Score: 100%
Playbook Success Rate: 83%
Investigation Time
SOC Alert Details
SEVERITY | DATE | RULE NAME | EVENTID | TYPE
---|---|---|---|---
High | Mar, 01, 2022, 10:10 AM | SOC170 - Passwd Found in Requested URL - Possible LFI Attack | 120 | Web Attack
EventID : 120
Event Time : Mar, 01, 2022, 10:10 AM
Rule : SOC170 - Passwd Found in Requested URL - Possible LFI Attack
Level : Security Analyst
Hostname : WebServer1006
Destination IP Address : 172.16.17.13
Source IP Address : 106.55.45.162
HTTP Request Method : GET
Requested URL : https://172.16.17.13/?file=../../../../etc/passwd
User-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Alert Trigger Reason : URL Contains passwd
Device Action : Allowed
Playbook Answers
Question: Do You Need Tier 2 Escalation?
User answer: No
Question: Was the Attack Successful?
User answer: No
Question: What Is the Direction of Traffic?
User answer: Internet → Company Network
Question: Check If It Is a Planned Test
User answer: Not Planned
Question: What Is The Attack Type?
User answer: Other
Correct Answer: LFI & RFI
Question: Is Traffic Malicious?
User answer: Malicious
Playbook Note
On March 1, 2022, at 10:10 AM, our SIEM detected an attempted Local File Inclusion (LFI) attack (EventID: 120), triggered under rule SOC170. The request originated from IP 106.55.45.162, linked to Tencent Cloud in Guangzhou, China, and targeted "WebServer1006" (172.16.17.13) via a GET request whose file parameter carried the traversal payload ../../../../etc/passwd. The device action was "Allowed", so the request reached the web server, but the attempt resulted in an HTTP 500 error response and did not successfully access sensitive files. Given that the attack was unsuccessful, there is no immediate need for containment or escalation to Tier 2 SOC at this time. Continued monitoring is recommended.
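As an added illustration that is not part of the original alert or playbook, the check below reproduces the triage reasoning in this note: decode each query parameter, resolve the traversal the way a lenient server would (so ../../../../etc/passwd becomes /etc/passwd), and treat a 2xx response to a sensitive-file request as a likely successful include, while the 500 recorded for this alert counts as a failed attempt. The log tuples are constructed sample data; the HTTP status is assumed to be available from the web server log, as it is not one of the alert fields.

```python
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlparse

# Files an LFI payload typically targets; /etc/passwd is the one named in the alert.
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow", "/proc/self/environ"}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding so %252e%252e%2f is seen as ../ ."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(url: str, status: int) -> dict:
    """Flag path traversal / LFI in any query parameter and judge its outcome.

    Resolution mimics a lenient server: the value is joined to '/', '..' is
    collapsed by normpath, and a NUL byte truncates the string.
    """
    targets = []
    for _name, values in parse_qs(urlparse(url).query, keep_blank_values=True).items():
        for raw in values:
            decoded = fully_decode(raw).split("\x00", 1)[0].replace("\\", "/")
            resolved = normpath("/" + decoded)
            if "../" in decoded or resolved in SENSITIVE_FILES:
                targets.append(resolved)
    hit = any(t in SENSITIVE_FILES for t in targets)
    return {
        "lfi_suspected": bool(targets),
        "targets": targets,
        # 2xx to a sensitive-file request: include likely worked.
        # The 500 in this alert means the server errored instead.
        "likely_successful": hit and 200 <= status < 300,
    }


# Constructed sample log lines (source IP, URL, status); the first mirrors this alert.
SAMPLE_LOG = [
    ("106.55.45.162", "https://172.16.17.13/?file=../../../../etc/passwd", 500),
    ("106.55.45.162", "https://172.16.17.13/?file=..%252f..%252f..%252fetc%252fpasswd", 200),
    ("10.0.0.5", "https://172.16.17.13/?file=reports/2022-03.pdf", 200),
]


def triage(log):
    """Return (source IP, analysis) for every request in the log."""
    return [(ip, analyze_request(url, status)) for ip, url, status in log]
```

Only requests where a sensitive file resolves and the server answered 2xx are marked likely successful; everything else with traversal is still a true positive that belongs in the alert queue.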
Extracted Artifacts
Value | Comment | Type
---|---|---
https://172.16.17.13/?file=../../../../etc/passwd | Requested URL | E-mail Domain
Guangdong, China | City, Country | E-mail Domain
106.55.45.162 | Malicious IP | IP Address
172.16.17.13 | Victim IP | IP Address
Alert Answers
Question: Is this alert True Positive or False Positive?
User answer: