Renseignement sur les menaces

Taïwan

35.194.255.180

FAI Google LLC Première vue 14/06/2026 19:53 UTC Dernière vue 14/06/2026 19:53 UTC Risque Critique

Période analysée : 2026-06-11 → 2026-06-18

Activité suspecte — risque 66/100 (Élevé) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 87/100 Critique

Première observation 14/06/2026 19:53 UTC

Dernière observation 14/06/2026 19:53 UTC

Événements (période) 332

MITRE ATT&CK principal TA0007 166 occurrences

Activité suspecte — risque 66/100 (Élevé) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 84 · Bonus corrélation +8 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 35.194.240.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 332 événements sur la période pour cette IP.

205.210.31.150 Sonde RDP 18/06/2026 04:32 UTC
162.216.150.168 Scanner web 18/06/2026 04:32 UTC
35.203.211.62 Scanner web 18/06/2026 04:31 UTC
162.216.149.186 Scanner web 18/06/2026 04:31 UTC
162.216.150.12 Scanner web 18/06/2026 04:28 UTC
162.216.150.64 Scanner web 18/06/2026 04:28 UTC
147.185.132.169 Scan vulnérabilités 18/06/2026 04:27 UTC
147.185.133.188 Scanner web 18/06/2026 04:26 UTC

Événements (filtres)

332

Première observation

14/06/2026 19:53 UTC

Dernière observation

14/06/2026 19:53 UTC

Dernière activité (filtres)

14/06/2026 19:53 UTC

Événements 7j

332

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 166 TLS TCP 166

HTTP

166

TLS

166

Géolocalisation

Origine réseau déclarée

Taïwan unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 8120 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTP:8120 · (tentative d'exploit) · → /mail/sendgrid.env

Détails protocole

Méthode: GET
Chemin: /mail/sendgrid.env
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G900H Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Ch…

Aperçu payload

GET /mail/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G900H Build/MMB29K) Ap

Port / service

8120 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 3 tag(s) WAF

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499 Upstream Waf Score

Confiance

100% Corrélation +8

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

332 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

332 événement(s) — page 2/7

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /public/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /public/.env UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWeb… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /public/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /public/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /public/.env HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /public/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit Requête brute (extrait) GET /public/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connectio Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "a7ff7744090d424baabfb3cb5268f74eff0034b6", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "bc9ca66c038b10c68f8dffc886361c52fc1ac680", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 268, "payload_entropy": 5.358388868611556, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "6cefc22c2b81e80e8ebd75eb89fc909f738154ee", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f0e7c83acec18aa1884ecc3acc270579", "payload_hash": "9b85b0909dcedb9709d87181ff9379d7", "path_pattern_hash": "6cf746da949d58c839550a31197db646" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit", "method": "GET", "path": "\/public\/.env", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/public\/.env HTTP\/1.1", "request_sample": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit", "evidence": { "method": "GET", "path": "\/public\/.env", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/public\/.env HTTP\/1.1", "request_sample": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b0af3ba81364c35d13557770f42929689e8669a", "protocol_details": { "http_method": "GET", "http_path": "\/public\/.env", "request_line": "GET \/public\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Mobile\/1\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/public\/.env", "request_line": "GET \/public\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Mobile\/1\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/.env", "evidence_snippet": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /private/.env.production	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /private/.env.production UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /private/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /private/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /private/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWeb Requête brute (extrait) GET /private/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "9720039d493fecbd052177bfc2cdfc59928c0baa", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "733a894b07d9b79b5b4ab7169336337873d659bc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.328980847924607, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.4, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 8, "anomaly_count": 0, "campaign_key": "a2fdba3d318ef0a55260f8f3121397e367639d13", "event_fingerprint": "c4c82e491fff3e4082504004ed4255690ad16b4a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0f7466fadc126a571dd472a0cb02895a", "payload_hash": "27d677a352148f6d8a08e90b972065ce", "path_pattern_hash": "d172a4f1c2b0f77cc0bf21a5051067d5" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWeb", "method": "GET", "path": "\/private\/.env.production", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/private\/.env.production HTTP\/1.1", "request_sample": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWeb", "evidence": { "method": "GET", "path": "\/private\/.env.production", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/private\/.env.production HTTP\/1.1", "request_sample": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWeb", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "532561615a8104fb607f5ac6b722d2fc145a5db3", "protocol_details": { "http_method": "GET", "http_path": "\/private\/.env.production", "request_line": "GET \/private\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Safari\/605.1.15", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWeb", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/.env.production", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private\/.env.production", "request_line": "GET \/private\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Safari\/605.1.15", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/.env.production", "evidence_snippet": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWeb", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_private", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /html/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /html/.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /html/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /html/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /html/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /html/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 ( Requête brute (extrait) GET /html/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "25a458d5f440a802ceaaddbdc4ffbf2c9cf23841", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "d88de32bc9acf1646f12af79ae4f4e612885da98", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.40311642455492, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "496ae4089e76468c2102fd2b17f634b188af7bea", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d61fe903ee399d55c519d56606637f20", "payload_hash": "b075090e6c0ef78cef272ae49a759d29", "path_pattern_hash": "b731774ad9ccb17484242cab8412851e" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (", "method": "GET", "path": "\/html\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/html\/.env HTTP\/1.1", "request_sample": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/html\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/html\/.env HTTP\/1.1", "request_sample": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d4e4ca61e0badfadcd1652204459b225e194abcc", "protocol_details": { "http_method": "GET", "http_path": "\/html\/.env", "request_line": "GET \/html\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/html\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/html\/.env", "request_line": "GET \/html\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/html\/.env", "evidence_snippet": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /storage/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /storage/.env UA Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /storage/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /storage/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /storage/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36 EdgA/42.0.2.3819 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /storage/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /storage/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36 EdgA/42.0.2.3819 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "d0b32e6b556f817809a1967927b8d8d2e7678b0a", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "b8ca2ea5c794124cded93c100b20da74277adc4e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 269, "payload_entropy": 5.43616071963642, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "4b5cbe274c8fd2a7d9c7c03faf450e72d409d3ac", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b23dbbd191472317e2f36acdeb2915f6", "payload_hash": "72ab95a68fd0206bd6b9680fe3bbd567", "path_pattern_hash": "450e48008d46f59e9e14143fd8de05b2" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/storage\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36 EdgA\/42.0.2.3819", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/storage\/.env HTTP\/1.1", "request_sample": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36 EdgA\/42.0.2.3819\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/storage\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36 EdgA\/42.0.2.3819", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/storage\/.env HTTP\/1.1", "request_sample": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36 EdgA\/42.0.2.3819\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aa085130861e182c57e32011f3c0ab124bfbded9", "protocol_details": { "http_method": "GET", "http_path": "\/storage\/.env", "request_line": "GET \/storage\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.3\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTM", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/storage\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/storage\/.env", "request_line": "GET \/storage\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.3\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/storage\/.env", "evidence_snippet": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTM", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /web/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /web/.env UA Mozilla/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWeb… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /web/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /web/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /web/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/533.2+ Kindle/3.0+ Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /web/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit/53 Requête brute (extrait) GET /web/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/533.2+ Kindle/3.0+ Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "5c9cdca11b6bd63efe5ce8ca727e8f5035d2c6cb", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "47bcdedb3b954688023f733564a003e944c34a32", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.393453658724954, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "d065ed66f2dc9a6a675b5ae6db44c2c1eb172c35", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "57047d9ca1d9780671795d8ba1919d37", "payload_hash": "d731a75db36cb3b845843ee118f91fb4", "path_pattern_hash": "d80a28198e7c3b2ce080248f274b9024" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/53", "method": "GET", "path": "\/web\/.env", "user_agent": "Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531.2+ (KHTML, like Gecko) Version\/5.0 Safari\/533.2+ Kindle\/3.0+", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/web\/.env HTTP\/1.1", "request_sample": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531.2+ (KHTML, like Gecko) Version\/5.0 Safari\/533.2+ Kindle\/3.0+\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/web\/.env", "user_agent": "Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531.2+ (KHTML, like Gecko) Version\/5.0 Safari\/533.2+ Kindle\/3.0+", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/web\/.env HTTP\/1.1", "request_sample": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531.2+ (KHTML, like Gecko) Version\/5.0 Safari\/533.2+ Kindle\/3.0+\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/53", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1c706bba8fa1a1e49d75d04a0032a1a93f131a59", "protocol_details": { "http_method": "GET", "http_path": "\/web\/.env", "request_line": "GET \/web\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531.2+ (KHTML, like Gecko) Version\/5.0 Safari\/533.2+\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/53", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/web\/.env", "request_line": "GET \/web\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531.2+ (KHTML, like Gecko) Version\/5.0 Safari\/533.2+\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.env", "evidence_snippet": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/53", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /internal/.env	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /internal/.env UA Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /internal/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /internal/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /internal/.env HTTP/1.1` User-Agent Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /internal/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9. Requête brute (extrait) GET /internal/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "35d3136c872f1aad3a3483c918696798e2b9bfec", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "bbff311646149e77bbf27c4899ac7dbcb7bb94dc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 214, "payload_entropy": 5.196891304075161, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.4, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 8, "anomaly_count": 0, "campaign_key": "c4bd90de172956e5e5d306b27e8bcb5dc0c6f191", "event_fingerprint": "48ebda0a3c34880ff9559e4fa2803bb2c9edc26a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4d7250607667b0ddf1ecee4e057260f2", "payload_hash": "b4f9864c2e8cb60f4c180cf64b6d803c", "path_pattern_hash": "929e3be7d81c0f83bf54b6e32e9b030d" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.", "method": "GET", "path": "\/internal\/.env", "user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.168 Version\/11.52", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/internal\/.env HTTP\/1.1", "request_sample": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.168 Version\/11.52\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.", "evidence": { "method": "GET", "path": "\/internal\/.env", "user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.168 Version\/11.52", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/internal\/.env HTTP\/1.1", "request_sample": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.168 Version\/11.52\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "76648bad2825f50ac302b7393e3e4af05690d51b", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/.env", "request_line": "GET \/internal\/.env HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.168 Version\/11.52", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/.env", "request_line": "GET \/internal\/.env HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.168 Version\/11.52", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/.env", "evidence_snippet": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_internal", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /www/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /www/.env UA Mozilla/5.0 (Linux; Android 4.4.2; LGMS323 Build/KOT49I.MS32310… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /www/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /www/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /www/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 4.4.2; LGMS323 Build/KOT49I.MS32310b) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.103 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /www/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; LGMS323 Build/KOT49I.MS32310b) App Requête brute (extrait) GET /www/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; LGMS323 Build/KOT49I.MS32310b) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.103 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "d82ab0faecaad77cf954d38ae9390fdfb5e7055d", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "f9a5f885118a1e31832caf4bc6622a0bd9e5d124", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.499743253211656, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "9fea0d0393f6e4bcc34c030386fa06d2ee4467aa", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "83345b8927d5b950b885688fcf1a7549", "payload_hash": "60b85f957084994e9f6876457096d7ce", "path_pattern_hash": "9f8be2cd3d14d4c05416633fe809702c" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) App", "method": "GET", "path": "\/www\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.103 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/www\/.env HTTP\/1.1", "request_sample": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.103 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) App", "evidence": { "method": "GET", "path": "\/www\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.103 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/www\/.env HTTP\/1.1", "request_sample": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.103 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) App", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8047f64f11ee36afbef993c0b768e4281a187542", "protocol_details": { "http_method": "GET", "http_path": "\/www\/.env", "request_line": "GET \/www\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.15\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) App", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/www\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/www\/.env", "request_line": "GET \/www\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.15\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/www\/.env", "evidence_snippet": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) App", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /services/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /services/.env UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /services/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /services/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /services/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /services/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "4c140d76f5532020661a384e019e17b76766653f", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "0438360fe7a9b359faf44a16aed4ce35cf36b045", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.42139441532239, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "7fa5dd0ab98712570c7687e0afa78b3f5e246165", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f23c5e1fbce7dcf7d4dce8437f5c0e55", "payload_hash": "2dd932fe916457daa99c52c2e1c6882a", "path_pattern_hash": "992024052ce1ab31c9bd1890c9e7f02b" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/services\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/.env HTTP\/1.1", "request_sample": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/services\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/.env HTTP\/1.1", "request_sample": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87bb1ed29b324b12f8f4f9811dc12c06fa8f7cc3", "protocol_details": { "http_method": "GET", "http_path": "\/services\/.env", "request_line": "GET \/services\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/.env", "request_line": "GET \/services\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/.env", "evidence_snippet": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /admin/.env	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /admin/.env UA Mozilla/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /admin/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /admin/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) ET Magento admin ES admin GET ActiveMQ console Ligne de requête `GET /admin/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /admin/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /admin/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "8486665fda73568386afefcf10cb6585c65a1f49", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "9bae73d08848be44521e9c4d49360c6e081f0fff", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.378425408913316, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 10, "anomaly_count": 0, "campaign_key": "7d93b0042baa9e14ac113e95f95f5e8943d92037", "event_fingerprint": "5a5dff18ae7e66b563660fb62b71532c991b960b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0854", "pat-0341", "pat-0606" ], "matched_pattern_names": [ "ET Magento admin", "ES admin GET", "ActiveMQ console" ], "pattern_ids": [ "pat-0854", "pat-0341", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0253c09becda317c35b5c26238e8ea36", "payload_hash": "29a2abac7733242889837105d2252154", "path_pattern_hash": "36de7f489df887c3e31f5a951469f711" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/admin\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/.env HTTP\/1.1", "request_sample": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/admin\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/.env HTTP\/1.1", "request_sample": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4d4763d80e7f2227c748d28f8a2bc1a124429baf", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/.env", "request_line": "GET \/admin\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit\/537.36 (KHTML,", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/.env", "request_line": "GET \/admin\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env", "evidence_snippet": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; MI 6) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_admin_panel_probe", "http_admin_panel_scan", "http_backup_file_scan", "http_probe_admin", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /server/.env.production	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /server/.env.production UA Mozilla/5.0 (X11; NetBSD) AppleWebKit/537.36 (KHTML, like Gecko… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /server/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /server/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (X11; NetBSD) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /server/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; NetBSD) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /server/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; NetBSD) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "c6fbf6bc9603de6b4a8dad9c930b25ec4e7064d5", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "c5a8bf9f86075206f2cab5a2cf1a94aed3e22719", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.411563018329946, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "dc17ccfb33e3aea0e6264939ef26a38380ee2f69", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2caa722207e8adb616457d05180151ce", "payload_hash": "32957d8becf9472ac82f37cc576d1fae", "path_pattern_hash": "a00e13282480bcd571abdd94022996e0" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; NetBSD) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/server\/.env.production", "user_agent": "Mozilla\/5.0 (X11; NetBSD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/27.0.1453.116 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/server\/.env.production HTTP\/1.1", "request_sample": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; NetBSD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/27.0.1453.116 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; NetBSD) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/server\/.env.production", "user_agent": "Mozilla\/5.0 (X11; NetBSD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/27.0.1453.116 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/server\/.env.production HTTP\/1.1", "request_sample": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; NetBSD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/27.0.1453.116 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; NetBSD) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1b5ec060754e40c56fcdfefdd3657db03a8dd5df", "protocol_details": { "http_method": "GET", "http_path": "\/server\/.env.production", "request_line": "GET \/server\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; NetBSD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/27.0.1453.116 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; NetBSD) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/.env.production", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/.env.production", "request_line": "GET \/server\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; NetBSD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/27.0.1453.116 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/.env.production", "evidence_snippet": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; NetBSD) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /config/.env.local	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /config/.env.local UA DoCoMo/2.0 SH901iC(c100;TB;W24H12) Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /config/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /config/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/.env.local HTTP/1.1` User-Agent DoCoMo/2.0 SH901iC(c100;TB;W24H12) Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /config/.env.local HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: DoCoMo/2.0 SH901iC(c100;TB;W24H12) Accept-Charset: utf-8 A Requête brute (extrait) GET /config/.env.local HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: DoCoMo/2.0 SH901iC(c100;TB;W24H12) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "07bd06acffb0f13e2afd9b82c6c0846f995d6bb4", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "8315d690f50358ceea64bc0cb23314dd9bf855ed", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 171, "payload_entropy": 5.231813592746313, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "c97aedbca039d4e8ffbbac99816cf1037e10f767", "event_fingerprint": "8b3145df3dcaa76b54b861b1a040c06af52f05a6", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "738e137eadfbfa8172a94e8d7c271831", "payload_hash": "8f3ada085597d31b4b6a81955def7bad", "path_pattern_hash": "826e0f7bf5d8c36c7953b7184edfe839" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: DoCoMo\/2.0 SH901iC(c100;TB;W24H12)\r\nAccept-Charset: utf-8\r\nA", "method": "GET", "path": "\/config\/.env.local", "user_agent": "DoCoMo\/2.0 SH901iC(c100;TB;W24H12)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/config\/.env.local HTTP\/1.1", "request_sample": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: DoCoMo\/2.0 SH901iC(c100;TB;W24H12)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: DoCoMo\/2.0 SH901iC(c100;TB;W24H12)\r\nAccept-Charset: utf-8\r\nA", "evidence": { "method": "GET", "path": "\/config\/.env.local", "user_agent": "DoCoMo\/2.0 SH901iC(c100;TB;W24H12)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/config\/.env.local HTTP\/1.1", "request_sample": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: DoCoMo\/2.0 SH901iC(c100;TB;W24H12)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: DoCoMo\/2.0 SH901iC(c100;TB;W24H12)\r\nAccept-Charset: utf-8\r\nA", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a04e935cb2f5389f0fed02d109e4eaadc26dd534", "protocol_details": { "http_method": "GET", "http_path": "\/config\/.env.local", "request_line": "GET \/config\/.env.local HTTP\/1.1", "http_user_agent": "DoCoMo\/2.0 SH901iC(c100;TB;W24H12)", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: DoCoMo\/2.0 SH901iC(c100;TB;W24H12)\r\nAccept-Charset: utf-8\r\nA", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/.env.local", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/.env.local", "request_line": "GET \/config\/.env.local HTTP\/1.1", "http_user_agent": "DoCoMo\/2.0 SH901iC(c100;TB;W24H12)", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/.env.local", "evidence_snippet": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: DoCoMo\/2.0 SH901iC(c100;TB;W24H12)\r\nAccept-Charset: utf-8\r\nA", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_config", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /uploads/.env	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /uploads/.env UA FAST-WebCrawler/3.8 (crawler at trd dot overture dot com; http:… Émulateur HTTP WAF 33 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /uploads/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /uploads/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /uploads/.env HTTP/1.1` User-Agent FAST-WebCrawler/3.8 (crawler at trd dot overture dot com; http://www.alltheweb.com/help/webmaster/crawler) Règles WAF rce-0 ssrf-3 nosqli-3 leak-1 Payload (extrait) GET /uploads/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: FAST-WebCrawler/3.8 (crawler at trd dot overture dot com; http:// Requête brute (extrait) GET /uploads/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: FAST-WebCrawler/3.8 (crawler at trd dot overture dot com; http://www.alltheweb.com/help/webmaster/crawler) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "6c5338ef6609c81b9d07515012416cdd82596da0", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "ce47452b1fa5a36e3e2ab6ad357d27ce11d38e66", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 238, "payload_entropy": 5.12232103593963, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 9, "anomaly_count": 0, "campaign_key": "31c44531df930e31474b2663c448d94d24b49059", "event_fingerprint": "c3dd5c1ba0034a39959ab7ee84341d0a564ef1a6", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d8a2edcb1d75fb349632fe832cb28eb9", "payload_hash": "228d59de994b68984160d8c04ecea1da", "path_pattern_hash": "12e1063037a0428b03f9617844274d0a" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: FAST-WebCrawler\/3.8 (crawler at trd dot overture dot com; http:\/\/", "method": "GET", "path": "\/uploads\/.env", "user_agent": "FAST-WebCrawler\/3.8 (crawler at trd dot overture dot com; http:\/\/www.alltheweb.com\/help\/webmaster\/crawler)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/uploads\/.env HTTP\/1.1", "request_sample": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: FAST-WebCrawler\/3.8 (crawler at trd dot overture dot com; http:\/\/www.alltheweb.com\/help\/webmaster\/crawler)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: FAST-WebCrawler\/3.8 (crawler at trd dot overture dot com; http:\/\/", "evidence": { "method": "GET", "path": "\/uploads\/.env", "user_agent": "FAST-WebCrawler\/3.8 (crawler at trd dot overture dot com; http:\/\/www.alltheweb.com\/help\/webmaster\/crawler)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/uploads\/.env HTTP\/1.1", "request_sample": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: FAST-WebCrawler\/3.8 (crawler at trd dot overture dot com; http:\/\/www.alltheweb.com\/help\/webmaster\/crawler)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: FAST-WebCrawler\/3.8 (crawler at trd dot overture dot com; http:\/\/", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "08dfba315d34380890eda1e7b4c47c62ff4a68db", "protocol_details": { "http_method": "GET", "http_path": "\/uploads\/.env", "request_line": "GET \/uploads\/.env HTTP\/1.1", "http_user_agent": "FAST-WebCrawler\/3.8 (crawler at trd dot overture dot com; http:\/\/www.alltheweb.com\/help\/webmaster\/crawler)", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: FAST-WebCrawler\/3.8 (crawler at trd dot overture dot com; http:\/\/", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/uploads\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/uploads\/.env", "request_line": "GET \/uploads\/.env HTTP\/1.1", "http_user_agent": "FAST-WebCrawler\/3.8 (crawler at trd dot overture dot com; http:\/\/www.alltheweb.com\/help\/webmaster\/crawler)", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/uploads\/.env", "evidence_snippet": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: FAST-WebCrawler\/3.8 (crawler at trd dot overture dot com; http:\/\/", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_uploads", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /internal/.env.production	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /internal/.env.production UA Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Triden… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /internal/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /internal/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /internal/.env.production HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0) Asus;Galaxy6 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /internal/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7 Requête brute (extrait) GET /internal/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0) Asus;Galaxy6 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "69c61a13c9113df1c0c9f28cd4f8816cde5dc0ee", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "d290e289983be8731f71ebf018001c11bad4ee88", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.31910950469045, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.4, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 8, "anomaly_count": 0, "campaign_key": "c4bd90de172956e5e5d306b27e8bcb5dc0c6f191", "event_fingerprint": "f451c0361fa967a1c53055dfe42711623be02a18", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a369847afc0da18b2663399de11233b2", "payload_hash": "8902bfbba234d6259f99f75e1f4a9396", "path_pattern_hash": "82c27c01e593b4c327a9fce0421e0d53" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows Phone OS 7", "method": "GET", "path": "\/internal\/.env.production", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident\/3.1; IEMobile\/7.0) Asus;Galaxy6", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/internal\/.env.production HTTP\/1.1", "request_sample": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident\/3.1; IEMobile\/7.0) Asus;Galaxy6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows Phone OS 7", "evidence": { "method": "GET", "path": "\/internal\/.env.production", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident\/3.1; IEMobile\/7.0) Asus;Galaxy6", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/internal\/.env.production HTTP\/1.1", "request_sample": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident\/3.1; IEMobile\/7.0) Asus;Galaxy6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows Phone OS 7", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1a4474138d96ef46b9005996ab13199f6a9154f3", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/.env.production", "request_line": "GET \/internal\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident\/3.1; IEMobile\/7.0) Asus;Galaxy6", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows Phone OS 7", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/.env.production", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/.env.production", "request_line": "GET \/internal\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident\/3.1; IEMobile\/7.0) Asus;Galaxy6", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/.env.production", "evidence_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows Phone OS 7", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_internal", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /conf/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /conf/.env UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /conf/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /conf/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /conf/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /conf/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Geck Requête brute (extrait) GET /conf/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "c93a0d9de37db86bbb3bca1bfab1bf8ad027f349", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "70dc78a46c5fc5ec9a60262c10608bb7fd4c1db2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 234, "payload_entropy": 5.436236828922638, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "68d4b4cde5f75ce95c5e3b7d5005919b202508ad", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3983f747cee3631077733ea0cf6bbe95", "payload_hash": "447b130a0e98803b8e2c3b6dfa8a223b", "path_pattern_hash": "f6629ed9025fbf6cf9edb98b9f1072f5" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/conf\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "method": "GET", "path": "\/conf\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/conf\/.env HTTP\/1.1", "request_sample": "GET \/conf\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/conf\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "evidence": { "method": "GET", "path": "\/conf\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/conf\/.env HTTP\/1.1", "request_sample": "GET \/conf\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/conf\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "68c9f1e2275490245290d7d84ea543851acfbab7", "protocol_details": { "http_method": "GET", "http_path": "\/conf\/.env", "request_line": "GET \/conf\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/conf\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/conf\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/conf\/.env", "request_line": "GET \/conf\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/conf\/.env", "evidence_snippet": "GET \/conf\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /admin/.env.local	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /admin/.env.local UA Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /admin/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /admin/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) ET Magento admin ES admin GET ActiveMQ console Ligne de requête `GET /admin/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /admin/.env.local HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firef Requête brute (extrait) GET /admin/.env.local HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "22d14318c36ee86b76782903da3d72468db7071c", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "5104f09772fa402efdc8eb0bc2114ecf6407730d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 204, "payload_entropy": 5.300602040185175, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 10, "anomaly_count": 0, "campaign_key": "7d93b0042baa9e14ac113e95f95f5e8943d92037", "event_fingerprint": "ba4c62fc7b7b749527dc744cbe2367f082ffb8e9", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0854", "pat-0341", "pat-0606" ], "matched_pattern_names": [ "ET Magento admin", "ES admin GET", "ActiveMQ console" ], "pattern_ids": [ "pat-0854", "pat-0341", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4abee9603dd1238a925018eba0435941", "payload_hash": "82df4effb8a930cc2d08687866c309c5", "path_pattern_hash": "8b44c48d7af23ff178b0954ed1a8265f" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firef", "method": "GET", "path": "\/admin\/.env.local", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/.env.local HTTP\/1.1", "request_sample": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firef", "evidence": { "method": "GET", "path": "\/admin\/.env.local", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/.env.local HTTP\/1.1", "request_sample": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firef", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f69042d6c1c2ea68ea31faebe34e17eec73e454d", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/.env.local", "request_line": "GET \/admin\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firef", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env.local", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/.env.local", "request_line": "GET \/admin\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env.local", "evidence_snippet": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firef", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_admin_panel_probe", "http_admin_panel_scan", "http_backup_file_scan", "http_probe_admin", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /services/.env.local	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /services/.env.local UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /services/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /services/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /services/.env.local HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit Requête brute (extrait) GET /services/.env.local HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "cbad830bdd4b822ffdddb6c2dac7856143406481", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "73e333bd92670fab956ca02375108c7191056a36", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.331669210040982, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "f385d38076d53da84adc6555195f001e340aa9a8", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6563296a7f163a1c1c3d95555ed88fa7", "payload_hash": "e4b701b8fefa2fe2de2b7143c6724914", "path_pattern_hash": "8f696125de1c497ec1d3172258a9f00b" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit", "method": "GET", "path": "\/services\/.env.local", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (KHTML, like Gecko) Version\/5.1.3 Safari\/534.53.10", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/.env.local HTTP\/1.1", "request_sample": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (KHTML, like Gecko) Version\/5.1.3 Safari\/534.53.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit", "evidence": { "method": "GET", "path": "\/services\/.env.local", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (KHTML, like Gecko) Version\/5.1.3 Safari\/534.53.10", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/.env.local HTTP\/1.1", "request_sample": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (KHTML, like Gecko) Version\/5.1.3 Safari\/534.53.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6169a1f86fe0d23b662f024d2a450787a7a2fff9", "protocol_details": { "http_method": "GET", "http_path": "\/services\/.env.local", "request_line": "GET \/services\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (KHTML, like Gecko) Version\/5.1.3 Safari\/534.53.10", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/.env.local", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/.env.local", "request_line": "GET \/services\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (KHTML, like Gecko) Version\/5.1.3 Safari\/534.53.10", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/.env.local", "evidence_snippet": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /services/.env.production	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /services/.env.production UA Mozilla/5.0 (Linux; Android 9; SM-N950F) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /services/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /services/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-N950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /services/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-N950F) AppleWebKit/ Requête brute (extrait) GET /services/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-N950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "414163d4817183722f788fb9f3b2b12ba4abc740", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "7ad14949ad0b183b675db2d36d2d5b72ec09f204", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.420915913910764, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "fbcb93b315f6f65cd01e6d7506f6badbe0a5366b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b94debad114632e42aad99def17b56e9", "payload_hash": "7db46f39284d9685c4e3479c5a5162bf", "path_pattern_hash": "211e3ccc5c91dea183ab66efa73c6a45" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/", "method": "GET", "path": "\/services\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/.env.production HTTP\/1.1", "request_sample": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/services\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/.env.production HTTP\/1.1", "request_sample": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "82b6ec241065cfcb3425360f651445b569461960", "protocol_details": { "http_method": "GET", "http_path": "\/services\/.env.production", "request_line": "GET \/services\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/.env.production", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/.env.production", "request_line": "GET \/services\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/.env.production", "evidence_snippet": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950F) AppleWebKit\/", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /admin/.env.production	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /admin/.env.production UA Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWeb… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /admin/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /admin/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) ET Magento admin ES admin GET ActiveMQ console Ligne de requête `GET /admin/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5362a Safari/604.1 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /admin/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) A Requête brute (extrait) GET /admin/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5362a Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "1f3cf74a10338f9535e97db2940f2bf70a8a7923", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "6afcf6a74c4f4ca0deffd4538e4bee0be1658fdc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 278, "payload_entropy": 5.365386450574269, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 10, "anomaly_count": 0, "campaign_key": "7d93b0042baa9e14ac113e95f95f5e8943d92037", "event_fingerprint": "a3703c12bec40c28316da6bbce29ca4c4c6838cc", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0854", "pat-0341", "pat-0606" ], "matched_pattern_names": [ "ET Magento admin", "ES admin GET", "ActiveMQ console" ], "pattern_ids": [ "pat-0854", "pat-0341", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7a478a1ff9db37af7f8c9a5724f8eb8e", "payload_hash": "0bbc1f7e9a7650e7a2ed2513212cf4f5", "path_pattern_hash": "2436e3a9cfeb9e9b135c78544dba7eee" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/admin\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) A", "method": "GET", "path": "\/admin\/.env.production", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/.env.production HTTP\/1.1", "request_sample": "GET \/admin\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/admin\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) A", "evidence": { "method": "GET", "path": "\/admin\/.env.production", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/.env.production HTTP\/1.1", "request_sample": "GET \/admin\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/admin\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) A", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b370b65280cb6b15e437a9d106e1ee0967a1ff75", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/.env.production", "request_line": "GET \/admin\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/admin\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) A", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env.production", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/.env.production", "request_line": "GET \/admin\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env.production", "evidence_snippet": "GET \/admin\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) A", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_admin_panel_probe", "http_admin_panel_scan", "http_backup_file_scan", "http_probe_admin", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /wordpress/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /wordpress/.env UA Mozilla/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko/2007113… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /wordpress/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /wordpress/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /wordpress/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko/20071130 Minimo/0.025 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /wordpress/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko/2007113 Requête brute (extrait) GET /wordpress/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko/20071130 Minimo/0.025 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "4dcccf7a6f0351d450cfaff027229bafa6396d84", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "b10966d4f4636bfb328d13cc5ad3eaa190ac10f4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.276139084274243, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "a81c8fa015d3c320544002a1ee67caf4a61e06c4", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1d7e2038df165e487a435ccb5d106e74", "payload_hash": "04a7275016909f10b68b2af637f8a53b", "path_pattern_hash": "887cb9244069f23f855e833cc59330df" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko\/2007113", "method": "GET", "path": "\/wordpress\/.env", "user_agent": "Mozilla\/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko\/20071130 Minimo\/0.025", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/wordpress\/.env HTTP\/1.1", "request_sample": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko\/20071130 Minimo\/0.025\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko\/2007113", "evidence": { "method": "GET", "path": "\/wordpress\/.env", "user_agent": "Mozilla\/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko\/20071130 Minimo\/0.025", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/wordpress\/.env HTTP\/1.1", "request_sample": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko\/20071130 Minimo\/0.025\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko\/2007113", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "765ceb212311831437abbf44ef686a697969cd2d", "protocol_details": { "http_method": "GET", "http_path": "\/wordpress\/.env", "request_line": "GET \/wordpress\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko\/20071130 Minimo\/0.025", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko\/2007113", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wordpress\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/wordpress\/.env", "request_line": "GET \/wordpress\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko\/20071130 Minimo\/0.025", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wordpress\/.env", "evidence_snippet": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko\/2007113", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /config/.env.production	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /config/.env.production UA Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/0.8.12 Émulateur HTTP WAF 28 Recommandation Investiguer Tags 950318:lfi-14 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /config/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /config/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/.env.production HTTP/1.1` User-Agent Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/0.8.12 Règles WAF lfi-14 nosqli-3 leak-1 Payload (extrait) GET /config/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/0.8. Requête brute (extrait) GET /config/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/0.8.12 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "44700d390ed03b3edb98b4cd0adfb53a6695960d", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "b18d8885bb1938ef9b65748771cc7ca2b2b01916", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 199, "payload_entropy": 5.265103516521284, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.4, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 8, "anomaly_count": 0, "campaign_key": "3e34d4ff8b8020e56315281c899b305f32fdbe41", "event_fingerprint": "b1a5b0ed61e177a1448e4c13b13162a7b279a307", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3bf9b321eed1f554080acf4067a41273", "payload_hash": "4ac99f6266f520f8d7822c2ffb957899", "path_pattern_hash": "13dc0331670030f34544b2533e91efac" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Lynx\/2.8.5rel.1 libwww-FM\/2.14 SSL-MM\/1.4.1 GNUTLS\/0.8.", "method": "GET", "path": "\/config\/.env.production", "user_agent": "Lynx\/2.8.5rel.1 libwww-FM\/2.14 SSL-MM\/1.4.1 GNUTLS\/0.8.12", "waf_tags": [ "950318:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "leak-1" ], "request_line": "GET \/config\/.env.production HTTP\/1.1", "request_sample": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Lynx\/2.8.5rel.1 libwww-FM\/2.14 SSL-MM\/1.4.1 GNUTLS\/0.8.12\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Lynx\/2.8.5rel.1 libwww-FM\/2.14 SSL-MM\/1.4.1 GNUTLS\/0.8.", "evidence": { "method": "GET", "path": "\/config\/.env.production", "user_agent": "Lynx\/2.8.5rel.1 libwww-FM\/2.14 SSL-MM\/1.4.1 GNUTLS\/0.8.12", "waf_tags": [ "950318:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "leak-1" ], "request_line": "GET \/config\/.env.production HTTP\/1.1", "request_sample": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Lynx\/2.8.5rel.1 libwww-FM\/2.14 SSL-MM\/1.4.1 GNUTLS\/0.8.12\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Lynx\/2.8.5rel.1 libwww-FM\/2.14 SSL-MM\/1.4.1 GNUTLS\/0.8.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a3ae1e39defdad71d792e2c07113ce65c1bef066", "protocol_details": { "http_method": "GET", "http_path": "\/config\/.env.production", "request_line": "GET \/config\/.env.production HTTP\/1.1", "http_user_agent": "Lynx\/2.8.5rel.1 libwww-FM\/2.14 SSL-MM\/1.4.1 GNUTLS\/0.8.12", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Lynx\/2.8.5rel.1 libwww-FM\/2.14 SSL-MM\/1.4.1 GNUTLS\/0.8.", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/.env.production", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/.env.production", "request_line": "GET \/config\/.env.production HTTP\/1.1", "http_user_agent": "Lynx\/2.8.5rel.1 libwww-FM\/2.14 SSL-MM\/1.4.1 GNUTLS\/0.8.12", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/.env.production", "evidence_snippet": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Lynx\/2.8.5rel.1 libwww-FM\/2.14 SSL-MM\/1.4.1 GNUTLS\/0.8.", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_config", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /server/.env.local	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /server/.env.local UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /server/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /server/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /server/.env.local HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /server/.env.local HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "08b295a9e9e472a3654eac34be5fbf4084e76cca", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "3a4429a6d5f41cf5d304f80d456adb35465617d3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.428397675546528, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "bf9ed4a2e1da5503bdfdfa24ba3148eab866e518", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "545fd207ec6d32a4cabd38118dc8e083", "payload_hash": "c2279a512d25b4bb49e1356eaf7983b8", "path_pattern_hash": "9eb6847465270ab8b74f01d8fe541218" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 ", "method": "GET", "path": "\/server\/.env.local", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/server\/.env.local HTTP\/1.1", "request_sample": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/server\/.env.local", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/server\/.env.local HTTP\/1.1", "request_sample": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1b4ecfb10385ccd451f9ab52a96785739391623f", "protocol_details": { "http_method": "GET", "http_path": "\/server\/.env.local", "request_line": "GET \/server\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/.env.local", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/.env.local", "request_line": "GET \/server\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/.env.local", "evidence_snippet": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /backend/.env	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env UA Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38… Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /backend/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env HTTP/1.1` User-Agent Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 Requête brute (extrait) GET /backend/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "ece89018f8e51dcdb25431bef4142f642a506f93", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "43427b722c17a9a0bc6fc425a8ca9501d2c985f0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 197, "payload_entropy": 5.286427477373845, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.4, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 8, "anomaly_count": 0, "campaign_key": "abf8ad0f96572cdc36c350283d473b5d0e637738", "event_fingerprint": "aaf28d05a1daf64e89a6ba7b853c406817fc8d3f", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3ef775987e41dcc313d41d88786ef3b6", "payload_hash": "2abb2b6957468cb69bfa92ba49b61f72", "path_pattern_hash": "1ffd9afa4ff51d558fbb13c458726c9c" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "method": "GET", "path": "\/backend\/.env", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env HTTP\/1.1", "request_sample": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "evidence": { "method": "GET", "path": "\/backend\/.env", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env HTTP\/1.1", "request_sample": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e4bc69e8997c2b3fe2387e36851201f38f89e072", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env", "request_line": "GET \/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env", "request_line": "GET \/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env", "evidence_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Flood / DDoS http flood · via HTTP:8120 · (tentative d'exploit) · → /sendgrid.env	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.env UA Mozilla/5.0 (Linux; Android 9; POCO F1) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /sendgrid.env Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; POCO F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; POCO F1) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /sendgrid.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; POCO F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "env", "http_ua_hash": "8ac8c5939d9e2ede857965537f9fb8e850aa4856", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "3719861ea949dc2f70a7ae8ced2a838a6837f706", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.4366038706668025, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f99fcfbe7856455659c619fae46848ac49b93872", "event_fingerprint": "27b070f1927114bd09d9f8d550cad478fcfa8cc9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0550ff632e5e528af3eb24a9aca8de12", "payload_hash": "7dbdc57c1f602a3e34a94fbbf693d1c2", "path_pattern_hash": "ca36907c59a1a3482046c81a2d773198" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.env HTTP\/1.1", "request_sample": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.env HTTP\/1.1", "request_sample": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8440201191f63043e6575edf5f3fd84a1ad06045", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.env", "request_line": "GET \/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML", "attack_vector": "http flood \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.env", "request_line": "GET \/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.env", "evidence_snippet": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /sendgrid/.env	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /sendgrid/.env UA SonyEricssonK610i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Co… Émulateur HTTP WAF 20 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /sendgrid/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /sendgrid/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid/.env HTTP/1.1` User-Agent SonyEricssonK610i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Règles WAF nosqli-3 leak-1 Payload (extrait) GET /sendgrid/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: SonyEricssonK610i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Con Requête brute (extrait) GET /sendgrid/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: SonyEricssonK610i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "a06dfb56fd8eee3908167acec146c824de1b7447", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "32cb56247a35cc80b26561f128c72366c9be4e97", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 216, "payload_entropy": 5.234590337259658, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 88, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.7, "risk_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "5985e03f4f20d3280e46b00ffa0bc132ca0296a3", "event_fingerprint": "802ff5f18d07c3463c398993cb3a3f8fa6b4acf1", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7997a1694f903d4ecaeaa763609f0f8f", "payload_hash": "5851723429e857044c52da294ccac510", "path_pattern_hash": "777e785d116a3190d6333410abb382c9" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK610i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Con", "method": "GET", "path": "\/sendgrid\/.env", "user_agent": "SonyEricssonK610i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK610i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK610i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Con", "evidence": { "method": "GET", "path": "\/sendgrid\/.env", "user_agent": "SonyEricssonK610i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK610i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK610i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Con", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "34559418cce5b863bead61c35d9a9c4c383de9a3", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env", "request_line": "GET \/sendgrid\/.env HTTP\/1.1", "http_user_agent": "SonyEricssonK610i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK610i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Con", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env", "request_line": "GET \/sendgrid\/.env HTTP\/1.1", "http_user_agent": "SonyEricssonK610i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env", "evidence_snippet": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK610i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Con", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /sendgrid/.env.backup	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /sendgrid/.env.backup UA Mozilla/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googlebot-M… Émulateur HTTP WAF 33 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /sendgrid/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /sendgrid/.env.backup Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sendgrid/.env.backup HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html) Règles WAF rce-0 ssrf-3 nosqli-3 leak-1 Payload (extrait) GET /sendgrid/.env.backup HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googl Requête brute (extrait) GET /sendgrid/.env.backup HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "7702a76b74d49f9caa4550b75db69f924d759257", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "7414e954936369312216016b538bc4f9a2118512", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.234890051963464, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.4, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 8, "anomaly_count": 0, "campaign_key": "7c5858f9901e2d2015078b08c7ef3b7e62f907c7", "event_fingerprint": "50e0d303a66563664f715a45717f9c1f5068d26c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b62c9a022d4348c96091e201d3d75543", "payload_hash": "643f590e59b535c22e4145a761b94c61", "path_pattern_hash": "19193774c73c1aaa5564e645d1415a95" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googl", "method": "GET", "path": "\/sendgrid\/.env.backup", "user_agent": "Mozilla\/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env.backup HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googl", "evidence": { "method": "GET", "path": "\/sendgrid\/.env.backup", "user_agent": "Mozilla\/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env.backup HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googl", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "06bd01506f783ab285ba0d5cc799ca09072c1d1f", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env.backup", "request_line": "GET \/sendgrid\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googl", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env.backup", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env.backup", "request_line": "GET \/sendgrid\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env.backup", "evidence_snippet": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googl", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /api/backend/.env	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/backend/.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605… Émulateur HTTP WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /api/backend/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/backend/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/backend/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/6 Requête brute (extrait) GET /api/backend/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "cbb870381dfb45f59fe4e0beaa90ca519a2a51fb", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "e525470447161ee4034567dbf14d4d4a54f52f46", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.339342068894343, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 9, "anomaly_count": 0, "campaign_key": "27fa8198e591d25055357929a17dbdeecab964d6", "event_fingerprint": "3a3bc8bb9602a769b6cc62e301e385f0fd7bb7cc", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b919665afb94aa0e0f1b3d1dfb1a1c5c", "payload_hash": "56b9f4489799e67295b6d891e90af6ec", "path_pattern_hash": "ad852d1414999713ac2638aba79c8ff5" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/6", "method": "GET", "path": "\/api\/backend\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/backend\/.env HTTP\/1.1", "request_sample": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/6", "evidence": { "method": "GET", "path": "\/api\/backend\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/backend\/.env HTTP\/1.1", "request_sample": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/6", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7de920788d338acafa61b5ca6ee38993aebc01d0", "protocol_details": { "http_method": "GET", "http_path": "\/api\/backend\/.env", "request_line": "GET \/api\/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/6", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/backend\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/backend\/.env", "request_line": "GET \/api\/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/backend\/.env", "evidence_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/6", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /sendgrid/.env.prod	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /sendgrid/.env.prod UA Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build/GING… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /sendgrid/.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /sendgrid/.env.prod Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid/.env.prod HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Safari/533.1 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /sendgrid/.env.prod HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build/ Requête brute (extrait) GET /sendgrid/.env.prod HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Safari/533.1 Accept-Charset: utf-8 Accept-Encoding: gzip Conne Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "prod", "http_ua_hash": "067ca69c9d1eead3ca4304ba0c2c1935b7f7a0f7", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "0d25707b0f08affaf044e5e5e4a9b372cf0e8d19", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 272, "payload_entropy": 5.450792431424804, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "c1e3426a5d8fe4845620246b4674da18db126660", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "393b945565d5d8c19dbf31bb9fe96b94", "payload_hash": "9bcad73d8305e9a1c31955deb3e974d3", "path_pattern_hash": "7b6f2bf53da3271b0003640b70d40226" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build\/", "method": "GET", "path": "\/sendgrid\/.env.prod", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build\/GINGERBREAD) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Safari\/533.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env.prod HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build\/GINGERBREAD) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build\/", "evidence": { "method": "GET", "path": "\/sendgrid\/.env.prod", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build\/GINGERBREAD) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Safari\/533.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env.prod HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build\/GINGERBREAD) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build\/", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3831e6747f7d55c76ceb8820918b8063c124777f", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env.prod", "request_line": "GET \/sendgrid\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build\/GINGERBREAD) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build\/", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env.prod", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env.prod", "request_line": "GET \/sendgrid\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build\/GINGERBREAD) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env.prod", "evidence_snippet": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build\/", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /sendgrid/.env.production	Élevée	Moyen · 58
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /sendgrid/.env.production UA libwww-perl/5.820 Émulateur HTTP WAF 14 Recommandation Investiguer Tags 950468:nosqli-3 950514:leak-1 http_backup_file_scan http_sensitive_path Cible HTTP GET /sendgrid/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /sendgrid/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 58 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid/.env.production HTTP/1.1` User-Agent libwww-perl/5.820 Règles WAF nosqli-3 leak-1 Payload (extrait) GET /sendgrid/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: libwww-perl/5.820 Accept-Charset: utf-8 Accept-Enco Requête brute (extrait) GET /sendgrid/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: libwww-perl/5.820 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "856b1eac93dedf443ca3d70fbeb95608949e2030", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "15c901ce89f04ab49d92ce30544afd5e7fe875d5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 161, "payload_entropy": 5.080866395755963, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 64, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.7, "risk_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 0, "campaign_key": "6a567f0f6dd260873ac47f95709534baf2956163", "event_fingerprint": "83050e08e50d4f2020500109107f3d3956821c55", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 58, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "05f7bb05bd4aac5c93ecca9e3ddde96e", "payload_hash": "483af9b8af1f1b37f2d986071a86d878", "path_pattern_hash": "372a0d709ccb756df0c1c71eb9496ec6" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: libwww-perl\/5.820\r\nAccept-Charset: utf-8\r\nAccept-Enco", "method": "GET", "path": "\/sendgrid\/.env.production", "user_agent": "libwww-perl\/5.820", "waf_tags": [ "950468:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env.production HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: libwww-perl\/5.820\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: libwww-perl\/5.820\r\nAccept-Charset: utf-8\r\nAccept-Enco", "evidence": { "method": "GET", "path": "\/sendgrid\/.env.production", "user_agent": "libwww-perl\/5.820", "waf_tags": [ "950468:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env.production HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: libwww-perl\/5.820\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: libwww-perl\/5.820\r\nAccept-Charset: utf-8\r\nAccept-Enco", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ee30ffc745d3854c10676bc3a35e79ca34d32766", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env.production", "request_line": "GET \/sendgrid\/.env.production HTTP\/1.1", "http_user_agent": "libwww-perl\/5.820", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: libwww-perl\/5.820\r\nAccept-Charset: utf-8\r\nAccept-Enco", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env.production", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 58, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 58, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env.production", "request_line": "GET \/sendgrid\/.env.production HTTP\/1.1", "http_user_agent": "libwww-perl\/5.820", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env.production", "evidence_snippet": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: libwww-perl\/5.820\r\nAccept-Charset: utf-8\r\nAccept-Enco", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 64 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "http_ua_suspicious", "net_flood" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 84 }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Flood / DDoS http flood · via HTTP:8120 · (tentative d'exploit) · → /api/sendgrid.env	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /api/sendgrid.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537… Émulateur HTTP WAF 23 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950600:k8s-api Cible HTTP GET /api/sendgrid.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /api/sendgrid.env Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/sendgrid.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.145 Safari/537.36 Vivaldi/2.6.1566.49 Règles WAF rce-0 nosqli-3 k8s-api Payload (extrait) GET /api/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/5 Requête brute (extrait) GET /api/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.145 Safari/537.36 Vivaldi/2.6.1566.49 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "7708b6f8d8992e141731637684c3dffbb36dfcd0", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "8149e0a81645028a99dab3a9f8706cae00eb175a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 277, "payload_entropy": 5.439081702600599, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 6, "anomaly_count": 0, "campaign_key": "8d2297b7c49c0e23816be6ac40e939eeb184d62a", "event_fingerprint": "01c6d439e7e9c3208ddc73bcd47f9cde7789a192", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e3dd4a6d858d02c3cd0a3f42532b28f", "payload_hash": "b9811117760002c7796a5fa89617c036", "path_pattern_hash": "bd5f833bf1b56cd8bb63ce4b1b4efaea" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/api\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/5", "method": "GET", "path": "\/api\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.49", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/api\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.49\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n", "payload_snippet": "GET \/api\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/api\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.49", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/api\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.49\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n", "payload_snippet": "GET \/api\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e20b11d11b807af71272b5380c95911729dab1f7", "protocol_details": { "http_method": "GET", "http_path": "\/api\/sendgrid.env", "request_line": "GET \/api\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/sendgrid.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/sendgrid.env", "request_line": "GET \/api\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/sendgrid.env", "evidence_snippet": "GET \/api\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/5", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950600:k8s-api", "http_probe_api", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /service/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /service/.env UA Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /service/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /service/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /service/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /service/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /service/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "2a2fdade35acf39614d43ae3cde1dc91ba5eba75", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "9afb54f0e738d3d8aa1fcfb80bab77080f7f6fdc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.424575314287231, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "6cd3611d45adb59531f744ef9bac701df5a2fd26", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c9b671d741cea56c040d9008731b6d30", "payload_hash": "cb52aca1fc1a68920229733d416da246", "path_pattern_hash": "d9b00f587478dec270837253c672f652" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/service\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/service\/.env HTTP\/1.1", "request_sample": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/service\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/service\/.env HTTP\/1.1", "request_sample": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ac1bc4e19258926af99790cf7ad77b22f30453f4", "protocol_details": { "http_method": "GET", "http_path": "\/service\/.env", "request_line": "GET \/service\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTM", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/service\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/service\/.env", "request_line": "GET \/service\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/service\/.env", "evidence_snippet": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTM", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Flood / DDoS http flood · via HTTP:8120 · (tentative d'exploit) · → /.sendgrid.env	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.sendgrid.env UA Mozilla/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) A… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.sendgrid.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /.sendgrid.env Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.sendgrid.env HTTP/1.1` User-Agent Mozilla/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) AppleWebKit/535.1+ (KHTML like Gecko) Version/7.2.0.0 Safari/6533.18.5 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.sendgrid.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) Ap Requête brute (extrait) GET /.sendgrid.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) AppleWebKit/535.1+ (KHTML like Gecko) Version/7.2.0.0 Safari/6533.18.5 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "env", "http_ua_hash": "a2f5be1d5ac6aa10c7fcbe2d1c77c5db6baaebac", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "8f07a946eac55a0d93410b891e5fe6efec058843", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.372634987039815, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f99fcfbe7856455659c619fae46848ac49b93872", "event_fingerprint": "3b089420238573870f15bb222fff9059d766426a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "52577325d8209d32a15419419ae7447e", "payload_hash": "aede40db6940d5cb70111c90c40f0018", "path_pattern_hash": "4d50e820d719289a3d1db022acb55ec6" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) Ap", "method": "GET", "path": "\/.sendgrid.env", "user_agent": "Mozilla\/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) AppleWebKit\/535.1+ (KHTML like Gecko) Version\/7.2.0.0 Safari\/6533.18.5", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.sendgrid.env HTTP\/1.1", "request_sample": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) AppleWebKit\/535.1+ (KHTML like Gecko) Version\/7.2.0.0 Safari\/6533.18.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) Ap", "evidence": { "method": "GET", "path": "\/.sendgrid.env", "user_agent": "Mozilla\/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) AppleWebKit\/535.1+ (KHTML like Gecko) Version\/7.2.0.0 Safari\/6533.18.5", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.sendgrid.env HTTP\/1.1", "request_sample": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) AppleWebKit\/535.1+ (KHTML like Gecko) Version\/7.2.0.0 Safari\/6533.18.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) Ap", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "90f34303f97a3cc0f2ce29939b915488bc5ad571", "protocol_details": { "http_method": "GET", "http_path": "\/.sendgrid.env", "request_line": "GET \/.sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) AppleWebKit\/535.1+ (KHTML like Gecko) Version\/7.2.0.0 Saf\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) Ap", "attack_vector": "http flood \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.sendgrid.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.sendgrid.env", "request_line": "GET \/.sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) AppleWebKit\/535.1+ (KHTML like Gecko) Version\/7.2.0.0 Saf\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.sendgrid.env", "evidence_snippet": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) Ap", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /sendgrid/.env.local	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /sendgrid/.env.local UA Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTM… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /sendgrid/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /sendgrid/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /sendgrid/.env.local HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 Requête brute (extrait) GET /sendgrid/.env.local HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "a72cb44b77f705dfad42bf99e191154153cac1f4", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "767e9db7005d9cdf6cd3331a30730b9d5e7035c7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.391289486935188, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "a97837b07f70f0a0ffeb35feded9a541d0da3660", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63ccc5b3b08cee6d0ff7cd59b3427dcd", "payload_hash": "bd3904a387dcec43ab272c065795c006", "path_pattern_hash": "8797b46839a2325b1bc3ba5ac4c03fde" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 ", "method": "GET", "path": "\/sendgrid\/.env.local", "user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env.local HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/sendgrid\/.env.local", "user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/sendgrid\/.env.local HTTP\/1.1", "request_sample": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "11bd1b19708f83b07e7af9ce76f56e10bb9c0496", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env.local", "request_line": "GET \/sendgrid\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env.local", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid\/.env.local", "request_line": "GET \/sendgrid\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid\/.env.local", "evidence_snippet": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /services/auth/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /services/auth/.env UA Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /services/auth/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /services/auth/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/auth/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Maxthon/5.2.7.5000 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /services/auth/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /services/auth/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Maxthon/5.2.7.5000 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "87ebac2b3cc7ed6ba4ee408a82877492dcfa5d2e", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "09b20d19aa313f464eacd68829b3fab12fccb496", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.420981009975991, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "9cb5c5d21676ba578a85a2e579748af50a2c350e", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b05785e0cf1ecbcc64b771618a4d8e5e", "payload_hash": "b65f74cf80c7bef1a459d93a155fd7d0", "path_pattern_hash": "465b6d455db6ce12c0bb2d49f4cfba7e" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/services\/auth\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/auth\/.env HTTP\/1.1", "request_sample": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/services\/auth\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/auth\/.env HTTP\/1.1", "request_sample": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHT", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "50c19e4535d3e73020d6f80c7e85d6b6908af6ce", "protocol_details": { "http_method": "GET", "http_path": "\/services\/auth\/.env", "request_line": "GET \/services\/auth\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHT", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/auth\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/auth\/.env", "request_line": "GET \/services\/auth\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/auth\/.env", "evidence_snippet": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHT", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /dashboard/.env	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /dashboard/.env UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /dashboard/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /dashboard/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /dashboard/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /dashboard/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /dashboard/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "1f920ae0095efc9859bfd9a1389770e0b824fad1", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "a0df23adcbc250d22f3ea9c43cd45132cd7d119e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.425041555703449, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.4, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 8, "anomaly_count": 0, "campaign_key": "c872d9b7c45cfa0ce7367358b73b4bfb1c929f21", "event_fingerprint": "0d918936f3ae5c6b9599f764018e54dfac2555ba", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d3c801a3fcd8b02495806d8ab846c2e4", "payload_hash": "af802f3340a169603fe6c9cf1fd5e6e2", "path_pattern_hash": "90b830636acb1be7da7ed46e94f3bb1d" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/dashboard\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.62 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/dashboard\/.env HTTP\/1.1", "request_sample": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.62 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/dashboard\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.62 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/dashboard\/.env HTTP\/1.1", "request_sample": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.62 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "25c83ff19b73b6ce391c202067e9f650418e7fe2", "protocol_details": { "http_method": "GET", "http_path": "\/dashboard\/.env", "request_line": "GET \/dashboard\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.62 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dashboard\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/dashboard\/.env", "request_line": "GET \/dashboard\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.62 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dashboard\/.env", "evidence_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_traefik", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /apps/frontend/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /apps/frontend/.env UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /apps/frontend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /apps/frontend/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /apps/frontend/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /apps/frontend/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /apps/frontend/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "8343728e09cc5534aa355662af176824290e16ba", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "ba0ce57a366071a1ca1afd15a1a01a04ccdd2335", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.423119381969957, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "18cf4c69d9f7ca1f3d5ffbd9c141ba681986a93d", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d5b435b8abdaa4272f37db8d3f41393b", "payload_hash": "c3a2a57f9aa12d6a69fc097e12480608", "path_pattern_hash": "a541762358ad3d2463e9e9180528a6a3" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/apps\/frontend\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/apps\/frontend\/.env HTTP\/1.1", "request_sample": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/apps\/frontend\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/apps\/frontend\/.env HTTP\/1.1", "request_sample": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "25f150ae5984210021fd651cb195ea6289df9c20", "protocol_details": { "http_method": "GET", "http_path": "\/apps\/frontend\/.env", "request_line": "GET \/apps\/frontend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/apps\/frontend\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/apps\/frontend\/.env", "request_line": "GET \/apps\/frontend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/apps\/frontend\/.env", "evidence_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /apps/api/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /apps/api/.env UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like … Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /apps/api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /apps/api/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /apps/api/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.9 Safari/536.5 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /apps/api/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like G Requête brute (extrait) GET /apps/api/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.9 Safari/536.5 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "69e3fc7986ce7715c4601708163ad03100cf2c06", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "e63b41d5687406ee7f40926b7271357b1c46aaae", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 234, "payload_entropy": 5.423845777665919, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "a3c79ccb8575d0bc092c6964218a04ba226abae2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "166e35c35e2dc61eb4accbfa1c157555", "payload_hash": "0dfa7f26219aeedf07508540563fa03e", "path_pattern_hash": "ab70800db05dbfe0190629bc711f2fa2" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/536.5 (KHTML, like G", "method": "GET", "path": "\/apps\/api\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/536.5 (KHTML, like Gecko) Chrome\/19.0.1084.9 Safari\/536.5", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/apps\/api\/.env HTTP\/1.1", "request_sample": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/536.5 (KHTML, like Gecko) Chrome\/19.0.1084.9 Safari\/536.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/536.5 (KHTML, like G", "evidence": { "method": "GET", "path": "\/apps\/api\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/536.5 (KHTML, like Gecko) Chrome\/19.0.1084.9 Safari\/536.5", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/apps\/api\/.env HTTP\/1.1", "request_sample": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/536.5 (KHTML, like Gecko) Chrome\/19.0.1084.9 Safari\/536.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/536.5 (KHTML, like G", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b045778afefc37c1703df6793a2a297e6ae5cae3", "protocol_details": { "http_method": "GET", "http_path": "\/apps\/api\/.env", "request_line": "GET \/apps\/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/536.5 (KHTML, like Gecko) Chrome\/19.0.1084.9 Safari\/536.5", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/536.5 (KHTML, like G", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/apps\/api\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/apps\/api\/.env", "request_line": "GET \/apps\/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/536.5 (KHTML, like Gecko) Chrome\/19.0.1084.9 Safari\/536.5", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/apps\/api\/.env", "evidence_snippet": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/536.5 (KHTML, like G", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /portal/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /portal/.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /portal/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /portal/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /portal/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /portal/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 Requête brute (extrait) GET /portal/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "9f7223657a85ea31378cbb521a1b79583c992e80", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "25e9d50bacd292841afcec6b93bcba6a1f6790d4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.380430423209581, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "e17545822b8a02b0b2f1ff6c4c8947320eb92dde", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "00beee261c4d9153220cd766ec54f74c", "payload_hash": "cd147e8f4188285cc43d4d5c90793e3a", "path_pattern_hash": "8432e822d78216a6822b5a443dbf894c" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36", "method": "GET", "path": "\/portal\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/portal\/.env HTTP\/1.1", "request_sample": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/portal\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/portal\/.env HTTP\/1.1", "request_sample": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0ae07463d2ab2b45716e3b88dbec0c748560aca9", "protocol_details": { "http_method": "GET", "http_path": "\/portal\/.env", "request_line": "GET \/portal\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/portal\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/portal\/.env", "request_line": "GET \/portal\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/portal\/.env", "evidence_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Flood / DDoS http flood · via HTTP:8120 · (tentative d'exploit) · → /backend/sendgrid.env	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /backend/sendgrid.env UA Mozilla/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebK… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /backend/sendgrid.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /backend/sendgrid.env Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/sendgrid.env HTTP/1.1` User-Agent Mozilla/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit/536.2+ (KHTML like Gecko) Version/7.2.1.0 Safari/536.2+ Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backend/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) App Requête brute (extrait) GET /backend/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit/536.2+ (KHTML like Gecko) Version/7.2.1.0 Safari/536.2+ Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "e116a5f0471f66233ebe8bcaac599cb9c15d8bb4", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "6ca5cdbc93351479900cbb16227fdccd897d6239", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.413995676842438, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4102efa17f9b81b47edcdd7fcb5063eea3952131", "event_fingerprint": "170cef5a0998c78a9fd273f152c84578aa51d675", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5b553ce2b016177dd8f54256bc475c8a", "payload_hash": "b16cc46a03f1f3b3e7b3b897115e0d3d", "path_pattern_hash": "7e30bd8e2fce0a25f9e4a2967db75cb4" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) App", "method": "GET", "path": "\/backend\/sendgrid.env", "user_agent": "Mozilla\/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit\/536.2+ (KHTML like Gecko) Version\/7.2.1.0 Safari\/536.2+", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit\/536.2+ (KHTML like Gecko) Version\/7.2.1.0 Safari\/536.2+\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) App", "evidence": { "method": "GET", "path": "\/backend\/sendgrid.env", "user_agent": "Mozilla\/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit\/536.2+ (KHTML like Gecko) Version\/7.2.1.0 Safari\/536.2+", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit\/536.2+ (KHTML like Gecko) Version\/7.2.1.0 Safari\/536.2+\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) App", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8f411517dee79a10c586ffbf40ae26b4cc3afe25", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.env", "request_line": "GET \/backend\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit\/536.2+ (KHTML like Gecko) Version\/7.2.1.0 Safari\/536.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) App", "attack_vector": "http flood \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.env", "request_line": "GET \/backend\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit\/536.2+ (KHTML like Gecko) Version\/7.2.1.0 Safari\/536.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.env", "evidence_snippet": "GET \/backend\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) App", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Flood / DDoS http flood · via HTTP:8120 · (tentative d'exploit) · → /config/sendgrid.env	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /config/sendgrid.env Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi Requête brute (extrait) GET /config/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "253c12df1babaf1bff9703bc7471248483418435", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "442d1e47f2d87d2eb61cbc03306278922032dd94", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.387810798973133, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.4, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "7a8b2ca4eeeb1cfd6200b757a8fda0bbc2035bbd", "event_fingerprint": "c3e7b222ebe1bf9ca677b53af62465a2d0f8e159", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2c1f5fb8c6362a8c8c23a263fd6cf35f", "payload_hash": "0a7b49118b9bb9cfa69f74c8454de982", "path_pattern_hash": "063c352cd871139979301d261825ea56" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi", "method": "GET", "path": "\/config\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.102 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.102 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi", "evidence": { "method": "GET", "path": "\/config\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.102 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.102 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0886d27298b08c03bf7d59e22434ba62e5f8e03b", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.env", "request_line": "GET \/config\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.102 Safari\/537.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi", "attack_vector": "http flood \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.env", "request_line": "GET \/config\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.102 Safari\/537.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.env", "evidence_snippet": "GET \/config\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /services/backend/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /services/backend/.env UA Mozilla/5.0 (Linux; Android 9; G8141) AppleWebKit/537.36 (KHTML… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /services/backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /services/backend/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/backend/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; G8141) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /services/backend/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; G8141) AppleWebKit/537.36 Requête brute (extrait) GET /services/backend/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; G8141) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "6a8e11ebc3f21979c23150320126ad84d6f86404", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "bff52174bd71304ed2bfcd7637238e2def0caff3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.413921999314471, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "a104681451cf843e2984928acd25a9e20d3d9003", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "66d5b9b5f0c52c929d58691d1cf711a2", "payload_hash": "2535adba2147b8f9eea402004b247546", "path_pattern_hash": "5b9b007f982aa0909ed1fcbe7f087982" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; G8141) AppleWebKit\/537.36", "method": "GET", "path": "\/services\/backend\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; G8141) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/backend\/.env HTTP\/1.1", "request_sample": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; G8141) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; G8141) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/services\/backend\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; G8141) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/backend\/.env HTTP\/1.1", "request_sample": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; G8141) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; G8141) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "31d952d52705f95dce3846a0b8787d1b27f00a4d", "protocol_details": { "http_method": "GET", "http_path": "\/services\/backend\/.env", "request_line": "GET \/services\/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; G8141) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; G8141) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/backend\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/backend\/.env", "request_line": "GET \/services\/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; G8141) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/backend\/.env", "evidence_snippet": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; G8141) AppleWebKit\/537.36", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:43 UTC	TCP	8120 · HTTP	http	Flood / DDoS http flood · via HTTP:8120 · (tentative d'exploit) · → /src/sendgrid.env	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /src/sendgrid.env UA Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /src/sendgrid.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /src/sendgrid.env Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /src/sendgrid.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Règles WAF rce-0 nosqli-3 Payload (extrait) GET /src/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) lik Requête brute (extrait) GET /src/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "219460d9be7caff720d11a53a01f58926d706c0c", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "65ab1a4a4b69eaa754edacfbad2ed06d355ae77f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 204, "payload_entropy": 5.248434093664577, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4102efa17f9b81b47edcdd7fcb5063eea3952131", "event_fingerprint": "2c73ad3e0627b656087813ae0acc53b89e07c654", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "05729748fe935aaba633a4b0383ed0e0", "payload_hash": "07c0466f22b99bc2de78073f2e3923ee", "path_pattern_hash": "37297d51019b5c4aaeb2b2f7ef330082" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/src\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) lik", "method": "GET", "path": "\/src\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/src\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/src\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) lik", "evidence": { "method": "GET", "path": "\/src\/sendgrid.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/src\/sendgrid.env HTTP\/1.1", "request_sample": "GET \/src\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) lik", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0fc5fb609a1cb2c04b15c156e189a42b4c46de70", "protocol_details": { "http_method": "GET", "http_path": "\/src\/sendgrid.env", "request_line": "GET \/src\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/src\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) lik", "attack_vector": "http flood \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/sendgrid.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/src\/sendgrid.env", "request_line": "GET \/src\/sendgrid.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/sendgrid.env", "evidence_snippet": "GET \/src\/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) lik", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:42 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /api/v3/.env	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/v3/.env UA Mozilla/5.0 (Linux; Android 9; SM-G950F) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 39 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /api/v3/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /api/v3/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /api/v3/ Ligne de requête `GET /api/v3/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/v3/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G950F) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /api/v3/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "313d04a6271d72d8bdffdf729f500205ab4255ef", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "bd51d82ebe68616089e33c9b7e8bd3dca93e4339", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.434159396630383, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 11, "anomaly_count": 0, "campaign_key": "d9a37ec025fcc9ca175f7fa6a94cb2e2323b7eb9", "event_fingerprint": "88a048d073b15ae02cda8d9c14ca3108c8b4b4e7", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 185, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "matched_patterns": [ "pat-0214" ], "matched_pattern_names": [ "Probe \/api\/v3\/" ], "pattern_ids": [ "pat-0214" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a8d77e7f4c0c03c9696794aa1e4b22a3", "payload_hash": "4630610404b2fef019cb78a64faea1c7", "path_pattern_hash": "04909e92bace7d0131f14c363849c629" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/api\/v3\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "request_sample": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/api\/v3\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "request_sample": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c3cfc36e64376c8ddb58d7101094df5f211f4310", "protocol_details": { "http_method": "GET", "http_path": "\/api\/v3\/.env", "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/v3\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/v3\/.env", "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/v3\/.env", "evidence_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_api_route_probe", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:42 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /backend/.env.production	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env.production UA Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /backend/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/5 Requête brute (extrait) GET /backend/.env.production HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "a9475b154a06c5dd74981a5f86c430afe4ac9a57", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "f5bb9f02b8945472030d827baea0ca721346631c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.426219909265818, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "dbac2485c035258c68c04b5b73a39d063f37ddef", "event_fingerprint": "ffdd4f9c24e180cb586d85a5d7f946ffe7fb63bc", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "99cdf2ed738296e6d65f5b9900ae186b", "payload_hash": "df11a4ffb0f78686c0cb57e17c49c3e9", "path_pattern_hash": "36d1a8d01ff9d9e501d856bd9686d325" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/5", "method": "GET", "path": "\/backend\/.env.production", "user_agent": "Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.production HTTP\/1.1", "request_sample": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/backend\/.env.production", "user_agent": "Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.production HTTP\/1.1", "request_sample": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "71b5441b79b31195cc04e4e10b9b591666e10282", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.production", "request_line": "GET \/backend\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/5", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.production", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.production", "request_line": "GET \/backend\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.production", "evidence_snippet": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit\/5", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:42 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /api/v1/.env	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/v1/.env UA SonyEricssonK750i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.… Émulateur HTTP WAF 32 Recommandation Investiguer Tags 950316:lfi-14 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/v1/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /api/v1/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /api/v1/ Ligne de requête `GET /api/v1/.env HTTP/1.1` User-Agent SonyEricssonK750i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 Règles WAF lfi-14 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/v1/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: SonyEricssonK750i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.0 C Requête brute (extrait) GET /api/v1/.env HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: SonyEricssonK750i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "ed65ea7e031345677e4b0009f8b6d23d388f7f4b", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "510d89ba7f87ce49d7697f92088f4049153aa93e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 218, "payload_entropy": 5.284349754163846, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 11, "anomaly_count": 0, "campaign_key": "80dba906d8b5b7c602f9c4acedbffcb0b33105a8", "event_fingerprint": "eaf856463595b27ab62e348a5db0c508683dfb9c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 185, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "matched_patterns": [ "pat-0212" ], "matched_pattern_names": [ "Probe \/api\/v1\/" ], "pattern_ids": [ "pat-0212" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a367fce77caed567cbc03abc059f840a", "payload_hash": "1ee57c7b9fa328b0cd58ea6ab9915ead", "path_pattern_hash": "5df89d300eb37d420581ac8576ea9498" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 C", "method": "GET", "path": "\/api\/v1\/.env", "user_agent": "SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v1\/.env HTTP\/1.1", "request_sample": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 C", "evidence": { "method": "GET", "path": "\/api\/v1\/.env", "user_agent": "SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v1\/.env HTTP\/1.1", "request_sample": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 C", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c6f75365c58ba9939c60def540bc1844e520b6c3", "protocol_details": { "http_method": "GET", "http_path": "\/api\/v1\/.env", "request_line": "GET \/api\/v1\/.env HTTP\/1.1", "http_user_agent": "SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 C", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/v1\/.env", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/v1\/.env", "request_line": "GET \/api\/v1\/.env HTTP\/1.1", "http_user_agent": "SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/v1\/.env", "evidence_snippet": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: SonyEricssonK750i\/R1CA Browser\/SEMC-Browser\/4.2 Profile\/MIDP-2.0 C", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_api_route_probe", "http_backup_file_scan", "http_k8s_probe", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:42 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /api/.env.prod	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env.prod UA Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleW… Émulateur HTTP WAF 38 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /api/.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /api/.env.prod Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « sqli-21 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.prod HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77 MicroMessenger/7.0.3(0x17000321) NetType/WIFI Language/zh_CN Règles WAF sqli-21 rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.prod HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWe Requête brute (extrait) GET /api/.env.prod HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77 MicroMessenger/7.0.3(0x17000321) NetType/WIFI Language/zh_CN Accept-Charset: utf Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "prod", "http_ua_hash": "4bb4290188685f5033767113f92b3972ed7795d9", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "a0523bde74b7800a5f62604ba67d5973949853e7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 304, "payload_entropy": 5.4580091405903515, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 10, "anomaly_count": 0, "campaign_key": "d6eecc5c86814fe129c5963ff4d1ae1799d491b6", "event_fingerprint": "7a4e8f388557d1b481089bd75f832f224a28f420", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "32be96c38f74d9e299607618d54e6b44", "payload_hash": "7a576c1c727cd86dda47f719c98886f0", "path_pattern_hash": "0d46dff1e6403d12ac8e9a297c932ed9" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWe", "method": "GET", "path": "\/api\/.env.prod", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.prod HTTP\/1.1", "request_sample": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf", "payload_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWe", "evidence": { "method": "GET", "path": "\/api\/.env.prod", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.prod HTTP\/1.1", "request_sample": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf", "payload_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWe", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d98689afc04918932d1c1d76c5ccb9b80dee2450", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.prod", "request_line": "GET \/api\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMes\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWe", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.prod", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.prod", "request_line": "GET \/api\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMes\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.prod", "evidence_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWe", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:42 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /api/.env.bak	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env.bak UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 39 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /api/.env.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.bak HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 k8s-api Payload (extrait) GET /api/.env.bak HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like G Requête brute (extrait) GET /api/.env.bak HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "bak", "http_ua_hash": "ded58c43474502fea0879fb1f19663b727ebf75e", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "db58915b70ec4f4897682eec5a7fd50dc2102271", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.445065450577566, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 11, "anomaly_count": 0, "campaign_key": "dc2b8322cccb098b144c253022ccd0fb5084e829", "event_fingerprint": "fcd80456e743bd0b10e4f0a95c6fcfc0deb186b0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e9771db05c86d90932fabcc9ecbac183", "payload_hash": "c5f68e1ba58ac710b4220a73b3d6bb16", "path_pattern_hash": "704472054da186f49a4245e261c91fda" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "method": "GET", "path": "\/api\/.env.bak", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8", "k8s-api" ], "request_line": "GET \/api\/.env.bak HTTP\/1.1", "request_sample": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "evidence": { "method": "GET", "path": "\/api\/.env.bak", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8", "k8s-api" ], "request_line": "GET \/api\/.env.bak HTTP\/1.1", "request_sample": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e87174c111f10fba1e9de6d44b6ce92d7c05f19b", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.bak", "request_line": "GET \/api\/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.bak", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.bak", "request_line": "GET \/api\/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.bak", "evidence_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api", "http_backup_file_scan", "http_backup_path", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:42 UTC	TCP	8120 · HTTP	http	Scan de ports port scan syn · via HTTP:8120 · (reconnaissance) · → /env.bak	Élevée	Moyen · 60
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0043 TA0043 Protocole GET /env.bak UA Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF9… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950521:leak-8 http_backup_file_scan Cible HTTP GET /env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /env.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 52% Confiance classification 60% Corrélation +8 Risque capteur Moyen · 60 Confiance : Confiance 52 % — 3 tag(s) WAF Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Ligne de requête `GET /env.bak HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Règles WAF rce-0 nosqli-3 leak-8 Payload (extrait) GET /env.bak HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) Appl Requête brute (extrait) GET /env.bak HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "e3bd5c8b6d29787da4174ea7bd4b0a7b338120fb", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "a267c1a6bb1f8e78acd54116556c5ca3263f5088", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.421084211770878, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 60, "tag_count": 7, "anomaly_count": 0, "campaign_key": "b4afb769a814560fbefced6b0e56f731d5eb95a6", "event_fingerprint": "c07aae37b059f5b3701871a97cd27f253c6d8648", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 52%", "confidence": 0.6, "classification_confidence": 0.6, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 60, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "39ca9418f7f4a4c93ba96ea3ac462e90", "payload_hash": "3e081ee3eb202b3458ba61b6c1405925", "path_pattern_hash": "8c7af96cfa7ab0d2b434d66566500145" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF91) Appl", "method": "GET", "path": "\/env.bak", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/env.bak HTTP\/1.1", "request_sample": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF91) Appl", "evidence": { "method": "GET", "path": "\/env.bak", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/env.bak HTTP\/1.1", "request_sample": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF91) Appl", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "31e4715dadba66a0002424fb9d832e5527d05a8d", "protocol_details": { "http_method": "GET", "http_path": "\/env.bak", "request_line": "GET \/env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mob\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF91) Appl", "attack_vector": "port scan syn \u00b7 via HTTP:8120 \u00b7 (reconnaissance) \u00b7 \u2192 \/env.bak", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 52%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 60 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 60, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 60, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 60, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/env.bak", "request_line": "GET \/env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mob\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8120 \u00b7 (reconnaissance) \u00b7 \u2192 \/env.bak", "evidence_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF91) Appl", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_probe_env", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:42 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /api/.env.backup	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env.backup UA Googlebot-Video/1.0 Émulateur HTTP WAF 18 Recommandation Investiguer Tags 950468:nosqli-3 950514:leak-1 950600:k8s-api http_backup_file_scan Cible HTTP GET /api/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /api/.env.backup Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.backup HTTP/1.1` User-Agent Googlebot-Video/1.0 Règles WAF nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.backup HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Googlebot-Video/1.0 Accept-Charset: utf-8 Accept-Encoding: g Requête brute (extrait) GET /api/.env.backup HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Googlebot-Video/1.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "3580c3e0bbd27c88a84060337cc1c6ff2496b3f9", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "9dab8234c39ccb9ea2d77d85642de0c301ab4efb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 154, "payload_entropy": 5.0841945785369465, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 80, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 80, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 7, "anomaly_count": 0, "campaign_key": "99a769b8c525bf3b4aed7af6e42c7c4974f9d1c9", "event_fingerprint": "59a97eec09fda6361e05201eae6a7b73eb0b1de6", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 80, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "264516773b1a82d816f3a0ab5476d704", "payload_hash": "fd332387513dab00f716deb475e5fff8", "path_pattern_hash": "49a3b01836cfe2c6affa28c94f1fce0a" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "method": "GET", "path": "\/api\/.env.backup", "user_agent": "Googlebot-Video\/1.0", "waf_tags": [ "950468:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.backup HTTP\/1.1", "request_sample": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "evidence": { "method": "GET", "path": "\/api\/.env.backup", "user_agent": "Googlebot-Video\/1.0", "waf_tags": [ "950468:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.backup HTTP\/1.1", "request_sample": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5699e1779375354a6b96899f847cdf0091bfe6d5", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.backup", "request_line": "GET \/api\/.env.backup HTTP\/1.1", "http_user_agent": "Googlebot-Video\/1.0", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.backup", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 80, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.backup", "request_line": "GET \/api\/.env.backup HTTP\/1.1", "http_user_agent": "Googlebot-Video\/1.0", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.backup", "evidence_snippet": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 80 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:42 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /api/.env.old	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env.old UA Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/535.1 (KHTML, li… Émulateur HTTP WAF 39 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /api/.env.old Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.old HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.94 Safari/535.1 Règles WAF rce-0 nosqli-3 leak-1 leak-8 k8s-api Payload (extrait) GET /api/.env.old HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/535.1 (KHTML, like Requête brute (extrait) GET /api/.env.old HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.94 Safari/535.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "old", "http_ua_hash": "2deed173bb925d20f21a83da5f9cf73a649295f0", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "1eaaed3d5813b8a0c46124d29705f048ce880ab8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 236, "payload_entropy": 5.426287538803021, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 11, "anomaly_count": 0, "campaign_key": "dc2b8322cccb098b144c253022ccd0fb5084e829", "event_fingerprint": "cf2b12d384c9cefe85204f1d6e832881276f5aac", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "25284458924ee287b259c1d34e26087f", "payload_hash": "475d59fb192b2b41396a604f365c1f01", "path_pattern_hash": "f24df3f6a48f5ead7ac9d4853493d4fa" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like", "method": "GET", "path": "\/api\/.env.old", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/14.0.835.94 Safari\/535.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8", "k8s-api" ], "request_line": "GET \/api\/.env.old HTTP\/1.1", "request_sample": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/14.0.835.94 Safari\/535.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like", "evidence": { "method": "GET", "path": "\/api\/.env.old", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/14.0.835.94 Safari\/535.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8", "k8s-api" ], "request_line": "GET \/api\/.env.old HTTP\/1.1", "request_sample": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/14.0.835.94 Safari\/535.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b867ec9cbd9668e0391da7377083bed8e55e2190", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.old", "request_line": "GET \/api\/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/14.0.835.94 Safari\/535.1", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.old", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.old", "request_line": "GET \/api\/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/14.0.835.94 Safari\/535.1", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.old", "evidence_snippet": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api", "http_backup_file_scan", "http_backup_path", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 19:53:42 UTC	TCP	8120 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8120 · (tentative d'exploit) · → /api/.env.local	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env.local UA Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWeb… Émulateur HTTP WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8120 Chemin / cible /api/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5362a Safari/604.1 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.local HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWeb Requête brute (extrait) GET /api/.env.local HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A5362a Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connec Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "1f3cf74a10338f9535e97db2940f2bf70a8a7923", "http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af", "http_target_hash": "edb025f9fa0e5ca4830590504e5c719dffe9f0d2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 271, "payload_entropy": 5.337732066770295, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8120, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 9, "anomaly_count": 0, "campaign_key": "27fa8198e591d25055357929a17dbdeecab964d6", "event_fingerprint": "1f5886d8008e14e5ade919008e5cd5af4a366432", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7a478a1ff9db37af7f8c9a5724f8eb8e", "payload_hash": "3e9c5b7046c2a80d35831f208be55a0f", "path_pattern_hash": "593041543fc7e9468b6d0efddae98740" }, "target_context": { "dst_port": 8120, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWeb", "method": "GET", "path": "\/api\/.env.local", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.local HTTP\/1.1", "request_sample": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWeb", "evidence": { "method": "GET", "path": "\/api\/.env.local", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.local HTTP\/1.1", "request_sample": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWeb", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f2c8fb6f7c4a75c5e21ae243e1d9dbd22b1b6ace", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.local", "request_line": "GET \/api\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWeb", "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.local", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8120, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.local", "request_line": "GET \/api\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A\u2026", "port": 8120, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8120 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.local", "evidence_snippet": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWeb", "target_port_label": "8120 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8120" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }

35.194.255.180

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence