Skip to content
Threat Feed
low advisory

Web Server Potential Command Injection Request

The rule detects potential command injection attempts via web server requests by identifying URLs that contain suspicious patterns commonly associated with command execution payloads.

This rule aims to detect potential command injection attempts via web server requests by identifying URLs that contain suspicious patterns associated with command execution payloads. Attackers exploit vulnerabilities in web applications to inject and execute arbitrary commands on the server, often using interpreters like Python, Perl, Ruby, PHP, or shell commands. The rule focuses on low-volume requests with HTTP 200 status codes. This activity matters because attackers use successful requests to trigger server-side command injection and gain persistence or control without obvious errors. It covers a wide range of web servers, including Nginx, Apache, Apache Tomcat, IIS, and Traefik.

Attack Chain

  1. An attacker identifies a vulnerable web application endpoint.
  2. The attacker crafts a malicious HTTP request containing a command injection payload within the URL parameters, targeting known vulnerabilities.
  3. The vulnerable web server processes the request, passing the malicious payload to the underlying system.
  4. The payload includes interpreter flags (e.g., python -c, bash -c), shell invocations, or netcat commands designed for reverse shell creation.
  5. The injected command executes on the server, potentially downloading a malicious script or establishing a reverse shell connection.
  6. The attacker leverages the reverse shell for further reconnaissance, lateral movement, or privilege escalation within the compromised environment.
  7. The attacker modifies system configurations, such as cron jobs or SSH keys, to establish persistence.
  8. The attacker gains control of the server, allowing them to exfiltrate sensitive data or deploy further malicious payloads.

Impact

Successful command injection can lead to complete compromise of the web server and potentially the entire network. While this detection focuses on low-volume 200 status code responses, a successful attack can allow the attacker to gain a persistent foothold, steal sensitive data, or use the compromised server as a launchpad for further attacks. The severity of the impact depends on the privileges of the web server process and the sensitivity of the data stored on the server or accessible from it.

Recommendation

  • Deploy the Sigma rule Web Server Potential Command Injection - Process to your SIEM and tune for your environment.
  • Deploy the Sigma rule Web Server Potential Command Injection - Network to your SIEM and tune for your environment.
  • Block the offending source IPs and User-Agents at the WAF/reverse proxy if identified.

Detection coverage 2

Web Server Potential Command Injection - Process

medium

Detects suspicious process creation related to web server command injection attempts.

sigma tactics: execution techniques: T1505.003 sources: process_creation, linux

Web Server Potential Command Injection - Network

medium

Detects suspicious network connections originating from web server processes indicative of reverse shells or command execution.

sigma tactics: command_and_control techniques: T1505.003 sources: network_connection, linux

Detection queries are available on the platform. Get full rules →