Incident Response Triaging
The Vulnerability Search excels at triaging potential incidents involving web applications, websites, or backend databases. Let’s say you receive an alert indicating one of your web applications is being banged on by some threat. The alert can be detected by anything; IDS, SIEM, or a server administrator. When this type of alert comes in one question that needs to be answered is: did the attack successfully compromise the server. If the server is compromised then the alert can be elevated into a security incident. However, if the ongoing attacks have no chance of compromising the server then there’s no need for elevation and the resources it requires. This is where the Vulnerability Search comes into play.
The web logs will contain the URLs being used in the attack. If these URLs are not completely obfuscated then they can be used to identify the vulnerability the threats are targeting. For example, let’s say the logs are showing the URL below multiple times in the timeframe of interest:
hxxp://journeyintoir.blogspot.com/index.php?option=com_bigfileuploader&act=uploading
It might not be obvious what the URL’s purpose is or what it’s trying to accomplish. A search using part of the URL can provide clarity about what is happening. Searching on the string “index.php?option=com_bigfileuploader” in the Vulnerability Search shows the vulnerability being targeted is the Joomla Component com_bigfileuploader Arbitary File Upload Vulnerability. Now if the website in question isn’t a Joomla server then the attack won’t be successfully and there is no need to elevate the alert.
Incident Response Log Analysis
The Vulnerability Search also excels at investigating incidents involving web applications, websites, or backend databases. Let’s say someone discovered a web server compromise since it was serving up malicious links. The post mortem analysis identified a few suspicious files on the server. The web activity in an access log around the time the files were created on the server showed the following:
"POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%
6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%
6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%
2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%
74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%
5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%
70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%
2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%
6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
HTTP/1.1" 200 203 "-"
A search on the above string reveals it’s an exploit for the Plesk Apache Zeroday Remote Exploit. If the server in question is running Plesk then you might have just found the initial point of compromise.
Vulnerability Management or Penetration Testing
The Vulnerability Search is not only useful for DFIR type work but it’s also useful for vulnerability management and penetration testing type work. Let’s say you get a report from a vulnerability scanner and it has a critical vulnerability listed. You can use search on the CVE to get clarity about what the vulnerability is, what the vulnerability allows for if exploited, and what exploits are available. All of this information can help determine the true criticality of the vulnerability and the timeframe for the vulnerability to be patched.
Now on the other hand let’s say you are doing a pen test and you identify a vulnerability with your tools. You can search on the CVE to get clarity about what the vulnerability is, what the vulnerability allows for if exploited, and what exploits are available. This type of information can be helpful with exploiting the vulnerability in order to elevate your privileges or access sensitive data.
The purpose of this post was to illustrate what the Vulnerability Search is and how I use it. The examples I used might have been for demonstration purposes but they simulate scenarios I’ve encountered where the search came in handy.
0 comments:
Post a Comment