Detectionmediumtest

F5 BIG-IP iControl Rest API Command Execution - Proxy

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems), Thurein OoCreated Wed Nov 08b59c98c6-95e8-4d65-93ee-f594dfb96b17web

Log Source

Proxy Log

CategoryProxy Log← raw: proxy

Detection Logic

detection:
    selection:
        cs-method: 'POST'
        c-uri|endswith: '/mgmt/tm/util/bash'
    condition: selection

False Positives

Legitimate usage of the BIG IP REST API to execute command for administration purposes

References

MITRE ATT&CK

Tactics

Techniques

Related Rules

F5 BIG-IP iControl Rest API Command Execution - Webserver

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

b59c98c6-95e8-4d65-93ee-f594dfb96b17

Status

test

Level

medium

Type

Detection

Created

Wed Nov 08

Author

Path

rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml

Raw Tags

attack.initial-accessattack.t1190