Annotator sfp

Sensitive file probing

Requests target commonly sensitive files, configs, backups, or administrative resources.

Attack family · Sensitive file exposure and leak hunting
Phase · Reconnaissance and loot discovery
Risk · High

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Sensitive file paths, configs, backups, and Git metadata
  • Traversal-style file access attempts
  • Direct payload hints such as `/etc/passwd` reads and command-style file parameters
Logic
  • Strong hits target `.env`, SSH keys, OS secrets, CMS configs, and exposed admin artifacts.
  • Traversal and sensitive-file hints are deduplicated so the strongest rule wins.
  • Weak file/path parameters only matter when stronger probing context is present.
Attack Family
Sensitive file exposure and leak hunting
Phase · Reconnaissance and loot discovery
Risk · High
Requests for environment files, backups, Git metadata, and hidden configs are how attackers look for accidental exposure that grants instant leverage without needing an exploit.
Damage Patterns
  • A single exposed config or backup can hand over credentials, secrets, infrastructure layout, or deployment history.
  • This family regularly turns misconfiguration into immediate data loss or privileged follow-on access.
Incident Lore
  • Some of the fastest compromises come from leaked `.env`, repository metadata, backup archives, and admin artifacts rather than sophisticated exploitation.
  • Operators often discover these incidents late because the requests looked like simple 404 hunting until one path finally existed.
How To Read It
This is an opportunistic recon and exposure probe signal. It explains why the request looked like a hunt for accidental leaks.
Defender Takeaway
Treat sensitive-file probing as treasure hunting. The attacker is looking for the one mistake that collapses the rest of the defense stack.
Catalog Definition
Flags attempts to access files and paths that are commonly sensitive or frequently exposed by mistake (configuration files, environment files, backups, admin panels, hidden resources). This annotator is especially useful for explaining opportunistic scanning behavior. In reports, show targeted resources grouped by category and the observed outcomes (404/403/200) without implying compromise.
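
A sketch of the Logic bullets and the reporting guidance above, as an added example that is not the annotator's own implementation: the strongest rule wins, weak file/path parameters are gated on context, and results are grouped by category and observed status. The `sfp:file:*` rule ids and severities 40/36/24 are taken from the samples on this page; the `sfp:hint:*` ids, their severities, every regex, the weak parameter names and the per-client reading of "stronger probing context" are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# (rule id, severity, category, pattern). The sfp:file:* ids and severities 40/36/24 are
# from this page's samples; the sfp:hint:* ids, their severities and all regexes are assumed.
STRONG = [
    ("sfp:file:env", 40, "env/secret file", re.compile(r"(^|/)\.env(\.[\w-]+)?$")),
    ("sfp:file:app_config", 36, "CMS/app config", re.compile(r"(^|/)(wp-)?config\.php$")),
    ("sfp:file:git_metadata", 24, "Git metadata", re.compile(r"(^|/)\.git(/|$)")),
    ("sfp:hint:os_secret", 45, "OS secret read", re.compile(r"/etc/(passwd|shadow)$")),
    ("sfp:hint:traversal", 30, "path traversal", re.compile(r"(^|/)\.\.(/|$)")),
]
WEAK = ("sfp:hint:weak_file_param", 5, "weak file/path parameter")  # hypothetical
WEAK_PARAMS = {"file", "path", "page", "include"}  # assumed parameter names

def strongest(target):
    """Match the path and decoded query values; keep only the highest-severity hit."""
    parts = urlsplit(target)
    texts = [unquote(parts.path)] + [v for _, v in parse_qsl(parts.query)]
    hits = [(r, s, c) for r, s, c, rx in STRONG if any(rx.search(t) for t in texts)]
    return max(hits, key=lambda h: h[1]) if hits else None

def annotate(events):
    """Weak parameters count only for clients that also produced a strong hit (assumed)."""
    strong = [strongest(target) for _, target, _ in events]
    probing = {ev[0] for ev, hit in zip(events, strong) if hit}
    out = []
    for (ip, target, status), hit in zip(events, strong):
        names = {k for k, _ in parse_qsl(urlsplit(target).query)}
        if hit is None and ip in probing and names & WEAK_PARAMS:
            hit = WEAK
        if hit:
            out.append((ip, target, status, hit))
    return out

def outcome_table(annotated):
    """Count (category, status) pairs; a 200 is an observed outcome, not proof of a leak."""
    return Counter((hit[2], status) for _, _, status, hit in annotated)

# Constructed sample events: (client IP from documentation ranges, request target, status).
EVENTS = [
    ("192.0.2.10", "/.env", 404),
    ("192.0.2.10", "/download?file=..%2F..%2Fetc%2Fpasswd", 403),
    ("192.0.2.10", "/view?file=report.pdf", 200),
    ("198.51.100.7", "/view?file=report.pdf", 200),
]

if __name__ == "__main__":
    print(sorted(outcome_table(annotate(EVENTS)).items()))
```

The same `/view?file=report.pdf` request is reported for the client that also probed `/.env` and ignored for the client with no other hits, which keeps ordinary download links out of the report.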

10 Most Recent Real Samples

Weekly cached from live annotated access events so the catalog stays fast.
Week: 2026W16
Lookback: 30 days
Total matched: 58741
Latest sample: Apr 13, 2026 • 00:55
Top rules: sfp:file:env · 4; sfp:file:git_metadata · 4; sfp:file:app_config · 2
Top requester orgs: Daou · 2; UltaHost Inc · 2; DigitalOcean, LLC · 2
Severity mix: 40 · 4; 24 · 4; 36 · 2
Method mix: GET · 10

| Time | Method | Status | Severity | Path | Description | IP | Subnet | Org | Country | Rule |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 13, 2026 • 00:55 | GET | 400 | 36 | /admin/config.php | Probe for CMS/app configuration file | 27.102.76.8 | 27.102.76.0/24 | Daou | South Korea | sfp:file:app_config |
| Apr 13, 2026 • 00:46 | GET | 404 | 40 | /symfony/.env.local | Probe for environment/secret file (.env) | 105.172.55.3 | 105.172.55.0/24 | UnitelNetworkPool3 | Angola | sfp:file:env |
| Apr 13, 2026 • 00:42 | GET | 301 | 36 | /admin/config.php | Probe for CMS/app configuration file | 27.102.76.8 | 27.102.76.0/24 | Daou | South Korea | sfp:file:app_config |
| Apr 13, 2026 • 00:36 | GET | 404 | 40 | /dev_env/.env | Probe for environment/secret file (.env) | 59.152.97.130 | 59.152.97.0/24 | | Bangladesh | sfp:file:env |
| Apr 13, 2026 • 00:36 | GET | 301 | 40 | /dev_env/.env | Probe for environment/secret file (.env) | 14.163.99.178 | 14.163.99.0/24 | VietNam Post and Telecom Corporation | Vietnam | sfp:file:env |
| Apr 13, 2026 • 00:31 | GET | 404 | 24 | /.git/config | Probe for Git metadata | 84.201.14.163 | 84.201.14.0/24 | UltaHost Inc | Germany | sfp:file:git_metadata |
| Apr 13, 2026 • 00:31 | GET | 404 | 24 | /.git/config | Probe for Git metadata | 84.201.14.163 | 84.201.14.0/24 | UltaHost Inc | Germany | sfp:file:git_metadata |
| Apr 13, 2026 • 00:14 | GET | 404 | 24 | /.git/config | Probe for Git metadata | 159.89.53.247 | 159.89.53.0/24 | DigitalOcean, LLC | United States | sfp:file:git_metadata |
| Apr 13, 2026 • 00:14 | GET | 301 | 24 | /.git/config | Probe for Git metadata | 159.89.53.247 | 159.89.53.0/24 | DigitalOcean, LLC | United States | sfp:file:git_metadata |
| Apr 12, 2026 • 23:53 | GET | 301 | 40 | /.env | Probe for environment/secret file (.env) | 78.153.140.147 | 78.153.140.0/24 | HOSTGLOBAL.PLUS LTD | United Kingdom | sfp:file:env |