• Event Time: Mar, 01, 2022, 10:10 AM
  • Rule: SOC170 — Passwd Found in Requested URL — Possible LFI Attack
  • Level: Security Analyst
  • Hostname: WebServer1006
  • Destination IP: 172.16.17.13
  • Source IP: 106.55.45.162
  • HTTP Request Method: GET
  • Requested URL: https://172.16.17.13/?file=../../../../etc/passwd
  • User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
  • Device Action: Allowed
  • Alert Trigger Reason: URL Contains passwd

Incident Details:

  • Incident Name: EventID: 120 — [SOC170 — Passwd Found in Requested URL — Possible LFI Attack]
  • Incident Type: Web Attack
  • Created Date: Sep, 09, 2024, 10:16 AM

My Actions Upon Seeing the Alert:

  1. Immediate Concern: Upon seeing the device action marked as "Allowed", my first reaction was to question why the firewall did not block this traffic. Local File Inclusion (LFI) attacks are serious, and such requests should be blocked.
  2. Taking Ownership of the Alert: I quickly assigned the alert to myself and took ownership. The alert was moved to the investigation channel, and I proceeded to create a case to conduct a thorough investigation.

Investigation Playbook Steps:

Step 1: Understand Why the Alert Was Triggered

  • The rule name itself gives an indication of the type of attack: Passwd Found in Requested URL — Possible LFI Attack.
  • The URL contained an attempt to access the server's passwd file via directory traversal (../../../../etc/passwd), which is common in Local File Inclusion attacks.
  • Reason for Trigger: The keyword "passwd" in the URL triggered the rule, signaling an LFI attempt.
  • Issue Identified: The request was allowed, which raises concerns about firewall rule configuration.

Traffic Details:

  • Source IP (106.55.45.162): An external IP from the internet.
  • Destination IP (172.16.17.13): An internal server (Windows Server 2019) owned by webadmin11.

Step 2: Data Collection

  • Ownership of IPs and Devices: The source IP (106.55.45.162) is from an external network, and no correlation was found with company endpoints. The destination IP (172.16.17.13) is the internal server WebServer1006, owned by webadmin11 — Obtained from EndPoint Security tab .
  • Reputation of Source IP: After researching in threat intelligence platforms (VirusTotal, AbuseIPDB, Cisco Talos), I found that the IP had no direct malicious hits, but it was flagged by the community in AbuseIPDB for suspicious activity.

Log Management Findings: When searching for the source IP, I found the following details: Source Port: 49028 Destination Port: 443 (HTTPS) Time: Mar, 01, 2022, 10:10 AM HTTP Response Size: 0 (indicating no data returned) HTTP Response Status: 500 (Internal Server Error, indicating the server did not process the request successfully)

Step 3: Examine HTTP Traffic

  • The HTTP traffic was reviewed for any malicious payloads.
  • Requested URL: Clearly attempting to access /etc/passwd using directory traversal.
  • Conclusion: The URL contains a legitimate LFI attack attempt targeting sensitive files on the server.

Step 4: Is the Traffic Malicious?

  • Yes, this traffic is deemed malicious as it attempted to exploit the LFI vulnerability.

Step 5: Attack Type Identification

  • The attack is classified as Local File Inclusion (LFI), as it involves attempting to include local files (such as /etc/passwd) via a web application.

Step 6: Check if It Is a Planned Test

  • I checked for any indications that this might be part of a penetration test or attack simulation in email security, but found no such evidence.
  • No email notifications or documentation pointed to this being a planned event.

Step 7: Direction of Traffic The traffic direction was Internet → Internal Network, with the source IP being external and targeting the company's internal web server.

Step 8: Was the Attack Successful?

  • No, the attack was not successful.
  • The HTTP response status was 500, indicating an internal server error, and the response size was 0 bytes, confirming that no sensitive data was leaked.

Step 9: Do You Need Tier 2 Escalation?

  • No escalation to Tier 2 was necessary since the attack was unsuccessful, and the internal network remained uncompromised. However, the fact that the firewall permitted the traffic still requires attention.

Step 10: Add Artifacts?

  • Artifact 1: 106.55.45.162 (Source IP) No direct malicious hits on VirusTotal or Cisco Talos, but flagged by the community on AbuseIPDB for suspicious activity.
  • Artifact 2: https://172.16.17.13/?file=../../../../etc/passwd (Requested URL) An LFI attempt, attempting to access the /etc/passwd file via directory traversal.

Analyst Note:

  • The attack failed, but the firewall's allowance of such traffic is a potential security concern. The firewall rules should be reviewed and updated to block directory traversal and LFI attempts at the perimeter.

Final Action:

Close the case and mark it as true positive

Final Thoughts:

While the LFI attack attempt was thwarted by the server, the firewall allowing such traffic in the first place is a vulnerability that needs to be addressed. Tightening the firewall rules, along with enforcing proper input validation on the web application, will significantly reduce the risk of future LFI attempts succeeding.