1. Incident Details Overview
- Incident Title: Possible SQL Injection Payload Detected
- Incident Event ID: 115
- Date/Time Detected: Feb 25, 2022, 11:34 AM
- Alert Type: Web Attack
- Severity: High
- MITRE Technique: T1190 - Initial Access - Exploit Public-Facing Application
- Rule Name: SOC165 - Possible SQL Injection Payload Detected
2. Incident Summary
- Description of the Incident: [Brief overview of what happened. Example: Detection of suspicious SQL injection payload targeting public-facing web application.]
- Key Affected Systems: [List of affected systems, websites, or services]
- Potential Impact: [What could be the result of a successful attack? E.g., data breach, unauthorized access, etc.]
- Stakeholders Involved: [Teams or departments impacted by this incident, e.g., Development, IT, Incident Response]
3. Detection & Analysis: Understand Why the Alert Was Triggered
To decide whether the triggered alert is a false positive, first understand why the rule fired rather than starting the analysis directly.
- Examine the rule name. Rule names are usually created specifically for the attack they are meant to detect, so the rule name tells you which attack you are facing.
- Identify between which two devices the traffic is occurring. Learning the direction of the traffic and the protocol used between the devices is a good starting point for understanding the situation.
- Detection Method: Alert Trigger Reason: Requested URL Contains OR 1 = 1
- Initial Analysis:
- Payload Type:
- HTTP Request Method: GET
- Requested URL: https://172.16.17.18/search/?q=" OR 1 %3D 1 -- -
- Targeted Endpoint: 172.16.17.18
- Source IP(s): 167.99.169.17
- Suspected Attack Vector: Unsanitized q parameter on GET /search (query string). The attacker injected a string-terminating quote followed by a boolean tautology (" OR 1=1 --) to alter the backend SQL query. This indicates a classic SQL injection attempt against a public-facing search endpoint that concatenates user input into SQL without parameterization.
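As an added example (not part of the original report or the SOC165 rule itself), the decode-then-match check that a rule of this kind depends on: the incident URL carries `%3D` in place of `=`, so a substring match on the raw URL misses it and the query string must be URL-decoded before matching. The sample requests, the TAUTOLOGY pattern and the triage helper are constructed assumptions of this example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Boolean tautology such as OR 1=1 (any spacing, any case), optionally preceded
# by a string-terminating quote. Group 2 must repeat after the '=' (n=n).
TAUTOLOGY = re.compile(r"""(['"]|\b)\s*OR\s+(\d+)\s*=\s*\2\b""", re.IGNORECASE)

# Constructed sample requests (source IP, method, URL). The first is the request
# from this incident; the others are benign or differently encoded variants.
SAMPLE_REQUESTS = [
    ("167.99.169.17", "GET", 'https://172.16.17.18/search/?q=" OR 1 %3D 1 -- -'),
    ("10.0.0.5", "GET", "https://172.16.17.18/search/?q=laptop+chargers"),
    ("10.0.0.9", "GET", "https://172.16.17.18/search/?q=%27%20or%201%3d1%20--"),
    ("10.0.0.7", "GET", "https://172.16.17.18/search/?q=tables%20for%201"),
]


def decoded_params(url: str) -> dict:
    """Query parameters with percent/plus decoding applied a second time, so a
    double-encoded payload (%2527 -> %27 -> ') is still inspected in clear."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: [unquote_plus(v) for v in vals] for k, vals in params.items()}


def find_tautology(url: str) -> Optional[dict]:
    """Return the first parameter whose decoded value carries an OR n=n tautology."""
    for name, values in decoded_params(url).items():
        for value in values:
            m = TAUTOLOGY.search(value)
            if m:
                return {"param": name, "value": value, "match": m.group(0)}
    return None


def raw_contains(url: str, needle: str = "OR 1 = 1") -> bool:
    """Naive substring check on the raw URL; misses the %3D-encoded '=' above."""
    return needle.lower() in url.lower()


def triage(requests) -> list:
    """One alert record per request whose decoded query carries the payload."""
    alerts = []
    for src, method, url in requests:
        hit = find_tautology(url)
        if hit:
            alerts.append({"src": src, "method": method,
                           "param": hit["param"], "match": hit["match"]})
    return alerts
```

The second `unquote_plus` pass turns a literal `+` in a benign value into a space, so use the decoded value for matching only and keep the raw request for the record.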