# Welcome

- LetsDefend is a Blue Team Training platform.
- This writeup documents a SOC alert investigation involving a web attack, specifically a SQL injection attempt.
## Alert Details

| Key | Value |
|---|---|
| EventID | 115 |
| Event Time | Feb 25, 2022, 11:34 AM |
| Rule | SOC165 - Possible SQL Injection Payload Detected |
| Level | Security Analyst |
| Hostname | WebServer1001 |
| Destination IP Address | 172.16.17.18 |
| Source IP Address | 167.99.169.17 |
| HTTP Request Method | GET |
| Requested URL | https://172.16.17.18/search/?q=%22%20OR%201%20%3D%201%20--%20- |
| User-Agent | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1 |
| Alert Trigger Reason | Requested URL Contains OR 1 = 1 |
| Device Action | Allowed |
## Initial Triage

### Actions

- Copied alert details to notes
- Created case
- Began analysis

### Thoughts

“That’s an obvious SQLI attempt… it was allowed?”
## Analysis

### Tools Used

### IP

### Thoughts

“That… is an impressive amount of AbuseIPDB reports.”
### SIEM Logs

(Basic logs for writeup brevity)

| Request URL | Request Method | Device Action | HTTP Response Size | HTTP Response Status |
|---|---|---|---|---|
| https://172.16.17.18/ | GET | Permitted | 3547 | 200 |
| https://172.16.17.18/search/?q=%27%20OR%20%271 | GET | Permitted | 948 | 500 |
| https://172.16.17.18/search/?q=%27 | GET | Permitted | 948 | 500 |
| https://172.16.17.18/search/?q=%27%20OR%20%27x%27%3D%27x | GET | Permitted | 948 | 500 |
| https://172.16.17.18/search/?q=1%27%20ORDER%20BY%203--%2B | GET | Permitted | 948 | 500 |
| https://172.16.17.18/search/?q=%22%20OR%201%20%3D%201%20--%20- | GET | Permitted | 948 | 500 |
### URL Decode

| Original | Decoded with CyberChef |
|---|---|
| %27%20OR%20%271 | ' OR '1 |
| %27 | ' |
| %27%20OR%20%27x%27%3D%27x | ' OR 'x'='x |
| 1%27%20ORDER%20BY%203--%2B | 1' ORDER BY 3--+ |
| %22%20OR%201%20%3D%201%20--%20- | " OR 1 = 1 -- - |
### Thoughts

“All attempts at SQL Injection got a 500 Internal Server Error back with the same length. (Would have preferred a 400 family error.)”
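To show how the decode-and-compare step above can be automated, here is an added Python example (not part of the original writeup or of LetsDefend): it URL-decodes the `q` parameter of each logged request, flags the payload shapes seen in this case, and checks whether every flagged request drew the same 500 response of the same size. The log entries are constructed from the values quoted above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: (request URL, HTTP status, response size) as quoted in the SIEM logs above.
SAMPLE_LOGS = [
    ("https://172.16.17.18/", 200, 3547),
    ("https://172.16.17.18/search/?q=%27%20OR%20%271", 500, 948),
    ("https://172.16.17.18/search/?q=%27", 500, 948),
    ("https://172.16.17.18/search/?q=%27%20OR%20%27x%27%3D%27x", 500, 948),
    ("https://172.16.17.18/search/?q=1%27%20ORDER%20BY%203--%2B", 500, 948),
    ("https://172.16.17.18/search/?q=%22%20OR%201%20%3D%201%20--%20-", 500, 948),
]

# Signatures for the payload shapes in this case: the alert rule's "OR 1 = 1" tautology,
# quote-OR-quote tautologies, ORDER BY column probing, and a lone quote (error probe).
SQLI_PATTERNS = [
    re.compile(r"\bOR\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    re.compile(r"['\"]\s*OR\s*['\"]", re.I),
    re.compile(r"\bORDER\s+BY\s+\d+", re.I),
    re.compile(r"^['\"]$"),
]


def flag_sqli(url):
    """Return (parameter, decoded value) pairs whose decoded value matches a signature."""
    hits = []
    # parse_qs percent-decodes the values, the same step done with CyberChef above.
    for param, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            if any(p.search(value) for p in SQLI_PATTERNS):
                hits.append((param, value))
    return hits


def assess(logs):
    """Summarise flagged requests; identical 5xx responses argue against a successful injection."""
    flagged = [entry for entry in logs if flag_sqli(entry[0])]
    statuses = {status for _, status, _ in flagged}
    sizes = {size for _, _, size in flagged}
    return {
        "flagged": len(flagged),
        "all_server_errors": bool(flagged) and all(500 <= s < 600 for s in statuses),
        "uniform_size": len(sizes) == 1,
    }


if __name__ == "__main__":
    for url, status, size in SAMPLE_LOGS:
        for param, value in flag_sqli(url):
            print(f"{status} {size:>5}  {param}={value!r}")
    print(assess(SAMPLE_LOGS))
```

A successful injection would typically show up as a 200 with a response size that varies between payloads, which is exactly what this log set lacks.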
### Email Logs

#### Thoughts

“I didn’t think it would be an authorized penetration test with the IP reputation of the source address, but I had to check anyways. No emails in the system authorizing a pentest on that host during this time.”

### Endpoint

#### Thoughts

“Confirmed with EDR Agent. Nothing of note. Endpoint is clean. No action needed.”
## Findings

| Key | Value |
|---|---|
| Source Reputation | Malicious |
| Endpoint Exploitation | False |
| Confidence | High |

### Thoughts

“Attacker wildly threw the most basic of SQL injection attacks at the server with no success.”
## Determination

### Verdict

### Reasoning

- There was a SQL Injection attack.
- The attack was unsuccessful.
## Playbook

### Questions

| Question | Answer |
|---|---|
| Is Traffic Malicious? | Malicious |
| What Is The Attack Type? | SQL Injection |
| Check If It Is a Planned Test. | Not Planned |
| What Is the Direction of Traffic? | Internet → Company Network |
| Was the Attack Successful? | No |
| Do You Need Tier 2 Escalation? | No |

### Artifacts

| Value | Comment | Type |
|---|---|---|
| 167.99.169.17 | Attacker IP | IP Address |
### Notes

Verdict: True Positive. Blocked.

Summary: Attacker sent SQL Injections at endpoint. Endpoint responded with 500 “internal server error” to each attempt.

Validated via: SIEM logs

Actions taken: None.
## Finishing Thoughts

“If there isn’t a WAF between that server and the outside world, there should be.”