Renseignement sur les menaces

Taïwan

35.201.190.156

FAI Google LLC Première vue 14/06/2026 15:56 UTC Dernière vue 14/06/2026 15:56 UTC Risque Critique

Période analysée : 2026-05-19 → 2026-06-18

Activité suspecte — risque 65/100 (Élevé) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 91/100 Critique

Première observation 14/06/2026 15:56 UTC

Dernière observation 14/06/2026 15:56 UTC

Événements (période) 332

MITRE ATT&CK principal TA0007 167 occurrences

Activité suspecte — risque 65/100 (Élevé) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 84 · Bonus corrélation +8 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 35.201.176.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 332 événements sur la période pour cette IP.

162.216.149.142 Sonde PostgreSQL 18/06/2026 22:07 UTC
147.185.133.167 Scanner web 18/06/2026 22:06 UTC
35.203.210.21 Scanner web 18/06/2026 22:05 UTC
162.216.149.47 Scanner web 18/06/2026 22:04 UTC
198.235.24.222 Sonde port 18/06/2026 22:04 UTC
162.216.150.92 Scanner web 18/06/2026 22:03 UTC
162.216.150.232 Scanner web 18/06/2026 22:03 UTC
198.235.24.129 Sonde PostgreSQL 18/06/2026 22:03 UTC

Événements (filtres)

332

Première observation

14/06/2026 15:56 UTC

Dernière observation

14/06/2026 15:56 UTC

Dernière activité (filtres)

14/06/2026 15:56 UTC

Événements 7j

332

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 166 WEBLOGIC SSL TCP 166

HTTP

166

WEBLOGIC SSL

166

Géolocalisation

Origine réseau déclarée

Taïwan unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 7002 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTP:7002 · (tentative d'exploit) · → /mailer/sendgrid.env

Détails protocole

Méthode: GET
Chemin: /mailer/sendgrid.env
User-Agent: UCWEB/8.8 (SymbianOS/9.2; U; en-US; NokiaE63) AppleWebKit/534.1 UCBrowser/8.8.0.245 Mobile

Aperçu payload

GET /mailer/sendgrid.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: UCWEB/8.8 (SymbianOS/9.2; U; en-US; NokiaE63) AppleWebKit/

Port / service

7002 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 3 tag(s) WAF

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499 Upstream Waf Score

Confiance

100% Corrélation +8

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

332 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

332 événement(s) — page 3/7

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /stage/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /stage/.env UA Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /stage/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /stage/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /stage/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /stage/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Fir Requête brute (extrait) GET /stage/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "9413061305ae25c7dc96396993c34e4c6bf44378", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "737ca670329de18dc663a9b1a810e4d99c607cf0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.350706650905774, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "6497351cb31fe1b5d508c9bf81a05a0cef7717ec", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd916d04a43ff1455f620cc89c18c92b", "payload_hash": "132f3e3d89fb5e5e3197dd6933b46452", "path_pattern_hash": "25b2f069e3141e0796938ca9e4e845aa" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko\/20100101 Fir", "method": "GET", "path": "\/stage\/.env", "user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko\/20100101 Firefox\/49.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/stage\/.env HTTP\/1.1", "request_sample": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko\/20100101 Firefox\/49.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko\/20100101 Fir", "evidence": { "method": "GET", "path": "\/stage\/.env", "user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko\/20100101 Firefox\/49.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/stage\/.env HTTP\/1.1", "request_sample": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko\/20100101 Firefox\/49.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko\/20100101 Fir", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ddede6d255f8bccb1babcef30e4c124b5831a035", "protocol_details": { "http_method": "GET", "http_path": "\/stage\/.env", "request_line": "GET \/stage\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko\/20100101 Firefox\/49.0", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko\/20100101 Fir", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/stage\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/stage\/.env", "request_line": "GET \/stage\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko\/20100101 Firefox\/49.0", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/stage\/.env", "evidence_snippet": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko\/20100101 Fir", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /app/.env.dev	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.dev UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.dev TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /app/.env.dev Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.dev HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.dev HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.3 Requête brute (extrait) GET /app/.env.dev HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "dev", "http_ua_hash": "98f38537a8dfc3b008138091f5ff357e27b3d266", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "df5aa2d688155147d78025f13efee7d00a0eafd8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.402453249434667, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "cf918ad80c3b9c97b0df044fb3fb9f0b65c85623", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c4790fcb2dd6f6fa002f21f00668390b", "payload_hash": "fcc00939e1b7e15c85ab201c044a56ba", "path_pattern_hash": "80cfd304d2c6517de5f460ebde85ca3d" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.3", "method": "GET", "path": "\/app\/.env.dev", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.dev HTTP\/1.1", "request_sample": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/app\/.env.dev", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.dev HTTP\/1.1", "request_sample": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "494e4eafbfdc83e02b07a28360aaa945f3e017c4", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.dev", "request_line": "GET \/app\/.env.dev HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.3", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.dev", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.dev", "request_line": "GET \/app\/.env.dev HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.dev", "evidence_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.3", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /backend/.env.bak	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env.bak UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /backend/.env.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.bak HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /backend/.env.bak HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 ( Requête brute (extrait) GET /backend/.env.bak HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "bak", "http_ua_hash": "e2b242c30985c372980cd20d8433a9fe0e06797d", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "634ed927b1f303dd63cc0a7dc5f7e8b5a6847ee7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.440684400056793, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.3, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 9, "anomaly_count": 0, "campaign_key": "9b8acbad2d024bd3b2cf2d919f1c3c269cfdb16e", "event_fingerprint": "1ced7119d7b7daa2af69234400f6ac3a84462f10", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9a3090eaeb327bba8b23d69e1e53a350", "payload_hash": "b818ac6dc5e8319a5ce21c6ad8f13cac", "path_pattern_hash": "6679bce94c041ed02cf99c5001176812" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (", "method": "GET", "path": "\/backend\/.env.bak", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/backend\/.env.bak HTTP\/1.1", "request_sample": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/backend\/.env.bak", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/backend\/.env.bak HTTP\/1.1", "request_sample": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "333c9e4c6be4e5dc9324faeaaad5e061a9a52ce8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.bak", "request_line": "GET \/backend\/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.bak", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.bak", "request_line": "GET \/backend\/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.bak", "evidence_snippet": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /backend/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env UA Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/2010010… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /backend/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/20100101 Requête brute (extrait) GET /backend/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "e7b77faf9603a50a47b0ba63b308b2407035ecb8", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "43427b722c17a9a0bc6fc425a8ca9501d2c985f0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.294846708642539, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "62bf3a11a1f261d74fd2c4fa7917a02149e7ac1b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "60b84cdfe5dd239f665728e240542301", "payload_hash": "431d09afc146c3910d863446dfc3b85e", "path_pattern_hash": "1ffd9afa4ff51d558fbb13c458726c9c" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/20100101 ", "method": "GET", "path": "\/backend\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env HTTP\/1.1", "request_sample": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/20100101", "evidence": { "method": "GET", "path": "\/backend\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env HTTP\/1.1", "request_sample": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/20100101", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b20b7ecaaef172cc867bee89a562475efecab849", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env", "request_line": "GET \/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/20100101", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env", "request_line": "GET \/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env", "evidence_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/20100101", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /backend/api/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/api/.env UA Mozilla/5.0 (Linux; Android 9; HMA-L29) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /backend/api/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/api/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; HMA-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/api/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; HMA-L29) AppleWebKit/537.36 (K Requête brute (extrait) GET /backend/api/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; HMA-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "534ce3d37d92c51a891b5e14e31709fe23e69e9b", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "7cf3bcec31d16ad31dcc82b576038776c12d1f9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.4093275611169505, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "7a9ae581b804f9fdab36f9bafae21f04e0100efe", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "79ca9ef7a67c04726f6247619bf4dc4d", "payload_hash": "386dc1f9be23e60f35696471df60b3c8", "path_pattern_hash": "f336a19e3f1ce7e6163bdad57dfb6c61" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; HMA-L29) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/backend\/api\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; HMA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/api\/.env HTTP\/1.1", "request_sample": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; HMA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; HMA-L29) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/backend\/api\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; HMA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/api\/.env HTTP\/1.1", "request_sample": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; HMA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; HMA-L29) AppleWebKit\/537.36 (K", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1da58b5948e7b32236dedb674e1dbfffa452e416", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/api\/.env", "request_line": "GET \/backend\/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; HMA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; HMA-L29) AppleWebKit\/537.36 (K", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/api\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/api\/.env", "request_line": "GET \/backend\/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; HMA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/api\/.env", "evidence_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; HMA-L29) AppleWebKit\/537.36 (K", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /backend/.env.prod	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env.prod UA Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /backend/.env.prod Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.prod HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.107 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env.prod HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /backend/.env.prod HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.107 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "prod", "http_ua_hash": "86aa0f47a7f2556a891729ba910f5cf055fa44a8", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "ece1b00dd116de2d5cd1e616b647fb67b7d3b035", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.416028874365335, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "75e5cec61fb474bf5063cd642374002137122962", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "33af80933ae980783be0a1637c8232d0", "payload_hash": "92e1710ea344a3d6fd531e16a9e0fb1e", "path_pattern_hash": "06b37c283e0032a53442bbe10821cfeb" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/backend\/.env.prod", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.107 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.prod HTTP\/1.1", "request_sample": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.107 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/backend\/.env.prod", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.107 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.prod HTTP\/1.1", "request_sample": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.107 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "33579bf6bb6897a137e3cf2999e02d8628205b82", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.prod", "request_line": "GET \/backend\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.107 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTM", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.prod", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.prod", "request_line": "GET \/backend\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.107 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.prod", "evidence_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTM", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /backend/.env.dev	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env.dev UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.dev TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /backend/.env.dev Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.dev HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3876.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env.dev HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /backend/.env.dev HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3876.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "dev", "http_ua_hash": "32327fff8b51993e2a11eaa1f03a55f19f9a3e6a", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "6d43a22facf5bd0b2b7f81b2645be87ea2a8a4a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 239, "payload_entropy": 5.439032762987034, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "2e6ac878ca611fffe2dde3ba2137d03f92a442a5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "374e594fff7d90fcc3f4c27b624d5da4", "payload_hash": "dfc78b14e7e8af24477a76b43293c4b6", "path_pattern_hash": "361efd67c8cb82623bb332a9d4f55268" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/backend\/.env.dev", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.dev HTTP\/1.1", "request_sample": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/backend\/.env.dev", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.dev HTTP\/1.1", "request_sample": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "464eca8a7631198311f4ea8cd579593911ab4bf1", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.dev", "request_line": "GET \/backend\/.env.dev HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.dev", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.dev", "request_line": "GET \/backend\/.env.dev HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.dev", "evidence_snippet": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /backend/.env.staging	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env.staging UA Mozilla/5.0 (Linux; Android 9; MI 8) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.staging TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /backend/.env.staging Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.staging HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; MI 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.42 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env.staging HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; MI 8) AppleWebKit/537.36 ( Requête brute (extrait) GET /backend/.env.staging HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; MI 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.42 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "staging", "http_ua_hash": "e1888a627a55716bf3d1480abe129726b3f09123", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "60ad021131c60c7ef0d3077bb512c229f5e99a01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.407776619266675, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "ffc46ba7271bf5f5d1ce8358098cba2c2ce10404", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "020b21438662103e7ecad62fe1956b37", "payload_hash": "c1e01b3aeb60572d5951d4869e4405fe", "path_pattern_hash": "71e8425052a8e855284ce6c37676ea95" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (", "method": "GET", "path": "\/backend\/.env.staging", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.staging HTTP\/1.1", "request_sample": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/backend\/.env.staging", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.staging HTTP\/1.1", "request_sample": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ae95de55dd66b43792876e90b5dacf9af4f1d346", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.staging", "request_line": "GET \/backend\/.env.staging HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Mobile Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.staging", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.staging", "request_line": "GET \/backend\/.env.staging HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Mobile Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.staging", "evidence_snippet": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /backend/.env.local	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env.local UA Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Ge… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /backend/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090825 SeaMonkey/1.1.18 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env.local HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23 Requête brute (extrait) GET /backend/.env.local HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090825 SeaMonkey/1.1.18 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "034f93298ffe726b517500164b7563a0f924afb4", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "7a997ecf8c7c3ade11101024aba12e58dee560af", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 230, "payload_entropy": 5.296539417770763, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "a5a5ecf28badc0bf0b875a73da099423519e7df6", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0af7d4423f9e8b9d9ba2cecedd246e7e", "payload_hash": "306a54df45c61481a4fb7510b10685a7", "path_pattern_hash": "6e2a711f7323df4e4b7b37b3c8fb7ec7" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23", "method": "GET", "path": "\/backend\/.env.local", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko\/20090825 SeaMonkey\/1.1.18", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.local HTTP\/1.1", "request_sample": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko\/20090825 SeaMonkey\/1.1.18\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23", "evidence": { "method": "GET", "path": "\/backend\/.env.local", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko\/20090825 SeaMonkey\/1.1.18", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.local HTTP\/1.1", "request_sample": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko\/20090825 SeaMonkey\/1.1.18\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "706bfe5fdf9aecab4421d616d8ee64671bda6191", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.local", "request_line": "GET \/backend\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko\/20090825 SeaMonkey\/1.1.18", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.local", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.local", "request_line": "GET \/backend\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko\/20090825 SeaMonkey\/1.1.18", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.local", "evidence_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /app/.env.staging	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.staging UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.staging TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /app/.env.staging Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.staging HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.staging HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /app/.env.staging HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "staging", "http_ua_hash": "73edb8ff973d8351887c5542b00d315359c1733f", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "e84f59fbbec8a04fdfc3078fbdf0ae4fd69640c6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.408245467873704, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "3990203060018161f5c6462180a3684f9e70d052", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "08c8f275680a86d282b86034497f56b8", "payload_hash": "70b3941495b3948d90d91b8668e516c0", "path_pattern_hash": "5a281530de78ccf813317373171371c8" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 ", "method": "GET", "path": "\/app\/.env.staging", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Safari\/537.36 Edge\/12.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.staging HTTP\/1.1", "request_sample": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Safari\/537.36 Edge\/12.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/app\/.env.staging", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Safari\/537.36 Edge\/12.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.staging HTTP\/1.1", "request_sample": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Safari\/537.36 Edge\/12.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1ae4e456faecb3ebb14a6a6959e3064f36a71a44", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.staging", "request_line": "GET \/app\/.env.staging HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Safari\/537.36 Edge\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.staging", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.staging", "request_line": "GET \/app\/.env.staging HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Safari\/537.36 Edge\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.staging", "evidence_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /app/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env UA Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD6… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /app/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD62) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD62) App Requête brute (extrait) GET /app/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD62) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "a6467658c785f51c48af90041faf44204a34265b", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "628b9cb47d9f8d6e8fddc1b7d3cebf1133d17f4f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.421423536662054, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "a91541b3181ab1101c512f74109d08b6c81b299b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "621468122e187fa5107552cbdddde9b1", "payload_hash": "50a56e569d7b11594acf2348c206d7e0", "path_pattern_hash": "6215588c522bb159cbcefac1cb9fb1de" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/app\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) App", "method": "GET", "path": "\/app\/.env", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env HTTP\/1.1", "request_sample": "GET \/app\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/app\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) App", "evidence": { "method": "GET", "path": "\/app\/.env", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env HTTP\/1.1", "request_sample": "GET \/app\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/app\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) App", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "69aa93af5a520131d01c664b08ce262c0696beb7", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env", "request_line": "GET \/app\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mo\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) App", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env", "request_line": "GET \/app\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mo\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env", "evidence_snippet": "GET \/app\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) App", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /app/.env.bak	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.bak UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537… Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /app/.env.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.bak HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.119 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /app/.env.bak HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.3 Requête brute (extrait) GET /app/.env.bak HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.119 Accept-Charset: utf-8 Accept-Encoding: gzip Connec Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "bak", "http_ua_hash": "effaeb421c03aec98bc9d571db0d45d0997dbcac", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "675fe9576f3ec7add08a15dd0c540b55e5bbfdec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 271, "payload_entropy": 5.4316933925155935, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.3, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 9, "anomaly_count": 0, "campaign_key": "9b8acbad2d024bd3b2cf2d919f1c3c269cfdb16e", "event_fingerprint": "a588d65921623b6f390f712b4cd0b35d44e97eb8", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2e256d129e88838c4320882bc57133c5", "payload_hash": "37ebdd19082debff011d7d04e74628a4", "path_pattern_hash": "a68a9dfeaee6097716a18c2b9f43c5f9" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.3", "method": "GET", "path": "\/app\/.env.bak", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.119", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/app\/.env.bak HTTP\/1.1", "request_sample": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.119\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/app\/.env.bak", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.119", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/app\/.env.bak HTTP\/1.1", "request_sample": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.119\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "136b8b92ab4b8fcc8f3c360c330ecaf582d797a3", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.bak", "request_line": "GET \/app\/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.3", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.bak", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.bak", "request_line": "GET \/app\/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.bak", "evidence_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.3", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /app/.env.backup	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.backup UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /app/.env.backup Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.backup HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3803.0 Safari/537.36 Edg/76.0.174.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.backup HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/53 Requête brute (extrait) GET /app/.env.backup HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3803.0 Safari/537.36 Edg/76.0.174.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "85f60a89669895e774b6fe605a3752d880ce0161", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "b42013d9fc6faf7024bf195a915bf9a177806a2f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 269, "payload_entropy": 5.396923634660416, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "fa81f2ef60494b9014cf7a6b0420c2db0569afe9", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e0dde72cfa116ec21caf868d72647055", "payload_hash": "3f8056be3d5111a0e9999b2a7b336cbc", "path_pattern_hash": "114733505d40fc8a9280b409ddd76598" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/53", "method": "GET", "path": "\/app\/.env.backup", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3803.0 Safari\/537.36 Edg\/76.0.174.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.backup HTTP\/1.1", "request_sample": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3803.0 Safari\/537.36 Edg\/76.0.174.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/app\/.env.backup", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3803.0 Safari\/537.36 Edg\/76.0.174.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.backup HTTP\/1.1", "request_sample": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3803.0 Safari\/537.36 Edg\/76.0.174.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/53", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "065c7e57b0eecdad3487720e4ff037b047ee6ff6", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.backup", "request_line": "GET \/app\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3803.0 Safari\/537.36\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/53", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.backup", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.backup", "request_line": "GET \/app\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3803.0 Safari\/537.36\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.backup", "evidence_snippet": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/53", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /app/.env.prod	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.prod UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /app/.env.prod Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.prod HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.prod HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537. Requête brute (extrait) GET /app/.env.prod HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "prod", "http_ua_hash": "4184044bad7ba51283d3e6840c5dbec309a6ef27", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "ee922ae5907bc48e4659f274d485f8c67812795b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.364005799993586, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "af190117c1779a4e464b571c5f1a1327355a911b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2eaa9eb4cc81509736c0f74aaadee18f", "payload_hash": "fd7551f132c5db554be6f6c20fab269c", "path_pattern_hash": "22e14c6f65ce5c9bdbd96012d1745d82" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.", "method": "GET", "path": "\/app\/.env.prod", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.prod HTTP\/1.1", "request_sample": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/app\/.env.prod", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.prod HTTP\/1.1", "request_sample": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9a2dda9c82e3095852e8815568a286820dbd17aa", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.prod", "request_line": "GET \/app\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.prod", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.prod", "request_line": "GET \/app\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.prod", "evidence_snippet": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit\/537.", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /app/backend/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/backend/.env UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /app/backend/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/backend/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/backend/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /app/backend/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "aefd8fb3113a1f2ecde543eb73f45374a3f15318", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "97ef8b86f35b56a86d5dbe6549b6162a1d5ef49e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.431762723775102, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "3dbe9f6295b494c9e21b3d7fa9525586d50ae3b7", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4f45f484003ae55c266f50b85b305d18", "payload_hash": "eb8b1f52764c7a4c1de34bd1402df8c4", "path_pattern_hash": "288b39c98eb1f440a224c00537d9552f" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/app\/backend\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/backend\/.env HTTP\/1.1", "request_sample": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/app\/backend\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/backend\/.env HTTP\/1.1", "request_sample": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "369ed01f35ad0d5896668c4d3dd4c5c52743d0ce", "protocol_details": { "http_method": "GET", "http_path": "\/app\/backend\/.env", "request_line": "GET \/app\/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/backend\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/backend\/.env", "request_line": "GET \/app\/backend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/backend\/.env", "evidence_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /release/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /release/.env UA Mozilla/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit/534.16 … Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /release/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /release/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /release/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /release/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit/534.16 (K Requête brute (extrait) GET /release/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "dea1a61ddc30695aca1aeaf2a046fb6ead36931d", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "3f4c975c51cd1d3df84592564ed06afe4e782992", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.448277075733424, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "c6fe9fe046bb630b7c52e57cc94e1dec9cefa568", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "03f070ae78a93490e9b479f8fa2b0e91", "payload_hash": "10953675a06a64ff27cdcc3a872657cf", "path_pattern_hash": "93883cb09f4769a367badfafc907183e" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit\/534.16 (K", "method": "GET", "path": "\/release\/.env", "user_agent": "Mozilla\/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit\/534.16 (KHTML, like Gecko) Chrome\/10.0.648.204 Safari\/534.16", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/release\/.env HTTP\/1.1", "request_sample": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit\/534.16 (KHTML, like Gecko) Chrome\/10.0.648.204 Safari\/534.16\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit\/534.16 (K", "evidence": { "method": "GET", "path": "\/release\/.env", "user_agent": "Mozilla\/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit\/534.16 (KHTML, like Gecko) Chrome\/10.0.648.204 Safari\/534.16", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/release\/.env HTTP\/1.1", "request_sample": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit\/534.16 (KHTML, like Gecko) Chrome\/10.0.648.204 Safari\/534.16\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit\/534.16 (K", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8722a2a67f02f3c0cf2ca4ed71b78e2ecad93196", "protocol_details": { "http_method": "GET", "http_path": "\/release\/.env", "request_line": "GET \/release\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit\/534.16 (KHTML, like Gecko) Chrome\/10.0.648.204 Safari\/534.16", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit\/534.16 (K", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/release\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/release\/.env", "request_line": "GET \/release\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit\/534.16 (KHTML, like Gecko) Chrome\/10.0.648.204 Safari\/534.16", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/release\/.env", "evidence_snippet": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit\/534.16 (K", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /backend/.env.old	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env.old UA Mozilla/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /backend/.env.old Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.old HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /backend/.env.old HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit/537.36 ( Requête brute (extrait) GET /backend/.env.old HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "old", "http_ua_hash": "a0e58f0536f0d6d039ac38ea1afcfc639f14c579", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "1f4d8d4518e413ad6b5a41c5ce61d38167670e32", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.374322057970625, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.3, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 9, "anomaly_count": 0, "campaign_key": "9b8acbad2d024bd3b2cf2d919f1c3c269cfdb16e", "event_fingerprint": "8dda894532f434062c0a6b8f1864a1d4e7d7137b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1432cb10f0aa4d0ad703f717b7fe97ee", "payload_hash": "e5d0df84757bf4710970104f676ce825", "path_pattern_hash": "253500a6a15b8bd3c8b0f4dfe71121e2" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (", "method": "GET", "path": "\/backend\/.env.old", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/backend\/.env.old HTTP\/1.1", "request_sample": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/backend\/.env.old", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/backend\/.env.old HTTP\/1.1", "request_sample": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8784adac529717931be314ebda78e2e61a50f3f3", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.old", "request_line": "GET \/backend\/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.old", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.old", "request_line": "GET \/backend\/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.old", "evidence_snippet": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /uat/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /uat/.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /uat/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /uat/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /uat/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 YaBrowser/19.6.0.1583 Yowser/2.5 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /uat/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (K Requête brute (extrait) GET /uat/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 YaBrowser/19.6.0.1583 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: g Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "8a0d3c36d342e07fca0f4e338490cf64702e86ff", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "1eb2933a38e1b26e0106588b5505e9710f93d6fb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 282, "payload_entropy": 5.467376690746273, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "8e0da39d16dbebd9b0ec5a51f0e40d6f81c7c442", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "06f2d4a7b4271764433eb31e4582226a", "payload_hash": "c30e8e702b8c5aa7a86f34714a8828f7", "path_pattern_hash": "1a8fcb54c8457aab1171c5a3ff6b1128" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/uat\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 YaBrowser\/19.6.0.1583 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/uat\/.env HTTP\/1.1", "request_sample": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 YaBrowser\/19.6.0.1583 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/uat\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 YaBrowser\/19.6.0.1583 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/uat\/.env HTTP\/1.1", "request_sample": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 YaBrowser\/19.6.0.1583 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (K", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ecdf97066edf4c9317464b954b4b5525c8f69091", "protocol_details": { "http_method": "GET", "http_path": "\/uat\/.env", "request_line": "GET \/uat\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 YaBrowser\/1\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (K", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/uat\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/uat\/.env", "request_line": "GET \/uat\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 YaBrowser\/1\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/uat\/.env", "evidence_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (K", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /backend/.env.backup	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env.backup UA Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /backend/.env.backup Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.backup HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0) Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env.backup HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident Requête brute (extrait) GET /backend/.env.backup HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "63de3922903cd2b9b24b1d2bd23e4deb1b136a2e", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "010b38f2c3ba3880210fba1c683062ead6b6ee06", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.306765877391956, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "022b3f0e99f6ed94af09aca21a59472f009e76f3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b2a4aaa6e64a823983ffd070c36d1dd5", "payload_hash": "265461c4aa13e1f30e474959c90bac95", "path_pattern_hash": "d21da08f9b6364ea0d2550ff45214b03" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident", "method": "GET", "path": "\/backend\/.env.backup", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.backup HTTP\/1.1", "request_sample": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident", "evidence": { "method": "GET", "path": "\/backend\/.env.backup", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.backup HTTP\/1.1", "request_sample": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b11e7ee6d3b63ef3aae89a7b9c48ea920b77bf1e", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.backup", "request_line": "GET \/backend\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.backup", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.backup", "request_line": "GET \/backend\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.backup", "evidence_snippet": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /development/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /development/.env UA Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like G… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /development/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /development/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /development/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /development/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /development/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "8db4cb7863732c8d40d7c353d01da0ef67f06e8b", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "368a782b06d2e3f08e91fcad6aa099df587b3caa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.4371485927388195, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "faf3a5f6b20f18ba97b82ad88b0b1822052e8c53", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f4d23ff9620a784b6deac336784599f4", "payload_hash": "830a3e8b0b7b53cb99fbff8d1bbcb24d", "path_pattern_hash": "5ac5643a22156fcbe040fcd2350884e7" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like", "method": "GET", "path": "\/development\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/51.0.2704.79 Chrome\/51.0.2704.79 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/development\/.env HTTP\/1.1", "request_sample": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/51.0.2704.79 Chrome\/51.0.2704.79 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/development\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/51.0.2704.79 Chrome\/51.0.2704.79 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/development\/.env HTTP\/1.1", "request_sample": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/51.0.2704.79 Chrome\/51.0.2704.79 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "22cd7f0b95e972da3e821f2af49f78a25f360289", "protocol_details": { "http_method": "GET", "http_path": "\/development\/.env", "request_line": "GET \/development\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/51.0.2704.79 Chrome\/51.0.2704.79 S\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/development\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/development\/.env", "request_line": "GET \/development\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/51.0.2704.79 Chrome\/51.0.2704.79 S\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/development\/.env", "evidence_snippet": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /app/.env.production	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.production UA Mozilla/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit/537.… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /app/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit Requête brute (extrait) GET /app/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "78b3da388f07125922275ece3097b6f15cda702b", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "9f1a3b476954729097b55b44dc605e9187baaeeb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 266, "payload_entropy": 5.367269231290087, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "a7ed09d7aea2cc9144c5c265453fa7ceed4256ca", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2fe5bca2bb102783ce93b1df880741ca", "payload_hash": "7a371812b5d0d770c0bad69cebf6e786", "path_pattern_hash": "129b91fce99c27e6763c24ece35d5295" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit", "method": "GET", "path": "\/app\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.production HTTP\/1.1", "request_sample": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit", "evidence": { "method": "GET", "path": "\/app\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.production HTTP\/1.1", "request_sample": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "345d327cb56aeac09eeafac3cbec9f72b0e93faa", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.production", "request_line": "GET \/app\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safar\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.production", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.production", "request_line": "GET \/app\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safar\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.production", "evidence_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /app/.env.local	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.local UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /app/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 OPR/62.0.3331.101 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.local HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537 Requête brute (extrait) GET /app/.env.local HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 OPR/62.0.3331.101 Accept-Charset: utf-8 Accept-Encoding: gzip Conn Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "d446e18ad7be25f69f7457fd6be7a645a1240021", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "6b35726d908ca1441d48958552cc4f0c6d6cdbcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 273, "payload_entropy": 5.370059357512275, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "933bf867a1d7d69e05a542ace02a10778dbde4b7", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a69f3fd3eff13377730a303cdf5f1647", "payload_hash": "d77383716aba23add5d4dcd81ba9e081", "path_pattern_hash": "d0aea5366423bcf3f26207cfc3fa52c7" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537", "method": "GET", "path": "\/app\/.env.local", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.101", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.local HTTP\/1.1", "request_sample": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.101\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/app\/.env.local", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.101", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.local HTTP\/1.1", "request_sample": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.101\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f3294ec0e5476e77a805a52a84fc98daf6a60a3d", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.local", "request_line": "GET \/app\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.local", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.local", "request_line": "GET \/app\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.local", "evidence_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /frontend/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /frontend/.env UA Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; MATBJS; rv:11… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /frontend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /frontend/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /frontend/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; MATBJS; rv:11.0) like Gecko Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /frontend/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; MATBJS; rv:11. Requête brute (extrait) GET /frontend/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; MATBJS; rv:11.0) like Gecko Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "f59ca95f4d53b0dff4b94e6acf073c1d2e7722b9", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "77987435bb3ae079ceddf1be0ca83f10bd79e60f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.303602195852084, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "fee6f59b65fcf4074cb37e7b527ab5118200f89c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "982b86c2c203f9276af6cfa8a282a823", "payload_hash": "15df0f9f93cde4dea3224a8b4fae9878", "path_pattern_hash": "2eb92b74c9200f7bfafce81d1b6d362c" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; MATBJS; rv:11.", "method": "GET", "path": "\/frontend\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; MATBJS; rv:11.0) like Gecko", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env HTTP\/1.1", "request_sample": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; MATBJS; rv:11.0) like Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; MATBJS; rv:11.", "evidence": { "method": "GET", "path": "\/frontend\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; MATBJS; rv:11.0) like Gecko", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env HTTP\/1.1", "request_sample": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; MATBJS; rv:11.0) like Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; MATBJS; rv:11.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e26cf385a6ffbb5fba87fe3024cd712ab4a4513", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env", "request_line": "GET \/frontend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; MATBJS; rv:11.0) like Gecko", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; MATBJS; rv:11.", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env", "request_line": "GET \/frontend\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; MATBJS; rv:11.0) like Gecko", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env", "evidence_snippet": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; MATBJS; rv:11.", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /app/.env.old	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.old UA Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleW… Émulateur HTTP WAF 42 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /app/.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /app/.env.old Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « sqli-21 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 6 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.old HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77 MicroMessenger/7.0.3(0x17000321) NetType/WIFI Language/zh_CN Règles WAF sqli-21 rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /app/.env.old HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb Requête brute (extrait) GET /app/.env.old HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77 MicroMessenger/7.0.3(0x17000321) NetType/WIFI Language/zh_CN Accept-Charset: utf- Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "old", "http_ua_hash": "4bb4290188685f5033767113f92b3972ed7795d9", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "ad318b5cc7cc0c1bf7e3b724fbebccf0a8e6ad42", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 303, "payload_entropy": 5.453162802716867, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.3, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 10, "anomaly_count": 0, "campaign_key": "bad3223a74dd2585b765cdc388ecd32cae2151d9", "event_fingerprint": "c91c590adf490a7c4674896605f5eb051323a391", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "32be96c38f74d9e299607618d54e6b44", "payload_hash": "679d755ecc1bde3e79a5a2fd94a88abe", "path_pattern_hash": "8ac2cfa932003fc4c8032f73eb2729b9" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb", "method": "GET", "path": "\/app\/.env.old", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/app\/.env.old HTTP\/1.1", "request_sample": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf-", "payload_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb", "evidence": { "method": "GET", "path": "\/app\/.env.old", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/app\/.env.old HTTP\/1.1", "request_sample": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf-", "payload_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "66579360a124f02d0a678f9bb54956473749ddb5", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.old", "request_line": "GET \/app\/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMes\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.old", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.old", "request_line": "GET \/app\/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMes\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.old", "evidence_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /qa/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /qa/.env UA MOT-L7v/08.B7.5DR MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC… Émulateur HTTP WAF 28 Recommandation Investiguer Tags 950316:lfi-14 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /qa/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /qa/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /qa/.env HTTP/1.1` User-Agent MOT-L7v/08.B7.5DR MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 Règles WAF lfi-14 nosqli-3 leak-1 Payload (extrait) GET /qa/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: MOT-L7v/08.B7.5DR MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP Requête brute (extrait) GET /qa/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: MOT-L7v/08.B7.5DR MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "ec2870036eb100a12a1f9cd45d1d790b53eaa0de", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "347f368cf7019820ddbef16e4ba72b557e9ffd91", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 212, "payload_entropy": 5.291894169262132, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "0ab4fc21ec500e50429183bf910e8095c3d31258", "event_fingerprint": "2ff2a3e008114e7b1c2f66a9e7c226be7c56d23f", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "646a608cc6e81f1571102958b42b2a7d", "payload_hash": "4d6dfde00f5390490b731b4cc18dba6f", "path_pattern_hash": "304ba9ff810db7ae18a3843216ad1c4b" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP", "method": "GET", "path": "\/qa\/.env", "user_agent": "MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "leak-1" ], "request_line": "GET \/qa\/.env HTTP\/1.1", "request_sample": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP", "evidence": { "method": "GET", "path": "\/qa\/.env", "user_agent": "MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "leak-1" ], "request_line": "GET \/qa\/.env HTTP\/1.1", "request_sample": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "176558c32fe98fc5e89b4284407b3d927458efef", "protocol_details": { "http_method": "GET", "http_path": "\/qa\/.env", "request_line": "GET \/qa\/.env HTTP\/1.1", "http_user_agent": "MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/qa\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/qa\/.env", "request_line": "GET \/qa\/.env HTTP\/1.1", "http_user_agent": "MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/qa\/.env", "evidence_snippet": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /frontend/.env.production	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /frontend/.env.production UA Mozilla/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit/537.36… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /frontend/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /frontend/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /frontend/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.80 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /frontend/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 4) AppleWeb Requête brute (extrait) GET /frontend/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.80 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connectio Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "460175b66ab00f05d386183cbbe10e27a95d105b", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "d9a2c7e4bfc8a23ebeeaa1888ef5fa4be1e92ee6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 268, "payload_entropy": 5.379296290343341, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "ebb7a18f5fdcecdcc8b777a086845423aab6277a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d6c9cbb20d4b77e5db0da336189434c7", "payload_hash": "23018fdd1334ea76af932a7fb4c21e6e", "path_pattern_hash": "6f5e9dea5f57f4e72146c7e773e7255d" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWeb", "method": "GET", "path": "\/frontend\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.80 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env.production HTTP\/1.1", "request_sample": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.80 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWeb", "evidence": { "method": "GET", "path": "\/frontend\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.80 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env.production HTTP\/1.1", "request_sample": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.80 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWeb", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "55521acc8aadc28e8d297e6309b63fcccdb5f845", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env.production", "request_line": "GET \/frontend\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.80 Mobile Safari\/5\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWeb", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.production", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env.production", "request_line": "GET \/frontend\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.80 Mobile Safari\/5\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.production", "evidence_snippet": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWeb", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /backend/.env.production	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env.production UA Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /backend/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Raspbian Chromium/72.0.3626.121 Chrome/72.0.3626.121 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KH Requête brute (extrait) GET /backend/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Raspbian Chromium/72.0.3626.121 Chrome/72.0.3626.121 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzi Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "a90301c84e5f910b80adf0955d8fe2e88bca82d2", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "f5bb9f02b8945472030d827baea0ca721346631c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 280, "payload_entropy": 5.4012843025324555, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "9297d33944518c3da3e30d227a48a3eba41a4842", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7832c45308a9d6632660ba443b09b187", "payload_hash": "7b7a9a4a7c836fdb55099d1460a6f855", "path_pattern_hash": "36d1a8d01ff9d9e501d856bd9686d325" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/backend\/.env.production", "user_agent": "Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like Gecko) Raspbian Chromium\/72.0.3626.121 Chrome\/72.0.3626.121 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.production HTTP\/1.1", "request_sample": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like Gecko) Raspbian Chromium\/72.0.3626.121 Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/backend\/.env.production", "user_agent": "Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like Gecko) Raspbian Chromium\/72.0.3626.121 Chrome\/72.0.3626.121 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.production HTTP\/1.1", "request_sample": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like Gecko) Raspbian Chromium\/72.0.3626.121 Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KH", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "644e9c3870c191088570e2ae8dea7b0293261824", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.production", "request_line": "GET \/backend\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like Gecko) Raspbian Chromium\/72.0.3626.121 Chrome\/72.0.3626\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KH", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.production", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.production", "request_line": "GET \/backend\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like Gecko) Raspbian Chromium\/72.0.3626.121 Chrome\/72.0.3626\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.production", "evidence_snippet": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KH", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /frontend/.env.backup	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /frontend/.env.backup UA Mozilla/5.0 (Linux; Android 9; VTR-AL00 Build/HUAWEIVTR-AL00; w… Émulateur HTTP WAF 34 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /frontend/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /frontend/.env.backup Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « sqli-21 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /frontend/.env.backup HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; VTR-AL00 Build/HUAWEIVTR-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MMWEBID/6475 M… Règles WAF sqli-21 rce-0 nosqli-3 leak-1 Payload (extrait) GET /frontend/.env.backup HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; VTR-AL00 Build/HUAWEIVTR-A Requête brute (extrait) GET /frontend/.env.backup HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; VTR-AL00 Build/HUAWEIVTR-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "8530e1879e96eddd1151a96f3cad2206feb27fb2", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "041ec2294a1481dc3081607b44ac63096bc8be9b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 415, "payload_entropy": 5.580750024906874, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 8, "anomaly_count": 0, "campaign_key": "f323b7ac5647db66ce2e6b6e7c29160629f492b6", "event_fingerprint": "99ee4403dbec4eac6aa9c79f3572e6965c1e6d84", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4ef1cd2493b59bfeff49284d89f3b2bd", "payload_hash": "d5ec6ad947d87e47d11bba0828ae9990", "path_pattern_hash": "63098b77ef1e7ed1f9ff56d3ae7886f5" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "method": "GET", "path": "\/frontend\/.env.backup", "user_agent": "Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/6475 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetTy\u2026", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env.backup HTTP\/1.1", "payload_snippet": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-A", "evidence": { "method": "GET", "path": "\/frontend\/.env.backup", "user_agent": "Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/6475 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetTy\u2026", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env.backup HTTP\/1.1", "request_sample": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 ", "payload_snippet": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-A", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ec0b90777bececac9dda2dc329d0b72861b64e9c", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env.backup", "request_line": "GET \/frontend\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Ch\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-A", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.backup", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env.backup", "request_line": "GET \/frontend\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Ch\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.backup", "evidence_snippet": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VTR-AL00 Build\/HUAWEIVTR-A", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /frontend/.env.staging	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /frontend/.env.staging UA Mozilla/5.0 (Linux; Android 7.0; LGUS997 Build/NRD90U) AppleWeb… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /frontend/.env.staging TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /frontend/.env.staging Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /frontend/.env.staging HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; LGUS997 Build/NRD90U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /frontend/.env.staging HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 7.0; LGUS997 Build/NRD90U) A Requête brute (extrait) GET /frontend/.env.staging HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 7.0; LGUS997 Build/NRD90U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "staging", "http_ua_hash": "228093dfc8613d5849462c5a76e09e1ed546d775", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "b9354afd7c7fbb8f226b6c5ad37595989c02511e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 276, "payload_entropy": 5.460219753715287, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "6a66131993f376e18f6f0ff1695d5a10f30ee13a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2672f4668bf1c319d541ae1310315577", "payload_hash": "48df1b776c840f9a612e7db2752c62d7", "path_pattern_hash": "d743fa13fb1b94912fe1841ecd591349" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGUS997 Build\/NRD90U) A", "method": "GET", "path": "\/frontend\/.env.staging", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LGUS997 Build\/NRD90U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env.staging HTTP\/1.1", "request_sample": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGUS997 Build\/NRD90U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC", "payload_snippet": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGUS997 Build\/NRD90U) A", "evidence": { "method": "GET", "path": "\/frontend\/.env.staging", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LGUS997 Build\/NRD90U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env.staging HTTP\/1.1", "request_sample": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGUS997 Build\/NRD90U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC", "payload_snippet": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGUS997 Build\/NRD90U) A", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8c86180d51fe01a0eb5eb58b95f351409603ba3f", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env.staging", "request_line": "GET \/frontend\/.env.staging HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LGUS997 Build\/NRD90U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobi\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGUS997 Build\/NRD90U) A", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.staging", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env.staging", "request_line": "GET \/frontend\/.env.staging HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LGUS997 Build\/NRD90U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobi\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.staging", "evidence_snippet": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGUS997 Build\/NRD90U) A", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /src/api/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /src/api/.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /src/api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /src/api/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /src/api/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /src/api/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.3 Requête brute (extrait) GET /src/api/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "3be8d07c47410fc9537447c946c078cd1a41da3f", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "b2a18b35c3f8a9a70962b13b254a203c7ed83824", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.388789077914467, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "0f05469cc1d803bfa996b499a205ee8f8c01e78e", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1214c8ac3ccda5b65f516e92df270adc", "payload_hash": "bb8f7d556130a7f2d6b274ec17a3aa34", "path_pattern_hash": "422818afedd28569d60d1f16deec3108" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.3", "method": "GET", "path": "\/src\/api\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.67 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/src\/api\/.env HTTP\/1.1", "request_sample": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.67 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/src\/api\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.67 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/src\/api\/.env HTTP\/1.1", "request_sample": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.67 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0693c60fd40015ec451714ebf95c64a7da24aa5e", "protocol_details": { "http_method": "GET", "http_path": "\/src\/api\/.env", "request_line": "GET \/src\/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.67 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.3", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/api\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/src\/api\/.env", "request_line": "GET \/src\/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.67 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/api\/.env", "evidence_snippet": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.3", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /frontend/.env.local	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /frontend/.env.local UA Mozilla/5.0 (SymbianOS/9.1; U; de) AppleWebKit/413 (KHTML, like… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /frontend/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /frontend/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /frontend/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (SymbianOS/9.1; U; de) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /frontend/.env.local HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; de) AppleWebKit/413 (KHTML, Requête brute (extrait) GET /frontend/.env.local HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; de) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "a178d1ad304a2c1c03f0710b15e57c19414c53ff", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "7437aaaafc9e223d971228fe59fdee61b9d620d5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 220, "payload_entropy": 5.395257756292181, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "54e0d75f98f18721ab3e307e999b7fecbe12b7b2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "539f85876cba5fa19c49ef4b6d59c4fc", "payload_hash": "feb182983f5591aa18d7b5bebdcd2368", "path_pattern_hash": "d7ae154bfa816b480978a2899fe639ce" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML,", "method": "GET", "path": "\/frontend\/.env.local", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env.local HTTP\/1.1", "request_sample": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML,", "evidence": { "method": "GET", "path": "\/frontend\/.env.local", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env.local HTTP\/1.1", "request_sample": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "549d2373e347c6422d9e74834a087155ec54c642", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env.local", "request_line": "GET \/frontend\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML,", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.local", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env.local", "request_line": "GET \/frontend\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.local", "evidence_snippet": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML,", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /src/.env	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /src/.env UA CSSCheck/1.2.2 Émulateur HTTP WAF 14 Recommandation Investiguer Tags 950468:nosqli-3 950514:leak-1 http_backup_file_scan http_sensitive_path Cible HTTP GET /src/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /src/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 57 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /src/.env HTTP/1.1` User-Agent CSSCheck/1.2.2 Règles WAF nosqli-3 leak-1 Payload (extrait) GET /src/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: CSSCheck/1.2.2 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Requête brute (extrait) GET /src/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: CSSCheck/1.2.2 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "cb8594eccbdf56c7162c02a2893c5d365580e0fb", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "0c533120cce5f9ceabf0223e76a6dc86fc19a74f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 142, "payload_entropy": 5.061785146088817, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 64, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 57, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1e9a518a4295092077633180c9043273d4bf71ca", "event_fingerprint": "8b556daeeeb7dbb9a1ebf1678b8c611e8d795ffe", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 57, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d6a74c534e4f9257281a7fcee14cd5e3", "payload_hash": "856a18513516894393e36ca498c23181", "path_pattern_hash": "1be4509071ea53617b7e83d68c291bb4" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "method": "GET", "path": "\/src\/.env", "user_agent": "CSSCheck\/1.2.2", "waf_tags": [ "950468:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/src\/.env HTTP\/1.1", "request_sample": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "evidence": { "method": "GET", "path": "\/src\/.env", "user_agent": "CSSCheck\/1.2.2", "waf_tags": [ "950468:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/src\/.env HTTP\/1.1", "request_sample": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f190c6641baf65253f33340be5fea922fa2a81ac", "protocol_details": { "http_method": "GET", "http_path": "\/src\/.env", "request_line": "GET \/src\/.env HTTP\/1.1", "http_user_agent": "CSSCheck\/1.2.2", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 57, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/src\/.env", "request_line": "GET \/src\/.env HTTP\/1.1", "http_user_agent": "CSSCheck\/1.2.2", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.env", "evidence_snippet": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 64 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /frontend/.env.prod	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /frontend/.env.prod UA Mozilla/5.0 (Linux; Android 9; CLT-L09) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /frontend/.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /frontend/.env.prod Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /frontend/.env.prod HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; CLT-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /frontend/.env.prod HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-L09) AppleWebKit/537.36 Requête brute (extrait) GET /frontend/.env.prod HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "prod", "http_ua_hash": "59fe7753801d9b0030bde7c6461fcc6a8be9f023", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "cf3ece5c26ce77d1afb6b3a84469b6cc81aaf4e1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.38755734289716, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "80b3094cc3da1277f6524f0f6370dd1a455e8c5a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6a9b3a0f1e02bf4f12d32a74f30f4489", "payload_hash": "cdaf8da47415cda43aa2c1fce084ce99", "path_pattern_hash": "b602f165e7f6eb051e1d5630d1727616" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 ", "method": "GET", "path": "\/frontend\/.env.prod", "user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env.prod HTTP\/1.1", "request_sample": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/frontend\/.env.prod", "user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env.prod HTTP\/1.1", "request_sample": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a44cbbef1f7a260b7bb5ba084d95e1b0d49df7ac", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env.prod", "request_line": "GET \/frontend\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.prod", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env.prod", "request_line": "GET \/frontend\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.prod", "evidence_snippet": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L09) AppleWebKit\/537.36", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /src/.env.local	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /src/.env.local UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /src/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /src/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /src/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /src/.env.local HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537 Requête brute (extrait) GET /src/.env.local HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "bc8a9e17b3f2437b80157fcbed44004e8eb88780", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "e4304ce88152d59a50dc3020ea792863da65ad77", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.415173624802731, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "6aca9092d55d13eff2f160285c97b7f954f08269", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "61c42f3e687a00c4154e16053704e7f4", "payload_hash": "19baaf9c69cb367666e911ab8b7cebfd", "path_pattern_hash": "0ca29e8f6e861d700e912e83099b82f9" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537", "method": "GET", "path": "\/src\/.env.local", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/src\/.env.local HTTP\/1.1", "request_sample": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/src\/.env.local", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/src\/.env.local HTTP\/1.1", "request_sample": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6bf19a8d483ed937da59182e6770240bf016bf44", "protocol_details": { "http_method": "GET", "http_path": "\/src\/.env.local", "request_line": "GET \/src\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.env.local", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/src\/.env.local", "request_line": "GET \/src\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.98 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.env.local", "evidence_snippet": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/537", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /internal/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /internal/.env UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /internal/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /internal/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /internal/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3269.3 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /internal/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /internal/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3269.3 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "7aa24048a7e434c38d31af7ae5d274fb95300ef0", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "bbff311646149e77bbf27c4899ac7dbcb7bb94dc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 236, "payload_entropy": 5.425005507258175, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 8, "anomaly_count": 0, "campaign_key": "57dceceacd0e72060f29c4328f05836417d8a84e", "event_fingerprint": "088ef1fb2b4b2f69d49fb13a2589933144e1034a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4c00b1276d70a58f8b24b5b7aaa1f7f7", "payload_hash": "a5b30a5f1547015c6b7dac2e678ff82d", "path_pattern_hash": "929e3be7d81c0f83bf54b6e32e9b030d" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like ", "method": "GET", "path": "\/internal\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3269.3 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/internal\/.env HTTP\/1.1", "request_sample": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3269.3 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/internal\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3269.3 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/internal\/.env HTTP\/1.1", "request_sample": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3269.3 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3bb1b521ee94c01f4df1d82dcc1171f4c2328961", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/.env", "request_line": "GET \/internal\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3269.3 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/.env", "request_line": "GET \/internal\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3269.3 Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/.env", "evidence_snippet": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_internal", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /admin/.env	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /admin/.env UA Mozilla/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit/537.36… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /admin/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /admin/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) ET Magento admin ES admin GET ActiveMQ console Ligne de requête `GET /admin/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /admin/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit/537.36 (KH Requête brute (extrait) GET /admin/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "8bff162a752372bdcb7eab1d001746f716362134", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "9bae73d08848be44521e9c4d49360c6e081f0fff", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.411981302780119, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.3, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 10, "anomaly_count": 0, "campaign_key": "570bed5d702b6b1a6014d74df97319c276485c6f", "event_fingerprint": "378cb3996ff6ba94c70f7d093281de281f99d350", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0854", "pat-0341", "pat-0606" ], "matched_pattern_names": [ "ET Magento admin", "ES admin GET", "ActiveMQ console" ], "pattern_ids": [ "pat-0854", "pat-0341", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "26dbf1c1d48c70e0f4c80a23088b98fc", "payload_hash": "03c460e68f8d2363c89972fe59412182", "path_pattern_hash": "36de7f489df887c3e31f5a951469f711" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/admin\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/.env HTTP\/1.1", "request_sample": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/admin\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/.env HTTP\/1.1", "request_sample": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (KH", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ad7d2828347fff565c16b080546d15c75778ab6e", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/.env", "request_line": "GET \/admin\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (KH", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/.env", "request_line": "GET \/admin\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env", "evidence_snippet": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935U) AppleWebKit\/537.36 (KH", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_admin_panel_probe", "http_admin_panel_scan", "http_backup_file_scan", "http_probe_admin", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /internal/.env.production	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /internal/.env.production UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /internal/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /internal/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /internal/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /internal/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) Apple Requête brute (extrait) GET /internal/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "3df4c8180ffcf5965502bca3b82e103e876f7c20", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "d290e289983be8731f71ebf018001c11bad4ee88", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.373891513560576, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 8, "anomaly_count": 0, "campaign_key": "57dceceacd0e72060f29c4328f05836417d8a84e", "event_fingerprint": "a7564de3f3cafa996c56192036f19d8d315eb9ef", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3be1a84eefbef370a455ffb3722e0bc6", "payload_hash": "eb60c26bccfc6cdd7bd61c1db9184c9a", "path_pattern_hash": "82c27c01e593b4c327a9fce0421e0d53" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) Apple", "method": "GET", "path": "\/internal\/.env.production", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/internal\/.env.production HTTP\/1.1", "request_sample": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) Apple", "evidence": { "method": "GET", "path": "\/internal\/.env.production", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/internal\/.env.production HTTP\/1.1", "request_sample": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) Apple", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a9e886e2cd95019882f04c07d56f6c4785a3569", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/.env.production", "request_line": "GET \/internal\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) Apple", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/.env.production", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/.env.production", "request_line": "GET \/internal\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/.env.production", "evidence_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) Apple", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_internal", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /src/.env.backup	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /src/.env.backup UA Mozilla/5.0 (Linux; Android 9; CLT-L29 Build/HUAWEICLT-L29) App… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /src/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /src/.env.backup Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /src/.env.backup HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; CLT-L29 Build/HUAWEICLT-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36 OPR/48.1.2331.132804 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /src/.env.backup HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-L29 Build/HUAWEICLT-L29) Ap Requête brute (extrait) GET /src/.env.backup HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-L29 Build/HUAWEICLT-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36 OPR/48.1.2331.132804 Accept-Charset: utf-8 Acce Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "455571380d7a0070523283b3a5b2af470fc33d01", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "e2c1e948277f8c3df734e217f074ce4258c3cbfa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 296, "payload_entropy": 5.526295257218627, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "be6a3ff0ba64ddf9572904254ef508e6d2f0921b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f7eba6333e178e4dc521e739a5b83fac", "payload_hash": "453e3f653c834a2bc3c455cd7f967657", "path_pattern_hash": "c8b12b4b569bce0b37c2e64eafb947f3" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/src\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29 Build\/HUAWEICLT-L29) Ap", "method": "GET", "path": "\/src\/.env.backup", "user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-L29 Build\/HUAWEICLT-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Mobile Safari\/537.36 OPR\/48.1.2331.132804", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/src\/.env.backup HTTP\/1.1", "request_sample": "GET \/src\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29 Build\/HUAWEICLT-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Mobile Safari\/537.36 OPR\/48.1.2331.132804\r\nAccept-Charset: utf-8\r\nAcce", "payload_snippet": "GET \/src\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29 Build\/HUAWEICLT-L29) Ap", "evidence": { "method": "GET", "path": "\/src\/.env.backup", "user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-L29 Build\/HUAWEICLT-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Mobile Safari\/537.36 OPR\/48.1.2331.132804", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/src\/.env.backup HTTP\/1.1", "request_sample": "GET \/src\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29 Build\/HUAWEICLT-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Mobile Safari\/537.36 OPR\/48.1.2331.132804\r\nAccept-Charset: utf-8\r\nAcce", "payload_snippet": "GET \/src\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29 Build\/HUAWEICLT-L29) Ap", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "91f5b532758171ca0df9f66ddfc0b2cd7467b7b9", "protocol_details": { "http_method": "GET", "http_path": "\/src\/.env.backup", "request_line": "GET \/src\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-L29 Build\/HUAWEICLT-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/src\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29 Build\/HUAWEICLT-L29) Ap", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.env.backup", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/src\/.env.backup", "request_line": "GET \/src\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-L29 Build\/HUAWEICLT-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.env.backup", "evidence_snippet": "GET \/src\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29 Build\/HUAWEICLT-L29) Ap", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /src/.env.production	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /src/.env.production UA Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /src/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /src/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /src/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /src/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit Requête brute (extrait) GET /src/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "e49a7439cebcce6d5c439cd6c1205938e7083445", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "599f2d9bd6aa582bb5354e432e5e7dbc94c61beb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 266, "payload_entropy": 5.388386850654811, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "84f823be21003067efbc30335cfa60bd7e314172", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "832ba0aa154c0b81d15744476e356ea3", "payload_hash": "a8abbf26c7c1f8983a4fd6b9aa22e73b", "path_pattern_hash": "e052e9698e07c6e60c0f023221efaf20" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit", "method": "GET", "path": "\/src\/.env.production", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) Version\/8.0 Mobile\/12H321 Safari\/600.1.4", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/src\/.env.production HTTP\/1.1", "request_sample": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) Version\/8.0 Mobile\/12H321 Safari\/600.1.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit", "evidence": { "method": "GET", "path": "\/src\/.env.production", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) Version\/8.0 Mobile\/12H321 Safari\/600.1.4", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/src\/.env.production HTTP\/1.1", "request_sample": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) Version\/8.0 Mobile\/12H321 Safari\/600.1.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bd0736d942ae612e65e5e55afc0e1ecdd894e715", "protocol_details": { "http_method": "GET", "http_path": "\/src\/.env.production", "request_line": "GET \/src\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) Version\/8.0 Mobile\/12H321 Safari\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.env.production", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/src\/.env.production", "request_line": "GET \/src\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) Version\/8.0 Mobile\/12H321 Safari\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.env.production", "evidence_snippet": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /admin/api/.env	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /admin/api/.env UA BlackBerry9700/5.0.0.351 Profile/MIDP-2.1 Configuration/CLDC-1.… Émulateur HTTP WAF 20 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 950514:leak-1 http_admin_panel_probe Cible HTTP GET /admin/api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /admin/api/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) ET Magento admin ES admin GET ActiveMQ console Ligne de requête `GET /admin/api/.env HTTP/1.1` User-Agent BlackBerry9700/5.0.0.351 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/123 Règles WAF nosqli-3 leak-1 Payload (extrait) GET /admin/api/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: BlackBerry9700/5.0.0.351 Profile/MIDP-2.1 Configuration/CLDC-1. Requête brute (extrait) GET /admin/api/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: BlackBerry9700/5.0.0.351 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/123 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "5213a3dee29390f1601bf050812aaa2f5e3e3acd", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "457eece9ef431f7c5ef47fc5eabd74481382950d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 211, "payload_entropy": 5.288775130688054, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 88, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.3, "risk_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 9, "anomaly_count": 0, "campaign_key": "4170e0a58e6cef661f98595d5f2f95fd60243558", "event_fingerprint": "df059d52c2fc8acd43c7a230d89a4c4fc859957a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0854", "pat-0341", "pat-0606" ], "matched_pattern_names": [ "ET Magento admin", "ES admin GET", "ActiveMQ console" ], "pattern_ids": [ "pat-0854", "pat-0341", "pat-0606" ], "confidence_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "946329703707544255caca1836803207", "payload_hash": "6b1696ac4d94eb05d8d5536f6f8c31a2", "path_pattern_hash": "eb0b318a7b8e99b7782318c2869ecac1" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: BlackBerry9700\/5.0.0.351 Profile\/MIDP-2.1 Configuration\/CLDC-1.", "method": "GET", "path": "\/admin\/api\/.env", "user_agent": "BlackBerry9700\/5.0.0.351 Profile\/MIDP-2.1 Configuration\/CLDC-1.1 VendorID\/123", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/api\/.env HTTP\/1.1", "request_sample": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: BlackBerry9700\/5.0.0.351 Profile\/MIDP-2.1 Configuration\/CLDC-1.1 VendorID\/123\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: BlackBerry9700\/5.0.0.351 Profile\/MIDP-2.1 Configuration\/CLDC-1.", "evidence": { "method": "GET", "path": "\/admin\/api\/.env", "user_agent": "BlackBerry9700\/5.0.0.351 Profile\/MIDP-2.1 Configuration\/CLDC-1.1 VendorID\/123", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/api\/.env HTTP\/1.1", "request_sample": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: BlackBerry9700\/5.0.0.351 Profile\/MIDP-2.1 Configuration\/CLDC-1.1 VendorID\/123\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: BlackBerry9700\/5.0.0.351 Profile\/MIDP-2.1 Configuration\/CLDC-1.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aefe5672db8cfbab8c56a7f55de304469e186cee", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/api\/.env", "request_line": "GET \/admin\/api\/.env HTTP\/1.1", "http_user_agent": "BlackBerry9700\/5.0.0.351 Profile\/MIDP-2.1 Configuration\/CLDC-1.1 VendorID\/123", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: BlackBerry9700\/5.0.0.351 Profile\/MIDP-2.1 Configuration\/CLDC-1.", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/api\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/api\/.env", "request_line": "GET \/admin\/api\/.env HTTP\/1.1", "http_user_agent": "BlackBerry9700\/5.0.0.351 Profile\/MIDP-2.1 Configuration\/CLDC-1.1 VendorID\/123", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/api\/.env", "evidence_snippet": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: BlackBerry9700\/5.0.0.351 Profile\/MIDP-2.1 Configuration\/CLDC-1.", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_admin_panel_probe", "http_admin_panel_scan", "http_backup_file_scan", "http_probe_admin", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /frontend/.env.dev	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /frontend/.env.dev UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /frontend/.env.dev TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /frontend/.env.dev Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /frontend/.env.dev HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /frontend/.env.dev HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /frontend/.env.dev HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "dev", "http_ua_hash": "4e6c05989d2ca84ac2660b4faca5a241d97ecc17", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "c038a771c7c9859031021bfbc55da91693d8463c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.451282312373215, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "b6edd27e5a60f726036f143e45ed156c53fad9b9", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2387428a1cf084142d93ceb87d13a00a", "payload_hash": "dd3f938c2fd1905b83ff8e7bb40630de", "path_pattern_hash": "0210417b51ca7f1ff86d34574422463e" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/frontend\/.env.dev", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.1889.174", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env.dev HTTP\/1.1", "request_sample": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.1889.174\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/frontend\/.env.dev", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.1889.174", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/frontend\/.env.dev HTTP\/1.1", "request_sample": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.1889.174\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4eadf263ac0133cbe423a699e34bb74bcfd8f708", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env.dev", "request_line": "GET \/frontend\/.env.dev HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.dev", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/frontend\/.env.dev", "request_line": "GET \/frontend\/.env.dev HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.dev", "evidence_snippet": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /admin/.env.backup	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /admin/.env.backup UA WebZIP/3.5 (http://www.spidersoft.com) Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /admin/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /admin/.env.backup Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « ssrf-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass ET Magento admin ES admin GET ActiveMQ console Ligne de requête `GET /admin/.env.backup HTTP/1.1` User-Agent WebZIP/3.5 (http://www.spidersoft.com) Règles WAF ssrf-3 nosqli-3 leak-1 Payload (extrait) GET /admin/.env.backup HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: WebZIP/3.5 (http://www.spidersoft.com) Accept-Charset: utf- Requête brute (extrait) GET /admin/.env.backup HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: WebZIP/3.5 (http://www.spidersoft.com) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "4fe070a60e2fafa077e38d0315547db4cd073da7", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "32e03e003a51f542f710beeac8e15f008c3f65ad", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 175, "payload_entropy": 5.243889881854913, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.3, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 10, "anomaly_count": 0, "campaign_key": "cbaf0dc42f1313c923a2a378225f8af53afd3f76", "event_fingerprint": "dfb12482a76d3997a66ad841e6435a7b3a915e9a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103", "pat-0854", "pat-0341", "pat-0606" ], "matched_pattern_names": [ "LFI Double-dot bypass", "ET Magento admin", "ES admin GET", "ActiveMQ console" ], "pattern_ids": [ "pat-0103", "pat-0854", "pat-0341", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f5a3d164aca738f351bde606467db9ab", "payload_hash": "1dec365158a60f58c92fd8e85cfb3226", "path_pattern_hash": "9967aebe85bc5150552d43732fce77c0" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: WebZIP\/3.5 (http:\/\/www.spidersoft.com)\r\nAccept-Charset: utf-", "method": "GET", "path": "\/admin\/.env.backup", "user_agent": "WebZIP\/3.5 (http:\/\/www.spidersoft.com)", "waf_tags": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/.env.backup HTTP\/1.1", "request_sample": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: WebZIP\/3.5 (http:\/\/www.spidersoft.com)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: WebZIP\/3.5 (http:\/\/www.spidersoft.com)\r\nAccept-Charset: utf-", "evidence": { "method": "GET", "path": "\/admin\/.env.backup", "user_agent": "WebZIP\/3.5 (http:\/\/www.spidersoft.com)", "waf_tags": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/.env.backup HTTP\/1.1", "request_sample": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: WebZIP\/3.5 (http:\/\/www.spidersoft.com)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: WebZIP\/3.5 (http:\/\/www.spidersoft.com)\r\nAccept-Charset: utf-", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e1ced4860911cbf6864bdefbc8d1ee7be842711a", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/.env.backup", "request_line": "GET \/admin\/.env.backup HTTP\/1.1", "http_user_agent": "WebZIP\/3.5 (http:\/\/www.spidersoft.com)", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: WebZIP\/3.5 (http:\/\/www.spidersoft.com)\r\nAccept-Charset: utf-", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env.backup", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/.env.backup", "request_line": "GET \/admin\/.env.backup HTTP\/1.1", "http_user_agent": "WebZIP\/3.5 (http:\/\/www.spidersoft.com)", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env.backup", "evidence_snippet": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: WebZIP\/3.5 (http:\/\/www.spidersoft.com)\r\nAccept-Charset: utf-", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_admin_panel_probe", "http_admin_panel_scan", "http_backup_file_scan", "http_probe_admin", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /services/.env.production	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /services/.env.production UA Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit/537.3… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /services/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /services/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /services/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWe Requête brute (extrait) GET /services/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "84c75482fdef0a4798619e9b7d389fd65ba79acd", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "7ad14949ad0b183b675db2d36d2d5b72ec09f204", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 270, "payload_entropy": 5.423186161605249, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "9f3f24f59ec9c9a9a4bcb4eeb820c12e9b2deb52", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3dd2d5718cccb3969b1019b3f0860581", "payload_hash": "eef8f973f706c93aa4c9fd222c428171", "path_pattern_hash": "211e3ccc5c91dea183ab66efa73c6a45" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWe", "method": "GET", "path": "\/services\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/.env.production HTTP\/1.1", "request_sample": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWe", "evidence": { "method": "GET", "path": "\/services\/.env.production", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/.env.production HTTP\/1.1", "request_sample": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWe", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5d4a035321bd7c99bdbb5c7b3727ca3482971b14", "protocol_details": { "http_method": "GET", "http_path": "\/services\/.env.production", "request_line": "GET \/services\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWe", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/.env.production", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/.env.production", "request_line": "GET \/services\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/.env.production", "evidence_snippet": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWe", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /admin/.env.local	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /admin/.env.local UA Mozilla/5.0 (Linux; Android 9; Mi A1) AppleWebKit/537.36 (KHTML… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /admin/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /admin/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 71 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) ET Magento admin ES admin GET ActiveMQ console Ligne de requête `GET /admin/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Mi A1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /admin/.env.local HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; Mi A1) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /admin/.env.local HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 9; Mi A1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "b20899154b391ba904a4790d442037e0400efd45", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "5104f09772fa402efdc8eb0bc2114ecf6407730d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.369545595521339, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.3, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 10, "anomaly_count": 0, "campaign_key": "570bed5d702b6b1a6014d74df97319c276485c6f", "event_fingerprint": "8ac40bc2dd5992e1caf7fe5fa90f9304274fcf56", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0854", "pat-0341", "pat-0606" ], "matched_pattern_names": [ "ET Magento admin", "ES admin GET", "ActiveMQ console" ], "pattern_ids": [ "pat-0854", "pat-0341", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "763c6a8b87f2aa1f3b73ef64d956b516", "payload_hash": "86e2204cbd02fa9ec3db006adbed269c", "path_pattern_hash": "8b44c48d7af23ff178b0954ed1a8265f" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A1) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/admin\/.env.local", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Mi A1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/.env.local HTTP\/1.1", "request_sample": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A1) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/admin\/.env.local", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Mi A1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/admin\/.env.local HTTP\/1.1", "request_sample": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A1) AppleWebKit\/537.36 (KHT", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "35daec772c16fbac947d45c8578bf9d9872db5ec", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/.env.local", "request_line": "GET \/admin\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Mi A1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A1) AppleWebKit\/537.36 (KHT", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env.local", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/.env.local", "request_line": "GET \/admin\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Mi A1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env.local", "evidence_snippet": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A1) AppleWebKit\/537.36 (KHT", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_admin_panel_probe", "http_admin_panel_scan", "http_backup_file_scan", "http_probe_admin", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /services/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /services/.env UA Mozilla/5.0 (Linux; Android 8.0.0; moto e5 cruise Build/OCPS27.… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /services/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /services/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; moto e5 cruise Build/OCPS27.91-157-12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.91 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /services/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; moto e5 cruise Build/OCPS27.9 Requête brute (extrait) GET /services/.env HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; moto e5 cruise Build/OCPS27.91-157-12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.91 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encodin Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "ca35d74e05796f7988a94ed1338cd6588e2cb254", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "0438360fe7a9b359faf44a16aed4ce35cf36b045", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 286, "payload_entropy": 5.4320794631639435, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "747f419345c23f099f46ad1c7cbc9c911c9152a8", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8ba5c6515cf00a95c13450ef1541a010", "payload_hash": "740f474a8b78193fefb9cefad6aba65c", "path_pattern_hash": "992024052ce1ab31c9bd1890c9e7f02b" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 cruise Build\/OCPS27.9", "method": "GET", "path": "\/services\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 cruise Build\/OCPS27.91-157-12) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.91 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/.env HTTP\/1.1", "request_sample": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 cruise Build\/OCPS27.91-157-12) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.91 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encodin", "payload_snippet": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 cruise Build\/OCPS27.9", "evidence": { "method": "GET", "path": "\/services\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 cruise Build\/OCPS27.91-157-12) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.91 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/services\/.env HTTP\/1.1", "request_sample": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 cruise Build\/OCPS27.91-157-12) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.91 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encodin", "payload_snippet": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 cruise Build\/OCPS27.9", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "143e210666846fb0096b3f15b15d7aa996b74e45", "protocol_details": { "http_method": "GET", "http_path": "\/services\/.env", "request_line": "GET \/services\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 cruise Build\/OCPS27.91-157-12) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 cruise Build\/OCPS27.9", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/.env", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/.env", "request_line": "GET \/services\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 cruise Build\/OCPS27.91-157-12) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/.env", "evidence_snippet": "GET \/services\/.env HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 cruise Build\/OCPS27.9", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:17 UTC	TCP	7002 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7002 · (tentative d'exploit) · → /server/.env.production	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /server/.env.production UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /server/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7002 Chemin / cible /server/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /server/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWe Requête brute (extrait) GET /server/.env.production HTTP/1.1 Host: 62.3.50.33:7002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "de40d70ce65eb7b23cecd78aab90c218214b034d", "http_host_hash": "c00ce26d3a5e014e932dd8f3e8d22128e1d85fff", "http_target_hash": "c5a8bf9f86075206f2cab5a2cf1a94aed3e22719", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.391017111291004, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 7, "anomaly_count": 0, "campaign_key": "075b88e2058be8ac498c38c8e6c9f699ddfa9fc5", "event_fingerprint": "f8218d3d113fa561529f407ae81f5c10496042a4", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fd357f1c7f6c115cfc51a0aee2a37e5a", "payload_hash": "a05eda96a0dc84fcd912d23af0349f37", "path_pattern_hash": "a00e13282480bcd571abdd94022996e0" }, "target_context": { "dst_port": 7002, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWe", "method": "GET", "path": "\/server\/.env.production", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/server\/.env.production HTTP\/1.1", "request_sample": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWe", "evidence": { "method": "GET", "path": "\/server\/.env.production", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/server\/.env.production HTTP\/1.1", "request_sample": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWe", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1d031c591a184a9784864167977740c269b8b136", "protocol_details": { "http_method": "GET", "http_path": "\/server\/.env.production", "request_line": "GET \/server\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWe", "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/.env.production", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/.env.production", "request_line": "GET \/server\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 7002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/.env.production", "evidence_snippet": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:7002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWe", "target_port_label": "7002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "weblogic-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:56:16 UTC	TCP	7002 · WEBLOGIC SSL	weblogic-ssl	Sonde PostgreSQL postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC-SSL WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7002 Chemin / cible — Service WEBLOGIC SSL Payload ��0� X�/T�v@��6ӱ�� n@L��m `ࢦ&Y�d<��Al2 {��u�,��,�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��0� X�/T�v@��6ӱ�� n@L��m `ࢦ&Y�d<��Al2{��u�,��,�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��0� X�/T�v@��6ӱ�� n@L��m `ࢦ&Y�d<��Al2 {��u�,��,�&�+�/�,�0̨̩� �� /5� w �+3&$ �%�::�ax��W�<1�`W��=��t�s+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.814173447068637, "port_category": "registered", "org": "Google LLC", "service": "weblogic-ssl", "app_proto": "weblogic-ssl", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57", "event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "weblogic-ssl", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4626850cdcee183d6fe54ad81aeb7713", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7002, "service": "weblogic-ssl", "service_name": "weblogic-ssl", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0\ufffd X\ufffd\/T\ufffdv@\ufffd\ufffd\ufffd6\u04f1\ufffd\u0017\u0015\ufffd\u000b\ufffd\r\ufffd\ufffdn@L\ufffd\ufffdm `\u0002\u0016\u08a6&Y\ufffdd<\u0017\ufffd\ufffd\u001a\ufffdAl2\u000b{\ufffd\ufffd\ufffdu\ufffd,\ufffd\u001b\ufffd,\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0\ufffd X\ufffd\/T\ufffdv@\ufffd\ufffd\ufffd6\u04f1\ufffd\u0017\u0015\ufffd\u000b\ufffd\r\ufffd\ufffdn@L\ufffd\ufffdm `\u0002\u0016\u08a6&Y\ufffdd<\u0017\ufffd\ufffd\u001a\ufffdAl2\u000b{\ufffd\ufffd\ufffdu\ufffd,\ufffd\u001b\ufffd,\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd%\ufffd::\ufffdax\ufffd\ufffdW\ufffd\u0000<1\ufffd`W\ufffd\ufffd=\ufffd\u0015\ufffd\b\ufffdt\ufffds+\u0012", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0\ufffd X\ufffd\/T\ufffdv@\ufffd\ufffd\ufffd6\u04f1\ufffd\u0017\u0015\ufffd\u000b\ufffd\r\ufffd\ufffdn@L\ufffd\ufffdm `\u0002\u0016\u08a6&Y\ufffdd<\u0017\ufffd\ufffd\u001a\ufffdAl2\u000b{\ufffd\ufffd\ufffdu\ufffd,\ufffd\u001b\ufffd,\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b158b6fce2c5783eeb70b90873db90b80645e2a1", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0\ufffd X\ufffd\/T\ufffdv@\ufffd\ufffd\ufffd6\u04f1\ufffd\u0017\u0015\ufffd\u000b\ufffd\r\ufffd\ufffdn@L\ufffd\ufffdm `\u0002\u0016\u08a6&Y\ufffdd<\u0017\ufffd\ufffd\u001a\ufffdAl2\u000b{\ufffd\ufffd\ufffdu\ufffd,\ufffd\u001b\ufffd,\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7002, "service": "weblogic-ssl", "service_label_fr": "WEBLOGIC SSL" }, "evidence_snippet": "\ufffd\ufffd\ufffd0\ufffd X\ufffd\/T\ufffdv@\ufffd\ufffd\ufffd6\u04f1\ufffd\ufffd\ufffd\r\ufffd\ufffdn@L\ufffd\ufffdm `\u08a6&Y\ufffdd<\ufffd\ufffd\ufffdAl2{\ufffd\ufffd\ufffdu\ufffd,\ufffd\ufffd,\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)", "target_port_label": "7002 \u00b7 WEBLOGIC SSL", "emulator_service": "weblogic-ssl", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "weblogic-ssl", "service_label_fr": "WEBLOGIC SSL", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic-ssl", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0\ufffd X\ufffd\/T\ufffdv@\ufffd\ufffd\ufffd6\u04f1\ufffd\u0017\u0015\ufffd\u000b\ufffd\r\ufffd\ufffdn@L\ufffd\ufffdm `\u0002\u0016\u08a6&Y\ufffdd<\u0017\ufffd\ufffd\u001a\ufffdAl2\u000b{\ufffd\ufffd\ufffdu\ufffd,\ufffd\u001b\ufffd,\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7002, "service": "weblogic-ssl", "service_label_fr": "WEBLOGIC SSL" }, "attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd0\ufffd X\ufffd\/T\ufffdv@\ufffd\ufffd\ufffd6\u04f1\ufffd\ufffd\ufffd\r\ufffd\ufffdn@L\ufffd\ufffdm `\u08a6&Y\ufffdd<\ufffd\ufffd\ufffdAl2{\ufffd\ufffd\ufffdu\ufffd,\ufffd\ufffd,\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7002 \u00b7 WEBLOGIC SSL", "emulator_service": "weblogic-ssl", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic_ssl", "service_banner": "honeypot-weblogic-ssl", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:56:16 UTC	TCP	7002 · WEBLOGIC SSL	weblogic-ssl	Sonde PostgreSQL postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC-SSL WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7002 Chemin / cible — Service WEBLOGIC SSL Payload ��\D�M1{�ab��9��c�׆Df� '�7 ��3<k�]g�w��}ͽE9�JաSxW�t]0��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��\D�M1{�ab��9��c�׆Df� '�7 ��3<k�]g�w��}ͽE9�JաSxW�t]0��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��\D�M1{�ab��9��c�׆Df� '�7 ��3<k�]g�w��}ͽE9�JաSxW�t]0��&�+�/�,�0̨̩� �� /5� w �+3&$ �i� �Tĥ��x�:-�� ka�s��U�J� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.816159456296111, "port_category": "registered", "org": "Google LLC", "service": "weblogic-ssl", "app_proto": "weblogic-ssl", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57", "event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "weblogic-ssl", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "42d1bc7360b4691c29f569a4d96ef1ba", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7002, "service": "weblogic-ssl", "service_name": "weblogic-ssl", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\\D\ufffd\u0012M1\u0002{\ufffdab\ufffd\ufffd\u0002\ufffd\u0017\ufffd9\ufffd\ufffdc\ufffd\u05c6Df\ufffd \u0016'\ufffd7 \ufffd\ufffd3<k\ufffd]g\ufffdw\u001a\u0003\ufffd\ufffd}\u037dE9\ufffdJ\u0561SxW\ufffdt]0\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\\D\ufffd\u0012M1\u0002{\ufffdab\ufffd\ufffd\u0002\ufffd\u0017\ufffd9\ufffd\ufffdc\ufffd\u05c6Df\ufffd \u0016'\ufffd7 \ufffd\ufffd3<k\ufffd]g\ufffdw\u001a\u0003\ufffd\ufffd}\u037dE9\ufffdJ\u0561SxW\ufffdt]0\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdi\ufffd\n\ufffdT\u0125\ufffd\ufffd\ufffdx\ufffd:-\ufffd\ufffd\ufffd ka\ufffds\ufffd\ufffd\ufffdU\ufffdJ\ufffd\u0001", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\\D\ufffd\u0012M1\u0002{\ufffdab\ufffd\ufffd\u0002\ufffd\u0017\ufffd9\ufffd\ufffdc\ufffd\u05c6Df\ufffd \u0016'\ufffd7 \ufffd\ufffd3<k\ufffd]g\ufffdw\u001a\u0003\ufffd\ufffd}\u037dE9\ufffdJ\u0561SxW\ufffdt]0\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d37600417ff4fb7cf60afc43531a2a87b1c1e3a6", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\\D\ufffd\u0012M1\u0002{\ufffdab\ufffd\ufffd\u0002\ufffd\u0017\ufffd9\ufffd\ufffdc\ufffd\u05c6Df\ufffd \u0016'\ufffd7 \ufffd\ufffd3<k\ufffd]g\ufffdw\u001a\u0003\ufffd\ufffd}\u037dE9\ufffdJ\u0561SxW\ufffdt]0\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7002, "service": "weblogic-ssl", "service_label_fr": "WEBLOGIC SSL" }, "evidence_snippet": "\ufffd\ufffd\\D\ufffdM1{\ufffdab\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffdc\ufffd\u05c6Df\ufffd '\ufffd7 \ufffd\ufffd3<k\ufffd]g\ufffdw\ufffd\ufffd}\u037dE9\ufffdJ\u0561SxW\ufffdt]0\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)", "target_port_label": "7002 \u00b7 WEBLOGIC SSL", "emulator_service": "weblogic-ssl", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "weblogic-ssl", "service_label_fr": "WEBLOGIC SSL", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic-ssl", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\\D\ufffd\u0012M1\u0002{\ufffdab\ufffd\ufffd\u0002\ufffd\u0017\ufffd9\ufffd\ufffdc\ufffd\u05c6Df\ufffd \u0016'\ufffd7 \ufffd\ufffd3<k\ufffd]g\ufffdw\u001a\u0003\ufffd\ufffd}\u037dE9\ufffdJ\u0561SxW\ufffdt]0\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7002, "service": "weblogic-ssl", "service_label_fr": "WEBLOGIC SSL" }, "attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\\D\ufffdM1{\ufffdab\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffdc\ufffd\u05c6Df\ufffd '\ufffd7 \ufffd\ufffd3<k\ufffd]g\ufffdw\ufffd\ufffd}\u037dE9\ufffdJ\u0561SxW\ufffdt]0\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7002 \u00b7 WEBLOGIC SSL", "emulator_service": "weblogic-ssl", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic_ssl", "service_banner": "honeypot-weblogic-ssl", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:56:16 UTC	TCP	7002 · WEBLOGIC SSL	weblogic-ssl	Sonde PostgreSQL postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC-SSL WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7002 Chemin / cible — Service WEBLOGIC SSL Payload ����t�;�_G_�j"G8�I�� g!��SM�u c$hU%�ߊ�� 5��+O�:�2��5ݝ�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ����t�;�_G_�j"G8�I�� g!��SM�u c$hU%�ߊ�� 5��+O�:�2��5ݝ�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ����t�;�_G_�j"G8�I�� g!��SM�u c$hU%�ߊ�� 5��+O�:�2��5ݝ�&�+�/�,�0̨̩� �� /5� w �+3&$ �z��7g��y��T^��3��x�~ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.840110161742585, "port_category": "registered", "org": "Google LLC", "service": "weblogic-ssl", "app_proto": "weblogic-ssl", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57", "event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "weblogic-ssl", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a9a7a63aa9e2ee73b09dc160ba3c1234", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7002, "service": "weblogic-ssl", "service_name": "weblogic-ssl", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdt\ufffd;\ufffd\u0015_\u000fG_\ufffdj\"G8\ufffdI\ufffd\ufffd\tg!\ufffd\ufffd\ufffdSM\ufffdu \u0007c$h\u0004U%\ufffd\u07ca\ufffd\ufffd\ufffd\n\u00005\ufffd\ufffd+O\ufffd:\ufffd\u001e2\ufffd\ufffd\u001e5\u075d\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdt\ufffd;\ufffd\u0015_\u000fG_\ufffdj\"G8\ufffdI\ufffd\ufffd\tg!\ufffd\ufffd\ufffdSM\ufffdu \u0007c$h\u0004U%\ufffd\u07ca\ufffd\ufffd\ufffd\n\u00005\ufffd\ufffd+O\ufffd:\ufffd\u001e2\ufffd\ufffd\u001e5\u075d\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdz\ufffd\ufffd\u0010\ufffd7\u0000g\ufffd\ufffd\u0012y\ufffd\ufffd\ufffdT^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd3\ufffd\ufffd\u000e\ufffdx\ufffd~", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdt\ufffd;\ufffd\u0015_\u000fG_\ufffdj\"G8\ufffdI\ufffd\ufffd\tg!\ufffd\ufffd\ufffdSM\ufffdu \u0007c$h\u0004U%\ufffd\u07ca\ufffd\ufffd\ufffd\n\u00005\ufffd\ufffd+O\ufffd:\ufffd\u001e2\ufffd\ufffd\u001e5\u075d\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "36845a6627d6b2ca513c52972bbfa878bdbf75e0", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdt\ufffd;\ufffd\u0015_\u000fG_\ufffdj\"G8\ufffdI\ufffd\ufffd\tg!\ufffd\ufffd\ufffdSM\ufffdu \u0007c$h\u0004U%\ufffd\u07ca\ufffd\ufffd\ufffd\n\u00005\ufffd\ufffd+O\ufffd:\ufffd\u001e2\ufffd\ufffd\u001e5\u075d\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7002, "service": "weblogic-ssl", "service_label_fr": "WEBLOGIC SSL" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdt\ufffd;\ufffd_G_\ufffdj\"G8\ufffdI\ufffd\ufffd\tg!\ufffd\ufffd\ufffdSM\ufffdu c$hU%\ufffd\u07ca\ufffd\ufffd\ufffd\n5\ufffd\ufffd+O\ufffd:\ufffd2\ufffd\ufffd5\u075d\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)", "target_port_label": "7002 \u00b7 WEBLOGIC SSL", "emulator_service": "weblogic-ssl", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "weblogic-ssl", "service_label_fr": "WEBLOGIC SSL", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic-ssl", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdt\ufffd;\ufffd\u0015_\u000fG_\ufffdj\"G8\ufffdI\ufffd\ufffd\tg!\ufffd\ufffd\ufffdSM\ufffdu \u0007c$h\u0004U%\ufffd\u07ca\ufffd\ufffd\ufffd\n\u00005\ufffd\ufffd+O\ufffd:\ufffd\u001e2\ufffd\ufffd\u001e5\u075d\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7002, "service": "weblogic-ssl", "service_label_fr": "WEBLOGIC SSL" }, "attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd*\ufffd\ufffdt\ufffd;\ufffd_G_\ufffdj\"G8\ufffdI\ufffd\ufffd\tg!\ufffd\ufffd\ufffdSM\ufffdu c$hU%\ufffd\u07ca\ufffd\ufffd\ufffd\n5\ufffd\ufffd+O\ufffd:\ufffd2\ufffd\ufffd5\u075d\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7002 \u00b7 WEBLOGIC SSL", "emulator_service": "weblogic-ssl", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic_ssl", "service_banner": "honeypot-weblogic-ssl", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:56:16 UTC	TCP	7002 · WEBLOGIC SSL	weblogic-ssl	Sonde PostgreSQL postgres probe · via WEBLOGIC SSL:7002 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur WEBLOGIC-SSL WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7002 Chemin / cible — Service WEBLOGIC SSL Payload ��`�Z�H��1̎��Aj�h��<��KT �7�mY`��y�1�ή�� /��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��`�Z�H��1̎��Aj�h��<��KT �7�mY`��y�1�ή�� /��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��`�Z�H��1̎��Aj�h��<��KT �7�mY`��y�1�ή�� /��&�+�/�,�0̨̩� �� /5� w �+3&$ 4�V��ǧ?L��o�`[\�}5f�F��x�"S Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.8268928500735235, "port_category": "registered", "org": "Google LLC", "service": "weblogic-ssl", "app_proto": "weblogic-ssl", "asn": 396982, "country": "TW", "dst_port": 7002, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "768be4b9afd17e03b5590f7c4d566d3e2258ec57", "event_fingerprint": "093baabd306b0c56caa76a305bdcd4f0ffb23c03", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "weblogic-ssl", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6d17d5a596e00b3a15d44fb19166f607", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7002, "service": "weblogic-ssl", "service_name": "weblogic-ssl", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd`\u001e\ufffdZ\ufffdH\ufffd\ufffd1\u030e\ufffd\ufffdAj\ufffdh\ufffd\ufffd\ufffd\u0018\ufffd\ufffd\u0016\ufffd<\ufffd\ufffdK\u001fT \u000b\u0007\ufffd7\ufffd\u0007mY`\u0017\ufffd\ufffdy\u001a\ufffd1\ufffd\u03ae\ufffd\ufffd\t\ufffd\u0013\ufffd\/\u0018\ufffd\ufffd\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd`\u001e\ufffdZ\ufffdH\ufffd\ufffd1\u030e\ufffd\ufffdAj\ufffdh\ufffd\ufffd\ufffd\u0018\ufffd\ufffd\u0016\ufffd<\ufffd\ufffdK\u001fT \u000b\u0007\ufffd7\ufffd\u0007mY`\u0017\ufffd\ufffdy\u001a\ufffd1\ufffd\u03ae\ufffd\ufffd\t\ufffd\u0013\ufffd\/\u0018\ufffd\ufffd\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0017\u00124\ufffdV\ufffd\ufffd\u01e7?L\ufffd\ufffd\ufffdo\ufffd`[\u0005\\\ufffd}5f\ufffdF\ufffd\ufffdx\ufffd\"S", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd`\u001e\ufffdZ\ufffdH\ufffd\ufffd1\u030e\ufffd\ufffdAj\ufffdh\ufffd\ufffd\ufffd\u0018\ufffd\ufffd\u0016\ufffd<\ufffd\ufffdK\u001fT \u000b\u0007\ufffd7\ufffd\u0007mY`\u0017\ufffd\ufffdy\u001a\ufffd1\ufffd\u03ae\ufffd\ufffd\t\ufffd\u0013\ufffd\/\u0018\ufffd\ufffd\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1eae600f7c3056b87529742e68f380edf5109319", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd`\u001e\ufffdZ\ufffdH\ufffd\ufffd1\u030e\ufffd\ufffdAj\ufffdh\ufffd\ufffd\ufffd\u0018\ufffd\ufffd\u0016\ufffd<\ufffd\ufffdK\u001fT \u000b\u0007\ufffd7\ufffd\u0007mY`\u0017\ufffd\ufffdy\u001a\ufffd1\ufffd\u03ae\ufffd\ufffd\t\ufffd\u0013\ufffd\/\u0018\ufffd\ufffd\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7002, "service": "weblogic-ssl", "service_label_fr": "WEBLOGIC SSL" }, "evidence_snippet": "\ufffd\ufffd\ufffd`\ufffdZ\ufffdH\ufffd\ufffd1\u030e\ufffd\ufffdAj\ufffdh\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdKT \ufffd7\ufffdmY`\ufffd\ufffdy\ufffd1\ufffd\u03ae\ufffd\ufffd\t\ufffd\ufffd\/\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)", "target_port_label": "7002 \u00b7 WEBLOGIC SSL", "emulator_service": "weblogic-ssl", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "weblogic-ssl", "service_label_fr": "WEBLOGIC SSL", "dst_port": 7002, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic-ssl", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd`\u001e\ufffdZ\ufffdH\ufffd\ufffd1\u030e\ufffd\ufffdAj\ufffdh\ufffd\ufffd\ufffd\u0018\ufffd\ufffd\u0016\ufffd<\ufffd\ufffdK\u001fT \u000b\u0007\ufffd7\ufffd\u0007mY`\u0017\ufffd\ufffdy\u001a\ufffd1\ufffd\u03ae\ufffd\ufffd\t\ufffd\u0013\ufffd\/\u0018\ufffd\ufffd\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7002, "service": "weblogic-ssl", "service_label_fr": "WEBLOGIC SSL" }, "attack_vector": "postgres probe \u00b7 via WEBLOGIC SSL:7002 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd`\ufffdZ\ufffdH\ufffd\ufffd1\u030e\ufffd\ufffdAj\ufffdh\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdKT \ufffd7\ufffd*mY`\ufffd\ufffdy\ufffd1\ufffd\u03ae\ufffd\ufffd\t\ufffd\ufffd\/\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7002 \u00b7 WEBLOGIC SSL", "emulator_service": "weblogic-ssl", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic_ssl", "service_banner": "honeypot-weblogic-ssl", "service_os": "linux", "dst_port": "7002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }

35.201.190.156

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence