Welcome #
- LetsDefend is a Blue Team Training platform.
- This writeup documents a SOC alert investigation involving an attempted local file inclusion with directory traversal.
Alert Details #
| Key: | Value |
|---|---|
| EventID: | 120 |
| Event Time: | Mar, 01, 2022, 10:10 AM |
| Rule: | SOC170 - Passwd Found in Requested URL - Possible LFI Attack |
| Level: | Security Analyst |
| Hostname: | WebServer1006 |
| Destination IP Address: | 172.16.17.13 |
| Source IP Address: | 106.55.45.162 |
| HTTP Request Method: | GET |
| Requested URL: | https://172.16.17.13/?file=../../../../etc/passwd |
| User-Agent: | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) |
| Alert Trigger Reason: | URL Contains passwd |
| Device Action: | Allowed |
Initial Triage #
Actions: #
- Copied alert details to notes
- Created case
- Began analysis
Thoughts #
“That URL is quite blatant in being LFI. I wish the alert included HTTP response codes. Gotta look at the SIEM logs.”
Log Analysis #
| Key: | Value |
|---|---|
| type: | Firewall |
| source_address: | 106.55.45.162 |
| source_port: | 49028 |
| destination_address: | 172.16.17.13 |
| destination_port: | 443 |
| time: | Mar, 01, 2022, 10:10 AM |
| Request URL: | https://172.16.17.13/?file=../../../../etc/passwd |
| User-Agent: | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1... |
| Request Method: | GET |
| Device Action: | Permitted |
| HTTP Response Size: | 0 |
| HTTP Response Status: | 500 |
Thoughts #
“They got an HTTP 500 response status so the attempt failed. Only the one log, which is very curious.”
Email #
Thoughts #
“No email indicating this is an authorized penetration test.”
Determination #
Verdict #
- True Positive
- Close Case
Reasoning #
- Attacker did attempt LFI on https://172.16.17.13/ via the file parameter of a GET request.
- Server responded with a size 0 HTTP 500 Internal Server Error, thwarting the attempt.
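As an added example (not part of the LetsDefend writeup), a small Python triage routine modelled on the SOC170 trigger and the reasoning above: it flags the traversal/passwd pattern in the requested URL and, like the writeup, uses the response status and size to separate a thwarted attempt from one that may have returned content. It goes beyond the page by URL-decoding before matching, so encoded traversal sequences that a literal "passwd" match would miss are also caught; the log records and the IPs other than the alert's are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample records shaped like the SIEM fields in the writeup (not real logs).
SAMPLE_LOGS = [
    {"source_address": "106.55.45.162", "destination_address": "172.16.17.13",
     "url": "https://172.16.17.13/?file=../../../../etc/passwd",
     "status": 500, "size": 0},                      # the writeup's case: attempt, failed
    {"source_address": "198.51.100.7", "destination_address": "172.16.17.13",
     "url": "https://172.16.17.13/?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
     "status": 200, "size": 1423},                   # constructed: encoded, content returned
    {"source_address": "203.0.113.9", "destination_address": "172.16.17.13",
     "url": "https://172.16.17.13/?file=about.html",
     "status": 200, "size": 2048},                   # constructed: ordinary request
]

SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "win.ini")
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")


def normalize(url):
    # Decode twice so single- and double-encoded traversal sequences both surface.
    return unquote(unquote(url))


def is_lfi_attempt(url):
    """SOC170-style check ("URL contains passwd") with decoding and traversal added."""
    decoded = normalize(url).lower()
    return bool(TRAVERSAL.search(decoded)) or any(p in decoded for p in SENSITIVE_PATHS)


def classify(record):
    """Return (verdict, succeeded) for one log record."""
    if not is_lfi_attempt(record["url"]):
        return ("benign", False)
    # A 2xx with a non-empty body means the server may have served the file;
    # an HTTP 500 with size 0, as in the writeup, is an attempt that failed.
    succeeded = 200 <= record["status"] < 300 and record["size"] > 0
    return ("lfi_attempt", succeeded)


def triage(records):
    """Summarise every record as (source_address, verdict, succeeded)."""
    return [(r["source_address"], *classify(r)) for r in records]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS):
        print(row)
```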
Playbook #
Questions #
| Questions | Answers |
|---|---|
| Is Traffic Malicious? | Malicious |
| What Is The Attack Type? | LFI & RFI |
| Check If It Is a Planned Test | Not Planned |
| What Is the Direction of Traffic? | Internet → Company Network |
| Was the Attack Successful? | No |
| Do You Need Tier 2 Escalation? | No |
Artifacts #
| Value | Comment | Type |
|---|---|---|
| 106.55.45.162 | Attacker IP | IP Address |
Notes #
Verdict: True Positive. Blocked.
Summary: Verified as an LFI attempt. It was refused by the endpoint with an HTTP 500 response.
Validated via: SIEM logs.
Actions taken: None.
Final Thoughts #
“Clean cut. Odd that the attacker didn’t do reconnaissance beforehand.”