Home/CVE-2014-9342/Sigma rules
Sigma

Sigma rules for CVE-2014-9342

2 rules · scoped to cve · back to CVE-2014-9342
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

2 of 2
direct medium
F5 BIG-IP iControl Rest API Command Execution - Proxy
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
status test author Nasreddine Bencherchali (Nextron Systems), Thurein Oo id b59c98c6-95e8-4d65-93ee-f594dfb96b17 license Sigma · DRL-1.1
view Sigma YAML 
title: F5 BIG-IP iControl Rest API Command Execution - Proxy
id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
related:
    - id: 85254a62-22be-4239-b79c-2ec17e566c37
      type: similar
status: test
description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
references:
    - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
    - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
    - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-11-08
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'POST'
        c-uri|endswith: '/mgmt/tm/util/bash'
    condition: selection
falsepositives:
    - Legitimate usage of the BIG IP REST API to execute command for administration purposes
level: medium
direct medium
F5 BIG-IP iControl Rest API Command Execution - Webserver
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
status test author Nasreddine Bencherchali (Nextron Systems), Thurein Oo id 85254a62-22be-4239-b79c-2ec17e566c37 license Sigma · DRL-1.1
view Sigma YAML 
title: F5 BIG-IP iControl Rest API Command Execution - Webserver
id: 85254a62-22be-4239-b79c-2ec17e566c37
related:
    - id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
      type: similar
status: test
description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
references:
    - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
    - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
    - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-11-08
tags:
    - attack.execution
    - attack.t1190
    - attack.initial-access
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|endswith: '/mgmt/tm/util/bash'
    condition: selection
falsepositives:
    - Legitimate usage of the BIG IP REST API to execute command for administration purposes
level: medium
Showing 1-2 of 2
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin