F5 BIG-IP iControl Rest API Command Execution - Proxy

calendar Oct 1, 2024 · attack.initial-access attack.t1190  ·
Share on: linkedin copy

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Sigma rule (View on GitHub)

 1title: F5 BIG-IP iControl Rest API Command Execution - Proxy
 2id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
 3related:
 4    - id: 85254a62-22be-4239-b79c-2ec17e566c37
 5      type: similar
 6status: test
 7description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
 8references:
 9    - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
10    - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
11    - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
12author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
13date: 2023-11-08
14tags:
15    - attack.initial-access
16    - attack.t1190
17logsource:
18    category: proxy
19detection:
20    selection:
21        cs-method: 'POST'
22        c-uri|endswith: '/mgmt/tm/util/bash'
23    condition: selection
24falsepositives:
25    - Legitimate usage of the BIG IP REST API to execute command for administration purposes
26level: medium

References

Related rules

to-top