Web Server Potential Command Injection Request
The rule detects potential command injection attempts via web server requests by identifying URLs that contain suspicious patterns commonly associated with command execution payloads.
This rule aims to detect potential command injection attempts via web server requests by identifying URLs that contain suspicious patterns associated with command execution payloads. Attackers exploit vulnerabilities in web applications to inject and execute arbitrary commands on the server, often using interpreters like Python, Perl, Ruby, PHP, or shell commands. The rule focuses on low-volume requests with HTTP 200 status codes. This activity matters because attackers use successful requests to trigger server-side command injection and gain persistence or control without obvious errors. It covers a wide range of web servers, including Nginx, Apache, Apache Tomcat, IIS, and Traefik.
Attack Chain
- An attacker identifies a vulnerable web application endpoint.
- The attacker crafts a malicious HTTP request containing a command injection payload within the URL parameters, targeting known vulnerabilities.
- The vulnerable web server processes the request, passing the malicious payload to the underlying system.
- The payload includes interpreter flags (e.g.,
python -c,bash -c), shell invocations, or netcat commands designed for reverse shell creation. - The injected command executes on the server, potentially downloading a malicious script or establishing a reverse shell connection.
- The attacker leverages the reverse shell for further reconnaissance, lateral movement, or privilege escalation within the compromised environment.
- The attacker modifies system configurations, such as cron jobs or SSH keys, to establish persistence.
- The attacker gains control of the server, allowing them to exfiltrate sensitive data or deploy further malicious payloads.
Impact
Successful command injection can lead to complete compromise of the web server and potentially the entire network. While this detection focuses on low-volume 200 status code responses, a successful attack can allow the attacker to gain a persistent foothold, steal sensitive data, or use the compromised server as a launchpad for further attacks. The severity of the impact depends on the privileges of the web server process and the sensitivity of the data stored on the server or accessible from it.
Recommendation
- Deploy the Sigma rule
Web Server Potential Command Injection - Processto your SIEM and tune for your environment. - Deploy the Sigma rule
Web Server Potential Command Injection - Networkto your SIEM and tune for your environment. - Block the offending source IPs and User-Agents at the WAF/reverse proxy if identified.
Detection coverage 2
Web Server Potential Command Injection - Process
mediumDetects suspicious process creation related to web server command injection attempts.
Web Server Potential Command Injection - Network
mediumDetects suspicious network connections originating from web server processes indicative of reverse shells or command execution.
Detection queries are available on the platform. Get full rules →