
Summary
This detection rule identifies potentially malicious POST requests to the F5 BIG-IP iControl REST API, specifically its "bash" endpoint. It inspects web server (access) logs and flags any request whose method is POST and whose URI ends with /mgmt/tm/util/bash. That endpoint exists so that authenticated administrators can run shell commands on the BIG-IP system through the REST API; an attacker who reaches it without proper authorization gets the same capability, i.e. arbitrary command execution on the appliance. Because the rule matches on method and path alone, it cannot tell legitimate administrative use from abuse: routine automation or operator tasks that call this endpoint will also produce alerts, so each hit should be triaged against the request's source address, the authenticating identity, and whether the activity was expected. Potential false positives are therefore legitimate administrative tasks performed via the REST API.
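The rule logic described above, replayed over a handful of constructed access-log lines (an added example, not the rule's own implementation or any F5 or vendor code). The log format, the sample lines and the helper names are assumptions; the one deliberate generalization is that the suffix test is applied to the URI path with the query string stripped, so a request to /mgmt/tm/util/bash?ver=... is still caught where a naive suffix match on the raw request target would miss it.

```python
"""Replay the BIG-IP iControl REST 'bash' endpoint rule over web server log lines."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# The endpoint the rule watches; any POST whose URI path ends with it is flagged.
BASH_ENDPOINT = "/mgmt/tm/util/bash"

# Combined/common access-log layout (assumed): client, ident, user, [timestamp],
# "METHOD URI PROTO", status, size, then referer and user agent.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Nov/2023:10:15:02 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.20 - admin [08/Nov/2023:10:16:44 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 238 "-" "curl/8.2.1"
198.51.100.20 - admin [08/Nov/2023:10:17:01 +0000] "GET /mgmt/tm/util/bash HTTP/1.1" 405 0 "-" "curl/8.2.1"
203.0.113.7 - - [08/Nov/2023:10:18:09 +0000] "POST /mgmt/tm/sys/version HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.7 - - [08/Nov/2023:10:19:33 +0000] "POST /mgmt/tm/util/bash?ver=16.1.0 HTTP/1.1" 200 901 "-" "python-requests/2.31"
"""


@dataclass
class Alert:
    src: str
    user: str
    ts: str
    uri: str
    status: int


def matches_rule(method: str, uri: str) -> bool:
    """Rule logic: method is POST and the URI *path* ends with the bash endpoint.

    The query string is removed before the suffix test so that
    '/mgmt/tm/util/bash?ver=...' is still caught; endswith() on the raw
    request target alone would not match it.
    """
    return method == "POST" and urlsplit(uri).path.endswith(BASH_ENDPOINT)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text: str) -> List[Alert]:
    """Run the rule over every line and return one Alert per matching request."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and matches_rule(fields["method"], fields["uri"]):
            alerts.append(Alert(fields["src"], fields["user"], fields["ts"],
                                fields["uri"], int(fields["status"])))
    return alerts


def sources_without_basic_auth_user(alerts: List[Alert]) -> List[str]:
    """Triage helper: source addresses whose hits carried no HTTP auth user ('-').

    A '-' does not by itself prove the request was unauthenticated (iControl REST
    also accepts token-based auth, which an access log does not show), so this
    only orders the review queue; it is not a verdict.
    """
    return sorted({a.src for a in alerts if a.user == "-"})


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for a in hits:
        print(f"{a.ts} {a.src} user={a.user} status={a.status} {a.uri}")
    print("review first:", sources_without_basic_auth_user(hits))
```

Running the block flags three of the five sample lines: the two plain POSTs and the POST with a query string. The GET to the same path and the POST to a different endpoint are ignored, which is exactly why an authenticated administrator's curl call (second line) shows up alongside the unattributed ones; the triage helper only orders which sources to look at first.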
Categories
- Web
- Application
Data Sources
- Web Credential
- Application Log
- Network Traffic
Created: 2023-11-08