An alert was triggered when a suspicious web request attempted to access the /etc/passwd file. This type of request is commonly used in Local File Inclusion (LFI) attacks to try to reach sensitive system files.
<-----------The Alert Details----------->
EventID : 120
Event Time : Mar, 01, 2022, 10:10 AM
Rule : SOC170 - Passwd Found in Requested URL - Possible LFI Attack
Hostname : WebServer1006
Destination IP Address : 172.16.17.13
Source IP Address : 106.55.45.162
HTTP Request Method : GET
Requested URL : https://172.16.17.13/?file=../../../../etc/passwd
User-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Alert Trigger Reason : URL Contains passwd

By clicking on the alert, we are redirected to the investigation page. From there, we create a case, and once the case is created,

Next, we click the Continue button, which redirects us to Case Management to proceed with the investigation.
In Case Management, we start the playbook, which guides the investigation through predefined response steps.

Now, we proceed with the real investigation and start analyzing the alert in detail.

After starting the playbook, the first question is why the alert was triggered. The rule name and the requested URL both show an LFI payload (a directory traversal sequence ending in /etc/passwd), which confirms this as a real attack attempt rather than a false positive. Before determining whether the attack was successful, we will collect the relevant artifacts.

Here, we will create a table to clearly present all the artifacts and data collected during the investigation.
Evidence Collected:
Source IP Address: 106.55.45.162 (reported on AbuseIPDB 3,457 times with a 4% confidence of abuse; geolocation: China)
Destination IP Address: 172.16.17.13 (LetsDefend intranet)
Hostname: WebServer1006
Event Time: Mar 01, 2022, 10:10 AM
Attack Type: Local File Inclusion (LFI)
LFI Payload: ../../../../etc/passwd
Traffic Direction: External to Internal
Is Traffic Malicious?: Yes
Planned Test: No indication of planned testing
The next step is to verify whether the attack was successful or not.
After analyzing the logs, we determined that the attack was unsuccessful. The server responded with a 500 Internal Server Error and a 0-byte response, indicating that the attempted Local File Inclusion (LFI) did not return the contents of the requested file.
It can be assumed that the source IP may have been blocked, as there are no further logs from this IP following the attempt.
The log entry for the request (shown in the screenshot below) records the 500 status code and the 0-byte response.
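As an added illustration (not part of the original write-up or of the LetsDefend platform), the following Python script applies the same two checks from this investigation to constructed sample access-log lines: it flags requests whose URL carries a traversal sequence together with "passwd", then judges each hit by the response status and size, the way the playbook step above does. The simplified log format and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from the page's SIEM). Assumed format:
# client_ip method url status response_bytes
SAMPLE_LOG = """\
106.55.45.162 GET /?file=../../../../etc/passwd 500 0
106.55.45.162 GET /?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd 200 1893
10.0.0.5 GET /index.html 200 4321
10.0.0.7 GET /?file=report.pdf 200 88213
"""

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
# Matches "../" or "..\" after decoding, i.e. a directory traversal step.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = int(entry["bytes"])
    return entry


def is_passwd_lfi(url):
    """Mirror the SOC170 rule: traversal sequence plus 'passwd' in the requested URL.
    Decoding twice catches single- and double-URL-encoded payloads."""
    decoded = unquote(unquote(url)).lower()
    return "passwd" in decoded and TRAVERSAL_RE.search(decoded) is not None


def assess(entry):
    """Success check used in the playbook: a 2xx with a non-empty body needs review,
    anything else (e.g. the 500 / 0-byte response seen here) counts as unsuccessful."""
    if 200 <= entry["status"] < 300 and entry["bytes"] > 0:
        return "possible success: review response body"
    return "unsuccessful"


def triage(log_text):
    """Run detection and assessment over a log excerpt; returns one finding per hit."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_passwd_lfi(entry["url"]):
            findings.append({**entry, "verdict": assess(entry)})
    return findings
```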

Next, the playbook wants to know if this alert should be escalated to Tier 2.
Since the attack was unsuccessful, there's no need to escalate this alert to Tier 2.
Conclusion: This was an attempted Local File Inclusion (LFI) attack using ../../../../etc/passwd. The attack was unsuccessful, as the server returned a 500 Internal Server Error with a 0-byte response.