Date: 10/21/2024
Severity: Medium
Summary
Identifies POST requests to the F5 BIG-IP iControl REST API "bash" endpoint, enabling command execution on the BIG-IP.
Indicators of Compromise (IOC) List
cs-method | 'POST' |
c-uri | '/mgmt/tm/util/bash' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query : | resourcename = "Zscaler Proxy" AND reqmethod = "POST" AND url like "/mgmt/tm/util/bash" |
| Detection Query : | technologygroup = "EDR" AND reqmethod = "POST" AND url like "/mgmt/tm/util/bash" |
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml