“SOC170 — Passwd Found in Requested URL — Possible LFI Attack” investigation
Hello, today I will write about my investigation of the “SOC170 — Passwd Found in Requested URL — Possible LFI Attack” alarm from letsdefend.io.
The alert appears in our investigation channel. From there we proceed to build the case.
Let’s start the playbook.
From the alert details we may conclude that the attacker is attempting to request the passwd file. The passwd file lists each user’s UID and home directory, which can be helpful to an attacker during reconnaissance.
The first thing I did was check the logs in Log Management. We can see below that there was indeed a web attack on WebServer1006, and we can also conclude that the attack failed: the server encountered a problem that prevented it from fulfilling the request, as indicated by the HTTP 500 response code (Internal Server Error).
I then used the Endpoint Security tab to examine the server directly and learned that it runs Windows Server 2019. The absence of a “passwd” file on the server may be the cause of the attack’s failure.
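As an added example (not part of the original writeup or of LetsDefend’s tooling), here is the same triage reasoning in Python: parse access-log lines, decode the URL repeatedly so encoded traversal is not missed, flag requests for passwd-style files, and combine the HTTP status with the host OS to judge whether the attempt could have worked. The log lines, IP addresses and sensitive-file list are constructed for illustration, not taken from the case.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); illustrative only,
# not the logs from the LetsDefend case. 203.0.113.x is a documentation range.
SAMPLE_LOGS = [
    '203.0.113.7 - - [01/Mar/2022:10:10:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 500 512',
    '203.0.113.7 - - [01/Mar/2022:10:10:02 +0000] "GET /index.php?page=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 500 512',
    '10.0.0.5 - - [01/Mar/2022:10:11:00 +0000] "GET /about.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Mar/2022:10:12:00 +0000] "GET /index.php?page=../../windows/win.ini HTTP/1.1" 200 92',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Files whose appearance in a URL is a strong LFI indicator, keyed by the OS that has them.
SENSITIVE_FILES = {"linux": ("/etc/passwd", "/etc/shadow"), "windows": ("win.ini", "boot.ini")}

def fully_decode(path):
    """Undo URL encoding until stable so double-encoded traversal (%252e%252e/) is caught."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.lower()

def lfi_indicators(path):
    """Return the indicators found in a request path: traversal and/or a sensitive file name."""
    p = fully_decode(path)
    hits = []
    if "../" in p or "..\\" in p:
        hits.append("traversal")
    for os_name, files in SENSITIVE_FILES.items():
        if any(f in p for f in files):
            hits.append(f"{os_name}-file")
    return hits

def triage(line, host_os):
    """Parse one log line; return a finding dict for LFI attempts, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = lfi_indicators(m["path"])
    if not hits:
        return None
    status = int(m["status"])
    # 4xx/5xx means the server did not serve the file; 2xx needs a look at the response size.
    outcome = f"failed (HTTP {status})" if status >= 400 else f"possible success (HTTP {status}) - inspect response size {m['size']}"
    target_os = [h.split("-")[0] for h in hits if h.endswith("-file")]
    if target_os and host_os not in target_os:
        outcome += f"; requested {target_os[0]} file on a {host_os} host"
    return {"src": m["ip"], "path": m["path"], "indicators": hits, "outcome": outcome}

def run(lines=SAMPLE_LOGS, host_os="windows"):
    return [r for r in (triage(l, host_os) for l in lines) if r]
```

The first finding reproduces the page’s reasoning: a Linux passwd request answered with HTTP 500 on a Windows Server host is an attempt that did not succeed.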
We now proceed to check the reputation of the source IP address:
To sum up our investigation: we were able to confirm that this is a true positive alert and that the attack originates from an external, malicious attacker who is attempting to obtain the passwd file.
Summary: