4ensiX

I noticed that for the alert I called an FP, I had selected FP, but the display showed TP.

LetsDefend level 1 alert SOC165 - Possible SQL Injection Payload Detected event-id 115

Details

EventID : 115
Event Time : Feb, 25, 2022, 11:34 AM
Rule : SOC165 - Possible SQL Injection Payload Detected
Level : Security Analyst
Hostname : WebServer1001
Destination IP Address : 172.16.17.18
Source IP Address : 167.99.169.17
HTTP Request Method : GET
Requested URL : https[:]//172.16.17.18/search/?q=%22%20OR%201%20%3D%201%20--%20-
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
Alert Trigger Reason : Requested URL Contains OR 1 = 1
Device Action : Allowed

Playbook

Is Traffic Malicious?

Answer:Malicious

What Is The Attack Type?

https[:]//172.16.17.18/search/?q=%22%20OR%201%20%3D%201%20--%20-
Requested URL Contains OR 1 = 1

Answer:SQL Injection

Check If It Is a Planned Test

No email indicating that a test would be carried out was found.
Answer:Not Planned

What Is the Direction of Traffic?

167.99.169.17(Internet)  ->  172.16.17.18(Company Network)

Answer:Internet -> Company Network

Was the Attack Successful?

  • Log Management
Request URL: https[:]//172.16.17.18/search/?q=%22%20OR%201%20%3D%201%20--%20-
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
Request Method: GET
Device Action: Permitted
HTTP Response Size: 948
HTTP Response Status: 500

Answer:No
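The triage steps above (decode the requested URL, spot the tautology payload, classify the direction from the IP addresses, and judge success from the device action and HTTP status) can be scripted so the same checks run over every alert of this rule. The following is an added example written for this post, not code from LetsDefend or the original author; the alert dictionary is constructed from the values shown in the event details, and the SQL injection pattern list is an assumed, minimal set of detection regexes rather than any product's rule.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Constructed alert record using the values from the SOC165 event-id 115 details above.
ALERT = {
    "event_id": 115,
    "src_ip": "167.99.169.17",
    "dst_ip": "172.16.17.18",
    "method": "GET",
    "url": "https://172.16.17.18/search/?q=%22%20OR%201%20%3D%201%20--%20-",
    "device_action": "Allowed",
    "response_status": 500,
    "response_size": 948,
}

# Assumed detection patterns for common SQL injection probes:
# quote-tautology ("  OR 1 = 1), trailing comment terminator, stacked DML, UNION SELECT.
SQLI_PATTERNS = [
    re.compile(r"""['"]\s*or\s+['"\w]+\s*=\s*['"\w]+""", re.IGNORECASE),
    re.compile(r"--\s*-?$"),
    re.compile(r";\s*(drop|insert|update|delete)\b", re.IGNORECASE),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE),
]


def decode_params(url):
    """Return the query parameters of a URL with percent-encoding removed."""
    return parse_qs(urlsplit(url).query)


def find_sqli(params):
    """List (parameter, decoded value, pattern) for every value matching a SQLi pattern."""
    hits = []
    for name, values in params.items():
        for value in values:
            for pattern in SQLI_PATTERNS:
                if pattern.search(value):
                    hits.append((name, value, pattern.pattern))
    return hits


def direction(src_ip, dst_ip):
    """Label each side as Internet or Company Network from RFC 1918 membership."""
    labels = []
    for ip in (src_ip, dst_ip):
        labels.append("Company Network" if ipaddress.ip_address(ip).is_private else "Internet")
    return f"{labels[0]} -> {labels[1]}"


def triage(alert):
    """Apply the playbook questions to one alert and return the answers."""
    hits = find_sqli(decode_params(alert["url"]))
    allowed = alert["device_action"].lower() in ("allowed", "permitted")
    # A 2xx reply to an allowed injection attempt is the signal that data came back;
    # a 5xx means the application errored instead of answering the injected query.
    successful = allowed and 200 <= alert["response_status"] < 300
    return {
        "malicious": bool(hits),
        "attack_type": "SQL Injection" if hits else None,
        "direction": direction(alert["src_ip"], alert["dst_ip"]),
        "blocked": not allowed,
        "successful": successful,
        "escalate": successful,
        "evidence": hits,
    }


if __name__ == "__main__":
    for key, value in triage(ALERT).items():
        print(f"{key}: {value}")
```

Running it on the event above reports the decoded payload `" OR 1 = 1 -- -`, an Internet to Company Network direction, and no successful access because the server answered with a 500, which matches the answers recorded in the playbook. The same function would flag a 200 response to an allowed payload as successful and mark it for Tier 2 escalation.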

Add Artifacts

Value          Type        Comment
167.99.169.17  IP Address  source ip - known as a malicious IP *1
172.16.17.18   IP Address  dest ip


*1 167.99.169.17

Do You Need Tier 2 Escalation?

The access does not appear to have been successful.
Answer:No

End