SOC167 – LS Command Detected in Requested URL (False Positive)
🧠 Summary
This investigation was triggered by a SOC167 – LS Command Detected in Requested URL alert.
The detection rule identified the string “ls” within a requested URL and flagged it as a potential command injection attempt.
After thorough log analysis, destination IP investigation, and VirusTotal validation, it was determined that the alert was triggered due to the substring “ls” appearing inside the word “skills” within a legitimate blog search query.
No malicious behavior or exploitation attempt was observed.
The alert was classified as a False Positive.
🚨 Alert Overview
- Event ID: 117
- Rule: SOC167 – LS Command Detected in Requested URL
- Severity Level: Security Analyst
- Hostname: EliotPRD
- Source IP: 172.16.17.46
- Destination IP: 188.114.96.15
- HTTP Method: GET
- Requested URL: https://letsdefend.io/blog/?s=skills
- User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
- Device Action: Permitted
- HTTP Status Code: 200
- HTTP Response Size: 2577
🔎 Investigation Steps
1️⃣ URL Analysis
The requested URL:
https://letsdefend.io/blog/?s=skills
The rule triggered because the word “skills” contains the substring:
ls
However:
- No command separators (;, &&, |, $())
- No URL encoding (%3B, %26%26, etc.)
- No suspicious file paths (/etc/passwd)
- No shell execution patterns
The parameter ?s=skills is a standard blog search query.
Conclusion: Legitimate user search activity.
2️⃣ User Activity Timeline Review
Log review showed sequential browsing behavior:
- /blog/
- /blog/how-to-become-a-soc-analyst/
- /blog/how-to-analyze-rtf-template-injection-attacks/
- /blog/red-team-vs-blue-team-learn-the-difference/
- /blog/how-to-prepare-soc-analyst-resume/
- /blog/?s=skills
- /blog/soc-analyst-career-without-a-degree/
This pattern indicates normal reading and navigation behavior.
No repetitive probing.
No abnormal request frequency.
No injection attempts.
3️⃣ HTTP Response Analysis
- Status Code: 200 OK
- Device Action: Permitted
- Normal response size observed
No 500 errors, no access denials, and no server-side errors that would suggest exploitation attempts.
4️⃣ Destination IP Investigation
Destination IP: 188.114.96.15
IP Intelligence Results:
- ASN: 13335
- ISP: Cloudflare Inc.
- Service Type: Data Center / Transit
- Registry: RIPE NCC
- Country: United States
The IP belongs to Cloudflare CDN infrastructure, which is commonly used by legitimate websites for content delivery and DDoS protection.
Traffic flow:
User → Cloudflare Edge → LetsDefend Origin Server
No suspicious hosting provider identified.
5️⃣ VirusTotal Check
- IP lookup: Clean
- No malicious detections
- No blacklist flags
No threat intelligence indicators associated with the destination IP.
🧪 What Would Indicate a Real Command Injection?
If this were a legitimate command injection attempt, we would expect patterns such as:
- ; ls
- && ls
- | ls
- $(ls)
- Encoded payloads
- Directory traversal attempts
- Suspicious response codes
- Repeated exploitation attempts
None of these were observed.
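To show why the substring rule fires on this request and what a tighter rule would check instead, here is an added example (not part of the original investigation) that decodes the URL and only alerts on an ls token that follows a shell separator, or on a traversal string; every sample URL other than the one from the alert is constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit


def naive_ls_rule(url: str) -> bool:
    """Models the alert's logic: fires on the bare substring 'ls' anywhere in the URL."""
    return "ls" in url.lower()


# Shell separators / substitution openers that would precede an injected command.
SEPARATORS = r"(?:;|&&|\|\|?|`|\$\(|\n)"
# 'ls' must be its own token right after a separator, followed by whitespace,
# end of value, a flag, or another separator. 'skills' has no separator, so it fails.
INJECTION_RE = re.compile(SEPARATORS + r"\s*ls(?=\s|$|;|&|\||\)|-)", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(?:\.\./|/etc/passwd)")


def decoded_values(url: str):
    """Yield the path and each query value, decoded twice to catch double URL encoding."""
    parts = urlsplit(url)
    yield unquote(unquote(parts.path))
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        yield unquote(value)  # parse_qsl already decoded once


def tuned_ls_rule(url: str) -> bool:
    """Alerts only on a separator-preceded ls token or a traversal pattern."""
    return any(INJECTION_RE.search(v) or TRAVERSAL_RE.search(v) for v in decoded_values(url))


def evaluate(urls):
    """Return {url: (naive_fires, tuned_fires)} so the two rules can be compared."""
    return {u: (naive_ls_rule(u), tuned_ls_rule(u)) for u in urls}


if __name__ == "__main__":
    samples = [  # constructed, except the first which is the URL from the alert
        "https://letsdefend.io/blog/?s=skills",
        "https://example.test/blog/tools/",
        "https://example.test/search?q=test%3Bls%20-la",
        "https://example.test/search?q=%2524%2528ls%2529",
        "https://example.test/dl?file=..%2F..%2Fetc%2Fpasswd",
    ]
    for url, (naive, tuned) in evaluate(samples).items():
        print(f"naive={naive!s:5} tuned={tuned!s:5} {url}")
```

The first two samples show the benign substring hits (skills, tools) that the naive rule raises and the tuned rule drops; the last three show the separator, double-encoded, and traversal cases the tuned rule still catches.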
📌 Final Verdict
| Category | Result |
|---|---|
| Command Injection Attempt | Not Observed |
| Malicious Payload | None |
| Suspicious Characters | None |
| Host Compromise | No Evidence |
| Destination Reputation | Clean (Cloudflare) |
| Alert Classification | False Positive |
🏁 Conclusion
The alert was triggered due to simple substring-based detection logic identifying the letters “ls” within the word “skills.”
Comprehensive log review, infrastructure validation, and threat intelligence checks confirm that:
- The activity was legitimate browsing behavior.
- No command injection was attempted.
- No malicious indicators were identified.
- No compromise occurred.
This case demonstrates how context-based analysis is critical when investigating signature-based alerts.
Alert closed as: False Positive