DEV Community

a.infosecflavour
SOC167 - LS Command Detected in Requested URL | Letsdefend.io

Hi everyone! Are you up for an easy blue team challenge? 🔷🔹🔷

Detection

While browsing through my daily alarms, I found this high-severity alert, SOC167 - LS Command Detected in Requested URL, so I decided to take ownership of it.

Event ID: 117
Event Time: Feb, 27, 2022, 12:36 AM
Rule: SOC167 - LS Command Detected in Requested URL
Level: Security Analyst
Hostname: EliotPRD
Destination IP Address: 188.114.96.15
Source IP Address: 172.16.17.46
HTTP Request Method: GET
Requested URL: hxxps[://]letsdefend[.]io/blog/?s=skills
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Alert Trigger Reason: URL Contains LS
Device Action: Allowed

[screenshot: alarm details]

My first guess is that the alert triggered because of the word "skills", which contains "ls" (the trigger reason given in the alert). But what is special about "ls"?

The ls command is used to list files or directories in Linux and other Unix-based operating systems (source). If you want to find out more about how malicious actors leverage Linux commands to conduct attacks, then it's worth reading this article.

As I move into the analysis stage, first and foremost I start the playbook.

[screenshot: playbook]

Even though I listed these artifacts earlier, I want to do so again in order to translate the information into something friendlier.

Event Time: Feb, 27, 2022, 12:36 AM

Hostname: EliotPRD

Destination IP Address: 188.114.96.15

Source IP Address: 172.16.17.46

HTTP Request Method: GET

Requested URL: hxxps[://]letsdefend[.]io/blog/?s=skills

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0

Device Action: Allowed

It was observed on 27 February at 12:36 AM that host EliotPRD, which belongs to IP 172.16.17.46, sent a GET request via the web browser Mozilla Firefox version 24.0 for Ubuntu to hxxps[://]letsdefend[.]io/blog/?s=skills, which belongs to IP 188.114.96.15.

You can find out more about the User-Agent if you leverage the search capabilities of the Internet. In this situation, the User-Agent is not suspicious, but in other cases an outdated User-Agent version could be correlated with malicious activity.

In simpler words, the Source (EliotPRD) asked the browser (Mozilla Firefox) to go to the Destination (hxxps[://]letsdefend[.]io/blog/?s=skills) and fetch the "Skills" section.

Considering the hostname EliotPRD, this endpoint is a machine used in the production environment, i.e. the live environment where the software is deployed for end users.

Collecting data about the endpoint device involved in this event, we discover the following:

  • it's a client (not a server)
  • uses Ubuntu 16.04.4
  • it's on letsdefend.local domain
  • primary user: eliot
  • last login: Feb, 27, 2022, 12:00 AM

[screenshot: endpoint details]

There is no process running.

[screenshot: process list]

The established connections are to a single IP address.

[screenshot: network connections]

The date command was run on 27 February at 01:11 AM. This command is used to display the system date and time.

And we discover the following URLs accessed:

[screenshot: browser history URLs]

We can correlate the URLs discovered in the Browser History with the IPs from Network Action.

Did you see that? At 27.02.2022 00:36, hxxps[://]letsdefend[.]io/blog/?s=skills (IP: 188.114.96.15) was accessed!

So now that we have gathered the evidence, we can confirm it is an outbound connection (internal to external).
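The correlation step described above (matching the browser history entry against the network connection by resolved IP and timestamp, then deciding the connection direction) can be scripted. The following is an added example, not code from the original post or from LetsDefend; the letsdefend.io entry, the timestamp and the IPs/port come from the alert, while the second history entry, the internal server 10.0.0.5 and the hostname-to-IP lookup table are constructed for illustration.

```python
from datetime import datetime, timedelta
import ipaddress
from urllib.parse import urlsplit

# Browser history as (timestamp, url). First entry is from the alert;
# the second is constructed.
BROWSER_HISTORY = [
    ("2022-02-27 00:36", "https://letsdefend.io/blog/?s=skills"),
    ("2022-02-27 00:20", "https://intranet.example.test/news"),  # constructed
]

# Network connections as (timestamp, src_ip, src_port, dst_ip, dst_port).
# First entry matches the Log Management entry on the page; second is constructed.
NETWORK_CONNECTIONS = [
    ("2022-02-27 00:36", "172.16.17.46", 46843, "188.114.96.15", 443),
    ("2022-02-27 00:20", "172.16.17.46", 45120, "10.0.0.5", 443),  # constructed
]

# Hostname -> IP as resolved at the time of the event (constructed lookup table;
# the letsdefend.io mapping is the one the page reports).
RESOLVED = {
    "letsdefend.io": "188.114.96.15",
    "intranet.example.test": "10.0.0.5",
}


def parse_ts(value: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used in the sample data."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


def direction(src: str, dst: str) -> str:
    """Classify a flow as outbound / inbound / internal / external using RFC 1918
    and IANA special-purpose ranges known to the ipaddress module."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.is_private and d.is_global:
        return "outbound"
    if s.is_global and d.is_private:
        return "inbound"
    if s.is_private and d.is_private:
        return "internal"
    return "external"


def correlate(history, connections, resolved, window=timedelta(minutes=2)):
    """Return one record per browser-history entry that has a network connection
    to the host's resolved IP within `window` of the history timestamp."""
    matches = []
    for h_ts, url in history:
        host = urlsplit(url).hostname
        ip = resolved.get(host)
        if ip is None:
            continue  # no resolution evidence: cannot tie URL to a flow
        for c_ts, src, sport, dst, dport in connections:
            if dst == ip and abs(parse_ts(c_ts) - parse_ts(h_ts)) <= window:
                matches.append({
                    "time": h_ts, "url": url, "src_ip": src, "src_port": sport,
                    "dst_ip": dst, "dst_port": dport,
                    "direction": direction(src, dst),
                })
    return matches


if __name__ == "__main__":
    for record in correlate(BROWSER_HISTORY, NETWORK_CONNECTIONS, RESOLVED):
        print(record)
```

The time window is deliberately small: browser history and proxy logs on the same host should agree to the minute, and a wide window would start pairing unrelated flows with unrelated page visits.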

Now, let's gather data about 188.114.96.15.

As VirusTotal reveals, no AV vendor detected it as malicious.

[screenshot: VirusTotal results]

But there are 9 detected files communicating with the IP address, and VirusTotal shows a comprehensive relationship graph. I will list here only those associated prior to the event:

[screenshot: VirusTotal relationship graph]

We also check AbuseIPDB and find the following (please note that the searches were done at the moment of writing this article, which is ~3 years after the event 😉).

[screenshot: AbuseIPDB results]

The IP is static, owned by Cloudflare, which is not primarily a web hosting provider.
The IP reputation is neutral.

[screenshot: HTTP traffic logs]

Further into our analysis, let's examine the HTTP traffic by checking the logs in the Log Management section.

We can observe the date, the type of log (proxy), the source address (172.16.17.46), the source port (46843), the destination address (188.114.96.15) and the destination port (443).

[screenshot: the different HTTP requests]

It can also be noticed that there is a total of 7 HTTP requests.

We can take each log and analyze the connections (example in the screenshot below):

[screenshot: single log entry analysis]

It can be safely confirmed that there is no malicious traffic between the source and the destination.

[screenshot: non-malicious traffic]

Therefore, the alarm is False Positive. It was triggered by the presence of "ls" in the word "skills".
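The root cause is the rule itself: "URL Contains LS" is a plain substring match, so any word containing the letters "ls" (skills, tools, false) will fire it. The following is an added example, not code from the original post or from LetsDefend, contrasting that naive rule with one that only fires when "ls" appears as a standalone command token in a URL-decoded query value. The sample URLs other than the one from the alert are constructed, and the set of separator characters the tokenized rule recognises is an assumption chosen for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample inputs. The first is the alert's URL, refanged so it parses;
# the remaining entries are made up to exercise both rules.
SAMPLE_URLS = [
    "https://letsdefend.io/blog/?s=skills",
    "https://example.test/search?q=tools",
    "https://example.test/cgi-bin/ping.sh?host=127.0.0.1;ls%20-la",
    "https://example.test/index.php?page=..%2F..%2Fetc&cmd=ls",
    "https://example.test/view?file=%7Cls",
]


def naive_rule(url: str) -> bool:
    """The rule as the alert describes it: 'URL Contains LS', a case-insensitive
    substring test over the whole URL. This is what fires on 'skills'."""
    return "ls" in url.lower()


# Assumed separators that typically precede a command token inside a single
# parameter value: start of value, ';', '|', '&', backtick, '$(' and newline.
# The lookahead requires 'ls' to be followed by whitespace, end of value or
# another separator, so 'ls' inside a longer word does not match.
_CMD_TOKEN = re.compile(r"(?:^|[;|&`\n]|\$\()\s*ls(?=\s|$|[;|&`)])")


def tokenized_rule(url: str) -> bool:
    """Fire only when 'ls' is a standalone token in a URL-decoded query value."""
    query = urlsplit(url).query
    for pair in query.split("&"):
        _key, _, value = pair.partition("=")
        decoded = unquote(value)  # inspect the decoded value, not the raw URL
        if _CMD_TOKEN.search(decoded):
            return True
    return False


def evaluate(urls=SAMPLE_URLS):
    """Return {url: (naive_fires, tokenized_fires)} to compare the two rules."""
    return {u: (naive_rule(u), tokenized_rule(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, tokenized) in evaluate().items():
        print(f"naive={naive!s:5} tokenized={tokenized!s:5} {url}")
```

Running it shows the alert's URL fires the naive rule but not the tokenized one, while the constructed values with a separator before "ls" fire both. Tuning the rule this way does not lower coverage of the pattern the rule was written for; it only stops matching English words.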


What are your thoughts? 😉
