June 13, 2026
Threat Hunting with WAF - LetsDefend
This write-up is based on a training scenario from LetsDefend and is shared for educational purposes only.
0verRida
2 min read
Hello everyone, I'm Fir (find me on LinkedIn). In this article, I'll share my threat hunting investigation based on a web application firewall (WAF) scenario from LetsDefend. In this lab, I analyzed WAF logs to identify web attacks, investigated misconfigurations where attacks were allowed, and correlated findings with threat intelligence. The goal was to understand how attackers exploit web vulnerabilities and how partial detection can still lead to risk.
Hypothesis
Attackers may exploit web application vulnerabilities such as directory traversal to access sensitive files and may combine multiple attack techniques to increase their chances of success.
Step 1 : Detecting Directory Traversal Attacks
I started by analyzing WAF logs to identify directory traversal activity. This indicates attempts to access sensitive system files on the server.
Most frequent attack URL: /page.php?file=../../../../etc/shadow
Step 2 : Allowed Malicious Request
Next, I checked whether any attack requests bypassed the WAF. This confirms that a sensitive file access attempt was allowed through by the WAF and answered by the application.
Allowed attack URL: /page.php?file=../../../../home/user/.ssh/id_rsa
HTTP status code: 200
Step 3 : Correlating Additional Attack Activity
I then investigated the same attacker's behavior. This shows that while one attack succeeded, another was detected and blocked.
Additional attack type: OS Command Injection
WAF action: block
Step 4 : Target System Identification
I identified the affected server. This system becomes critical for further investigation.
Target server IP: 10.10.10.88
Step 5 : Threat Intelligence Correlation
Next, I correlated the attacker IP with threat intelligence. This indicates the activity is linked to a known threat group.
Associated APT group: APT-LL-23
Another related IP: 101.203.172.3
Step 6 : Internal to External Communication Analysis
Finally, I investigated communication patterns. This suggests attempted outbound communication that was successfully prevented.
Source IP accessing external related IP: 10.10.10.88
Firewall action: block
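As an added example (not part of the original write-up or of the LetsDefend lab), the following Python carries out the hunt from Steps 1 to 4 over a handful of constructed WAF log lines: it flags traversal and command-injection patterns after percent-decoding, counts the most frequent traversal URL, isolates the attacks the WAF allowed that the application answered with HTTP 200, and profiles each source by attack type and target. The key=value log layout, the field names and the attacker address 203.0.113.5 are assumptions; the target 10.10.10.88 and the two traversal URLs come from the write-up.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample WAF log (not the lab's export); 203.0.113.5 is a placeholder attacker.
SAMPLE_WAF_LOG = """\
2026-06-13T10:01:02Z src=203.0.113.5 dst=10.10.10.88 method=GET url="/page.php?file=../../../../etc/shadow" status=403 action=block
2026-06-13T10:01:05Z src=203.0.113.5 dst=10.10.10.88 method=GET url="/page.php?file=../../../../etc/shadow" status=403 action=block
2026-06-13T10:01:09Z src=203.0.113.5 dst=10.10.10.88 method=GET url="/page.php?file=..%2F..%2F..%2F..%2Fhome/user/.ssh/id_rsa" status=200 action=allow
2026-06-13T10:02:30Z src=203.0.113.5 dst=10.10.10.88 method=POST url="/ping.php?host=127.0.0.1;id" status=403 action=block
2026-06-13T10:03:00Z src=198.51.100.7 dst=10.10.10.88 method=GET url="/page.php?file=about.html" status=200 action=allow
"""

# Assumed key=value line layout; a real WAF export will differ, so adjust the field names here.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) '
    r'url="(?P<url>[^"]*)" status=(?P<status>\d+) action=(?P<action>\w+)$')

# Traversal is matched on the decoded URL (so ..%2F is caught); shell metacharacters are a coarse injection hint.
SIGNATURES = {
    "directory_traversal": re.compile(r"\.\.[/\\]"),
    "os_command_injection": re.compile(r"[;|`]|\$\("),
}

def parse_waf_log(text):
    """Parse each line into a dict, decoding the URL twice to defeat double encoding."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the hunt
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["decoded_url"] = unquote(unquote(ev["url"]))
        ev["attack"] = next((name for name, rx in SIGNATURES.items()
                             if rx.search(ev["decoded_url"])), None)  # first match wins
        events.append(ev)
    return events

def hunt(text):
    """Steps 1-4: top traversal URL, attacks the WAF let through, per-source profiles."""
    events = [e for e in parse_waf_log(text) if e["attack"]]
    traversal = Counter(e["decoded_url"] for e in events if e["attack"] == "directory_traversal")
    # A flagged request the WAF allowed *and* the app served with 200 is the finding that matters.
    allowed = [e for e in events if e["action"] == "allow" and e["status"] == 200]
    by_src = defaultdict(lambda: {"attacks": set(), "targets": set()})
    for e in events:
        by_src[e["src"]]["attacks"].add(e["attack"])
        by_src[e["src"]]["targets"].add(e["dst"])
    return {"top_traversal": traversal.most_common(1)[0][0] if traversal else None,
            "allowed": allowed, "by_src": by_src}
```

Pointing hunt() at a real export reproduces the write-up's first four findings in one pass, and the benign request from 198.51.100.7 shows why "allow + 200" alone is not a finding until a signature has matched.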
Conclusion
This investigation shows how a single WAF bypass can lead to serious risk. A successful directory traversal attack, combined with additional exploitation attempts, highlights attacker persistence. Correlation with threat intelligence and network activity links the behavior to a known APT group, emphasizing the need for continuous WAF validation and multi-source monitoring.
Thanks for reading! If you're learning web attack detection or improving your WAF monitoring skills, feel free to share your thoughts. What topic are you exploring next?