Web Server Request Command Injection Attempt
Detection of potential command injection attempts via web server requests by identifying URLs containing suspicious patterns associated with command execution payloads, which attackers exploit to execute arbitrary commands on the server.
This detection identifies potential command injection attempts targeting web servers. Attackers exploit vulnerabilities in web applications to inject and execute arbitrary commands on the server. This is achieved by crafting malicious URLs that include suspicious patterns commonly associated with command execution, such as interpreter invocations (Python, Perl, Ruby, PHP), shell commands, and other techniques to gain unauthorized access and control. The detection logic focuses on identifying HTTP requests with a status code of 200 (OK) to filter out noisy logs that may not represent successful command execution attempts. This proactive monitoring helps security teams to promptly identify and respond to potential threats before significant damage can occur. The rule logic covers Nginx, Apache, Apache Tomcat, IIS, and Traefik access logs.
Attack Chain
- The attacker identifies a vulnerable web application endpoint that is susceptible to command injection.
- The attacker crafts a malicious HTTP GET or POST request containing a command injection payload within the URL or request parameters. This payload might include shell metacharacters, encoded commands, or references to interpreters like Python, Perl, or Bash.
- The web server receives the malicious request and processes it. Due to the vulnerability, the injected command is executed by the server's operating system.
- The attacker leverages the command execution to perform reconnaissance, such as listing directories, reading files, or identifying system information using commands like
ls,cat /etc/passwd, oruname -a. - The attacker attempts to establish persistence by creating a web shell or modifying system files, such as cron jobs. This allows them to maintain access to the compromised system even after the initial vulnerability is patched.
- The attacker downloads additional tools or payloads onto the compromised server using utilities like
curlorwget, often from a remote attacker-controlled server. - The attacker uses the compromised server to pivot to other systems within the network, leveraging gained access to internal resources and sensitive data.
- The attacker exfiltrates sensitive data or deploys malware, potentially leading to data breaches, financial loss, or disruption of services.
Impact
Successful command injection can lead to complete compromise of the web server and potentially the entire network. Attackers can steal sensitive data, modify files, install malware, or use the compromised server as a launchpad for further attacks. The low severity assigned to the original rule may underestimate the true risk if successful exploitation occurs. Depending on the privileges of the web server process, the attacker could gain root access. The number of victims and sectors targeted depends on the specific vulnerability and the attacker's objectives.
Recommendation
- Deploy the provided Sigma rule to your SIEM and tune it to your environment, focusing on reducing false positives by excluding known legitimate uses of command-like strings (e.g., documentation or code rendering) in web requests.
- Investigate any alerts generated by the Sigma rule by examining the raw HTTP request or PCAP, decoding URL and base64-encoded parameters, and identifying shell metacharacters, commands, IP:port pairs, file paths, and download URLs.
- Implement input validation and sanitization on all web application endpoints to prevent command injection vulnerabilities (reference: this brief's overview).
- Apply virtual patches or WAF rules to block URLs containing suspicious patterns such as
bash -c,/dev/tcp,base64 -d,curl, ornc(reference: overview). - Harden web servers by running them under least privilege, restricting egress traffic, and deploying host sensors to detect suspicious activity like webshell creation (reference: overview).
Detection coverage 2
Detect Web Server Request Containing Command Injection Keywords
mediumDetects web server requests that contain keywords commonly associated with command injection attempts, such as shell interpreters, netcat, or file read attempts.
Detect Web Server Request with Base64 Encoded Command
highDetects web server requests that contain base64 encoded commands, often used to obfuscate malicious payloads.
Detection queries are available on the platform. Get full rules →