A security analyst at example.com receives a SIEM alert for an IDS signature and reviews the associated packet capture and TCP stream. Packet capture: [image not reproduced]. TCP stream: [image not reproduced]. Which of the following actions should the security analyst take NEXT?
A. Review the known Apache vulnerabilities to determine if a compromise actually occurred.
B. Contact the application owner for connect.example.local for additional information.
C. Mark the alert as a false positive scan coming from an approved source.
D. Raise a request to the firewall team to block 203.0.113.15.
I currently work in a SOC.
Anytime we receive alerts/offenses that appear to be a potential scan (internal/external), we already verify with the app owner/client if this was expected activity.
We never close a ticket without confirmation, even if it's from an approved source.
The security analyst should review the known Apache vulnerabilities to determine if a compromise actually occurred. The SIEM alert indicates that an IDS signature detected an attempt to exploit a vulnerability in Apache Struts 2 (CVE-2017-5638), which allows remote code execution via a crafted Content-Type header. The packet capture and TCP stream show that the attacker sent a malicious request with a Content-Type header containing an OGNL expression that executes the command "whoami" on the target server. However, this does not necessarily mean that the attack was successful, as it depends on whether the target server was running a vulnerable version of Apache Struts 2 or not. Therefore, the security analyst should review the known Apache vulnerabilities and compare them with the version of Apache Struts 2 running on the server to confirm if a compromise actually occurred or not.
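The triage logic the comment above describes (flag a Content-Type header carrying an OGNL expression, then decide whether the targeted Struts 2 version was actually exposed to CVE-2017-5638) can be written down as a small script. This is an added example, not code from the question or from any commenter; the HTTP requests are constructed samples with a deliberately non-functional placeholder instead of a real payload, the request path is assumed, and the affected-version ranges (2.3.5 to 2.3.31 and 2.5 to 2.5.10) are taken from the public advisory for that CVE.

```python
import re
from typing import Dict, Optional, Tuple

# CVE-2017-5638 is triggered through OGNL evaluation of a malformed Content-Type
# header, so an expression marker ("%{" or "${") in that header is the detection signal.
OGNL_MARKER = re.compile(r"[%$]\{")

# Struts 2 releases affected by CVE-2017-5638 (inclusive ranges) per the public advisory.
VULNERABLE_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5, 0), (2, 5, 10)),
)

# Constructed sample: the host name is from the question, the path is assumed, and the
# Content-Type value is a placeholder that only carries the OGNL marker, not a working payload.
SAMPLE_REQUEST = (
    "POST /connect/login.action HTTP/1.1\r\n"
    "Host: connect.example.local\r\n"
    "Content-Type: %{(#constructed_placeholder='whoami')}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed benign request for comparison.
BENIGN_REQUEST = (
    "POST /connect/login.action HTTP/1.1\r\n"
    "Host: connect.example.local\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
)


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request into a lowercase-keyed dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def content_type_has_ognl(headers: Dict[str, str]) -> bool:
    """True when the Content-Type header contains an OGNL expression marker."""
    return OGNL_MARKER.search(headers.get("content-type", "")) is not None


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.5' or '2.3.31' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in version.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def struts_version_vulnerable(version: str) -> bool:
    """True when the given Struts 2 version falls in an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def triage(raw_request: str, struts_version: Optional[str]) -> str:
    """Classify an alert: indicator present or not, and whether the server was exposed."""
    headers = parse_headers(raw_request)
    if not content_type_has_ognl(headers):
        return "no-ognl-indicator"
    if struts_version is None:
        return "exploit-attempt-version-unknown"
    if struts_version_vulnerable(struts_version):
        return "exploit-attempt-vulnerable-version"
    return "exploit-attempt-patched-version"


if __name__ == "__main__":
    for version in ("2.3.31", "2.3.32", None):
        print(version, "->", triage(SAMPLE_REQUEST, version))
    print("benign ->", triage(BENIGN_REQUEST, "2.3.31"))
```

The version check is what separates "an attempt was made" from "a compromise is plausible": an OGNL marker against a patched build is still worth confirming with the application owner, but it changes the priority of the ticket, while the same marker against a build inside an affected range justifies treating the host as potentially compromised until proven otherwise.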
I agree with Ian pretty much word for word. It looks like this is coming from the SOC but it has still triggered the IDS and so it is worth confirming before either blocking or dismissing.
An authenticated scan reports weaknesses exposed to the authenticated users of the system, as all the hosted services can be accessed with the right set of credentials. An unauthenticated scan reports weaknesses from a public viewpoint (this is what the system looks like to the unauthenticated users) of the system.
So the scan may be valid, but instead of concluding, asking for additional information from the application owner doesn't hurt and confirms if this activity is done internally.
Tricky question, not sure either, but knowing the one investigating this is the SOC from example.com, it looks like it wants us to pick C. The later part of the suspicious code is related to the Apache Struts vulnerability, but the IV info in the TCP stream indicates that it is coming from example.local. There should be a choice to validate the activity if it is part of a pentest or vulnscan, but regardless, if it is unauthorized scanning I would go with D.
It is close for me between C & D, but I would choose D for this scenario.
Check CVE-2017-5638, and for some reason the source IP in the question is tagged as internal in VT. So this is leaning more on the scanning that choice C is saying. I change my answer to C.
This appears to be an unauthenticated connection from the SOC; the reverse proxy line shows the source as being from the same domain, along with more containers showing SOC attributes. I'm calling this a false positive.
I think D is the answer. I tried to understand the TCP stream and found out that the user is not authenticated, and this user trying to do many things seems unusual. So we must block it on the firewall.
Community vote distribution: A (35%), C (25%), B (20%), Other.