LetsDefend level 1 alert SOC165 - Possible SQL Injection Payload Detected event-id 115
Details
EventID : 115
Event Time : Feb, 25, 2022, 11:34 AM
Rule : SOC165 - Possible SQL Injection Payload Detected
Level : Security Analyst
Hostname : WebServer1001
Destination IP Address : 172.16.17.18
Source IP Address : 167.99.169.17
HTTP Request Method : GET
Requested URL : https[:]//172.16.17.18/search/?q=%22%20OR%201%20%3D%201%20--%20-
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
Alert Trigger Reason : Requested URL Contains OR 1 = 1
Device Action : Allowed
Playbook
Is Traffic Malicious?
Answer: Malicious
What Is The Attack Type?
https[:]//172.16.17.18/search/?q=%22%20OR%201%20%3D%201%20--%20- Requested URL Contains OR 1 = 1
Answer: SQL Injection
Check If It Is a Planned Test
No e-mail announcing a planned test was found.
Answer: Not Planned
What Is the Direction of Traffic?
167.99.169.17(Internet) -> 172.16.17.18(Company Network)
Answer: Internet -> Company Network
Was the Attack Successful?
- Log Management
  - Request URL: https[:]//172.16.17.18/search/?q=%22%20OR%201%20%3D%201%20--%20-
  - User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
  - Request Method: GET
  - Device Action: Permitted
  - HTTP Response Size: 948
  - HTTP Response Status: 500
Answer: No
Add Artifacts
Value | Type | Comment
---|---|---
167.99.169.17 | IP Address | source IP - known as a malicious IP *1
172.16.17.18 | IP Address | destination IP
*1 167.99.169.17
- https://www.virustotal.com/gui/url/3d4d8df22a4a3f78099fdcf3ab0cdc3359989c50928b3ab1f6718940bf54d56f/detection
- https://www.abuseipdb.com/check/167.99.169.17
- https://ip-sc.net/ja/r/167.99.169.17
Do You Need Tier 2 Escalation?
The access does not appear to have succeeded.
Answer: No