SOC167 — LS Command Detected in Requested URL — Letsdefend.io

Domiziana Foti
3 min read · Oct 1, 2022

In this case we have a suspected web attack, the information available for our analysis is outlined below:

The first thing we notice is that the alert was triggered because the requested URL contains “ls”.

Several tools and commands are installed on Linux by default. An adversary who has gained access to the system can use these commands and tools to quickly launch malware with full access to the system. Additionally, since users frequently use these programs and utilities, it can be very challenging to identify any malicious activity. (To continue reading and learn more about this topic: Linux commands and utilities commonly used by attackers)

So now we start to analyze the logs and traffic.

To continue our analysis, let us look at the source and destination IPs. We can see that port 443 is used and that the protocol is HTTP, which works as a request-response protocol between a client and a server.

If we open a raw log we can see that an HTTP GET is used to request a resource from the server.

Network connections are all directed to the same IP.

In the CMD History of the hostname (EliotPRD) we can also see that there are no previously executed commands in that session on the Command Prompt.

In the browser history we note that several searches were made on the same site in a short period of time but the URLs do not seem malicious.

To perform a further check, we can try to see if the destination IP is malicious by searching it on some websites.

As we can see, both websites confirm that the IP is not malicious and that its domain name is cloudflare.com.

After all our analysis we can definitely say that the traffic is not malicious.

There are other requests made from the device to the destination IP, but these requests are not dangerous. In fact, what triggered the alert is the URL:

https://letsdefend.io/blog/?s=skills (“ls” contained in “skills”)

So we can confirm this is a false positive, and be aware that the SIEM is not perfect: we always have to check and verify the cause of the trigger.
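The root cause of this false positive is a rule that does a bare substring check for “ls” anywhere in the URL. The following is an added example (not code from the post or from LetsDefend) that puts the naive rule beside a tighter one, which URL-decodes the path segments and query values and only fires when “ls” appears as a whole token. The first sample URL is the one from the alert; the other URLs, the `example.test` host and the function names are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Whole-token match for the command name. Letters, digits, "_" and "-" count
# as word characters, so "ls" inside "skills" or "tools" does not match, while
# a bare "ls", "ls -la" or "cat;ls" does.
LS_TOKEN = re.compile(r"(?<![A-Za-z0-9_-])ls(?![A-Za-z0-9_-])")


def naive_rule(url: str) -> bool:
    """The substring check that raised the alert discussed in the post."""
    return "ls" in url


def decoded_fields(url: str) -> list[str]:
    """Return the URL-decoded path segments and query values of a URL.

    Matching on decoded fields rather than the raw string means percent-encoded
    input (e.g. %20) is inspected the way the server would see it.
    """
    parts = urlsplit(url)
    fields = [unquote(seg) for seg in parts.path.split("/") if seg]
    # parse_qsl already percent-decodes values and turns "+" into spaces.
    fields += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    return fields


def tokenized_rule(url: str) -> bool:
    """Fire only when 'ls' is a whole token in some decoded path or query field."""
    return any(LS_TOKEN.search(field) for field in decoded_fields(url))


# Constructed sample set: the real alert URL plus three made-up URLs that
# exercise both rules (one more benign search, two detection test cases).
SAMPLE_URLS = [
    "https://letsdefend.io/blog/?s=skills",           # the URL from the alert
    "https://letsdefend.io/blog/?s=tools",            # constructed benign search
    "https://example.test/cgi-bin/run?cmd=ls%20-la",  # constructed test case, query value
    "https://example.test/files/ls",                  # constructed test case, path segment
]


def triage(urls: list[str]) -> dict[str, dict[str, bool]]:
    """Run both rules over a list of URLs and report which one fires."""
    return {u: {"naive": naive_rule(u), "tokenized": tokenized_rule(u)} for u in urls}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{url}\n    naive={verdict['naive']}  tokenized={verdict['tokenized']}")
```

Running the block shows the naive rule firing on every sample URL, including the two innocent blog searches, while the token-based rule stays quiet on “skills” and “tools” and still fires on the two constructed test cases. The wider lesson is the one the post ends on: a rule that matches on a raw substring will keep generating tickets, so the analyst has to look at the decoded request and confirm what actually matched.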
