|
|
TCP |
2087 · CPANEL WHM
|
cpanel-whm
|
Sonde PostgreSQL
postgres probe · via CPANEL WHM:2087 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
CPANEL-WHM
WAF
—
Recommandation
Surveiller
Tags
cpanel_whm_emulated
cpanel_whm_payload
net_cpanel_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2087
Chemin / cible
—
Service
CPANEL WHM
Payload
�����������x�u���BUN�Y ���k�*b��o����F��Ƣ[ �?��`m{�����<��U��ڊf�P�O�]���`���+�/�,�0̨̩� ��� �����������_� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������x�u���BUN�Y
���k�*b��o����F��Ƣ[ �?��`m{�����<��U��ڊf�P�O�]���`���+�/�,�0̨̩� ���
�����������_�����������������
Requête brute (extrait)
�����������x�u���BUN�Y ���k�*b��o����F��Ƣ[ �?��`m{�����<��U��ڊf�P�O�]���`���+�/�,�0̨̩� ��� �����������_� ��������������������������� � � ����������� �����������������������������2�����������������������������+��������3���������� ����,ye���L����b#���?�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"bytes_in": 1483,
"payload_entropy": 7.7186894895390825,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "cpanel-whm",
"app_proto": "cpanel-whm",
"asn": 14061,
"country": "IN",
"dst_port": 2087,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "51584d32aeb6bcba72953119cc78a0e0836a8f64",
"event_fingerprint": "bd94c1be47794e5b05816ea1bc287e14296ba082",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "cpanel-whm",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "IN",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d7045bfb0aed196de669ec578441ae03",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 2087,
"service": "cpanel-whm",
"service_name": "cpanel-whm",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003x\ufffdu\u0014\ufffd\ufffdBUN\ufffdY\n\u001f\ufffd\ufffdk\u0004*b\ufffd\u0018o\ufffd\ufffd\ufffd\u0017F\ufffd\ufffd\u01a2[ \ufffd?\u0010\ufffd`m{\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdU\ufffd\ufffd\u068af\ufffdP\ufffdO\ufffd]\u001a\ufffd\ufffd`\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003x\ufffdu\u0014\ufffd\ufffdBUN\ufffdY\n\u001f\ufffd\ufffdk\u0004*b\ufffd\u0018o\ufffd\ufffd\ufffd\u0017F\ufffd\ufffd\u01a2[ \ufffd?\u0010\ufffd`m{\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdU\ufffd\ufffd\u068af\ufffdP\ufffdO\ufffd]\u001a\ufffd\ufffd`\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\u0004\r\ufffd\ufffd\ufffd\ufffd,ye\ufffd\ufffd\ufffdL\ufffd\u000f\ufffd\u000eb#\ufffd\ufffd\ufffd?\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003x\ufffdu\u0014\ufffd\ufffdBUN\ufffdY\n\u001f\ufffd\ufffdk\u0004*b\ufffd\u0018o\ufffd\ufffd\ufffd\u0017F\ufffd\ufffd\u01a2[ \ufffd?\u0010\ufffd`m{\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdU\ufffd\ufffd\u068af\ufffdP\ufffdO\ufffd]\u001a\ufffd\ufffd`\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "64135d5fd8c3d2cd0b5f50ac2b997b8750104e61",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003x\ufffdu\u0014\ufffd\ufffdBUN\ufffdY\n\u001f\ufffd\ufffdk\u0004*b\ufffd\u0018o\ufffd\ufffd\ufffd\u0017F\ufffd\ufffd\u01a2[ \ufffd?\u0010\ufffd`m{\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdU\ufffd\ufffd\u068af\ufffdP\ufffdO\ufffd]\u001a\ufffd\ufffd`\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 2087,
"service": "cpanel-whm",
"service_label_fr": "CPANEL WHM"
},
"evidence_snippet": "\ufffd\ufffdx\ufffdu\ufffd\ufffdBUN\ufffdY\n\ufffd\ufffdk*b\ufffdo\ufffd\ufffd\ufffdF\ufffd\ufffd\u01a2[ \ufffd?\ufffd`m{\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdU\ufffd\ufffd\u068af\ufffdP\ufffdO\ufffd]\ufffd\ufffd`\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"attack_vector": "postgres probe \u00b7 via CPANEL WHM:2087 \u00b7 (sonde \/ probe)",
"target_port_label": "2087 \u00b7 CPANEL WHM",
"emulator_service": "cpanel-whm",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "cpanel-whm",
"service_label_fr": "CPANEL WHM",
"dst_port": 2087,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel-whm",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003x\ufffdu\u0014\ufffd\ufffdBUN\ufffdY\n\u001f\ufffd\ufffdk\u0004*b\ufffd\u0018o\ufffd\ufffd\ufffd\u0017F\ufffd\ufffd\u01a2[ \ufffd?\u0010\ufffd`m{\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdU\ufffd\ufffd\u068af\ufffdP\ufffdO\ufffd]\u001a\ufffd\ufffd`\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 2087,
"service": "cpanel-whm",
"service_label_fr": "CPANEL WHM"
},
"attack_vector": "postgres probe \u00b7 via CPANEL WHM:2087 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdx\ufffdu\ufffd\ufffdBUN\ufffdY\n\ufffd\ufffdk*b\ufffdo\ufffd\ufffd\ufffdF\ufffd\ufffd\u01a2[ \ufffd?\ufffd`m{\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdU\ufffd\ufffd\u068af\ufffdP\ufffdO\ufffd]\ufffd\ufffd`\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"target_port_label": "2087 \u00b7 CPANEL WHM",
"emulator_service": "cpanel-whm",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel_whm",
"service_banner": "honeypot-cpanel-whm",
"service_os": "linux",
"dst_port": "2087"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_whm_emulated",
"cpanel_whm_payload",
"net_cpanel_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
2087 · CPANEL WHM
|
cpanel-whm
|
Sonde PostgreSQL
postgres probe · via CPANEL WHM:2087 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
CPANEL-WHM
WAF
—
Recommandation
Surveiller
Tags
cpanel_whm_emulated
cpanel_whm_payload
net_cpanel_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2087
Chemin / cible
—
Service
CPANEL WHM
Payload
��������������_N�Z�����c����W����i�\NV���� ������~�?�WM�y�Nia< _��|d���P���+�/�,�0̨̩� ��� �����������_� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������_N�Z�����c����W����i�\NV���� ������~�?�WM�y�Nia< _��|d���P���+�/�,�0̨̩� ���
�����������_�����������������
Requête brute (extrait)
��������������_N�Z�����c����W����i�\NV���� ������~�?�WM�y�Nia< _��|d���P���+�/�,�0̨̩� ��� �����������_� ��������������������������� � � ����������� �����������������������������2�����������������������������+��������3���������g��,)����֨�q\T6T���z1�$
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"bytes_in": 1483,
"payload_entropy": 7.7194215488932905,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "cpanel-whm",
"app_proto": "cpanel-whm",
"asn": 14061,
"country": "IN",
"dst_port": 2087,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "51584d32aeb6bcba72953119cc78a0e0836a8f64",
"event_fingerprint": "bd94c1be47794e5b05816ea1bc287e14296ba082",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "cpanel-whm",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "IN",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "66f3e7e6cb5ed88fcd1afa3c6ad0394c",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 2087,
"service": "cpanel-whm",
"service_name": "cpanel-whm",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd\u0018_N\ufffdZ\ufffd\ufffd\u0000\ufffd\ufffdc\u001a\u0010\u001e\ufffdW\ufffd\ufffd\u0013\ufffdi\u0000\\NV\ufffd\u0016\u0018\ufffd \ufffd\ufffd\ufffd\u242b\ufffd\ufffd\u001b~\ufffd?\ufffdWM\ufffdy\ufffdNia<\t_\ufffd\ufffd|d\ufffd\u0010\ufffdP\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd\u0018_N\ufffdZ\ufffd\ufffd\u0000\ufffd\ufffdc\u001a\u0010\u001e\ufffdW\ufffd\ufffd\u0013\ufffdi\u0000\\NV\ufffd\u0016\u0018\ufffd \ufffd\ufffd\ufffd\u242b\ufffd\ufffd\u001b~\ufffd?\ufffdWM\ufffdy\ufffdNia<\t_\ufffd\ufffd|d\ufffd\u0010\ufffdP\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffdg\ufffd\ufffd,)\ufffd\ufffd\ufffd\ufffd\u05a8\u0016q\\T6T\ufffd\ufffd\ufffdz1\ufffd$",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd\u0018_N\ufffdZ\ufffd\ufffd\u0000\ufffd\ufffdc\u001a\u0010\u001e\ufffdW\ufffd\ufffd\u0013\ufffdi\u0000\\NV\ufffd\u0016\u0018\ufffd \ufffd\ufffd\ufffd\u242b\ufffd\ufffd\u001b~\ufffd?\ufffdWM\ufffdy\ufffdNia<\t_\ufffd\ufffd|d\ufffd\u0010\ufffdP\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7d8e13ca02615ecdedaf01e64d75f1c361349293",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd\u0018_N\ufffdZ\ufffd\ufffd\u0000\ufffd\ufffdc\u001a\u0010\u001e\ufffdW\ufffd\ufffd\u0013\ufffdi\u0000\\NV\ufffd\u0016\u0018\ufffd \ufffd\ufffd\ufffd\u242b\ufffd\ufffd\u001b~\ufffd?\ufffdWM\ufffdy\ufffdNia<\t_\ufffd\ufffd|d\ufffd\u0010\ufffdP\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 2087,
"service": "cpanel-whm",
"service_label_fr": "CPANEL WHM"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd_N\ufffdZ\ufffd\ufffd\ufffd\ufffdc\ufffdW\ufffd\ufffd\ufffdi\\NV\ufffd\ufffd \ufffd\ufffd\ufffd\u242b\ufffd\ufffd~\ufffd?\ufffdWM\ufffdy\ufffdNia<\t_\ufffd\ufffd|d\ufffd\ufffdP\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"attack_vector": "postgres probe \u00b7 via CPANEL WHM:2087 \u00b7 (sonde \/ probe)",
"target_port_label": "2087 \u00b7 CPANEL WHM",
"emulator_service": "cpanel-whm",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "cpanel-whm",
"service_label_fr": "CPANEL WHM",
"dst_port": 2087,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel-whm",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd\u0018_N\ufffdZ\ufffd\ufffd\u0000\ufffd\ufffdc\u001a\u0010\u001e\ufffdW\ufffd\ufffd\u0013\ufffdi\u0000\\NV\ufffd\u0016\u0018\ufffd \ufffd\ufffd\ufffd\u242b\ufffd\ufffd\u001b~\ufffd?\ufffdWM\ufffdy\ufffdNia<\t_\ufffd\ufffd|d\ufffd\u0010\ufffdP\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 2087,
"service": "cpanel-whm",
"service_label_fr": "CPANEL WHM"
},
"attack_vector": "postgres probe \u00b7 via CPANEL WHM:2087 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd_N\ufffdZ\ufffd\ufffd\ufffd\ufffdc\ufffdW\ufffd\ufffd\ufffdi\\NV\ufffd\ufffd \ufffd\ufffd\ufffd\u242b\ufffd\ufffd~\ufffd?\ufffdWM\ufffdy\ufffdNia<\t_\ufffd\ufffd|d\ufffd\ufffdP\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"target_port_label": "2087 \u00b7 CPANEL WHM",
"emulator_service": "cpanel-whm",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel_whm",
"service_banner": "honeypot-cpanel-whm",
"service_os": "linux",
"dst_port": "2087"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_whm_emulated",
"cpanel_whm_payload",
"net_cpanel_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|