SOC165 EventID115 — Possible SQL Injection Payload Detected — letsdefend.io

Enes Adışen, published in System Weakness, Jul 19, 2023 (4 min read)

This is a walkthrough of the “Possible SQL Injection Payload Detected” alert in letsdefend.io. You can see the provided report below.

EventID                : 115
Event Time             : Feb 25, 2022, 11:34 AM
Rule                   : SOC165 - Possible SQL Injection Payload Detected
Level                  : Security Analyst
Hostname               : WebServer1001
Destination IP Address : 172.16.17.18
Source IP Address      : 167.99.169.17
HTTP Request Method    : GET
Requested URL          : https://172.16.17.18/search/?q=%22%20OR%201%20%3D%201%20--%20-
User-Agent             : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
Alert Trigger Reason   : Requested URL Contains OR 1 = 1
Device Action          : Allowed

Based on the information provided by the alert, a suspicious URL was requested on a system named WebServer1001 with the IP address 172.16.17.18, from the source IP 167.99.169.17.

Check the Source IP Address

First of all, we can check the source IP address (167.99.169.17) at abuseipdb.com to see how many people have reported it and how likely it is to be malicious.

We see that the IP address has been reported 15,153 times for many kinds of malicious activity. Even before analyzing the request itself, we can see that this source does not have good intentions.

Decoding the URL

The alert report suggests that the requested URL might be used for a SQL injection attempt that is hidden by URL encoding.

URL encoding is the practice of translating unprintable characters or characters with special meaning within URLs to a representation that is unambiguous and universally accepted by web browsers and servers. -From tutorialspoint.com

Therefore, we should URL-decode the Requested URL to understand it. You don’t have to do it by hand, since there are many online tools for this purpose. I will go with https://meyerweb.com/eric/tools/dencoder/.

After decoding the suspicious URL with the tool, we learn that the decoded URL is https://172.16.17.18/search/?q=" OR 1 = 1 -- -. This confirms the alert’s trigger reason: the requested URL contains OR 1 = 1. The closing quote is meant to end the string literal in the query, OR 1 = 1 is a condition that is always true, and -- comments out whatever follows, which is the classic shape of an authentication-bypass or data-dump payload.

Check Log Management

After that, we should go to Log Management and look for the source IP address.

As you can see, the IP address made five requests. If you click the Raw Log button, you will see that only one of them was answered with an HTTP 200 success status code. The others returned 500, which means the server encountered an unexpected condition that prevented it from fulfilling the request.

So the only request we need to examine further is the successful one.
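To make the two manual steps above repeatable (decoding the encoded payload, then triaging the source IP’s requests by status code), here is an added Python example that is not part of the original walkthrough or of letsdefend.io. The alert URL is the one from the report; the log lines are constructed to mirror the five requests described (one 200, four 500), and the detection patterns are assumptions that cover the OR 1 = 1 tautology plus a couple of related SQL fragments.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Requested URL taken from the alert on this page.
ALERT_URL = "https://172.16.17.18/search/?q=%22%20OR%201%20%3D%201%20--%20-"

# Assumed detection patterns, applied to decoded query values: an OR tautology
# such as OR 1 = 1 (the alert's trigger reason), a quote followed by a SQL
# comment, and a UNION SELECT fragment.
SQLI_PATTERNS = [
    re.compile(r"\bOR\b\s*['\"]?\s*\w+\s*=\s*\w+", re.IGNORECASE),
    re.compile(r"['\"]\s*(--|#|/\*)"),
    re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.IGNORECASE),
]

def decode_url(url: str) -> str:
    """Percent-decode the whole URL, reproducing the manual decoding step."""
    return unquote(url)

def sqli_indicators(url: str) -> list[str]:
    """Return the decoded query values that match a SQL injection pattern."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return [v for vals in params.values() for v in vals
            if any(p.search(v) for p in SQLI_PATTERNS)]

# Constructed access-log lines (not from the page): five requests, one 200, four 500.
SAMPLE_LOG = """\
167.99.169.17 - - [25/Feb/2022:11:34:01 +0000] "GET / HTTP/1.1" 200 1724
167.99.169.17 - - [25/Feb/2022:11:34:05 +0000] "GET /search/?q=%22%20OR%201%20%3D%201%20--%20- HTTP/1.1" 500 0
167.99.169.17 - - [25/Feb/2022:11:34:07 +0000] "GET /search/?q=%27%20OR%201%3D1%20--%20- HTTP/1.1" 500 0
167.99.169.17 - - [25/Feb/2022:11:34:09 +0000] "GET /search/?q=1%27%20UNION%20SELECT HTTP/1.1" 500 0
167.99.169.17 - - [25/Feb/2022:11:34:12 +0000] "GET /search/?q=%22%20OR%201%20%3D%201%20--%20- HTTP/1.1" 500 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) (\d+)')

def triage(log_text: str, source_ip: str) -> list[dict]:
    """Parse the log, keep requests from source_ip, and record status and SQLi hits."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(1) == source_ip:
            path, status = m.group(3), int(m.group(4))
            rows.append({"path": decode_url(path), "status": status,
                         "sqli": bool(sqli_indicators(path))})
    return rows

def successful_requests(rows: list[dict]) -> list[dict]:
    """The page's triage rule: only 2xx responses need further investigation."""
    return [r for r in rows if 200 <= r["status"] < 300]
```

Running triage(SAMPLE_LOG, "167.99.169.17") flags the four injection attempts as 500s and leaves the single 200 (the plain request for /) as the only one worth following up, matching the walkthrough.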

Successful Request

The request “https://172.16.17.18/” does not include any SQL injection attempt in the URL, and the response size is not bigger than expected. However, we should still check Endpoint Security, since the source IP is not safe.

Endpoint Security

In Endpoint Security, we should check the terminal history to see whether a harmful command was executed.

terminal history

As you can see, the suspicious requests did not cause any malicious activity in the terminal history. So we can say that this request did not harm the system and the attack was not successful.

Playbook Answers

Q: Is Traffic Malicious?

Yes, the SQL injection attempt is obvious and the source IP is not trusted.

Q: What Is The Attack Type?

The attack type is SQL Injection.

Q: Is it a Planned Test?

When checking the source IP address at AbuseIPDB, we found no evidence that this could be a planned test. Also, there isn’t any related email warning the system admin.

Q: What Is the Direction of Traffic?

Internet -> Company Network

Q: Was the Attack Successful?

No, the attack was not successful.

Q: Do You Need Tier 2 Escalation?

No, because the attack wasn’t successful.
