Renseignement sur les menaces

Indonésie

34.101.193.19

FAI Google LLC Première vue 14/06/2026 15:27 UTC Dernière vue 14/06/2026 15:27 UTC Risque Élevé

Période analysée : 2026-05-20 → 2026-06-19

Activité suspecte — risque 68/100 (Élevé) — MITRE T1083 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 69/100 Élevé

Première observation 14/06/2026 15:27 UTC

Dernière observation 14/06/2026 15:27 UTC

Événements (période) 332

MITRE ATT&CK principal TA0007 166 occurrences

Activité suspecte — risque 68/100 (Élevé) — MITRE T1083 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%

Confiance 100 % — Score WAF 100 · Bonus corrélation +8 · 4 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 34.101.192.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 332 événements sur la période pour cette IP.

147.185.133.174 Scanner web 19/06/2026 01:30 UTC
147.185.132.86 Scanner web 19/06/2026 01:30 UTC
35.203.210.103 Sonde port 19/06/2026 01:30 UTC
162.216.150.185 Scanner web 19/06/2026 01:30 UTC
162.216.149.100 Scanner web 19/06/2026 01:30 UTC
147.185.132.232 Scanner web 19/06/2026 01:30 UTC
35.203.211.67 Scanner web 19/06/2026 01:30 UTC
147.185.133.190 Scanner web 19/06/2026 01:29 UTC

Événements (filtres)

332

Première observation

14/06/2026 15:27 UTC

Dernière observation

14/06/2026 15:27 UTC

Dernière activité (filtres)

14/06/2026 15:27 UTC

Événements 7j

332

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 166 TLS TCP 166

HTTP

166

TLS

166

Géolocalisation

Origine réseau déclarée

Indonésie unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 8600 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

config file probe · via HTTP:8600 · (tentative d'exploit) · → /sendgrid/.env.production

Détails protocole

Méthode: GET
Chemin: /sendgrid/.env.production
User-Agent: Mozilla/5.0 (Linux; Android 9; moto g(6)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.1…

Aperçu payload

GET /sendgrid/.env.production HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; moto g(6)) AppleWebKit

Port / service

8600 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF

Technique MITRE

T1083

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

SIGMA-web-config-leak Http Sensitive Upstream Waf Score

Confiance

100% Corrélation +8

Famille de menace

path_traversal config_leak_scan

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

332 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

332 événement(s) — page 3/7

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /v2/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /v2/.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537… Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v2/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /v2/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v2/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /v2/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KH Requête brute (extrait) GET /v2/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "8e592f6d195654b25f2887f372f19885a896c5f2", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "79d69dbab75f7603ce6f8ff1846eda4ce95a3fd2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.4125724266516775, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 8, "anomaly_count": 0, "campaign_key": "4523ffcbee7299267ec17fddafb676547b09ce88", "event_fingerprint": "f3913d32b77728e2dcf90f09359c6459c79f466a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "04bbf91f2f08f7f3f3865b9e75774fd0", "payload_hash": "dc18fc0d6e1b2318f076ef674736dbd3", "path_pattern_hash": "ea63ee477c90ac313ab228a937b8deee" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/v2\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v2\/.env HTTP\/1.1", "request_sample": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/v2\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v2\/.env HTTP\/1.1", "request_sample": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KH", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "43e36d0a75642cf560a19e9ae1b715aab62f4a87", "protocol_details": { "http_method": "GET", "http_path": "\/v2\/.env", "request_line": "GET \/v2\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KH", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/v2\/.env", "request_line": "GET \/v2\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/.env", "evidence_snippet": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KH", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /sendgrid/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /sendgrid/.env UA Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /sendgrid/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /sendgrid/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid/.env HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/79.0.259819395 Mobile/17A5556d Safari/604.1 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /sendgrid/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1. Requête brute (extrait) GET /sendgrid/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/79.0.259819395 Mobile/17A5556d Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "9437cba28d03b8e367f23e3163029fd837235870", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "32cb56247a35cc80b26561f128c72366c9be4e97", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.4242228757269295, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "480d00f8f84f7c088225ac8811a82665a1adcccd", "event_fingerprint": "d8c2f07d532285fc5eac19c8b80b87c91af8f886", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9ceb6144297d4f6896850fa4a6c56253", "payload_hash": "fd4832f1b468177323c7361abaef6325", "path_pattern_hash": "777e785d116a3190d6333410abb382c9" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.", "method": "GET", "path": "\/sendgrid\/.env", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/79.0.259819395 Mobile\/17A5556d Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/79.0.259819395 Mobile\/17A5556d Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.", "evidence": { "method": "GET", "path": "\/sendgrid\/.env", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/79.0.259819395 Mobile\/17A5556d Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/79.0.259819395 Mobile\/17A5556d Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a7d4682c1bb4bf2c2fca7201b1aee629a63b6be4", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env", "request_line": "GET \/sendgrid\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/79.0.259819395 Mobile\/17A555\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env", "request_line": "GET \/sendgrid\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/79.0.259819395 Mobile\/17A555\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env", "evidence_snippet": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /api/v3/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/v3/.env UA Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.… Émulateur HTTP WAF 53 Recommandation Investiguer Tags 950316:lfi-14 950318:lfi-14 950326:rce-0 950406:ssrf-3 Cible HTTP GET /api/v3/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /api/v3/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 8 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Probe /api/v3/ Ligne de requête `GET /api/v3/.env HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com.cn/help.html) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/v3/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com Requête brute (extrait) GET /api/v3/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com.cn/help.html) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "2c593fe199eecb4c868eab750ee5858e8cf2e9ce", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "bd51d82ebe68616089e33c9b7e8bd3dca93e4339", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.188362377097092, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 13, "anomaly_count": 0, "campaign_key": "3197abdb9060e19e61f866d65725157a5a02680a", "event_fingerprint": "a0f4c411fb0b9309e1d19719a559576276927ed2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 185, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "matched_patterns": [ "pat-0103", "pat-0214" ], "matched_pattern_names": [ "LFI Double-dot bypass", "Probe \/api\/v3\/" ], "pattern_ids": [ "pat-0103", "pat-0214" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e0769509f771e005fcee7274b57952ca", "payload_hash": "b1ef1ec99a48c562421fb946dfabf66d", "path_pattern_hash": "04909e92bace7d0131f14c363849c629" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com", "method": "GET", "path": "\/api\/v3\/.env", "user_agent": "Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com.cn\/help.html)", "waf_tags": [ "950316:lfi-14", "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "request_sample": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com.cn\/help.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com", "evidence": { "method": "GET", "path": "\/api\/v3\/.env", "user_agent": "Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com.cn\/help.html)", "waf_tags": [ "950316:lfi-14", "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "request_sample": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com.cn\/help.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2f67af7c8ebe5eeb27bae00a1f18e9f6fb5d4dd0", "protocol_details": { "http_method": "GET", "http_path": "\/api\/v3\/.env", "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com.cn\/help.html)", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/v3\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/v3\/.env", "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com.cn\/help.html)", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/v3\/.env", "evidence_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Yahoo! Slurp China; http:\/\/misc.yahoo.com", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_api_route_probe", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /apps/frontend/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /apps/frontend/.env UA Mozilla/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit/537.36… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /apps/frontend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /apps/frontend/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /apps/frontend/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /apps/frontend/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit/53 Requête brute (extrait) GET /apps/frontend/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "36404e511934c3f5718d43e8b9255f671c846247", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "ba0ce57a366071a1ca1afd15a1a01a04ccdd2335", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.381708372988562, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "480d00f8f84f7c088225ac8811a82665a1adcccd", "event_fingerprint": "5fb2eb0856c43ae887308c2efd3e31d2d96a4850", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63744a9cc5fb43be066e30c7cf32e296", "payload_hash": "f4591d0f484a3c9a4e6d36b0e155e3a6", "path_pattern_hash": "a541762358ad3d2463e9e9180528a6a3" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/53", "method": "GET", "path": "\/apps\/frontend\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/apps\/frontend\/.env HTTP\/1.1", "request_sample": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/apps\/frontend\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/apps\/frontend\/.env HTTP\/1.1", "request_sample": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/53", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "821afeda8ee1df7e4f72a71a2c8591c894e21822", "protocol_details": { "http_method": "GET", "http_path": "\/apps\/frontend\/.env", "request_line": "GET \/apps\/frontend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/53", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/apps\/frontend\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/apps\/frontend\/.env", "request_line": "GET \/apps\/frontend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/apps\/frontend\/.env", "evidence_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/53", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /www/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /www/.env UA Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /www/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /www/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /www/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 OPR/60.0.3255.109 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /www/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, l Requête brute (extrait) GET /www/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 OPR/60.0.3255.109 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "ea67b68c631a162474288e15e298b20c2e8e6f67", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "f9a5f885118a1e31832caf4bc6622a0bd9e5d124", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.432127638973392, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "480d00f8f84f7c088225ac8811a82665a1adcccd", "event_fingerprint": "9d1360a4dcf02f60b0b5e7c7227690d9b50e2d5e", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c0ca339d2cd731f07075ee801106ca02", "payload_hash": "46022bc4854af2ec511967dc4d642c7c", "path_pattern_hash": "9f8be2cd3d14d4c05416633fe809702c" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "method": "GET", "path": "\/www\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.109", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/www\/.env HTTP\/1.1", "request_sample": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.109\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "evidence": { "method": "GET", "path": "\/www\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.109", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/www\/.env HTTP\/1.1", "request_sample": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.109\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "04329172f71249c1df51b67d9ec2ba6d5304ddad", "protocol_details": { "http_method": "GET", "http_path": "\/www\/.env", "request_line": "GET \/www\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/www\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/www\/.env", "request_line": "GET \/www\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/www\/.env", "evidence_snippet": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /storage/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /storage/.env UA Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /storage/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /storage/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /storage/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Maxthon/5.2.7.5000 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /storage/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /storage/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Maxthon/5.2.7.5000 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "87ebac2b3cc7ed6ba4ee408a82877492dcfa5d2e", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "b8ca2ea5c794124cded93c100b20da74277adc4e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.403731865226516, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "480d00f8f84f7c088225ac8811a82665a1adcccd", "event_fingerprint": "4b4289599b04bb90314321e7079e716fe7f0fd14", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b05785e0cf1ecbcc64b771618a4d8e5e", "payload_hash": "f80b949390b9e19512fec0e6e4257c68", "path_pattern_hash": "450e48008d46f59e9e14143fd8de05b2" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/storage\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/storage\/.env HTTP\/1.1", "request_sample": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/storage\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/storage\/.env HTTP\/1.1", "request_sample": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "df52bacc66503d1accbb5eb7bfffc17bf6de0147", "protocol_details": { "http_method": "GET", "http_path": "\/storage\/.env", "request_line": "GET \/storage\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/storage\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/storage\/.env", "request_line": "GET \/storage\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/storage\/.env", "evidence_snippet": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /temp/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /temp/.env UA Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /temp/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /temp/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /temp/.env HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0) Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /temp/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0) Acc Requête brute (extrait) GET /temp/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "ed06f2f1b1802b2bf443a12fa33354de95410b0f", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "a617862b9702a5eb0473c44d9afaf4e0da55a075", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 192, "payload_entropy": 5.2602178367520915, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "480d00f8f84f7c088225ac8811a82665a1adcccd", "event_fingerprint": "e3befb749872ce694eba653c1c71281d3de09dae", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "432b20c082f564bb8f0a327579c69c0e", "payload_hash": "18d81f7f0e6ebecb47de06629dd3fc93", "path_pattern_hash": "75ee17153df3d0dbe793fbb0bd486a6b" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0)\r\nAcc", "method": "GET", "path": "\/temp\/.env", "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/temp\/.env HTTP\/1.1", "request_sample": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0)\r\nAcc", "evidence": { "method": "GET", "path": "\/temp\/.env", "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/temp\/.env HTTP\/1.1", "request_sample": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0)\r\nAcc", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b62fae2e98aef8fe82695da8eb4f2759558d13fe", "protocol_details": { "http_method": "GET", "http_path": "\/temp\/.env", "request_line": "GET \/temp\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0)", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0)\r\nAcc", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/temp\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/temp\/.env", "request_line": "GET \/temp\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0)", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/temp\/.env", "evidence_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0)\r\nAcc", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /web/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /web/.env UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /web/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /web/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /web/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/65.0.3325.181 Chrome/65.0.3325.181 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /web/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko Requête brute (extrait) GET /web/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/65.0.3325.181 Chrome/65.0.3325.181 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "4d2c8205d3aef70e0949276f0e2c286395c7d033", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "47bcdedb3b954688023f733564a003e944c34a32", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.43536126304465, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "480d00f8f84f7c088225ac8811a82665a1adcccd", "event_fingerprint": "8785390b8004d2bde95e25a45888d3d7fa38cd37", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6c4931ae9201e4d4a33cc801e74d4a5f", "payload_hash": "4479d7c3af584a16ac22edaeb371d305", "path_pattern_hash": "d80a28198e7c3b2ce080248f274b9024" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "method": "GET", "path": "\/web\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/65.0.3325.181 Chrome\/65.0.3325.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/web\/.env HTTP\/1.1", "request_sample": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/65.0.3325.181 Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "evidence": { "method": "GET", "path": "\/web\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/65.0.3325.181 Chrome\/65.0.3325.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/web\/.env HTTP\/1.1", "request_sample": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/65.0.3325.181 Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "917acbf4f56abd9c9541b91cc9f23527e098d80d", "protocol_details": { "http_method": "GET", "http_path": "\/web\/.env", "request_line": "GET \/web\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/65.0.3325.181 Chrome\/65.0.3325.1\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/web\/.env", "request_line": "GET \/web\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/65.0.3325.181 Chrome\/65.0.3325.1\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.env", "evidence_snippet": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /dashboard/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /dashboard/.env UA Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /dashboard/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /dashboard/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /dashboard/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /dashboard/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /dashboard/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "4f807cd830453e03eaa7bb8398f168ee663261b2", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "a0df23adcbc250d22f3ea9c43cd45132cd7d119e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.394685254372959, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 8, "anomaly_count": 0, "campaign_key": "38d5061ef608277f3f77735ac158fb82242ca346", "event_fingerprint": "7ff1a863745ad2e5daea6116960786afcd9fa845", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3d46d65ae6e495fc85230f828e001267", "payload_hash": "e83443935c67df1e338c3a66dd324194", "path_pattern_hash": "90b830636acb1be7da7ed46e94f3bb1d" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/dashboard\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/dashboard\/.env HTTP\/1.1", "request_sample": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/dashboard\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/dashboard\/.env HTTP\/1.1", "request_sample": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHT", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b7c55c6878b47dbcdc2b8b7c5e93e4211e302454", "protocol_details": { "http_method": "GET", "http_path": "\/dashboard\/.env", "request_line": "GET \/dashboard\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHT", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dashboard\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/dashboard\/.env", "request_line": "GET \/dashboard\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dashboard\/.env", "evidence_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3) AppleWebKit\/537.36 (KHT", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_traefik", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /cms/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /cms/.env UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /cms/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /cms/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /cms/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /cms/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko Requête brute (extrait) GET /cms/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "6a51cf6ef766553254f1318ff2fba187584ada2c", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "83c0a8815eca606b22325f7ae33170918a4904ee", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 233, "payload_entropy": 5.425290806104213, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "480d00f8f84f7c088225ac8811a82665a1adcccd", "event_fingerprint": "ecd8008ebe91566ae29c571ce59a40744420b1de", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e97807800cc3b161579f8adfdbda56ff", "payload_hash": "82b8c649698e67addcf5a731bb9e1d7b", "path_pattern_hash": "202848a338e2a8411edbe9c852ffc90f" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "method": "GET", "path": "\/cms\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/cms\/.env HTTP\/1.1", "request_sample": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "evidence": { "method": "GET", "path": "\/cms\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/cms\/.env HTTP\/1.1", "request_sample": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0dc4b43a5adc867ba2e87a1574929439c24601f5", "protocol_details": { "http_method": "GET", "http_path": "\/cms\/.env", "request_line": "GET \/cms\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cms\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/cms\/.env", "request_line": "GET \/cms\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cms\/.env", "evidence_snippet": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Flood / DDoS http flood · via HTTP:8600 · (tentative d'exploit) · → /sendgrid.env	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /sendgrid.env Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.3 Requête brute (extrait) GET /sendgrid.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "env", "http_ua_hash": "8fe78328d262057c27b52a67fb6578e07ef3e588", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "3719861ea949dc2f70a7ae8ced2a838a6837f706", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.421543166918988, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8633490ebe10dd3eb2931c5f06f8b9687eab1a42", "event_fingerprint": "10eea429cdc60cc5fe656607b9c331fdecffd578", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "aefe0aa60c3e3b58db92218df8eb3730", "payload_hash": "cfb1eb67245b6a07bca45bb34012b226", "path_pattern_hash": "ca36907c59a1a3482046c81a2d773198" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.3", "method": "GET", "path": "\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.env HTTP\/1.1", "request_sample": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.env HTTP\/1.1", "request_sample": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "210fd398e5f27879d339e8bc88ab54b5489973a7", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.env", "request_line": "GET \/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.env", "request_line": "GET \/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.env", "evidence_snippet": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.3", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /packages/api/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /packages/api/.env UA Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /packages/api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /packages/api/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /packages/api/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36 EdgA/42.0.2.3819 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /packages/api/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 Requête brute (extrait) GET /packages/api/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36 EdgA/42.0.2.3819 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "d0b32e6b556f817809a1967927b8d8d2e7678b0a", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "fd8fe30f25c6601a86628e4b53931f0feb977f1a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.434106802394775, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "480d00f8f84f7c088225ac8811a82665a1adcccd", "event_fingerprint": "2eae525c5f6fd1b09e0c51e6fdb15065cb29b180", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b23dbbd191472317e2f36acdeb2915f6", "payload_hash": "09829f0aaa99816ae42f949ce705ed18", "path_pattern_hash": "226ad246bf9a22935f1389885ad08c73" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 ", "method": "GET", "path": "\/packages\/api\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36 EdgA\/42.0.2.3819", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/packages\/api\/.env HTTP\/1.1", "request_sample": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36 EdgA\/42.0.2.3819\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/packages\/api\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36 EdgA\/42.0.2.3819", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/packages\/api\/.env HTTP\/1.1", "request_sample": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36 EdgA\/42.0.2.3819\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1d6c908c79a3dfaee98f4b17f34b04d0386182b0", "protocol_details": { "http_method": "GET", "http_path": "\/packages\/api\/.env", "request_line": "GET \/packages\/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.3\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/packages\/api\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/packages\/api\/.env", "request_line": "GET \/packages\/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.3\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/packages\/api\/.env", "evidence_snippet": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env~	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env~ UA Uzbl (Webkit 1.3) (Linux i686 [i686]) Émulateur HTTP WAF 8 Recommandation Surveiller Tags 950514:leak-1 http_backup_file_scan http_sensitive_path net_flood Cible HTTP GET /.env~ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env~ Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « leak-1 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 47 Confiance : Confiance 100 % — Motif catalogue confirmé · 1 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env~ HTTP/1.1` User-Agent Uzbl (Webkit 1.3) (Linux i686 [i686]) Règles WAF leak-1 Payload (extrait) GET /.env~ HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686]) Accept-Charset: utf-8 Accept-Enc Requête brute (extrait) GET /.env~ HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686]) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "env~", "http_ua_hash": "d26eab59ef7aebc1c5985aae4552f1ebd7aa0558", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "1226c0debb1b75494a73e965e6d8cdcb9b1ead38", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 162, "payload_entropy": 5.236003685973226, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 40, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 40, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49328edc18fb70b28e5d0be648f05aa8a0762837", "event_fingerprint": "4311778ee82569d3a3a7411ef86040dfec16f493", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 240, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 40, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 47, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "91f6acd3814db78860f3895180f75f5e", "payload_hash": "3acda8a7b5f3812d68c610314a45ed2a", "path_pattern_hash": "cf5f67b633918a8bfbe3f2b4d6e8e9e1" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\r\nAccept-Charset: utf-8\r\nAccept-Enc", "method": "GET", "path": "\/.env~", "user_agent": "Uzbl (Webkit 1.3) (Linux i686 [i686])", "waf_tags": [ "950514:leak-1" ], "waf_rule_names": [ "leak-1" ], "request_line": "GET \/.env~ HTTP\/1.1", "request_sample": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\r\nAccept-Charset: utf-8\r\nAccept-Enc", "evidence": { "method": "GET", "path": "\/.env~", "user_agent": "Uzbl (Webkit 1.3) (Linux i686 [i686])", "waf_tags": [ "950514:leak-1" ], "waf_rule_names": [ "leak-1" ], "request_line": "GET \/.env~ HTTP\/1.1", "request_sample": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\r\nAccept-Charset: utf-8\r\nAccept-Enc", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d52632fcac1d448cdebdf92220f81329a00d4e78", "protocol_details": { "http_method": "GET", "http_path": "\/.env~", "request_line": "GET \/.env~ HTTP\/1.1", "http_user_agent": "Uzbl (Webkit 1.3) (Linux i686 [i686])", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\r\nAccept-Charset: utf-8\r\nAccept-Enc", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env~", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 40, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 47, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env~", "request_line": "GET \/.env~ HTTP\/1.1", "http_user_agent": "Uzbl (Webkit 1.3) (Linux i686 [i686])", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env~", "evidence_snippet": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Uzbl (Webkit 1.3) (Linux i686 [i686])\r\nAccept-Charset: utf-8\r\nAccept-Enc", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 40 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /uat/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /uat/.env UA Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWeb… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /uat/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /uat/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /uat/.env HTTP/1.1` User-Agent Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /uat/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/53 Requête brute (extrait) GET /uat/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "bfe337f65b96ab2d85f1b043e52e4d4dbcabeb8e", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "1eb2933a38e1b26e0106588b5505e9710f93d6fb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.423045998493688, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "480d00f8f84f7c088225ac8811a82665a1adcccd", "event_fingerprint": "cb6fec0edfd2d24e92615192d04a8d844ac61de1", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "191b84648989c0b55455be235ffc5e52", "payload_hash": "2172c0532c285572c01281a677f0d4de", "path_pattern_hash": "1a8fcb54c8457aab1171c5a3ff6b1128" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/53", "method": "GET", "path": "\/uat\/.env", "user_agent": "Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KHTML, like Gecko) Version\/5.0.2 Mobile\/8F190 Safari\/6533.18.5", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/uat\/.env HTTP\/1.1", "request_sample": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KHTML, like Gecko) Version\/5.0.2 Mobile\/8F190 Safari\/6533.18.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/uat\/.env", "user_agent": "Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KHTML, like Gecko) Version\/5.0.2 Mobile\/8F190 Safari\/6533.18.5", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/uat\/.env HTTP\/1.1", "request_sample": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KHTML, like Gecko) Version\/5.0.2 Mobile\/8F190 Safari\/6533.18.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/53", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7b095982fe5ce42ad10b7c2dd295aeca8d246429", "protocol_details": { "http_method": "GET", "http_path": "\/uat\/.env", "request_line": "GET \/uat\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KHTML, like Gecko) Version\/5.0.2 Mobile\/8F\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/53", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/uat\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/uat\/.env", "request_line": "GET \/uat\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KHTML, like Gecko) Version\/5.0.2 Mobile\/8F\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/uat\/.env", "evidence_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/53", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /v1/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /v1/.env UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v1/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /v1/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v1/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /v1/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like G Requête brute (extrait) GET /v1/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "2ab3c726caac14dfa232a4a9e2c3acf713174070", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "0f6d25494f66c35cd0bd7eb1054d443c9b0c6f63", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.4214543276820315, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 8, "anomaly_count": 0, "campaign_key": "4523ffcbee7299267ec17fddafb676547b09ce88", "event_fingerprint": "e116ead99823a3c3a493745060bbfd432bf816d8", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9512b91ef45b70868033930922efd0f4", "payload_hash": "fdf2001d5adaf3651ffe6e8612e2efc3", "path_pattern_hash": "a29d1f8ccacc51ac2e54fe6653b8d5f0" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like G", "method": "GET", "path": "\/v1\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v1\/.env HTTP\/1.1", "request_sample": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like G", "evidence": { "method": "GET", "path": "\/v1\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v1\/.env HTTP\/1.1", "request_sample": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like G", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "219b596c015aaa4197d63845d4b1eb4c5f2d28ae", "protocol_details": { "http_method": "GET", "http_path": "\/v1\/.env", "request_line": "GET \/v1\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like G", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/v1\/.env", "request_line": "GET \/v1\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/.env", "evidence_snippet": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like G", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /services/auth/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /services/auth/.env UA Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko/20… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /services/auth/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /services/auth/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/auth/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko/20100916 Iceape/2.0.8 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /services/auth/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Geck Requête brute (extrait) GET /services/auth/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko/20100916 Iceape/2.0.8 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "987f63cbb9c3436380f0c5ba7c4c8f73d9cb4a61", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "09b20d19aa313f464eacd68829b3fab12fccb496", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 220, "payload_entropy": 5.305117168662697, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "480d00f8f84f7c088225ac8811a82665a1adcccd", "event_fingerprint": "16b845be25df3e5d6601ab6f2360cb4550cca5af", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3a804c3ecc17f3b2520fd1567c5a1897", "payload_hash": "7387e28fadc1736fcff1e94f1aa9f497", "path_pattern_hash": "465b6d455db6ce12c0bb2d49f4cfba7e" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Geck", "method": "GET", "path": "\/services\/auth\/.env", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/20100916 Iceape\/2.0.8", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/auth\/.env HTTP\/1.1", "request_sample": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/20100916 Iceape\/2.0.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Geck", "evidence": { "method": "GET", "path": "\/services\/auth\/.env", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/20100916 Iceape\/2.0.8", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/auth\/.env HTTP\/1.1", "request_sample": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/20100916 Iceape\/2.0.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Geck", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1510c33eac54fc8e26cab347b35343bc45824d2e", "protocol_details": { "http_method": "GET", "http_path": "\/services\/auth\/.env", "request_line": "GET \/services\/auth\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/20100916 Iceape\/2.0.8", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Geck", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/auth\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/auth\/.env", "request_line": "GET \/services\/auth\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/20100916 Iceape\/2.0.8", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/auth\/.env", "evidence_snippet": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Geck", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /dev/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /dev/.env UA Mozilla/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /dev/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /dev/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /dev/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build/PKQ1.181203.001) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/10.9.8… Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /dev/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build/PKQ1. Requête brute (extrait) GET /dev/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build/PKQ1.181203.001) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/10.9 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "7baad4190d9937938a97144245e757a8444835fc", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "95dbd9173b5580a94a3583c1e8d31bee303be7a7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 329, "payload_entropy": 5.460669095807161, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 8, "anomaly_count": 0, "campaign_key": "3e0c44fffeb9f0beadc1c29a047e4959525f0847", "event_fingerprint": "edffbc04355a65e9d8de890520fce0076d50a55b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "290f154625b3ad1ddfd4d8953366cc62", "payload_hash": "a1114a5b32ef069b66b95d16c1db8648", "path_pattern_hash": "5776ea19ec2f88a0568ff0bc7de6e909" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build\/PKQ1.", "method": "GET", "path": "\/dev\/.env", "user_agent": "Mozilla\/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build\/PKQ1.181203.001) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.8-g", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/dev\/.env HTTP\/1.1", "request_sample": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build\/PKQ1.181203.001) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9", "payload_snippet": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build\/PKQ1.", "evidence": { "method": "GET", "path": "\/dev\/.env", "user_agent": "Mozilla\/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build\/PKQ1.181203.001) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.8-g", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/dev\/.env HTTP\/1.1", "request_sample": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build\/PKQ1.181203.001) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9", "payload_snippet": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build\/PKQ1.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "12055464461fdd1de255b1932a505fa79c1da17f", "protocol_details": { "http_method": "GET", "http_path": "\/dev\/.env", "request_line": "GET \/dev\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build\/PKQ1.181203.001) AppleWebKit\/537.36 (KHTML, like Gecko)\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build\/PKQ1.", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dev\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/dev\/.env", "request_line": "GET \/dev\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build\/PKQ1.181203.001) AppleWebKit\/537.36 (KHTML, like Gecko)\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dev\/.env", "evidence_snippet": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-gb; Redmi Note 7 Pro Build\/PKQ1.", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_dev", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Flood / DDoS http flood · via HTTP:8600 · (tentative d'exploit) · → /app/sendgrid.env	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/sendgrid.env UA Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/sendgrid.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /app/sendgrid.env Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/sendgrid.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.36 ( Requête brute (extrait) GET /app/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "58c309d4af7f366e6b4a3f2f73401e578ab326f2", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "c4e386f94f6eeabfd7559193ad14662c752c4a14", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.416777598949728, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "321b8bae109541226d3bae2b92d326aee2f6a8fd", "event_fingerprint": "6483dafa4f36fc099cbda867f5bc7f6a63775792", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f21e92d9de247922063a172257e34376", "payload_hash": "7e2fe3200a357754c401ca12e07d143f", "path_pattern_hash": "6261a164ed75d70d1161dccf152278f4" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/app\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (", "method": "GET", "path": "\/app\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/app\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/app\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/app\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fda7617a72338170ab0795816f05c9fbf593c738", "protocol_details": { "http_method": "GET", "http_path": "\/app\/sendgrid.env", "request_line": "GET \/app\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (", "attack_vector": "http flood \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/sendgrid.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/sendgrid.env", "request_line": "GET \/app\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/sendgrid.env", "evidence_snippet": "GET \/app\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973F) AppleWebKit\/537.36 (", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Flood / DDoS http flood · via HTTP:8600 · (tentative d'exploit) · → /backend/sendgrid.env	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /backend/sendgrid.env UA Mozilla/5.0 (Linux; Android 9; POT-LX1) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /backend/sendgrid.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /backend/sendgrid.env Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/sendgrid.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; POT-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backend/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; POT-LX1) AppleWebKit/537.3 Requête brute (extrait) GET /backend/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; POT-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "e6623f48c6205681e2990174a89fc08c5e628133", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "6ca5cdbc93351479900cbb16227fdccd897d6239", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.431737636612345, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "321b8bae109541226d3bae2b92d326aee2f6a8fd", "event_fingerprint": "fcccdc36f087342d5ebca484376f81784048aacb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9806245c10ff8d721773296f1ac813d6", "payload_hash": "c76a788b4b0b984b86f556b18bee072a", "path_pattern_hash": "7e30bd8e2fce0a25f9e4a2967db75cb4" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POT-LX1) AppleWebKit\/537.3", "method": "GET", "path": "\/backend\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; POT-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POT-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POT-LX1) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/backend\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; POT-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POT-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POT-LX1) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eed4256faa7d7fc4ddb747a70bebba74d0229cad", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.env", "request_line": "GET \/backend\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; POT-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POT-LX1) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.env", "request_line": "GET \/backend\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; POT-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.env", "evidence_snippet": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POT-LX1) AppleWebKit\/537.3", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Flood / DDoS http flood · via HTTP:8600 · (tentative d'exploit) · → /email/sendgrid.env	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /email/sendgrid.env UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /email/sendgrid.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /email/sendgrid.env Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /email/sendgrid.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3542.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /email/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /email/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3542.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "e5cc06d1781b327482951911897d723116552f08", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "7765a13ca36d03ce5c3bb95d98b761f9bdfc5359", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.40997792284797, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "321b8bae109541226d3bae2b92d326aee2f6a8fd", "event_fingerprint": "f254ad8c2b17db230c872d4ad1bf8125b6f244dc", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "33ffb9e0728865beecfe8a07c8281523", "payload_hash": "b8093794778a02ba5fad43b93c9dfb13", "path_pattern_hash": "fa9fcbdbb4fa67e9ab4f6eaf7971e782" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/email\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/email\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3542.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/email\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/email\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3542.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/email\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/email\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3542.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/email\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/email\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3542.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/email\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f57be625267b024ac6ece403e2cc429f5ce0316f", "protocol_details": { "http_method": "GET", "http_path": "\/email\/sendgrid.env", "request_line": "GET \/email\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3542.0 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/email\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/email\/sendgrid.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/email\/sendgrid.env", "request_line": "GET \/email\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3542.0 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/email\/sendgrid.env", "evidence_snippet": "GET \/email\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Flood / DDoS http flood · via HTTP:8600 · (tentative d'exploit) · → /mail/sendgrid.env	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /mail/sendgrid.env UA Opera/9.20 (Macintosh; Intel Mac OS X; U; en) Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 http_probe_mail net_flood Cible HTTP GET /mail/sendgrid.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /mail/sendgrid.env Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mail/sendgrid.env HTTP/1.1` User-Agent Opera/9.20 (Macintosh; Intel Mac OS X; U; en) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mail/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Opera/9.20 (Macintosh; Intel Mac OS X; U; en) Accept-Charse Requête brute (extrait) GET /mail/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Opera/9.20 (Macintosh; Intel Mac OS X; U; en) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "963772bc47a3191abae054027ab3cf3bd312afb4", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "918fb0707c3047f4a464183e84e60c7ef822770a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 182, "payload_entropy": 5.20875218873556, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2e3610c18314f4a2435c8a7d10af4b2e666a37c5", "event_fingerprint": "24f1d219b35351ba8b440cb7768b9539741d4a93", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "568f244f4952b5686c6503e1501b5e39", "payload_hash": "fd30d295f4decbbae41ebc4f507d71ab", "path_pattern_hash": "b9496c7b6aaeb3d017c2f794092f550b" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/mail\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charse", "method": "GET", "path": "\/mail\/sendgrid.env", "user_agent": "Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mail\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/mail\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mail\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charse", "evidence": { "method": "GET", "path": "\/mail\/sendgrid.env", "user_agent": "Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mail\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/mail\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mail\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charse", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bdb38126234c3ec4a495f095fa5858a9697f6643", "protocol_details": { "http_method": "GET", "http_path": "\/mail\/sendgrid.env", "request_line": "GET \/mail\/sendgrid.env HTTP\/1.1", "http_user_agent": "Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mail\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charse", "attack_vector": "http flood \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mail\/sendgrid.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/mail\/sendgrid.env", "request_line": "GET \/mail\/sendgrid.env HTTP\/1.1", "http_user_agent": "Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mail\/sendgrid.env", "evidence_snippet": "GET \/mail\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\r\nAccept-Charse", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "http_probe_mail", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /sendgrid/.env.backup	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /sendgrid/.env.backup UA Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/3… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /sendgrid/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /sendgrid/.env.backup Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid/.env.backup HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/32.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /sendgrid/.env.backup HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Fir Requête brute (extrait) GET /sendgrid/.env.backup HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/32.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "51be3634ba4e4a58df8e12f83430a343c74959ff", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "7414e954936369312216016b538bc4f9a2118512", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.274621637166432, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "480d00f8f84f7c088225ac8811a82665a1adcccd", "event_fingerprint": "cff10a8d7738843f97998954bc741e67ee94f33b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5285b277d72c4ac82f931a2157ac21b8", "payload_hash": "8e9946076945f13cb6e74cf2a2607d6f", "path_pattern_hash": "19193774c73c1aaa5564e645d1415a95" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Fir", "method": "GET", "path": "\/sendgrid\/.env.backup", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env.backup HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Fir", "evidence": { "method": "GET", "path": "\/sendgrid\/.env.backup", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env.backup HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Fir", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0c4e16f473081cf3ff66bea8bcc942e3e1813bab", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env.backup", "request_line": "GET \/sendgrid\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Fir", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env.backup", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env.backup", "request_line": "GET \/sendgrid\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env.backup", "evidence_snippet": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Fir", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /app/.env.production	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.production UA Mozilla/5.0 (OS/2; Warp 4.5; rv:10.0.12) Gecko/20130108 Firefox… Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /app/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /app/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (OS/2; Warp 4.5; rv:10.0.12) Gecko/20130108 Firefox/10.0.12 SeaMonkey/2.7.2 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.production HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:10.0.12) Gecko/20130108 Fi Requête brute (extrait) GET /app/.env.production HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:10.0.12) Gecko/20130108 Firefox/10.0.12 SeaMonkey/2.7.2 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "ca86e1f23aab36cc034b4424afef7d222582801e", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "9f1a3b476954729097b55b44dc605e9187baaeeb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 226, "payload_entropy": 5.270587939272111, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 8, "anomaly_count": 0, "campaign_key": "32c9b69c8b24451ef0a0f47d12ccde81c87639f9", "event_fingerprint": "09642245db8cfcfbec8c6a3b7589b0af4476ecef", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f5c547752759dd419ea0c88e31c48e84", "payload_hash": "57a7474993f2029b2105b2fa5f2bc55c", "path_pattern_hash": "129b91fce99c27e6763c24ece35d5295" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20130108 Fi", "method": "GET", "path": "\/app\/.env.production", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20130108 Firefox\/10.0.12 SeaMonkey\/2.7.2", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.production HTTP\/1.1", "request_sample": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20130108 Firefox\/10.0.12 SeaMonkey\/2.7.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20130108 Fi", "evidence": { "method": "GET", "path": "\/app\/.env.production", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20130108 Firefox\/10.0.12 SeaMonkey\/2.7.2", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.production HTTP\/1.1", "request_sample": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20130108 Firefox\/10.0.12 SeaMonkey\/2.7.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20130108 Fi", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f7ed7530ce39cd869984f0af424e70af7704e091", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.production", "request_line": "GET \/app\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20130108 Firefox\/10.0.12 SeaMonkey\/2.7.2", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20130108 Fi", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.production", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.production", "request_line": "GET \/app\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20130108 Firefox\/10.0.12 SeaMonkey\/2.7.2", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.production", "evidence_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20130108 Fi", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /sendgrid/.env.prod	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /sendgrid/.env.prod UA Mozilla/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /sendgrid/.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /sendgrid/.env.prod Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid/.env.prod HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /sendgrid/.env.prod HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit/537.3 Requête brute (extrait) GET /sendgrid/.env.prod HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "prod", "http_ua_hash": "7199e71bd0a4d770ac26317fe89e377f7110d480", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "0d25707b0f08affaf044e5e5e4a9b372cf0e8d19", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.381993876315849, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "480d00f8f84f7c088225ac8811a82665a1adcccd", "event_fingerprint": "70138ec3de099e15b3c123bdef51ae0594a4c516", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "35d869f1312ec7cd417807bdc1af127d", "payload_hash": "101e55b1648f97e08087ffbc080c1a2a", "path_pattern_hash": "7b6f2bf53da3271b0003640b70d40226" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit\/537.3", "method": "GET", "path": "\/sendgrid\/.env.prod", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env.prod HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/sendgrid\/.env.prod", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env.prod HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit\/537.3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "74234b203c91bfa4b56c3b55e9d9e09a7889f325", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env.prod", "request_line": "GET \/sendgrid\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit\/537.3", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env.prod", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env.prod", "request_line": "GET \/sendgrid\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env.prod", "evidence_snippet": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H850) AppleWebKit\/537.3", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /api/backend/.env	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/backend/.env UA Mozilla/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit/537.36… Émulateur HTTP WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /api/backend/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/backend/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/backend/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit/537. Requête brute (extrait) GET /api/backend/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "a7ef0bcebe0bdc9f8d9ce22bcf1aac4b6aab624c", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "e525470447161ee4034567dbf14d4d4a54f52f46", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.408738144797769, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 9, "anomaly_count": 0, "campaign_key": "306f514feea42609f7fd0115d7f2f6faea375af0", "event_fingerprint": "87339b910ef4427d15839ea05772d915a8d51334", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "df15bd5e6457d72adcbd668478fbb1ca", "payload_hash": "6dd3e236bed45251626ca9c02cb7fba5", "path_pattern_hash": "ad852d1414999713ac2638aba79c8ff5" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.", "method": "GET", "path": "\/api\/backend\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/backend\/.env HTTP\/1.1", "request_sample": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/api\/backend\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/backend\/.env HTTP\/1.1", "request_sample": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "18ca7a7f03dab3f0b54f69d2774ab014849d8ee1", "protocol_details": { "http_method": "GET", "http_path": "\/api\/backend\/.env", "request_line": "GET \/api\/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/backend\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/backend\/.env", "request_line": "GET \/api\/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/backend\/.env", "evidence_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /app/.env.local	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.local UA P3P Validator Émulateur HTTP WAF 14 Recommandation Investiguer Tags 950468:nosqli-3 950514:leak-1 http_backup_file_scan http_sensitive_path Cible HTTP GET /app/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /app/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.local HTTP/1.1` User-Agent P3P Validator Règles WAF nosqli-3 leak-1 Payload (extrait) GET /app/.env.local HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: P3P Validator Accept-Charset: utf-8 Accept-Encoding: gzip Co Requête brute (extrait) GET /app/.env.local HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: P3P Validator Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "5989c9bfd03fed74ff4f4437acc2f5da802b4085", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "6b35726d908ca1441d48958552cc4f0c6d6cdbcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.049135057147354, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 64, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2dfb4ac2ebd2522100ad64bae5ab2bd399b5019c", "event_fingerprint": "f74e9a37da9dd3b889189be94235d7c4f8e8dd92", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "df213ead450ded0e13e99557efc1bccf", "payload_hash": "ba18039f04222cd98845f775d27dd5f3", "path_pattern_hash": "d0aea5366423bcf3f26207cfc3fa52c7" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "method": "GET", "path": "\/app\/.env.local", "user_agent": "P3P Validator", "waf_tags": [ "950468:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.local HTTP\/1.1", "request_sample": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "evidence": { "method": "GET", "path": "\/app\/.env.local", "user_agent": "P3P Validator", "waf_tags": [ "950468:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.local HTTP\/1.1", "request_sample": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4ff55678f923675ca896166d685d65d13647cdef", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.local", "request_line": "GET \/app\/.env.local HTTP\/1.1", "http_user_agent": "P3P Validator", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.local", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.local", "request_line": "GET \/app\/.env.local HTTP\/1.1", "http_user_agent": "P3P Validator", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.local", "evidence_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 64 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:42 UTC	TCP	8600 · HTTP	http	Flood / DDoS http flood · via HTTP:8600 · (tentative d'exploit) · → /config/sendgrid.env	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.env UA Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /config/sendgrid.env Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0 Iceweasel/5.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Fir Requête brute (extrait) GET /config/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0 Iceweasel/5.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "9d8b2fa1599c74e63591442cc4d813329231ea73", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "442d1e47f2d87d2eb61cbc03306278922032dd94", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.285296245811856, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "b6c2aa508d3ee0a877dd761aa616994cb988c6eb", "event_fingerprint": "a6699359a2debe8e39a84c92c7545898ae3f5977", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e18edfb1656e9676e904e728003d5bd4", "payload_hash": "2b9e1b2157a86ee8bb1f49faf7b8a2ee", "path_pattern_hash": "063c352cd871139979301d261825ea56" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Fir", "method": "GET", "path": "\/config\/sendgrid.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Fir", "evidence": { "method": "GET", "path": "\/config\/sendgrid.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Fir", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b66b4c3f05ec6aa8d6ec174f22d1f102f9de17be", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.env", "request_line": "GET \/config\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Fir", "attack_vector": "http flood \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.env", "request_line": "GET \/config\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.env", "evidence_snippet": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Fir", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:8600 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8600 Chemin / cible — Service TLS Payload ��MyǮ�d�m!�x��\|�y�LTRr��N�{\� h;��M�\|�Ay�fL��i��/��N�b+,&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��MyǮ�d�m!�x��\|�y�LTRr��N�{\� h;��M�\|�Ay�fL��i��/��N�b+,&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��MyǮ�d�m!�x��\|�y�LTRr��N�{\� h;��M�\|�Ay�fL��i��/��N�b+,&�+�/�,�0̨̩� �� /5� w �+3&$ E09��b�ͯ�Q�7Pg�I��V2� -)� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.902031733062877, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "cacaa9946a8c0d0ae488852f09859c354d78607d", "event_fingerprint": "f36342292d616e4177df1c1938d2a305992708ad", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "3a2cbf2bbf4a323e5d261d53c14b0fc7", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8600, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003My\u01ee\ufffdd\ufffdm!\ufffdx\ufffd\ufffd\ufffd\|\ufffdy\ufffdLTRr\ufffd\ufffd\ufffd\ufffdN\ufffd{\\\ufffd h;\ufffd\ufffdM\ufffd\|\u000f\ufffdAy\ufffdfL\ufffd\ufffd\ufffdi\ufffd\ufffd\u0003\u000e\ufffd\/\ufffd\ufffdN\u0017\ufffdb+,\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003My\u01ee\ufffdd\ufffdm!\ufffdx\ufffd\ufffd\ufffd\|\ufffdy\ufffdLTRr\ufffd\ufffd\ufffd\ufffdN\ufffd{\\\ufffd h;\ufffd\ufffdM\ufffd\|\u000f\ufffdAy\ufffdfL\ufffd\ufffd\ufffdi\ufffd\ufffd\u0003\u000e\ufffd\/\ufffd\ufffdN\u0017\ufffdb+,\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 E\u000309\ufffd\ufffdb\ufffd\u036f\ufffdQ\ufffd7Pg\ufffd\u0014I\ufffd\ufffd\u0017\ufffd\ufffdV2\ufffd\t-)\ufffd\u0001", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003My\u01ee\ufffdd\ufffdm!\ufffdx\ufffd\ufffd\ufffd\|\ufffdy\ufffdLTRr\ufffd\ufffd\ufffd\ufffdN\ufffd{\\\ufffd h;\ufffd\ufffdM\ufffd\|\u000f\ufffdAy\ufffdfL\ufffd\ufffd\ufffdi\ufffd\ufffd\u0003\u000e\ufffd\/\ufffd\ufffdN\u0017\ufffdb+,\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "32f5d729433a864e35683cf454dacc4dc9ed360b", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003My\u01ee\ufffdd\ufffdm!\ufffdx\ufffd\ufffd\ufffd\|\ufffdy\ufffdLTRr\ufffd\ufffd\ufffd\ufffdN\ufffd{\\\ufffd h;\ufffd\ufffdM\ufffd\|\u000f\ufffdAy\ufffdfL\ufffd\ufffd\ufffdi\ufffd\ufffd\u0003\u000e\ufffd\/\ufffd\ufffdN\u0017\ufffdb+,\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8600, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdMy\u01ee\ufffdd\ufffdm!\ufffdx\ufffd\ufffd\ufffd\|\ufffdy\ufffdLTRr\ufffd\ufffd\ufffd\ufffdN\ufffd{\\\ufffd h;\ufffd\ufffdM\ufffd\|\ufffdAy\ufffdfL\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffd\/\ufffd\ufffdN\ufffdb+,&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:8600 \u00b7 (sonde \/ probe)", "target_port_label": "8600 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003My\u01ee\ufffdd\ufffdm!\ufffdx\ufffd\ufffd\ufffd\|\ufffdy\ufffdLTRr\ufffd\ufffd\ufffd\ufffdN\ufffd{\\\ufffd h;\ufffd\ufffdM\ufffd\|\u000f\ufffdAy\ufffdfL\ufffd\ufffd\ufffdi\ufffd\ufffd\u0003\u000e\ufffd\/\ufffd\ufffdN\u0017\ufffdb+,\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8600, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:8600 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdMy\u01ee\ufffd*d\ufffdm!\ufffdx\ufffd\ufffd\ufffd\|\ufffdy\ufffdLTRr\ufffd\ufffd\ufffd\ufffdN\ufffd{\\\ufffd h;\ufffd\ufffdM\ufffd\|\ufffdAy\ufffdfL\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffd\/\ufffd\ufffdN\ufffdb+,&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8600 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.old	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.old UA Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537.36… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.old Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.old HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.old HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /.env.old HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "b3a96afeae4b6ab9fcb5170be19f4a12892285f6", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "5c6d2af3e13d17105c8f5fb6187fb5c332303b42", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.393399416173603, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 8, "anomaly_count": 0, "campaign_key": "0c43356570693800be94ef7152e0a2c42dda8da9", "event_fingerprint": "9fd2a41ecea19148808b28fe29e7faf0c74a250d", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "25f672c9d3583e5b7f4ad296c1f6db00", "payload_hash": "3eb1f2a815eb67182c18070db64a4e94", "path_pattern_hash": "3807eb1255fb0315f3ffbb94c31e25e0" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/.env.old", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.old HTTP\/1.1", "request_sample": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/.env.old", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.old HTTP\/1.1", "request_sample": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ed2a26306c51e436646fb6aec6adc93686986204", "protocol_details": { "http_method": "GET", "http_path": "\/.env.old", "request_line": "GET \/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTM", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.old", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.old", "request_line": "GET \/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.old", "evidence_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTM", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_probe_env", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.demo	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.demo UA Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0) Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.demo TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.demo Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.demo HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0) Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.demo HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0) Acc Requête brute (extrait) GET /.env.demo HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "demo", "http_ua_hash": "c14bf96833bdd8aa770bb9da7ac2822dec887995", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "281117a46ffb6dbe77926884a25652c0da93651c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 192, "payload_entropy": 5.265189807806172, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c437e98a9e420ae10dd29f71b9778956015c2026", "event_fingerprint": "fc6444ea2bd70416bb4f32c34b10768c2c26fe22", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c6a2bcb6a6c371918bafda16a1164505", "payload_hash": "2200a03f5509f17d819b0fb186edfda8", "path_pattern_hash": "ff56ce56a447b9537c511ab389b44d21" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\r\nAcc", "method": "GET", "path": "\/.env.demo", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.demo HTTP\/1.1", "request_sample": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\r\nAcc", "evidence": { "method": "GET", "path": "\/.env.demo", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.demo HTTP\/1.1", "request_sample": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\r\nAcc", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b238b4f0fb2a7114f1084f01adcb0582214ba650", "protocol_details": { "http_method": "GET", "http_path": "\/.env.demo", "request_line": "GET \/.env.demo HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\r\nAcc", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.demo", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.demo", "request_line": "GET \/.env.demo HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.demo", "evidence_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0)\r\nAcc", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.copy	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.copy UA Mozilla/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit/537.36… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.copy TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.copy Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.copy HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.copy HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /.env.copy HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "copy", "http_ua_hash": "36404e511934c3f5718d43e8b9255f671c846247", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "7c2ae66345773d74e41beccb46e084de01a9b535", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.39235601779975, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c437e98a9e420ae10dd29f71b9778956015c2026", "event_fingerprint": "cfa5f293f730698071d15b157aef1af37e10eb82", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63744a9cc5fb43be066e30c7cf32e296", "payload_hash": "80b4b639f7b726abf0b049dc5d05a47f", "path_pattern_hash": "1582af18ca1ce6e54d4467e471b637e8" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/.env.copy", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.copy HTTP\/1.1", "request_sample": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/.env.copy", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.copy HTTP\/1.1", "request_sample": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHT", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c5eb4489a4ef04dc5c9b254374cf64f07bddd09e", "protocol_details": { "http_method": "GET", "http_path": "\/.env.copy", "request_line": "GET \/.env.copy HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHT", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.copy", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.copy", "request_line": "GET \/.env.copy HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.copy", "evidence_snippet": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 (KHT", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.orig	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.orig UA Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko/20… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.orig TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.orig Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.orig HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko/20100916 Iceape/2.0.8 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.orig HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko/2010091 Requête brute (extrait) GET /.env.orig HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko/20100916 Iceape/2.0.8 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "orig", "http_ua_hash": "987f63cbb9c3436380f0c5ba7c4c8f73d9cb4a61", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "a5360e8b4c24130ce7b83ff2db501eac1df0996e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.295959884211408, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c437e98a9e420ae10dd29f71b9778956015c2026", "event_fingerprint": "708e3f8c8bb9681a3f262b68b5b788b11bcf939e", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3a804c3ecc17f3b2520fd1567c5a1897", "payload_hash": "5ea4ee97f002a92e46aa846d8783fbd6", "path_pattern_hash": "74a5485724e3b49c70feec62176e92c9" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/2010091", "method": "GET", "path": "\/.env.orig", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/20100916 Iceape\/2.0.8", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.orig HTTP\/1.1", "request_sample": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/20100916 Iceape\/2.0.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/2010091", "evidence": { "method": "GET", "path": "\/.env.orig", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/20100916 Iceape\/2.0.8", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.orig HTTP\/1.1", "request_sample": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/20100916 Iceape\/2.0.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/2010091", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bdf89ab1197cffe13f6453df83bad60ee3140d23", "protocol_details": { "http_method": "GET", "http_path": "\/.env.orig", "request_line": "GET \/.env.orig HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/20100916 Iceape\/2.0.8", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/2010091", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.orig", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.orig", "request_line": "GET \/.env.orig HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/20100916 Iceape\/2.0.8", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.orig", "evidence_snippet": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko\/2010091", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.preprod	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.preprod UA Mozilla/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit/531.2 (KHT… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.preprod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.preprod Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.preprod HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit/531.2 (KHTML, like Gecko) Safari/531.2 Epiphany/2.30.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.preprod HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit/531.2 (KHTM Requête brute (extrait) GET /.env.preprod HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit/531.2 (KHTML, like Gecko) Safari/531.2 Epiphany/2.30.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "preprod", "http_ua_hash": "0c061325dc9a0bc5242bf536604db0cd9672ddfc", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "67166fa60459969a35e979b1c3340b3415271d3a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.376565286828751, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c437e98a9e420ae10dd29f71b9778956015c2026", "event_fingerprint": "bc91377dd7879d8601c4a48bd89f38ac0ef5bfc3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f4f118e82698980f558632c42646ff8d", "payload_hash": "e99e655b072f0356e2886c38086c4caf", "path_pattern_hash": "56c2098c6a61c7ac0db82c4db6400ced" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit\/531.2 (KHTM", "method": "GET", "path": "\/.env.preprod", "user_agent": "Mozilla\/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit\/531.2 (KHTML, like Gecko) Safari\/531.2 Epiphany\/2.30.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.preprod HTTP\/1.1", "request_sample": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit\/531.2 (KHTML, like Gecko) Safari\/531.2 Epiphany\/2.30.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit\/531.2 (KHTM", "evidence": { "method": "GET", "path": "\/.env.preprod", "user_agent": "Mozilla\/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit\/531.2 (KHTML, like Gecko) Safari\/531.2 Epiphany\/2.30.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.preprod HTTP\/1.1", "request_sample": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit\/531.2 (KHTML, like Gecko) Safari\/531.2 Epiphany\/2.30.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit\/531.2 (KHTM", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4158da06db1bc8e62dd41f81ff121994eb3aed93", "protocol_details": { "http_method": "GET", "http_path": "\/.env.preprod", "request_line": "GET \/.env.preprod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit\/531.2 (KHTML, like Gecko) Safari\/531.2 Epiphany\/2.30.0", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit\/531.2 (KHTM", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.preprod", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.preprod", "request_line": "GET \/.env.preprod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit\/531.2 (KHTML, like Gecko) Safari\/531.2 Epiphany\/2.30.0", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.preprod", "evidence_snippet": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit\/531.2 (KHTM", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.example	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.example UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.example TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.example Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.example HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML like Gecko) Version/6.0.2 Safari/536.26.17 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.example HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26 Requête brute (extrait) GET /.env.example HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML like Gecko) Version/6.0.2 Safari/536.26.17 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "example", "http_ua_hash": "18baebc31ef70b1e291af230dc7070ad6a4b261f", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "080963ef62d711207d0e68706f04d0705ec4d7fa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.372053431912903, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c437e98a9e420ae10dd29f71b9778956015c2026", "event_fingerprint": "448c03c0b7c5c5290121f74f598ee0ba0999e8e1", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "48e0655d0896428817e0482c143e4968", "payload_hash": "92a54dd90fd91f657b7146e8321af49a", "path_pattern_hash": "f8bf22cb3ab23601599be7f21fa00aee" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit\/536.26", "method": "GET", "path": "\/.env.example", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit\/536.26.17 (KHTML like Gecko) Version\/6.0.2 Safari\/536.26.17", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.example HTTP\/1.1", "request_sample": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit\/536.26.17 (KHTML like Gecko) Version\/6.0.2 Safari\/536.26.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit\/536.26", "evidence": { "method": "GET", "path": "\/.env.example", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit\/536.26.17 (KHTML like Gecko) Version\/6.0.2 Safari\/536.26.17", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.example HTTP\/1.1", "request_sample": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit\/536.26.17 (KHTML like Gecko) Version\/6.0.2 Safari\/536.26.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit\/536.26", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a464ad566dfaa4af5b657cde4c9e8912899c022d", "protocol_details": { "http_method": "GET", "http_path": "\/.env.example", "request_line": "GET \/.env.example HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit\/536.26.17 (KHTML like Gecko) Version\/6.0.2 Safari\/536.26.17", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit\/536.26", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.example", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.example", "request_line": "GET \/.env.example HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit\/536.26.17 (KHTML like Gecko) Version\/6.0.2 Safari\/536.26.17", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.example", "evidence_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit\/536.26", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /backend/api/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/api/.env UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /backend/api/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/api/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/80.0.180 Chrome/74.0.3729.180 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/api/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /backend/api/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/80.0.180 Chrome/74.0.3729.180 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "4cdd8a798554dcb7cb32c818cfdd182cc385b07d", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "7cf3bcec31d16ad31dcc82b576038776c12d1f9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 270, "payload_entropy": 5.434085781825637, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cbcdac23dd6005a837754a8d2c00809d2e72202b", "event_fingerprint": "f30b7c0969d6293c288d93648aa63b1ca6b359b2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "69b2af8496cfc7ed3b44a7a36f501409", "payload_hash": "cb2d000c7ab1c1f47f500e2b47d17d8b", "path_pattern_hash": "f336a19e3f1ce7e6163bdad57dfb6c61" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/backend\/api\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) coc_coc_browser\/80.0.180 Chrome\/74.0.3729.180 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/api\/.env HTTP\/1.1", "request_sample": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) coc_coc_browser\/80.0.180 Chrome\/74.0.3729.180 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/backend\/api\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) coc_coc_browser\/80.0.180 Chrome\/74.0.3729.180 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/api\/.env HTTP\/1.1", "request_sample": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) coc_coc_browser\/80.0.180 Chrome\/74.0.3729.180 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a65c23059acdd4bdaeab9ec6f1cf56f4fa8bc8bc", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/api\/.env", "request_line": "GET \/backend\/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) coc_coc_browser\/80.0.180 Chrome\/74.0.3729.18\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/api\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/api\/.env", "request_line": "GET \/backend\/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) coc_coc_browser\/80.0.180 Chrome\/74.0.3729.18\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/api\/.env", "evidence_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /v3/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /v3/.env UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v3/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /v3/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v3/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36 OPR/19.0.1326.56 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /v3/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Ge Requête brute (extrait) GET /v3/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36 OPR/19.0.1326.56 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "2310586453e4780ff4bfc7701e2bb7378fa83d3e", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "8c6c0cf35b21182c44d1fbe7c55901c2e77c5cbc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.431899258543343, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "367eee3928584ef08339c963cb549e42dc3ac7a7", "event_fingerprint": "9d1529ac63cec476281d350de50b772e0f473277", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1b30f0e4870ea68f33ea9c57bd7015a2", "payload_hash": "c4b3fad2bccdb68c0640c779297fc70c", "path_pattern_hash": "b9266b5e3818db8e42f016e0af085277" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Ge", "method": "GET", "path": "\/v3\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/32.0.1700.76 Safari\/537.36 OPR\/19.0.1326.56", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v3\/.env HTTP\/1.1", "request_sample": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/32.0.1700.76 Safari\/537.36 OPR\/19.0.1326.56\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Ge", "evidence": { "method": "GET", "path": "\/v3\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/32.0.1700.76 Safari\/537.36 OPR\/19.0.1326.56", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v3\/.env HTTP\/1.1", "request_sample": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/32.0.1700.76 Safari\/537.36 OPR\/19.0.1326.56\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Ge", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e60caa30051cfa3b81f3f239e4abb467b37c9eba", "protocol_details": { "http_method": "GET", "http_path": "\/v3\/.env", "request_line": "GET \/v3\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/32.0.1700.76 Safari\/537.36 OPR\/19.0.1\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Ge", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v3\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/v3\/.env", "request_line": "GET \/v3\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/32.0.1700.76 Safari\/537.36 OPR\/19.0.1\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v3\/.env", "evidence_snippet": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Ge", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.dist	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.dist UA Mozilla/5.0 (Linux; Android 9; RMX1801) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.dist TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.dist Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.dist HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; RMX1801) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.dist HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; RMX1801) AppleWebKit/537.36 (KHTML, l Requête brute (extrait) GET /.env.dist HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; RMX1801) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "dist", "http_ua_hash": "cd081cf32c7af044352f8b2856a18f1824db007f", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "a8dbdb551defc236b9cece3e75d9b78bd8bedf29", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.414155092972903, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c437e98a9e420ae10dd29f71b9778956015c2026", "event_fingerprint": "af16ff1e5d736066edddd6e90064c209b110189c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "233ef1c039aaa5ebdc8ce5615d566cc2", "payload_hash": "eded8ea8cd4ad2c7bd8af7e03a3f27d5", "path_pattern_hash": "dca3f24e2bb7c842c1b47abf4a5e3131" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.dist HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, l", "method": "GET", "path": "\/.env.dist", "user_agent": "Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.dist HTTP\/1.1", "request_sample": "GET \/.env.dist HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.dist HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, l", "evidence": { "method": "GET", "path": "\/.env.dist", "user_agent": "Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.dist HTTP\/1.1", "request_sample": "GET \/.env.dist HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.dist HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, l", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "58256b237d79973b6e938db43096089db8883b61", "protocol_details": { "http_method": "GET", "http_path": "\/.env.dist", "request_line": "GET \/.env.dist HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.dist HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, l", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.dist", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.dist", "request_line": "GET \/.env.dist HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.dist", "evidence_snippet": "GET \/.env.dist HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, l", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /api/.env.production	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env.production UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /api/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 OPR/58.0.3135.132 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.production HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /api/.env.production HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 OPR/58.0.3135.132 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "e648ee7a50e503291171b473765b06511d1b1054", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "968e975abb5bec4d137f79208dfd090d8456c104", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 270, "payload_entropy": 5.434317296593192, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 8, "anomaly_count": 0, "campaign_key": "25854aca2f7bfcc2edf9de91870c2a2ba871027e", "event_fingerprint": "8c60242c1baf4afd88d70bfac59aacbacc5a35f4", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "272ba77b6d6d43d483ae8febac2f323c", "payload_hash": "0dc5913fdcf86a2834a69ac20efa617d", "path_pattern_hash": "3695b3884d13830f81357e8fc9151d2d" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/api\/.env.production", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.132", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.production HTTP\/1.1", "request_sample": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.132\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/api\/.env.production", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.132", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.production HTTP\/1.1", "request_sample": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.132\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea329b324199482b98b618f68bd9e22325480bc1", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.production", "request_line": "GET \/api\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/5\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.production", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.production", "request_line": "GET \/api\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/5\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.production", "evidence_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.production	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.production UA Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 pat-0194 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.production Ligne de requête `GET /.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.production HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build Requête brute (extrait) GET /.env.production HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Accept-Charset: utf-8 Accept-Encoding: gzip C Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "production", "http_ua_hash": "d7c60473ca507d0f267a16bb2c90d1bcbbc70259", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "9b39fa6529cda07275007291b337879405a04c62", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 276, "payload_entropy": 5.406377179820521, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c437e98a9e420ae10dd29f71b9778956015c2026", "event_fingerprint": "012cc0dd75854481d4490ecc237f929d1931fcba", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0194" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.production" ], "pattern_ids": [ "pat-0191", "pat-0194" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1104c74dd435280ff2b2099a808bc6c8", "payload_hash": "9f34b4b93530484b17e6e1d08173bbc8", "path_pattern_hash": "a397c8c79032c8a19624fdccf1ae5680" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build", "method": "GET", "path": "\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production HTTP\/1.1", "request_sample": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC", "payload_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build", "evidence": { "method": "GET", "path": "\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production HTTP\/1.1", "request_sample": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC", "payload_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f2869f00eb7bf049e4bcb26aa26383ee2b1834c1", "protocol_details": { "http_method": "GET", "http_path": "\/.env.production", "request_line": "GET \/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.production", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "pat-0194" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.production", "request_line": "GET \/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.production", "evidence_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.production.bak	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.production.bak UA Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537.36… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.production.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.production.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 pat-0194 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.production Ligne de requête `GET /.env.production.bak HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.production.bak HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/5 Requête brute (extrait) GET /.env.production.bak HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "b3a96afeae4b6ab9fcb5170be19f4a12892285f6", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "5e60aad91233f8359cb54318aa7e2c8c88640909", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.394356192775884, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "44c5c33c7a5a6f4f775277be07b6a00e45a1e51e", "event_fingerprint": "953d0fc74bbcf5820ff985df17c82af2823425f2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0194" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.production" ], "pattern_ids": [ "pat-0191", "pat-0194" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "25f672c9d3583e5b7f4ad296c1f6db00", "payload_hash": "16a21f719265add17ad3c018bcc74c2c", "path_pattern_hash": "46a3381311009be4b70c0ebd235fdb59" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/.env.production.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/5", "method": "GET", "path": "\/.env.production.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.production.bak HTTP\/1.1", "request_sample": "GET \/.env.production.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.env.production.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/.env.production.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.production.bak HTTP\/1.1", "request_sample": "GET \/.env.production.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.env.production.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "132cd05370727251ba39cd482cc60514b0a22810", "protocol_details": { "http_method": "GET", "http_path": "\/.env.production.bak", "request_line": "GET \/.env.production.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.production.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/5", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.production.bak", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "pat-0194" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.production.bak", "request_line": "GET \/.env.production.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.production.bak", "evidence_snippet": "GET \/.env.production.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/5", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.stage	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.stage UA Mozilla/5.0 (Linux; Android 9; Pixel) AppleWebKit/537.36 (KHTML… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.stage TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.stage Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.stage HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Pixel) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.stage HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /.env.stage HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "stage", "http_ua_hash": "5b7b2e4e70985e0107fe5bb257375bc0686bfd58", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "3b1f09925d833e9c8b11c15969735e676c352e02", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.382863788109896, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c437e98a9e420ae10dd29f71b9778956015c2026", "event_fingerprint": "4043f3e4ecb7d2494e3821a25301f18b840bcd16", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0661b118496333fb1ed77a64f08bf520", "payload_hash": "1ac8ba4ef2c465aad7ab558c0ad98ad5", "path_pattern_hash": "41bc8d05ec3b934057692a81f7d48c57" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.stage HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/.env.stage", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.stage HTTP\/1.1", "request_sample": "GET \/.env.stage HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.stage HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/.env.stage", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.stage HTTP\/1.1", "request_sample": "GET \/.env.stage HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.stage HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "64d979e578eec6fe8dca44027955ed30b60264ec", "protocol_details": { "http_method": "GET", "http_path": "\/.env.stage", "request_line": "GET \/.env.stage HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.stage HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.stage", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.stage", "request_line": "GET \/.env.stage HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.stage", "evidence_snippet": "GET \/.env.stage HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /app/.env.dev	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.dev UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.dev TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /app/.env.dev Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.dev HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2876.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.dev HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like G Requête brute (extrait) GET /app/.env.dev HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2876.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "dev", "http_ua_hash": "69d9df4b4a3fcfeffa1bdc3cd7ce3f22bc326c01", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "df5aa2d688155147d78025f13efee7d00a0eafd8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 235, "payload_entropy": 5.429710216291007, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cbcdac23dd6005a837754a8d2c00809d2e72202b", "event_fingerprint": "d81dfcb308765e6de68a3040a87174aaca28b5b0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "01ebbff1548357c921e7ded8ad6cdb18", "payload_hash": "adb69dc5e6ef967ef1fabfd0e107743d", "path_pattern_hash": "80cfd304d2c6517de5f460ebde85ca3d" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "method": "GET", "path": "\/app\/.env.dev", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2876.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.dev HTTP\/1.1", "request_sample": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2876.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "evidence": { "method": "GET", "path": "\/app\/.env.dev", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2876.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.dev HTTP\/1.1", "request_sample": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2876.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fb5c618cef4dcc3c548515d6576a760aa51c33c0", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.dev", "request_line": "GET \/app\/.env.dev HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2876.0 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.dev", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.dev", "request_line": "GET \/app\/.env.dev HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2876.0 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.dev", "evidence_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.production.local	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.production.local UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.production.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.production.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 pat-0194 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.production Ligne de requête `GET /.env.production.local HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.117 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.production.local HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/53 Requête brute (extrait) GET /.env.production.local HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.117 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "3e08e426a4afb785c4acdabe797674ec95a9d603", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "d3f1365c6401e671ba4f40a870e3ce46645aab05", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.412398343159451, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c437e98a9e420ae10dd29f71b9778956015c2026", "event_fingerprint": "4a1cd35e0c00c68514ac87d44dcf5600ce420820", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0194" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.production" ], "pattern_ids": [ "pat-0191", "pat-0194" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cd6c9dd5b503470c84fe5a6f284e2565", "payload_hash": "1d8afb93bc47113b57eceb9ba9b999bf", "path_pattern_hash": "a0a342b9319fca95b9114c90facec319" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.production.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "method": "GET", "path": "\/.env.production.local", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.117", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production.local HTTP\/1.1", "request_sample": "GET \/.env.production.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.117\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/.env.production.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/.env.production.local", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.117", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production.local HTTP\/1.1", "request_sample": "GET \/.env.production.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.117\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/.env.production.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5491c91aa109d91a0b76d3c9264ef58720881296", "protocol_details": { "http_method": "GET", "http_path": "\/.env.production.local", "request_line": "GET \/.env.production.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.production.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.production.local", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "pat-0194" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.production.local", "request_line": "GET \/.env.production.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.production.local", "evidence_snippet": "GET \/.env.production.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env UA Mozilla/4.0 (PSP (PlayStation Portable); 2.00) Émulateur HTTP WAF 15 Recommandation Investiguer Tags 950326:rce-0 950514:leak-1 http_backup_file_scan http_probe_env Cible HTTP GET /.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env HTTP/1.1` User-Agent Mozilla/4.0 (PSP (PlayStation Portable); 2.00) Règles WAF rce-0 leak-1 Payload (extrait) GET /.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/4.0 (PSP (PlayStation Portable); 2.00) Accept-Charset: utf-8 Ac Requête brute (extrait) GET /.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/4.0 (PSP (PlayStation Portable); 2.00) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "env", "http_ua_hash": "0259b0a6e9b661df49adf36e35aad2ba1cf30207", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "9ee0d3f55b39072ba6bec6203d26e470be80afdc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 170, "payload_entropy": 5.202622606690506, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 68, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 68, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3cb7e007a9a47f9a75c386f26c1d4d0df48df787", "event_fingerprint": "a7c8be7ca27208700d96d2421b31a2afee992f40", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 68, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "23cef6c3f06394596e11a276d5422da4", "payload_hash": "b25634d3a416654e6116920ef7a10686", "path_pattern_hash": "aef81e7735de8f42b73e111497498c8b" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccept-Charset: utf-8\r\nAc", "method": "GET", "path": "\/.env", "user_agent": "Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)", "waf_tags": [ "950326:rce-0", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "leak-1" ], "request_line": "GET \/.env HTTP\/1.1", "request_sample": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccept-Charset: utf-8\r\nAc", "evidence": { "method": "GET", "path": "\/.env", "user_agent": "Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)", "waf_tags": [ "950326:rce-0", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "leak-1" ], "request_line": "GET \/.env HTTP\/1.1", "request_sample": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccept-Charset: utf-8\r\nAc", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9a920493c5dd0a845a87d27d8b2ddc8928f3314f", "protocol_details": { "http_method": "GET", "http_path": "\/.env", "request_line": "GET \/.env HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccept-Charset: utf-8\r\nAc", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 68, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env", "request_line": "GET \/.env HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env", "evidence_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccept-Charset: utf-8\r\nAc", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 68 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950514:leak-1", "http_backup_file_scan", "http_probe_env", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.test	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.test UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.test TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.test Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.test HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.test HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /.env.test HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "test", "http_ua_hash": "23f7e3d5921dcf4ac38a5d5c0c3224413c749e02", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "4e40a92f813d5ab41a0033a3846a1a977ff1de23", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 239, "payload_entropy": 5.404083139285902, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c437e98a9e420ae10dd29f71b9778956015c2026", "event_fingerprint": "30bb23b8aed847610b4456b4cfcecf4e8ef309e0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "11ec8df53c101ab988aff63fcdce1483", "payload_hash": "c12adb5f80b5c5b4b14c319f968dda56", "path_pattern_hash": "d0f775cf96d71b1d76da4d08e462f07a" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "method": "GET", "path": "\/.env.test", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.test HTTP\/1.1", "request_sample": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/.env.test", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.test HTTP\/1.1", "request_sample": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a293028474bd1185a8aeecfe72a60719b078cc27", "protocol_details": { "http_method": "GET", "http_path": "\/.env.test", "request_line": "GET \/.env.test HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.test", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.test", "request_line": "GET \/.env.test HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.test", "evidence_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.local	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.local UA Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/1… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 pat-0193 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.local Ligne de requête `GET /.env.local HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.local HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 Requête brute (extrait) GET /.env.local HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "0a540c4e158404bf13daf9dab34433773f42270d", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "1bd3d14a0dcd500ff7a77dd7b961ff8960851334", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 196, "payload_entropy": 5.219697119515522, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "4931c93d660032d7cceda6e7acdeacc8a8cf1c9e", "event_fingerprint": "45eabb37146fc46f66ede622bb1468aef06dcbb0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0193", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0193", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0193" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.local" ], "pattern_ids": [ "pat-0191", "pat-0193" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "894d186111a59dd4bf59e8ded183ded7", "payload_hash": "412c1b8fefb64355e072523302b4418d", "path_pattern_hash": "b9c24fc1b97f40588adfd0796c248786" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0\r", "method": "GET", "path": "\/.env.local", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.local HTTP\/1.1", "request_sample": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "evidence": { "method": "GET", "path": "\/.env.local", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.local HTTP\/1.1", "request_sample": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aba89bc04aa7932947c83b7bed70980766cdc7c5", "protocol_details": { "http_method": "GET", "http_path": "\/.env.local", "request_line": "GET \/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.local", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0193" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "pat-0193" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.local", "request_line": "GET \/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.local", "evidence_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_env_local", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /api/.env.local	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env.local UA Mozilla/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko/20100907 Firef… Émulateur HTTP WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /api/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko/20100907 Firefox/4.0b6pre Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.local HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko/20100907 Firef Requête brute (extrait) GET /api/.env.local HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko/20100907 Firefox/4.0b6pre Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "1143b7eee789de0be3053ee97f620f5ea2d6b88c", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "edb025f9fa0e5ca4830590504e5c719dffe9f0d2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 208, "payload_entropy": 5.304640842520517, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 8, "anomaly_count": 0, "campaign_key": "25854aca2f7bfcc2edf9de91870c2a2ba871027e", "event_fingerprint": "0ad7b8b99b8a8c4a8b30405a6b7ed395db8fc6f1", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "446f734b7d9bbe846e72ddae2586c2d8", "payload_hash": "092945a62b6f0eca2b89813a71d0a348", "path_pattern_hash": "593041543fc7e9468b6d0efddae98740" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko\/20100907 Firef", "method": "GET", "path": "\/api\/.env.local", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko\/20100907 Firefox\/4.0b6pre", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.local HTTP\/1.1", "request_sample": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko\/20100907 Firefox\/4.0b6pre\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko\/20100907 Firef", "evidence": { "method": "GET", "path": "\/api\/.env.local", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko\/20100907 Firefox\/4.0b6pre", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.local HTTP\/1.1", "request_sample": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko\/20100907 Firefox\/4.0b6pre\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko\/20100907 Firef", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ede674986098ae125c89c28064ded1622a0cd4f7", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.local", "request_line": "GET \/api\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko\/20100907 Firefox\/4.0b6pre", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko\/20100907 Firef", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.local", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.local", "request_line": "GET \/api\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko\/20100907 Firefox\/4.0b6pre", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.local", "evidence_snippet": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko\/20100907 Firef", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /src/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /src/.env UA Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (lik… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /src/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /src/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /src/.env HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (like Gecko) Slackware/13.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /src/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (like Geck Requête brute (extrait) GET /src/.env HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (like Gecko) Slackware/13.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "71e3d45daa2756724838a848311afe0e186e7c49", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "0c533120cce5f9ceabf0223e76a6dc86fc19a74f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.337571639524551, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cbcdac23dd6005a837754a8d2c00809d2e72202b", "event_fingerprint": "efed6db0a0621fb21b74ba9de3c4b228302cb5eb", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c966f3bf2ac8c1b13b2577a7118a5458", "payload_hash": "bd80f62719a9273c087adb1afbd4b146", "path_pattern_hash": "1be4509071ea53617b7e83d68c291bb4" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Geck", "method": "GET", "path": "\/src\/.env", "user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Gecko) Slackware\/13.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/src\/.env HTTP\/1.1", "request_sample": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Gecko) Slackware\/13.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Geck", "evidence": { "method": "GET", "path": "\/src\/.env", "user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Gecko) Slackware\/13.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/src\/.env HTTP\/1.1", "request_sample": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Gecko) Slackware\/13.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Geck", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ab78482b2f1377809719ae745abecac92d1b292d", "protocol_details": { "http_method": "GET", "http_path": "\/src\/.env", "request_line": "GET \/src\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Gecko) Slackware\/13.0", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Geck", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.env", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/src\/.env", "request_line": "GET \/src\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Gecko) Slackware\/13.0", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.env", "evidence_snippet": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Geck", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.dev	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.dev UA Mozilla/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build/CR… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.dev TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.dev Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.dev HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build/CRB43) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari 525.20.1 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.dev HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build/CRB43) A Requête brute (extrait) GET /.env.dev HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build/CRB43) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari 525.20.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connec Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "dev", "http_ua_hash": "da6c5ef166747fadd7336cc2a504329678ff0b2d", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "a499321530f3e4ddd283e6792cf6d67b1e7cfe88", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 271, "payload_entropy": 5.359807071635891, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c437e98a9e420ae10dd29f71b9778956015c2026", "event_fingerprint": "59bb29fd02d2f7badf6521fddf16ae03fb6bc5dc", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "049c6f681c449a40900175c51eedbe5b", "payload_hash": "1d2814db64bd8ab3ca015f55478e7991", "path_pattern_hash": "ceb221ca10f5b573c09ea91320781e08" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build\/CRB43) A", "method": "GET", "path": "\/.env.dev", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build\/CRB43) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari 525.20.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.dev HTTP\/1.1", "request_sample": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build\/CRB43) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari 525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build\/CRB43) A", "evidence": { "method": "GET", "path": "\/.env.dev", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build\/CRB43) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari 525.20.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.dev HTTP\/1.1", "request_sample": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build\/CRB43) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari 525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build\/CRB43) A", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7d75f4faea4b639a391c0afb8b9e3946beb45846", "protocol_details": { "http_method": "GET", "http_path": "\/.env.dev", "request_line": "GET \/.env.dev HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build\/CRB43) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build\/CRB43) A", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.dev", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.dev", "request_line": "GET \/.env.dev HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build\/CRB43) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.\u2026", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.dev", "evidence_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build\/CRB43) A", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 15:27:41 UTC	TCP	8600 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8600 · (tentative d'exploit) · → /.env.bak	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.bak UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8600 Chemin / cible /.env.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.bak HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3833.99 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.bak HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (K Requête brute (extrait) GET /.env.bak HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3833.99 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "7a726b452a6a111eadce8ff3e5120a6cbeccd85f", "http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105", "http_target_hash": "4a5fcefd2e38e385c845c219c16c9499f238dece", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.405802887434578, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "ID", "dst_port": 8600, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 8, "anomaly_count": 0, "campaign_key": "0c43356570693800be94ef7152e0a2c42dda8da9", "event_fingerprint": "dbc4f46fa37fbf288f8fa13e125f8604c4a0e591", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "ID", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "57934732dae991430e964e7e31769bd0", "payload_hash": "90fba7d445910cc44d6da790ee417a9e", "path_pattern_hash": "e884c8b66a9cc0dbcd8816b9898313a2" }, "target_context": { "dst_port": 8600, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/.env.bak", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3833.99 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.bak HTTP\/1.1", "request_sample": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3833.99 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/.env.bak", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3833.99 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.bak HTTP\/1.1", "request_sample": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3833.99 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit\/537.36 (K", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "617dc08c9f6bd47cf32d5ed99f42933b6b607df4", "protocol_details": { "http_method": "GET", "http_path": "\/.env.bak", "request_line": "GET \/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3833.99 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit\/537.36 (K", "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.bak", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.bak", "request_line": "GET \/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3833.99 Safari\/537.36", "port": 8600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8600 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.bak", "evidence_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit\/537.36 (K", "target_port_label": "8600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_probe_env", "http_sensitive_path" ], "asn_dc_heuristic": true }

34.101.193.19

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence