A few days ago, while checking logs from a public web server, I noticed something odd. The server had quietly reached out to an external domain that didn't look normal. No alerts popped up. No obvious signs of attack. Just a small, silent request that didn't belong.

That tiny clue led me to a much bigger discovery.

As I explored the logs further, I found that the server was being probed with several different techniques to see what could be reached. The requests carried SSRF, SQL injection, remote code execution (RCE), and directory traversal payloads. It wasn't just random scanning. It was a planned effort to find weak spots and see what could be exploited.

In this blog, I'll share what I found, how the attack unfolded, and what defenders can learn from it. Whether you work in a SOC, build detection rules, or just want to understand how real-world attacks happen, this post breaks it down in a clear and practical way.

How one clue led to uncovering a multi-vector attack

Reconnaissance in Progress: What I Found in the Inbound Traffic Stream:

During a routine threat hunting exercise, I detected a surge of suspicious inbound traffic targeting one of our public-facing web servers. The requests originated from a single remote IP address and were directed at multiple endpoints in rapid succession. Initially, it looked like routine scanner noise, but the volume, timing, and payload structure pointed to something far more deliberate.

Upon closer inspection, it became evident that the attacker was conducting a coordinated reconnaissance campaign. The traffic included a variety of probing techniques such as SQL injection attempts, remote code execution (RCE) payloads, and directory traversal exploits. Each request was crafted to test for a specific vulnerability class, and the entire sequence unfolded within a narrow time window: strong indicators of an automated scanning tool or script in action.

This anomalous activity triggered immediate escalation and deeper forensic analysis. The goal was to determine the scope of the reconnaissance, assess potential exposure, and strengthen our security measures before any exploitation could occur.

Attack Techniques Identified:

As the investigation progressed, it became clear that the inbound traffic wasn't random; it was a calculated attempt to uncover weaknesses in our infrastructure. The attacker employed a range of techniques commonly seen in reconnaissance and exploitation campaigns:

  • SQL Injection Attempts:

Crafted queries were sent to endpoints likely to interact with databases, aiming to manipulate SQL logic and extract sensitive data. These payloads included classic patterns like `' OR 1=1 --` as well as blind injection tests, which rely on differences in response content or response time rather than on data returned in the page.

  • Remote Code Execution (RCE):

Requests contained suspicious parameters and headers designed to execute arbitrary commands on the server. These often targeted endpoints with known vulnerabilities in outdated plugins or misconfigured services.

  • Directory Traversal:

The attacker attempted to access restricted files by injecting path traversal sequences such as `../../etc/passwd`, frequently in URL-encoded form (`..%2f..%2f`) to slip past naive filters. This technique is used to bypass access controls and read sensitive files from the server.

  • Server-Side Request Forgery (SSRF):

SSRF works differently from the other techniques. The inbound request is crafted so that the server itself issues an outbound request to a destination the attacker chooses, often an internal address or an attacker-controlled callback host. The probe that hits the server looks like ordinary inbound traffic; the evidence lies in the outbound connection the server makes afterward. That server-initiated traffic is typically unauthorized and can expose internal resources or leak data.

  • Automated Scanning Behavior:

The speed and precision of the requests indicated the use of automated tools — likely reconnaissance frameworks or custom scripts. The attacker cycled through payloads methodically, suggesting prior knowledge of common vulnerabilities.

Each technique was aimed at probing for specific weaknesses, and their combination painted a clear picture of a well-orchestrated reconnaissance effort. This phase was not about breaching the system — it was about mapping it.

Coordinated Reconnaissance: Behavioral Analysis

The traffic wasn't random; it showed signs of a planned and automated reconnaissance campaign. The attacker moved quickly across multiple endpoints, using different techniques like SQL injection, RCE, SSRF, and directory traversal to test for weaknesses.

Key patterns included:

  • Fast, repeated requests, pointing to automation.
  • Switching payloads to cover a range of vulnerability classes.
  • External callback domains (e.g., oast.pro, oast.live) used as out-of-band confirmation: a DNS lookup or HTTP request from the server to one of these names proves the SSRF payload executed.
  • A known malicious IP, previously associated with scanning activity detected just days earlier, indicating ongoing reconnaissance.

Taken together, this behavior suggests the attacker was mapping the system for future exploitation, not just probing blindly.
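The patterns listed above, together with the outbound callback from the opening of the post, can be checked mechanically. What follows is an added example written for this post, not code from the original investigation: it classifies constructed access-log lines by technique (the categories from the Attack Techniques section), profiles each source IP for automation and technique diversity, and correlates an SSRF probe with the server's own DNS lookup of the callback name. The log lines, the IP addresses, the hostname abc123.oast.pro, the callback domains beyond oast.pro and oast.live, the thresholds, and the log formats are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access log (combined-log style), not real traffic: the IPs are
# documentation addresses and abc123.oast.pro is a made-up out-of-band callback name.
ACCESS_LOG = """\
203.0.113.45 - - [12/Jun/2025:10:14:01 +0000] "GET /search?q=%27%20OR%201%3D1%20-- HTTP/1.1" 200 512
203.0.113.45 - - [12/Jun/2025:10:14:01 +0000] "GET /search?q=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512
203.0.113.45 - - [12/Jun/2025:10:14:02 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 404 210
203.0.113.45 - - [12/Jun/2025:10:14:02 +0000] "GET /download?file=..%2f..%2fetc%2fpasswd HTTP/1.1" 404 210
203.0.113.45 - - [12/Jun/2025:10:14:03 +0000] "GET /fetch?url=http://abc123.oast.pro/ HTTP/1.1" 200 88
203.0.113.45 - - [12/Jun/2025:10:14:03 +0000] "GET /cgi-bin/status?cmd=;id HTTP/1.1" 500 0
198.51.100.7 - - [12/Jun/2025:10:20:15 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Constructed outbound DNS log from the same web server: the "tiny clue" is the
# server itself resolving the attacker-chosen name right after the SSRF probe.
OUTBOUND_DNS_LOG = """\
2025-06-12T10:14:03+0000 web01 abc123.oast.pro
2025-06-12T10:15:30+0000 web01 updates.example.net
"""

# Assumed callback-domain list: the two seen in the hunt plus other well-known
# out-of-band testing services. Extend it for your environment.
CALLBACK_DOMAINS = ("oast.pro", "oast.live", "oast.fun", "oast.me", "interact.sh", "burpcollaborator.net")

# Signatures run against the URL-decoded request target. Deliberately narrow;
# tune them on your own traffic before alerting on them.
SIGNATURES = {
    "sqli": re.compile(r"'\s*or\s+1\s*=\s*1|union\s+select|sleep\(\d+\)|'\s*(--|#)", re.I),
    "traversal": re.compile(r"(\.\./|\.\.\\){2,}|/etc/passwd", re.I),
    "rce": re.compile(r"=[^&]*(;|\||`|\$\()\s*(id|whoami|cat|wget|curl|sh|bash)\b", re.I),
    "ssrf_callback": re.compile(
        r"https?://(?:[^/\s&]*\.)?(" + "|".join(re.escape(d) for d in CALLBACK_DOMAINS) + r")(?=[/:?]|$)", re.I),
}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+')
HOST_RE = re.compile(r"https?://([^/\s&:?]+)", re.I)


def classify_request(target: str) -> list[str]:
    """Technique categories matching the target, decoded twice to catch %252e-style double encoding."""
    decoded = unquote(unquote(target))
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def parse_access_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # lines in an unexpected format are skipped, not guessed at
            events.append({"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                           "target": unquote(m["target"]), "status": int(m["status"]),
                           "techniques": classify_request(m["target"])})
    return events


def profile_sources(events: list[dict], window_s: int = 10, min_requests: int = 5) -> dict:
    """Per source IP: volume, time span, rate and technique diversity.
    'automated' = min_requests or more inside window_s; 'multi_vector' = three or more techniques."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    profiles = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        techniques = sorted({t for e in evs for t in e["techniques"]})
        profiles[ip] = {"requests": len(evs), "span_s": span, "rate_per_s": len(evs) / max(span, 1.0),
                        "techniques": techniques, "automated": len(evs) >= min_requests and span <= window_s,
                        "multi_vector": len(techniques) >= 3}
    return profiles


def parse_dns_log(text: str) -> list[tuple[datetime, str]]:
    rows = []
    for line in text.splitlines():
        ts, _host, name = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z"), name.lower()))
    return rows


def correlate_callbacks(events: list[dict], dns_queries, max_delay_s: int = 60) -> list[dict]:
    """Confirm SSRF: an inbound request naming a callback host, followed within
    max_delay_s by the server itself resolving that exact host."""
    confirmed = []
    for ev in events:
        m = HOST_RE.search(ev["target"]) if "ssrf_callback" in ev["techniques"] else None
        if not m:
            continue
        host = m.group(1).lower()
        for dns_ts, name in dns_queries:
            delay = (dns_ts - ev["ts"]).total_seconds()
            if name == host and 0 <= delay <= max_delay_s:
                confirmed.append({"ip": ev["ip"], "host": host, "delay_s": delay})
    return confirmed


if __name__ == "__main__":
    evs = parse_access_log(ACCESS_LOG)
    for ip, profile in profile_sources(evs).items():
        print(ip, profile)
    print("confirmed SSRF:", correlate_callbacks(evs, parse_dns_log(OUTBOUND_DNS_LOG)))
```

On the constructed input the scanning IP is flagged as automated (six requests in two seconds) and multi-vector (four technique categories), and the single DNS query for abc123.oast.pro lands zero seconds after the matching inbound request, which is the correlation that turns "the server reached out to an odd domain" into a confirmed SSRF finding. In a real pipeline the per-request signatures are the noisy part and the per-source profile plus the outbound correlation is what is worth alerting on.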

SOC Hypothesis and Forensic Insights:

In defensive security operations, our first responsibility is to form hypotheses based on observed behavior, not to jump to conclusions. This approach allows us to investigate with precision, validate assumptions, and avoid misinterpretation of complex threat patterns.

Our initial analysis suggests the attacker was testing for SSRF by sending crafted URLs aimed at server misconfigurations. The default IIS page in the responses hints at a service exposed in its default configuration, and the source IP previously linked to scanning activity points to a broader automated campaign. These findings help guide containment and further investigation.

Mitigation & Recommendations:

  • Patch all exposed vulnerabilities and misconfigurations.
  • Apply strict input validation across endpoints.
  • Use a URL allowlist (whitelist) for any server-side fetch, and block outbound requests to internal address ranges, to prevent SSRF.
  • Harden server settings and remove default pages.
  • Limit file access and sanitize path inputs to block traversal.
  • Monitor for automation patterns and rate-limit suspicious traffic.
  • Block known malicious IPs and callback domains.
  • Share incident artifacts to support closure and future defense.
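The SSRF and traversal items above are the two recommendations that come down to code rather than configuration. The example below is added for this post and is not code from the original server or investigation: it places the vulnerable shape beside a hardened check for each. The allowed hosts, the served directory `/srv/app/public`, and the injectable resolver are assumptions made so the check runs offline; for SSRF the vulnerable shape is simply handing the user-supplied URL to the HTTP client unchanged, so only the hardened check is shown.

```python
import ipaddress
import socket
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlparse

# Assumed policy for this example (not from the original post): the only outbound
# destinations the application legitimately needs, and the one directory it may serve.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
FILES_ROOT = Path("/srv/app/public")


# --- Vulnerable shape: what the scanner's traversal payloads look for --------------

def vulnerable_file_path(user_path: str, root: Path = FILES_ROOT) -> Path:
    """Join without a containment check: '../../etc/passwd' walks straight out of root."""
    return root / unquote(user_path)


# --- Hardened versions --------------------------------------------------------------

def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast (rejects 127/8, 10/8, 169.254/16, ::1, ...)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def check_outbound_url(url: str, resolver=socket.gethostbyname) -> tuple[bool, str]:
    """Allowlist scheme and host, then verify the name resolves to a public address.
    `resolver` is injectable so the check can be exercised without network access.
    Returns (allowed, reason)."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:  # user@host tricks that confuse naive host parsing
        return False, "credentials in URL not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    try:
        ip = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not is_public_address(ip):
        return False, f"{host} resolves to non-public address {ip}"
    return True, f"{host} -> {ip}"


def safe_file_path(user_path: str, root: Path = FILES_ROOT) -> Optional[Path]:
    """Decode, join, normalise, then require the result to stay inside root.
    Returns the resolved path, or None when the input escapes root (covers absolute
    paths and encoded '..%2f' sequences as well as plain '../')."""
    root = root.resolve()
    candidate = (root / unquote(user_path)).resolve()
    if candidate != root and root not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    fake_dns = lambda host: "93.184.216.34"  # stand-in resolver so the demo runs offline
    print(check_outbound_url("https://api.example.com/v1/data", resolver=fake_dns))
    print(check_outbound_url("http://abc123.oast.pro/", resolver=fake_dns))
    print(safe_file_path("reports/q1.pdf"), safe_file_path("..%2f..%2fetc%2fpasswd"))
```

Two caveats a practitioner should keep in mind. First, `check_outbound_url` resolves the name once and the HTTP client will resolve it again; an attacker who controls the DNS record can flip it between the two (DNS rebinding), so connect to the IP that was vetted and disable automatic redirect following. Second, `safe_file_path` relies on `resolve()` following symlinks, which is what you want: a symlink inside the served directory that points outside it is rejected too.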

Conclusion: Lessons Learned

This incident highlighted how modern reconnaissance isn't just noisy scanning; it's calculated, multi-vector probing. From SQL injection to SSRF, each technique was part of a broader strategy to uncover weaknesses. Early detection, hypothesis-driven analysis, and swift mitigation proved essential. The lesson is clear: staying ahead means thinking like an attacker, responding like a strategist, and defending like a team.