SOC170 - Passwd Found in Requested URL - Possible LFI Attack
For this alert, the rule name suggests that an attacker attempted a Local File Inclusion (LFI) attack against a device within our network. The alert detected an attempt to access the "/etc/passwd" file, a common target for attackers because it holds user credentials.
First, it was important to understand the direction of traffic and the devices/IPs involved. A quick search within the endpoint security module told me that the traffic had not originated from within the company network, so I turned to public tools for further investigation. VirusTotal and AbuseIPDB both identified the IP as malicious, belonging to the Chinese corporate giant Tencent and having historical associations with credential-stealing SSH attacks. The destination IP belonged to the company's WebServer1006.
Looking at the web traffic logs, there was a single LFI attempt on the web server for the URL specified in our alert. The HTTP response size was 0, and the response code 500, providing me with evidence that the attack was unsuccessful. It also provided insight into the motive of the attack - the attacker clearly was interested only in the /etc/passwd file, and was not interested in trying to obtain any other information from the device or network. This appears to be consistent with previous reports on the IP.
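The triage logic applied above (match the requested URL against LFI indicators, then use the HTTP status and response size to judge whether the request actually returned file contents) can be scripted so the same check runs over a whole access log rather than a single alert. The following is an added example written for this write-up; it is not part of the original alert, the SOC platform, or any vendor tool. The log lines are constructed samples in Combined Log Format with placeholder IPs, and the 2xx-with-non-empty-body rule for "possible success" is an assumption about what a returned /etc/passwd would look like in the log.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format). The IPs are
# documentation-range placeholders, not the addresses from the real alert.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2023:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2023:12:00:05 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2023:12:00:09 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:12:01:00 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "curl/8.0"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, URL,
# status code and response body size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators in the spirit of the SOC170 rule: a sensitive Unix file name or a
# directory-traversal sequence in the requested path (checked after decoding).
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Decode twice so single- and double-URL-encoded traversal sequences both
    # normalise to plain "../" before matching.
    d["decoded_url"] = unquote(unquote(d["url"]))
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d


def classify(entry):
    """Return a triage finding for an LFI-looking request, or None for benign traffic."""
    url = entry["decoded_url"].lower()
    hit = any(f in url for f in SENSITIVE_FILES) or bool(TRAVERSAL_RE.search(url))
    if not hit:
        return None
    # Assumed verdict rule: a 2xx with a non-empty body may have leaked file
    # contents and deserves escalation; a 500 with size 0 (as in the alert
    # above) or any other non-2xx response indicates the attempt failed.
    likely_success = 200 <= entry["status"] < 300 and entry["size"] > 0
    return {
        "ip": entry["ip"],
        "url": entry["decoded_url"],
        "status": entry["status"],
        "size": entry["size"],
        "verdict": "POSSIBLE SUCCESS - escalate" if likely_success else "failed attempt",
    }


def triage_log(text):
    """Run parse + classify over every line of an access log and collect findings."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['size']:>6} {f['verdict']:<28} {f['url']}")
```

Run against the sample log, the second line (500, size 0) is reported as a failed attempt, matching the reasoning in the alert, while the third line (200 with 1842 bytes returned, traversal hidden behind URL encoding) is flagged for escalation; the two benign requests produce no finding. Decoding before matching is what keeps an encoded `..%2F` from slipping past the sensitive-file check.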
To confirm the attack's failure, I investigated the target web server's command and process history. There was no evidence of intrusion or foul play. I also checked email logs to confirm that this was not a planned test.
I rounded out the playbook by reporting my artifacts and recommending against Tier 2 escalation. This was a true positive attack, but the attacker had not succeeded in extracting information from the server's /etc/passwd. I would suggest adding the attacker's IP to our blacklist to mitigate the possibility of future attacks from this threat actor.