SOC168 – Command Injection Leading to Remote Code Execution
🧠 Summary
This investigation began with a SOC168 – Whoami Command Detected in Request Body alert.
Initial review showed that an external IP address submitted a POST request containing the whoami command.
Further log analysis revealed that multiple system-level commands were successfully executed via the web application.
This was confirmed as a Command Injection vulnerability leading to Remote Code Execution (RCE) and full system compromise.
🚨 Alert Overview
- Event ID: 118
- Rule: SOC168 – Whoami Command Detected in Request Body
- Hostname: WebServer1004
- Destination IP: 172.16.17.16
- Source IP: 61.177.172.87
- Country: China (Jiangsu)
- ASN: 4134 (Chinanet)
- HTTP Method: POST
- Device Action: Permitted
- HTTP Status: 200 OK
🔎 Initial Finding
POST Parameters: ?c=whoami
The parameter c appears to be passed directly into a system execution function.
The HTTP response returned status 200 OK, indicating successful processing.
🔬 Deep Log Investigation
Further log review revealed multiple command executions from the same source IP within minutes:
?c=ls
?c=whoami
?c=uname
?c=cat /etc/passwd
?c=cat /etc/shadow
All requests returned:
- HTTP 200
- Increasing response size
- Device Action: Permitted
📊 Response Size Analysis
| Command | HTTP Response Size |
|---|---|
| whoami | 912 bytes |
| ls | 1021 bytes |
| uname | 910 bytes |
| cat /etc/passwd | 1321 bytes |
| cat /etc/shadow | 1501 bytes |
The increasing response size strongly indicates that file contents were returned in the HTTP response.
This confirms successful execution of system commands.
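To show how the pattern above can be surfaced automatically, here is an added Python example (not part of the original writeup or the SIEM rule) that replays the investigation's logic over constructed log lines: it extracts the `c` parameter from each request, flags known enumeration commands that returned HTTP 200, and groups them by source IP with their response sizes. The log field layout, timestamps and the `SUSPECT_COMMANDS` list are assumptions; the IP, commands and sizes mirror the ones in the tables above.

```python
# Added example, not the original writeup's code: SOC168-style detection over
# constructed log lines. Field layout is an assumption, not the SIEM's format.
import re
from urllib.parse import parse_qs, urlsplit
from collections import defaultdict

# Commands seen in this investigation plus common enumeration companions (assumed list).
SUSPECT_COMMANDS = {"whoami", "ls", "uname", "id", "cat", "pwd"}

# Constructed sample lines: timestamp, src_ip, method, request, status, response_bytes
SAMPLE_LOGS = """\
2023-01-01T10:00:01 61.177.172.87 POST /index.php?c=whoami 200 912
2023-01-01T10:00:09 61.177.172.87 POST /index.php?c=ls 200 1021
2023-01-01T10:00:15 61.177.172.87 POST /index.php?c=uname 200 910
2023-01-01T10:00:22 61.177.172.87 POST /index.php?c=cat+/etc/passwd 200 1321
2023-01-01T10:00:31 61.177.172.87 POST /index.php?c=cat+/etc/shadow 200 1501
2023-01-01T10:01:00 10.0.0.5 GET /index.php?page=home 200 4096
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, request, status, size = m.groups()
    params = parse_qs(urlsplit(request).query)   # decodes '+' to a space
    return {"ts": ts, "src": src, "method": method, "status": int(status),
            "size": int(size), "c": params.get("c", [None])[0]}

def classify_command(value):
    """Return the base command if the 'c' parameter looks like OS command execution."""
    if not value:
        return None
    base = value.split()[0]          # 'cat /etc/passwd' -> 'cat'
    return base if base in SUSPECT_COMMANDS else None

def detect(log_text):
    """Group successful (HTTP 200) suspicious requests by source IP, keeping the order seen."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cmd = classify_command(rec["c"])
        if cmd and rec["status"] == 200:
            hits[rec["src"]].append((rec["ts"], rec["c"], rec["size"]))
    return dict(hits)
```

Running `detect(SAMPLE_LOGS)` yields one offending source with five ordered hits, and the size column reproduces the response-size progression from the table above.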
💀 Evidence of Compromise
The attacker performed structured enumeration:
- ls → Directory listing
- whoami → Confirmed execution context
- uname → Identified operating system
- cat /etc/passwd → Enumerated system users
- cat /etc/shadow → Attempted credential dump
Access to /etc/shadow strongly suggests:
- Elevated privileges
- Misconfigured file permissions
- Web application running with excessive privileges
This is a critical security failure.
🌍 Threat Intelligence
Source IP: 61.177.172.87
- Country: China
- ASN: Chinanet (AS4134)
- VirusTotal: 4/93 vendors flagged as malicious
Although the detection rate was moderate, combined with the confirmed exploitation behavior, the activity is malicious.
🎯 Root Cause
The vulnerable web application likely contains unsafe command execution logic such as:
- PHP: `system($_POST['c']);`
- Python: `os.system(request.POST['c'])`
🧠 Vulnerability Overview
This vulnerability allows unsanitized user input to be executed directly within the operating system shell.
Because user-controlled input is passed into system-level commands without proper validation or sanitization, an attacker can execute arbitrary commands on the host.
This vulnerability type is classified as:
OS Command Injection
🔐 MITRE ATT&CK Mapping
| Technique ID | Technique Name |
|---|---|
| T1190 | Exploit Public-Facing Application |
| T1059 | Command and Scripting Interpreter |
| T1082 | System Information Discovery |
| T1087 | Account Discovery |
| T1003 | OS Credential Dumping |
🛑 Incident Response Actions Taken
- Server was immediately contained / isolated
- Malicious source IP address identified
- Full exploitation chain confirmed
- Relevant logs preserved for forensic investigation
📌 Final Verdict
| Category | Result |
|---|---|
| Command Injection | Confirmed |
| Remote Code Execution | Confirmed |
| Credential Dump Attempt | Confirmed |
| Host Compromise | Confirmed |
| Alert Classification | True Positive |
🏁 Conclusion
This alert represents a successful OS Command Injection attack that resulted in Remote Code Execution (RCE).
The attacker was able to:
- Execute arbitrary system commands
- Enumerate system users
- Access sensitive files, including /etc/shadow
This incident is classified as a:
🚨 Critical Severity Security Incident
Immediate containment and remediation actions were required to prevent further damage and lateral movement.