country": "US", "dst_port": 1723, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 34, "tag_count": 5, "anomaly_count": 0, "campaign_key": "220ed7bb2dabde39b668e47f4b0b228bea641de1", "event_fingerprint": "71584713bb04b570046daaa2c28d60858e61192a", "classification_reason": "Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 34, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "pptp", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2dd43db892d298e3c95c48458ac1b33c", "path_pattern_hash": "23335ae831d64e1fb258930612ed9faf" }, "target_context": { "dst_port": 1723, "service": "pptp", "service_name": "pptp", "risk_score": 34 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1723\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1723\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1723\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1723\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1723\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "classification_reason": "Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2c41edf3a3551ab9ef250cc66c04f141a3c9a0c9", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1723\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "port": 1723, "service": "pptp", "service_label_fr": "PPTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1723\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "attack_vector": "pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)", "target_port_label": "1723 \u00b7 PPTP", "emulator_service": "pptp", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 34, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "pptp", "service_label_fr": "PPTP", "dst_port": 1723, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pptp", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1723\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "port": 1723, "service": "pptp", "service_label_fr": "PPTP" }, "attack_vector": "pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1723\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "target_port_label": "1723 \u00b7 PPTP", "emulator_service": "pptp", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pptp", "service_banner": "honeypot-pptp", "service_os": "linux", "dst_port": "1723" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "accessbuilder", "pptp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_pptp_probe", "pptp_emulated", "pptp_payload" ], "asn_dc_heuristic": true }
15/06/2026 19:24:31 UTC	TCP	888 · ACCESSBUILDER	accessbuilder	accessbuilder accessbuilder · via ACCESSBUILDER:888 · (sonde / probe)	Faible	Faible · 1
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur ACCESSBUILDER WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 888 Chemin / cible — Service ACCESSBUILDER Pourquoi cette classification : Type « accessbuilder » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 1 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206163636573736275696c64657220726561647920706f72743d3838380d0a", "emulator_response_len": 43, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "accessbuilder", "app_proto": "accessbuilder", "asn": 16509, "country": "US", "dst_port": 888, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 1, "tag_count": 0, "anomaly_count": 0, "campaign_key": "dd0aa48053c5ed85634b24f36b99c21549665b0a", "event_fingerprint": "b56863f7f50b0166998f71f7d1d3fee6f8d34cf7", "classification_reason": "Type \u00ab accessbuilder \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1 }, "named_classification_skipped": false, "service_name": "accessbuilder", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "cd2fe1e1f588b76d342f6ca9e1858d9e" }, "target_context": { "dst_port": 888, "service": "accessbuilder", "service_name": "accessbuilder", "risk_score": 1 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf87c919f8b64e2a8a2eceeaa30a98a066e95a19", "protocol_details": { "port": 888, "service": "accessbuilder", "service_label_fr": "ACCESSBUILDER" }, "attack_vector": "accessbuilder \u00b7 via ACCESSBUILDER:888 \u00b7 (sonde \/ probe)", "target_port_label": "888 \u00b7 ACCESSBUILDER", "emulator_service": "accessbuilder", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab accessbuilder \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab accessbuilder \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 1, "risk_label": "Faible", "service_name": "accessbuilder", "service_label_fr": "ACCESSBUILDER", "dst_port": 888, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-accessbuilder", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 888, "service": "accessbuilder", "service_label_fr": "ACCESSBUILDER" }, "attack_vector": "accessbuilder \u00b7 via ACCESSBUILDER:888 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "888 \u00b7 ACCESSBUILDER", "emulator_service": "accessbuilder", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "accessbuilder", "service_banner": "honeypot-accessbuilder", "service_os": "linux", "dst_port": "888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
15/06/2026 19:24:05 UTC	TCP	888 · ACCESSBUILDER	accessbuilder	accessbuilder accessbuilder · via ACCESSBUILDER:888 · (sonde / probe)	Faible	Faible · 1
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur ACCESSBUILDER WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 888 Chemin / cible — Service ACCESSBUILDER Pourquoi cette classification : Type « accessbuilder » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 1 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206163636573736275696c64657220726561647920706f72743d3838380d0a", "emulator_response_len": 43, "bytes_in": 1, "payload_entropy": 0, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "accessbuilder", "app_proto": "accessbuilder", "asn": 16509, "country": "US", "dst_port": 888, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 1, "tag_count": 0, "anomaly_count": 0, "campaign_key": "dd0aa48053c5ed85634b24f36b99c21549665b0a", "event_fingerprint": "b56863f7f50b0166998f71f7d1d3fee6f8d34cf7", "classification_reason": "Type \u00ab accessbuilder \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1 }, "named_classification_skipped": false, "service_name": "accessbuilder", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "01ba4719c80b6fe911b091a7c05124b6", "path_pattern_hash": "cd2fe1e1f588b76d342f6ca9e1858d9e" }, "target_context": { "dst_port": 888, "service": "accessbuilder", "service_name": "accessbuilder", "risk_score": 1 }, "payload_preview": "\n", "request_sample": "\n", "evidence": { "request_sample": "\n", "classification_reason": "Type \u00ab accessbuilder \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5407652f1e6efeff4944901227f7586db1ba988b", "protocol_details": { "port": 888, "service": "accessbuilder", "service_label_fr": "ACCESSBUILDER" }, "attack_vector": "accessbuilder \u00b7 via ACCESSBUILDER:888 \u00b7 (sonde \/ probe)", "target_port_label": "888 \u00b7 ACCESSBUILDER", "emulator_service": "accessbuilder", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab accessbuilder \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab accessbuilder \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 1, "risk_label": "Faible", "service_name": "accessbuilder", "service_label_fr": "ACCESSBUILDER", "dst_port": 888, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-accessbuilder", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 888, "service": "accessbuilder", "service_label_fr": "ACCESSBUILDER" }, "attack_vector": "accessbuilder \u00b7 via ACCESSBUILDER:888 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "888 \u00b7 ACCESSBUILDER", "emulator_service": "accessbuilder", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "accessbuilder", "service_banner": "honeypot-accessbuilder", "service_os": "linux", "dst_port": "888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
15/06/2026 19:22:48 UTC	TCP	888 · ACCESSBUILDER	accessbuilder	Botnet Mozi mozi pattern · via ACCESSBUILDER:888 · (commande & contrôle)	Élevée	Moyen · 43
Étape Commande & contrôle Chaîne Commande & contrôle Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0011 TA0011 Protocole Émulateur ACCESSBUILDER WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 888 Chemin / cible — Service ACCESSBUILDER Payload GET / HTTP/1.1 Host: 62.3.50.33:888 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/1 Pourquoi cette classification : Type « mozi_pattern » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 3 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0011 Tactiques MITRE TA0011 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:888 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/1 Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:888 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206163636573736275696c64657220726561647920706f72743d3838380d0a", "emulator_response_len": 43, "bytes_in": 190, "payload_entropy": 5.290244297276417, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "accessbuilder", "app_proto": "accessbuilder", "asn": 16509, "country": "US", "dst_port": 888, "risk_waf": 8, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 82, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 43, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9bdfbbeb1b8b6b3a78f92e2766f1bb869a07cb8a", "event_fingerprint": "0b6e30bfddc6387c11df7cce23d55e1f4de2ee58", "classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 82, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "accessbuilder", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "986b3158564190685d61ca51de3f9a99", "path_pattern_hash": "762d384fab941f6d0c2239f19994f30e" }, "target_context": { "dst_port": 888, "service": "accessbuilder", "service_name": "accessbuilder", "risk_score": 43 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:888\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:888\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:888\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:888\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:888\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "c2", "mitre_tactics": [ "TA0011" ], "mitre": "TA0011", "threat_family": [ "botnet" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9382b3794428ef12925b4fbd01ae3af24556a316", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:888\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "port": 888, "service": "accessbuilder", "service_label_fr": "ACCESSBUILDER" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:888\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "attack_vector": "mozi pattern \u00b7 via ACCESSBUILDER:888 \u00b7 (commande & contr\u00f4le)", "target_port_label": "888 \u00b7 ACCESSBUILDER", "emulator_service": "accessbuilder", "confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0011 \u2014 via ACCESSBUILDER", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 82, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 43 }, "attack_stage": "c2", "attack_stage_label": "Commande & contr\u00f4le", "attack_chain_stage": "command_and_control", "attack_chain_stage_label_fr": "Commande & contr\u00f4le", "risk_score": 43, "risk_label": "Moyen", "service_name": "accessbuilder", "service_label_fr": "ACCESSBUILDER", "dst_port": 888, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0011", "mitre_technique": "TA0011", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-accessbuilder", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:888\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "port": 888, "service": "accessbuilder", "service_label_fr": "ACCESSBUILDER" }, "attack_vector": "mozi pattern \u00b7 via ACCESSBUILDER:888 \u00b7 (commande & contr\u00f4le)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:888\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "target_port_label": "888 \u00b7 ACCESSBUILDER", "emulator_service": "accessbuilder", "confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": true, "kind": "stage" }, { "key": "command_and_control", "label_fr": "Commande & contr\u00f4le", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "accessbuilder", "service_banner": "honeypot-accessbuilder", "service_os": "linux", "dst_port": "888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "command_and_control", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_mozi_pattern" ], "asn_dc_heuristic": true }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

3.137.139.70

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence