Detectionmediumtest

F5 BIG-IP iControl Rest API Command Execution - Webserver

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems), Thurein OoCreated Wed Nov 0885254a62-22be-4239-b79c-2ec17e566c37web

Log Source

Web Server Log

CategoryWeb Server Log← raw: webserver

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic

detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|endswith: '/mgmt/tm/util/bash'
    condition: selection

False Positives

Legitimate usage of the BIG IP REST API to execute command for administration purposes

References

MITRE ATT&CK

Tactics

Techniques

Related Rules

F5 BIG-IP iControl Rest API Command Execution - Proxy

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

85254a62-22be-4239-b79c-2ec17e566c37

Status

test

Level

medium

Type

Detection

Created

Wed Nov 08

Author

Path

rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml

Raw Tags

attack.executionattack.t1190attack.initial-access