Command injection vulnerability triggered

Tactic:

TA0010-exfiltration

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect successful exploits of the command injection vulnerability.

Strategy

Run a heuristic in the library (rule rasp-932-100) to monitor shell command execution.
When the command executed appears to be controlled by the user (and that the control doesn’t appear legitimate), those specific commands are highlighted.
Since the exploit is proven and the attacker may be taking over the underlying infrastructure, the severity of the signal is set to CRITICAL.

Triage and response

  1. Consider blocking the attacking IPs temporarily to slow down the further exploitation of your infrastructure.
  2. Consider switching the WAF rule rasp-932-100 to blocking mode to prevent exploitation.
  3. Leverage traces to determine the vulnerable codepath, and fix the code.