
(Writeup) LetsDefend EventID: 118 - [SOC168 - Whoami Command Detected in Request Body]

Welcome

  • LetsDefend is a Blue Team Training platform.
  • This writeup documents a SOC alert investigation involving command injection.

Alert Details

EventID: 118
Event Time: Feb 28, 2022, 04:12 AM
Rule: SOC168 - Whoami Command Detected in Request Body
Level: Security Analyst
Hostname: WebServer1004
Destination IP Address: 172.16.17.16
Source IP Address: 61.177.172.87
HTTP Request Method: POST
Requested URL: https://172.16.17.16/video/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Alert Trigger Reason: Request Body Contains whoami string
Device Action: Allowed

Initial Triage

Actions:

  • Copied alert details to notes
  • Created case
  • Began analysis

Thoughts:

“A POST on /video/ containing whoami? That’s suspicious… Time to investigate!”


Analysis

Tools Used:

IP:

VirusTotal: 3/93 Malicious
Talos Intelligence: Neutral
AbuseIPDB: 86,782 Reports (Hacking)

Thoughts:

“That is an impressive amount of reports… Also, it’s not good for the chance of it being a false positive.”

Log Analysis

All five log entries share the same request fields and differ only in the POST parameter sent and the size of the response:

Request URL: https://172.16.17.16/video/
Request Method: POST
Device Action: Permitted
HTTP Response Status: 200

POST Parameters        HTTP Response Size
?c=ls                  1021
?c=whoami              912
?c=uname               910
?c=cat /etc/passwd     1321
?c=cat /etc/shadow     1501
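As an added example (not part of the original writeup and not LetsDefend's tooling), the following Python script replays constructed SIEM-style records modelled on the five log entries above, flags POST bodies whose parameter values begin with a shell command or reference a sensitive file, and reports the response-size spread per source, URL and parameter, which is the signal the analyst used to judge that the commands actually ran. The record field names, the `SAMPLE_LOGS` data (including one benign request added for contrast) and the `SUSPICIOUS_COMMANDS` keyword list are assumptions.

```python
"""Detect command-injection attempts in POST bodies and summarise response-size
variation per (source, URL, parameter). Added example; field names are assumed."""
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed records mirroring the writeup's five log entries, plus one benign
# request from a different client so the detector has something to ignore.
SAMPLE_LOGS = [
    {"src": "61.177.172.87", "url": "https://172.16.17.16/video/", "method": "POST",
     "status": 200, "resp_size": 1021, "body": "c=ls"},
    {"src": "61.177.172.87", "url": "https://172.16.17.16/video/", "method": "POST",
     "status": 200, "resp_size": 912, "body": "c=whoami"},
    {"src": "61.177.172.87", "url": "https://172.16.17.16/video/", "method": "POST",
     "status": 200, "resp_size": 910, "body": "c=uname"},
    {"src": "61.177.172.87", "url": "https://172.16.17.16/video/", "method": "POST",
     "status": 200, "resp_size": 1321, "body": "c=cat%20/etc/passwd"},
    {"src": "61.177.172.87", "url": "https://172.16.17.16/video/", "method": "POST",
     "status": 200, "resp_size": 1501, "body": "c=cat%20/etc/shadow"},
    {"src": "10.0.0.5", "url": "https://172.16.17.16/video/", "method": "POST",
     "status": 200, "resp_size": 1021, "body": "id=42&quality=720p"},
]

# Recon commands commonly seen through a web shell (assumed list; tune per site).
SUSPICIOUS_COMMANDS = {"whoami", "uname", "ls", "cat", "pwd", "hostname"}
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow")


def suspicious_values(body):
    """Return (param, value) pairs whose URL-decoded value starts with a shell
    command keyword or mentions a sensitive file path."""
    hits = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            tokens = value.split()
            first_token = tokens[0] if tokens else ""
            if first_token in SUSPICIOUS_COMMANDS or any(p in value for p in SENSITIVE_PATHS):
                hits.append((param, value))
    return hits


def flag_records(logs):
    """Produce one alert per suspicious parameter value found in a POST body."""
    alerts = []
    for rec in logs:
        if rec["method"] != "POST":
            continue
        for param, value in suspicious_values(rec["body"]):
            alerts.append({"src": rec["src"], "url": rec["url"], "param": param,
                           "command": value, "resp_size": rec["resp_size"]})
    return alerts


def response_size_spread(alerts):
    """Group alerts by (src, url, param) and return (min_size, max_size, count).
    A constant 200 status with a wide size spread is consistent with the server
    returning command output rather than a fixed page."""
    by_key = defaultdict(list)
    for a in alerts:
        by_key[(a["src"], a["url"], a["param"])].append(a["resp_size"])
    return {key: (min(sizes), max(sizes), len(sizes)) for key, sizes in by_key.items()}


if __name__ == "__main__":
    found = flag_records(SAMPLE_LOGS)
    for a in found:
        print(f"{a['src']} -> {a['url']} param={a['param']!r} "
              f"cmd={a['command']!r} size={a['resp_size']}")
    for (src, url, param), (lo, hi, n) in response_size_spread(found).items():
        print(f"{src} {url} {param}: {n} flagged requests, response size {lo}..{hi}")
```

The keyword match alone is enough to raise the alert; the size spread is the corroboration step. A static handler would answer every POST with roughly the same size, so five 200 responses ranging from 910 to 1501 bytes for a single parameter, as in these records, is what makes execution likely rather than merely attempted. Real request bodies may be double-encoded or use a different content type, so a production version would normalise the body before parsing.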

Thoughts:

“Oh… oh no. /video/ has a web shell. The c parameter is being taken and executed. We can tell because the HTTP Response Size varies depending on the command executed.”

Action:

  • Containment of WebServer1004 endpoint initiated.

Email

Thoughts:

“No email stating there is a penetration test going on. Didn’t think there would be, but I had to check regardless.”

Endpoint Status

Execution Confirmed: Yes
Quarantine Status: Not Quarantined
Infection Status: Infected
EDR Agent: Active
Containment: Initiated

Findings:

Reputation Results: Malicious
Endpoint Execution: True
Confidence Level: High

Thoughts:

“This case is going to have to be escalated… I don’t have logs showing how that webshell got there.”


Determination

Verdict:

  • True Positive
  • Escalate Case

Reasoning:

  • SIEM logs imply the attacker gained execution via a webshell on /video/ using the POST parameter c.
  • Command execution is believed to have succeeded, based on the HTTP response size varying with the command sent.
  • Unknown how the webshell appeared on the endpoint.

Playbook

Questions:

Question                              Answer
Is Traffic Malicious?                 Malicious
What Is The Attack Type?              Command Injection
Check If It Is a Planned Test         Not Planned
What Is the Direction of Traffic?     Internet → Company Network
Was the Attack Successful?            Yes
Do You Need Tier 2 Escalation?        Yes

Artifacts:

Value            Comment        Type
61.177.172.87    Attacker IP    IP Address

Notes:

Verdict: True Positive. Containment Initiated. Escalation Requested.
Summary: Attacker sent command injection via c parameter to /video/, getting command execution. No logs on when the webshell appeared. Containment Initiated.
Validated via: SIEM logs and EDR Agent.
Actions taken: Containment Initiated.


Final Thoughts:

“There was no normal traffic from that IP beforehand either. Not even discovering /videos/ which makes me worried… How did they know it was there, and that you could execute commands on the c parameter? Did they put it there or did someone else?”

Reed Eggleston
Author
B.S. in Cybersecurity | SSCP | CySA+ | PenTest+ | Project+