Méthode
—
Port
9022
Chemin / cible
—
Service
Sonde registre (Nexus/Artifactory)
Pourquoi cette classification : Type « docker_registry_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 24
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742072656769737472795f70726f626520726561647920706f72743d393032320d0a",
"emulator_response_len": 45,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "China Mobile communications corporation",
"service": "registry-probe",
"app_proto": "registry-probe",
"asn": 56044,
"country": "CN",
"dst_port": 9022,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 0.9,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 24,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "bc020e1be37d443650ab1c6a84d760c608c3b52a",
"event_fingerprint": "40a95196e7afd453ef4a7bfce342cfbe8d816115",
"classification_reason": "Type \u00ab docker_registry_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "registry-probe",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 56044,
"org": "China Mobile communications corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "2e1ea7d0b20faa2966920ecaa9240c22"
},
"target_context": {
"dst_port": 9022,
"service": "registry-probe",
"service_name": "registry-probe",
"risk_score": 24
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"cloud_infra_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4248089a087bc8df92a2764664378781cfb55afe",
"protocol_details": {
"port": 9022,
"service": "registry-probe",
"service_label_fr": "Sonde registre (Nexus\/Artifactory)"
},
"attack_vector": "docker registry probe \u00b7 via Sonde registre (Nexus\/Artifactory):9022 \u00b7 (sonde \/ probe)",
"target_port_label": "9022 \u00b7 Sonde registre (Nexus\/Artifactory)",
"emulator_service": "registry-probe",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab docker_registry_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab docker_registry_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 24
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 24,
"risk_label": "Faible",
"service_name": "registry-probe",
"service_label_fr": "Sonde registre (Nexus\/Artifactory)",
"dst_port": 9022,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-registry-probe",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 9022,
"service": "registry-probe",
"service_label_fr": "Sonde registre (Nexus\/Artifactory)"
},
"attack_vector": "docker registry probe \u00b7 via Sonde registre (Nexus\/Artifactory):9022 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "9022 \u00b7 Sonde registre (Nexus\/Artifactory)",
"emulator_service": "registry-probe",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "registry_probe",
"service_banner": "honeypot-registry-probe",
"service_os": "linux",
"dst_port": "9022"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_docker_registry_probe",
"registry_probe_emulated"
]
}
|
Méthode
—
Port
10022
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "China Mobile communications corporation",
"service": null,
"app_proto": null,
"asn": 56044,
"country": "CN",
"dst_port": 10022,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "f75205c1cc321c09bcf1cde6257745541d39a3d0",
"event_fingerprint": "b60f332155355ea1648ffbc31542dea9c131dafb",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 56044,
"org": "China Mobile communications corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 10022,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d37546d7a2b26a92fb05923512f33e11bcbdb0de",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "10022"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|