MIRE/C³: Multi-layer Intrusion Response Engine

MIRE Attack Categories

MIRE/C³ breaks down attacks into 50 categories

The patterns that MIRE/C³ responds to are broken down below.  Some are far more popular with attackers than others; visit the breakdown page to see which attacks are currently being attempted by the bad guys.

In alphabetical order:

  • Admin Panel Scan

    What: Admin login pages and panels
    Why: Weak passwords or default credentials (admin/admin)
    Example: /admin/, /phpmyadmin/, /console/
    Danger Level: 🟠 HIGH - Brute-force target

  • API Documentation

    What: Swagger, OpenAPI, API documentation endpoints
    Why: Reveals all API endpoints, parameters, and authentication methods
    Example: /v2/api-docs, /swagger-ui.html, /openapi.json
    Danger Level: 🟠 HIGH - Complete API map for attackers

  • API Probes

    What: API endpoints like /actuator/, /graphql, /api/
    Why: Looking for exposed APIs, especially Spring Boot Actuator (leaks environment vars)
    Example: /actuator/env, /graphql, /api/users
    Danger Level: 🟠 HIGH - Can expose system info and data

  • App Configs

    What: Application-specific config files
    Why: Framework settings, database connections
    Example: /package.json, /composer.json, /appsettings.json
    Danger Level: 🟡 MEDIUM - Dependency info + sometimes credentials

  • Archive Theft

    What: .zip, .tar.gz, backup archives
    Why: Developers leave backups accessible (backup.zip, db.tar.gz)
    Example: /backup.zip, /old.tar.gz, /archive/
    Danger Level: 🔴 CRITICAL - Often contains entire codebase + DB dumps

  • Atlassian Probes

    What: Atlassian Jira/Confluence login and exploit attempts
    Why: CVE exploits (CVE-2021-26084) or default credentials
    Example: /login.action, /s/*/META-INF/maven/
    Danger Level: 🔴 CRITICAL - Known RCE vulnerabilities

  • Backup Files

    What: .bak, .old, .backup files
    Why: Editors create these automatically (config.php.bak)
    Example: /config.php.bak, /database.yml.old
    Danger Level: 🟠 HIGH - Often contain unredacted secrets

  • Cache/Storage

    What: Cache directories and temp storage
    Why: Session files, uploaded files, cached credentials
    Example: /cache/, /storage/, /.cache/, Thumbs.db
    Danger Level: 🟡 MEDIUM - Depends on contents

  • Certificates

    What: SSL/TLS certificates and private keys
    Why: Private keys allow man-in-the-middle attacks
    Example: /certificate.pem, /privkey.key, /server.crt
    Danger Level: 🔴 CRITICAL - Complete SSL compromise

  • Cloud Configs

    What: Cloud provider configuration directories
    Why: Cloud credentials and access keys
    Example: /.aws/, /.azure/, /.kube/, gcloud/
    Danger Level: 🔴 CRITICAL - Full cloud infrastructure access

  • Cloud Secrets

    What: AWS, Azure, GCP credentials
    Why: Cloud account takeover
    Example: /aws-config.json, /.aws/credentials, /s3.js
    Danger Level: 🔴 CRITICAL - Full cloud access

  • CMS Generic

    What: Joomla, Drupal, Magento, other CMS platforms
    Why: Known vulnerabilities in popular CMS systems
    Example: /joomla/, /drupal/, /typo3/, /administrator/
    Danger Level: 🟠 HIGH - Large attack surface

  • Common Files

    What: Standard web files expected on all sites
    Why: Fingerprinting and reconnaissance
    Example: /favicon.ico, /apple-touch-icon, /browserconfig.xml
    Danger Level: 🟢 LOW - Mostly harmless probing

  • Configs & Secrets

    What: .env files, .ini, .yml, configuration files with credentials
    Why: These contain database passwords, API keys, JWT secrets, AWS credentials
    Example: /.env, /config.yml, /credentials.json
    Danger Level: 🔴 CRITICAL - Direct access to secrets

  • CVE Exploits

    What: Specific CVE exploit attempts (CGI-bin, known vulnerabilities)
    Why: Automated exploitation of published vulnerabilities
    Example: /cgi-bin/**, /tmui/login.jsp, /solr/, /jenkins/
    Danger Level: 🔴 CRITICAL - Active exploitation

  • Database Files

    What: SQL dumps and database exports
    Why: Direct database downloads
    Example: /dump.sql, /database.sql, /db.sql
    Danger Level: 🔴 CRITICAL - Entire database

  • Database Probes

    What: CouchDB/NoSQL database APIs
    Why: /_all_dbs lists all databases, often exposed with no auth
    Example: /_all_dbs, /_membership, /_dbs_info
    Danger Level: 🔴 CRITICAL - Direct database access

  • Development Files

    What: Dev environment configs and build tools
    Why: Dev mode typically runs with security controls disabled
    Example: /.env.development, /phpunit.xml, .travis.yml, gulpfile.js
    Danger Level: 🟠 HIGH - Debug mode = secrets exposed

  • DLP/Verify Probes

    What: Data loss prevention and blog verification endpoints
    Why: Probing for security tooling or attempting to claim blog ownership
    Example: /data-loss-prevention, /blog-verify
    Danger Level: 🟢 LOW - Reconnaissance

  • Docker/K8s

    What: Docker and Kubernetes configuration files
    Why: Container orchestration secrets and infrastructure details
    Example: /docker-compose.yml, /Dockerfile, /.dockerignore, /kubernetes/
    Danger Level: 🔴 CRITICAL - Infrastructure secrets

  • Exchange Exploits

    What: Microsoft Exchange ProxyShell/ProxyLogon CVEs
    Why: Zero-day exploits for email server takeover
    Example: /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application
    Danger Level: 🔴 CRITICAL - RCE exploit

  • Executable Probes

    What: .exe, .action files and command executables
    Why: Targets Windows servers (.exe) and Atlassian/Java apps (.action)
    Example: /cmd.exe, /shell.exe, /login.action
    Danger Level: 🟠 HIGH - RCE attempts

  • Exploits

    What: Directory traversal, command injection attempts
    Why: RCE and arbitrary file read
    Example: /../../../etc/passwd, ?cmd=whoami, %00 null bytes
    Danger Level: 🔴 CRITICAL - Active exploitation

  • Framework Exploits

    What: Framework-specific directories (Laravel, Django, Rails, Struts)
    Why: Framework vulnerabilities and default paths
    Example: /laravel/, /symfony/, /struts/, /spring/
    Danger Level: 🟠 HIGH - Known framework exploits

  • Generic PHP Files

    What: Random PHP files that shouldn't exist
    Why: Probing for forgotten test files or shells
    Example: /1234.php, /test123.php, /backup.php
    Danger Level: 🟡 MEDIUM - Opportunistic

  • IDE Configs

    What: VSCode, IntelliJ configuration directories
    Why: Contain workspace settings, sometimes DB connection strings
    Example: /.vscode/, /.idea/, .sublime-project
    Danger Level: 🟡 MEDIUM - Accidental leaks

  • JSON Config Files

    What: JSON configuration files
    Why: Modern apps store everything in JSON (credentials, API keys, settings)
    Example: /config.json, /appsettings.json, /settings.json, /oauth.json
    Danger Level: 🟠 HIGH - Structured secrets

  • JS Config Files

    What: JavaScript configuration files
    Why: Contain API endpoints, feature flags, sometimes hardcoded tokens
    Example: /config.js, /env.js, /webpack.config.js, /app.js
    Danger Level: 🟠 HIGH - Often has frontend secrets

  • Laravel Telescope

    What: Laravel's debugging tool
    Why: Shows all requests, queries, environment variables, Redis data
    Example: /telescope/requests
    Danger Level: 🔴 CRITICAL - Complete system exposure if left enabled

  • Log Files

    What: Application and error logs
    Why: Contain stack traces, database queries, API keys in errors
    Example: /error.log, /debug.log, /laravel.log, /access_log
    Danger Level: 🟠 HIGH - Accidental credential leaks

  • Other

    What: Uncategorized/unique probes
    Why: Experimental attacks, custom exploits, or just noise
    Danger Level: ❓ UNKNOWN - Needs analysis

  • Payment/Stripe

    What: Payment processing configs and Stripe keys
    Why: Steal API keys to process fraudulent payments
    Example: /stripe.json, /payment/config.js, /checkout/
    Danger Level: 🔴 CRITICAL - Financial fraud

  • PHP Info Probes

    What: phpinfo() output pages
    Why: Shows PHP version, modules, environment variables, paths
    Example: /phpinfo.php, /info.php
    Danger Level: 🟠 HIGH - Complete server fingerprint

  • Random Probes

    What: Random alphanumeric strings or long numbers
    Why: Automated scanners testing for hidden endpoints
    Example: /abc123def456ghi789, /1234567890
    Danger Level: 🟢 LOW - Usually just noise

  • Robots/Sitemap

    What: SEO and crawler files
    Why: Discover site structure and hidden paths
    Example: /robots.txt, /sitemap.xml
    Danger Level: 🟢 LOW - Legitimate reconnaissance

  • Security Files

    What: Web server security configuration files
    Why: Access controls and authentication rules
    Example: /.htaccess, /.htpasswd, /web.config, /security.txt
    Danger Level: 🟠 HIGH - Reveals security mechanisms

  • Server Probes

    What: Apache/Nginx server status pages
    Why: Shows active connections, server load, internal IPs
    Example: /server-status, /server-info, /server.js
    Danger Level: 🟡 MEDIUM - Reconnaissance info

  • Source Directories

    What: Source code folders (/src/, /app/)
    Why: Misconfigured web servers serving source code
    Example: /src/, /app/, /public/, /backend/, /frontend/
    Danger Level: 🟠 HIGH - Full code disclosure

  • Static Assets

    What: CSS, images, fonts, and other static files
    Why: Fingerprinting frameworks and tech stack
    Example: .css, .jpg, .png, .woff, /images/
    Danger Level: 🟢 LOW - Usually harmless

  • Test Paths

    What: Test directories and files
    Why: Test environments often have no security
    Example: /test/, /testing/, /tests/, setupTests.js
    Danger Level: 🟡 MEDIUM - Easier targets

  • Upload Paths

    What: File upload directories
    Why: Unrestricted file uploads can lead to webshells
    Example: /upload/, /uploads/, /files/, /attachments/
    Danger Level: 🟠 HIGH - Potential shell upload point

  • Utility Paths

    What: Helper function and utility directories
    Why: Often contain database helpers or internal tools
    Example: /helpers/, /utils/, /lib/, /functions/
    Danger Level: 🟡 MEDIUM - Internal functionality exposure

  • Vendor Paths

    What: Third-party dependency directories
    Why: Outdated libraries with known vulnerabilities
    Example: /vendor/, /node_modules/, /bower_components/
    Danger Level: 🟡 MEDIUM - Dependency vulnerabilities

  • Version Control

    What: .git/, .svn/ directories
    Why: Download entire source code history + secrets from commits
    Example: /.git/config, /.svn/entries, /.hg/
    Danger Level: 🔴 CRITICAL - Complete source code leak

  • Vite Probes

    What: Vite development server endpoints
    Why: Dev servers expose environment variables
    Example: /@vite/env
    Danger Level: 🟠 HIGH - Dev-only, but leaks env vars

  • Web Roots

    What: Default homepage and index files
    Why: Site fingerprinting and initial recon
    Example: /, /index.html, /index.php, /default.aspx
    Danger Level: 🟢 LOW - Standard scanning

  • Web Shells

    What: PHP shells used for remote code execution
    Why: If found, attacker already owns the server
    Example: /shell.php, /c99.php, /wso.php
    Danger Level: 🔴 CRITICAL - Indicates compromise or scanning for past breaches

  • Well-Known URIs

    What: IETF standard paths for service discovery
    Why: Looking for payment handlers, cryptocurrency wallets
    Example: /.well-known/farcaster.json, /.well-known/security.txt
    Danger Level: 🟢 LOW - Mostly legitimate scanning

  • Wordpress/CMS

    What: WordPress core files and paths
    Why: 43% of websites use WordPress - huge attack surface
    Example: /wp-login.php, /wp-admin/, /xmlrpc.php
    Danger Level: 🟠 HIGH - Default install = easy target

  • WP Variants

    What: Alternative WordPress login paths
    Why: Custom login URLs or renamed files
    Example: /wp-signin.php, /wp.php, /wp-json/oembed
    Danger Level: 🟡 MEDIUM - WordPress-specific
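As an added example (not MIRE/C³'s own code), the following Python shows how a small subset of the categories and danger levels above can be turned into detection logic over web-server access logs; the regexes, rule order, and sample log lines are constructed assumptions, and the engine's real matching rules are not shown on this page.

```python
"""Request-path classifier for a subset of the MIRE/C3 categories above.
Added example, not MIRE/C3 code; the regexes are illustrative assumptions."""
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Traversal / command-injection markers, checked against path AND query string.
INJECTION = re.compile(r"(\.\./|/etc/passwd|[?&]cmd=|\x00)")
# (category, danger level, pattern) in priority order: most specific first.
RULES = [
    ("Version Control",   "CRITICAL", re.compile(r"/\.(git|svn|hg)(/|$)")),
    ("Configs & Secrets", "CRITICAL", re.compile(r"/(\.env|config\.yml|credentials\.json)$")),
    ("Database Probes",   "CRITICAL", re.compile(r"^/_(all_dbs|membership|dbs_info)$")),
    ("API Probes",        "HIGH",     re.compile(r"^/(actuator|graphql|api)(/|$)")),
    ("Admin Panel Scan",  "HIGH",     re.compile(r"^/(admin|phpmyadmin|console)/?$", re.I)),
    ("Wordpress/CMS",     "HIGH",     re.compile(r"^/(wp-login\.php|wp-admin/|xmlrpc\.php)")),
    ("Robots/Sitemap",    "LOW",      re.compile(r"^/(robots\.txt|sitemap\.xml)$")),
]

def classify(target: str) -> tuple[str, str]:
    """Map a request target to (category, danger level); unmatched -> Other/UNKNOWN."""
    parts = urlsplit(target)
    # Percent-decode before matching so %2e%2e%2f or %00 cannot slip past the rules.
    path, query = unquote(parts.path), unquote(parts.query)
    if INJECTION.search(path) or INJECTION.search("?" + query):
        return "Exploits", "CRITICAL"
    for category, level, pattern in RULES:
        if pattern.search(path):
            return category, level
    return "Other", "UNKNOWN"

def triage(log_lines: list[str]) -> dict[str, int]:
    """Count requests per danger level across combined-log-format lines."""
    counts = Counter()
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if m:
            counts[classify(m.group(1))[1]] += 1
    return dict(counts)

# Constructed sample log (RFC 5737 documentation addresses, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:00:00:01 +0000] "GET /.env HTTP/1.1" 404 153',
    '203.0.113.5 - - [01/Jan/2024:00:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153',
    '203.0.113.9 - - [01/Jan/2024:00:00:03 +0000] "GET /img/..%2f..%2f..%2fetc/passwd HTTP/1.1" 400 0',
    '198.51.100.7 - - [01/Jan/2024:00:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 42',
    '198.51.100.7 - - [01/Jan/2024:00:00:05 +0000] "GET /favicon.ico HTTP/1.1" 200 1150',
]
```

Paths that match no rule fall into the page's "Other" bucket, which is the queue a defender reviews by hand before adding a rule.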