SOC166 - Javascript Code Detected in Requested URL

In this LetsDefend alert, the rule name suggests that we may be dealing with a Cross-Site Scripting (XSS) attack, since JavaScript was found in a requested URL.

I gathered basic information such as source IP and destination IP, and noted the requested URL as well as the resulting HTTP status code. I did not find a device belonging to the source IP within endpoint management, indicating that the attack had originated externally. A VirusTotal scan showed that the IP was malicious, and the Whois lookup tied it to a Chinese domain (chinaunicom[.]com), which belongs to a legitimate Chinese telecommunications organization. I supplemented these results with AbuseIPDB, which showed the IP associated with historical SSH brute-force attacks. *eyes widen*

After confirming that the traffic was both external and malicious, I identified the destination IP (victim machine) belonging to our very own WebServer1002. Examination of the browser, command, network and process history did not show evidence of foul play. From here, I wanted to analyze the web traffic logs to figure out what happened.

The attacker attempted 5 sequential URL payloads, the last of which was the URL described in our triggered alert. These kinds of payloads are not hard to identify: they contain abnormal strings such as "script", "prompt", and "alert." Interestingly enough, each request produced an HTTP response size of 0 and status code 302, indicating that the response was blocked and nothing was returned to the attacker. *wipes sweat from forehead*
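The log review above boils down to two checks per request: does the (URL-decoded) request contain the tell-tale strings, and did the server hand anything back? Below is an added example of that triage as a script, not part of the original writeup or of LetsDefend's tooling. It parses combined-format web server log lines, flags requests carrying common XSS indicators, and applies the writeup's own "302 with an empty body means blocked" interpretation so that each source IP can be summarised as fully blocked or not. The log lines, IP addresses, paths and timestamps are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log (Apache/nginx combined format). Addresses are documentation
# ranges, and the payloads are the trivial "script / alert / prompt" probes the
# writeup mentions; the second source IP is included to show an unblocked attempt.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2022:14:01:03 +0000] "GET /search?q=laptops HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2022:14:01:07 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2022:14:01:09 +0000] "GET /search?q=%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2022:14:01:12 +0000] "GET /login?next=javascript:alert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2022:14:02:00 +0000] "GET /products?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2022:14:02:05 +0000] "GET /search?q=%3Cscript%3Eprompt%281%29%3C%2Fscript%3E HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD URL PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Heuristic indicators; this is a triage filter, not a complete XSS detector, so
# expect some noise and tune the list against your own application's URL shapes.
XSS_INDICATORS = re.compile(
    r'(<\s*script|javascript\s*:|\balert\s*\(|\bprompt\s*\(|\bconfirm\s*\('
    r'|\bon(?:error|load|click|mouseover|focus)\s*=)',
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # Decode twice so that a double-encoded payload still surfaces in the decoded view.
    rec["decoded_url"] = unquote_plus(unquote_plus(rec["url"]))
    return rec


def classify(rec):
    """Return a finding dict if the request carries an XSS indicator, else None."""
    hit = XSS_INDICATORS.search(rec["decoded_url"])
    if not hit:
        return None
    # Mirrors the writeup's reading: a 302 with a zero-byte body means the server
    # refused to serve the payload and the attacker received nothing useful.
    blocked = rec["status"] == 302 and rec["size"] == 0
    return {
        "ip": rec["ip"],
        "ts": rec["ts"],
        "url": rec["decoded_url"],
        "indicator": hit.group(0),
        "status": rec["status"],
        "size": rec["size"],
        "blocked": blocked,
    }


def analyze(log_text):
    """Group flagged requests by source IP, preserving log order within each IP."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding:
            findings[finding["ip"]].append(finding)
    return dict(findings)


def summarize(findings):
    """Per source IP: how many payload attempts, and whether every one was blocked."""
    return {
        ip: {"attempts": len(fs), "all_blocked": all(f["blocked"] for f in fs)}
        for ip, fs in findings.items()
    }


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for ip, fs in results.items():
        for f in fs:
            state = "blocked" if f["blocked"] else "NOT blocked"
            print(f'{ip} {f["ts"]} {f["status"]} {f["size"]}B {state} via {f["indicator"]!r}: {f["url"]}')
    print(summarize(results))
```

Run against a real access log, the `summarize` output is the part that decides escalation: an IP whose every attempt came back blocked matches the "unsuccessful attack, report and block the source" outcome of this alert, whereas any `all_blocked: False` entry means at least one payload was served and the affected page needs a closer look.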

As part of the playbook, I confirmed that this attack was not a planned test by parsing through email logs. There was no email history notifying of a simulated attack.

I concluded the playbook by reporting my artifacts. When prompted, I decided against Tier 2 escalation. Although I confirmed that a malicious attack had taken place, it was unsuccessful. Other than reporting the source IP (which should be added to our WAF or blacklist), no further action was required.