Investigation - Web Attack

In this LetsDefend challenge, we received a notification that web attacks were detected on our network and required a deeper investigation. We were provided with the log file to identify the tactics, techniques and procedures (TTPs) utilized by the threat actor.

The attacker's user-agent string made it evident within the first 30 lines of the log that the attacker was using Nikto for web reconnaissance; by default Nikto announces itself with a user-agent of the form "Mozilla/5.00 (Nikto/2.x.x) (Evasions:None) (Test:...)". Luckily I was already familiar with the tool and recognized it in the log. For those who may not have heard of it, Nikto is a command-line web vulnerability scanner used to quickly fingerprint a web server and identify known vulnerabilities and misconfigurations. In this case the entire attack took less than 20 minutes. The attacker used the tool to probe every directory and known file it could, including favicon.ico (whose hash Nikto compares against a list of known server and application icons), to gather as much intelligence as possible and identify a potential vector for infiltration.

Following the initial phase of the scan, the attacker attempted to discover the server's directory listings via directory brute forcing. Nikto does this automatically by requesting a long list of well-known directory and file names and noting which ones the server answers with something other than a 404.

The third phase of the attack was indicated by a change in the user-agent. In other words, the log told me when the automated tool had completed its scan and control was back in the hands of the attacker. At this point the attacker began manually brute forcing different hidden files and directories to see how the server would respond. Eventually, as indicated by the response codes and sizes (a 200 with a body size that differed from the uniform error responses, rather than yet another 404), the attacker succeeded and found an area of the server that was readily accessible. There still had not been any attempt to inject code, establish persistence or alter the contents of the server; the attacker was still doing reconnaissance.

Eventually there was a flood of POST requests to the login.php page of the server. Every response was a 200, but all of them had the same response size of 4086 bytes, which tells me the attacker likely did not get anything useful out of what I assumed to be SQL injection attempts: a payload that actually altered the query would have changed the page that came back.

The fourth phase of the attack was command injection, in which the attacker injected commands such as "whoami" into the HTTP request. The injection succeeded, and the attacker followed up by establishing persistence on the server through the addition of a new user, "hacker".
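The four phases above (scanner user-agent, directory brute force and the hand-off to manual probing, the constant-size POST flood to login.php, and command injection in the request) can all be pulled out of a web server access log with a few lines of Python. The script below is an added example and is not part of the original writeup or of the LetsDefend challenge material. The log lines in it are constructed for illustration: the client address 10.0.0.5, the timestamps, the /uploads/cmd.php?cmd= injection point and the response sizes other than 4086 are assumptions, and the Nikto user-agent strings follow Nikto's default format rather than being copied from the challenge log.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample in combined log format. It is NOT the challenge's log: the
# address, timestamps, paths and sizes are made up to mirror the phases above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 4086 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"
10.0.0.5 - - [01/Mar/2022:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"
10.0.0.5 - - [01/Mar/2022:10:00:03 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
10.0.0.5 - - [01/Mar/2022:10:02:10 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"
10.0.0.5 - - [01/Mar/2022:10:02:11 +0000] "GET /uploads/ HTTP/1.1" 200 1211 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"
10.0.0.5 - - [01/Mar/2022:10:05:00 +0000] "POST /login.php HTTP/1.1" 200 4086 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"
10.0.0.5 - - [01/Mar/2022:10:05:01 +0000] "POST /login.php HTTP/1.1" 200 4086 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"
10.0.0.5 - - [01/Mar/2022:10:05:02 +0000] "POST /login.php HTTP/1.1" 200 4086 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"
10.0.0.5 - - [01/Mar/2022:10:09:30 +0000] "GET /uploads/cmd.php?cmd=whoami HTTP/1.1" 200 52 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"
10.0.0.5 - - [01/Mar/2022:10:09:45 +0000] "GET /uploads/cmd.php?cmd=useradd%20hacker HTTP/1.1" 200 12 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
SCANNER_MARKERS = ("nikto", "sqlmap", "dirbuster", "gobuster", "nmap", "masscan")
# Shell words behind a separator, or shell metacharacters, inside the decoded request.
# Deliberately small; a production rule set needs tuning against the site's real URLs.
CMD_RE = re.compile(r"[;|`=\s](whoami|uname|useradd|adduser|passwd)\b|[;|`]|\$\(", re.I)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["size"] = 0 if e["size"] == "-" else int(e["size"])
            entries.append(e)
    return entries


def is_scanner(ua):
    return any(k in ua.lower() for k in SCANNER_MARKERS)


def scanner_user_agents(entries):
    """Phase 1: user-agents that advertise a known scanner, with their request counts."""
    return dict(Counter(e["ua"] for e in entries if is_scanner(e["ua"])))


def scanner_handoffs(entries):
    """Phase 3 marker: the first request from an IP after its scanner traffic stops."""
    last, handoffs = {}, []
    for i, e in enumerate(entries):
        now = is_scanner(e["ua"])
        if last.get(e["ip"]) is True and not now:
            handoffs.append((i, e["ip"], e["ts"], e["ua"]))
        last[e["ip"]] = now
    return handoffs


def directory_bruteforce(entries, min_misses=2):
    """Phases 2-3: per IP, how many probes drew a 404 and which paths answered 2xx."""
    misses, hits = Counter(), defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            misses[e["ip"]] += 1
        elif 200 <= e["status"] < 300 and e["path"] not in hits[e["ip"]]:
            hits[e["ip"]].append(e["path"])
    return {ip: {"misses": n, "hits": hits[ip]} for ip, n in misses.items() if n >= min_misses}


def login_floods(entries, path="/login.php", min_posts=3):
    """POST floods: per IP, count of POSTs to `path` and whether every reply had one size.
    A constant size across every attempt is the tell that no payload changed the page."""
    sizes = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].split("?")[0] == path:
            sizes[e["ip"]].append(e["size"])
    return {ip: {"posts": len(s), "constant_size": len(set(s)) == 1, "size": s[0]}
            for ip, s in sizes.items() if len(s) >= min_posts}


def command_injection(entries):
    """Phase 4: requests whose URL-decoded path/query carries shell commands or metacharacters."""
    found = []
    for e in entries:
        decoded = unquote_plus(e["path"])
        if CMD_RE.search(decoded):
            found.append((e["ip"], decoded, e["status"]))
    return found


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("scanner UAs:", scanner_user_agents(log))
    print("tool -> manual handoff:", scanner_handoffs(log))
    print("brute force:", directory_bruteforce(log))
    print("login floods:", login_floods(log))
    print("command injection:", command_injection(log))
```

Each function answers one of the questions asked during the investigation: which user-agents belong to a tool, at which line the tool stopped and a browser-like user-agent took over, which probes hit something that was not a 404, whether the POSTs to login.php ever produced a different page, and which requests carry shell commands once URL-encoding is undone (the useradd is only visible after decoding the %20).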