Command Injection via xp_cmdshell
The attacker calls xp_cmdshell('cat ../../../etc/passwd'), a SQL Server stored procedure that runs OS-level commands. This attempts to read the system's password file, indicating privilege escalation or host compromise. (I looked up the use of the command)
Evasion Techniques Observed
The payload uses --/**/ to break the comment without spaces (bypassing naive WAF rules) and a # at the end to terminate the query early. The 200 OK response suggests the server executed at least part of the request.
The HTTP GET request contains HTTP/1.1 200 865, here the number 200 means that the attack was successful.
httpattack
We can conclude that it is malicious
attackclass
We can answer this easily, it is the name of the alert: SQL Injection
planned
We go to the Email Security tab and check for the hostnames and IP addresses and check for any email that may be regarding a planned test, alas we find none.
Next we go to VirusTotal and check the reputation of the Source IP address:
reputation
9/94 vendors flag this IP as malicious, so we can say it is malicious, with low confidence.
It was NOT a planned test.
question
The destination IP is a part of the company network, and the source IP, as we know, is an external IP.
Internet -> Company Network
succesfuol
suceful
YES, the attack was successful since we can see the code 200 in the HTTP Request
containment
Now we move on to the containment phase.
contained
Artifacts added:
artifacts
Do we need Tier 2 escalation? Answer: Yes, since we know the attack was successful.
After adding Analyst's notes, we close the playbook:
closedplaybook
Now we close the alert:
Imption
True positive alert, malicious HTTP traffic detected and successful on our internal server. Escalation to Tier 2 needed for deeper investigation and forensics