
Command Detected in Request Body. SOC168 — Whoami Command Detected


What is Command Injection?

Command Injection
  • Command injection is a vulnerability that lets an attacker execute arbitrary commands on the host operating system through a vulnerable application.
  • It occurs when an application passes unsafe, user-supplied data (for example form input) to a system shell without proper validation or sanitization.
  • An attacker can use command injection to gain unauthorised access to sensitive data, execute malicious code, or disrupt the intended functionality of the application.
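To make the failure concrete, here is an added example (not code from the original post) of the vulnerable pattern beside two progressively safer versions. It simulates a lookup endpoint that runs a command on a user-supplied host; the `echo`-based command, the host values and the separator payload are constructed for illustration, and a POSIX shell is assumed.

```python
import re
import subprocess

# Constructed sample inputs (not from the original page). The "lookup" simulates a
# web endpoint that runs a shell command on a user-supplied host; POSIX shell assumed.
BENIGN_HOST = "127.0.0.1"
INJECTED_HOST = "127.0.0.1; whoami"


def vulnerable_lookup(host: str) -> str:
    """VULNERABLE: user input is pasted into a shell string and run with shell=True.
    A ';' in the input ends the echo command and the shell runs whatever follows."""
    cmd = f"echo resolving {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_lookup(host: str) -> str:
    """Safer: argv list, no shell. Metacharacters reach echo as literal text, so no
    second command runs (though the odd input still reaches the program unchecked)."""
    out = subprocess.run(["echo", "resolving", host], capture_output=True, text=True)
    return out.stdout


# Allow-list of characters a hostname or IPv4 literal may contain (assumed policy).
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def safe_lookup(host: str) -> str:
    """Hardened: allow-list validation first, then argv list with no shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return argv_lookup(host)


if __name__ == "__main__":
    print(vulnerable_lookup(INJECTED_HOST), end="")  # second line is whoami's output
    print(argv_lookup(INJECTED_HOST), end="")        # one line, ';' printed literally
    try:
        safe_lookup(INJECTED_HOST)
    except ValueError as e:
        print(e)
```

The middle version is the important lesson: dropping `shell=True` and passing an argument list removes the shell from the path entirely, so the `;` is never interpreted. Input validation is still worth adding, because the target program may have its own dangerous arguments.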


Figure: an ls command injection attack, listing the directory contents of the target

How to detect command injection?

  • One way to find command injection vulnerabilities in a web application is to search the source code for functions that pass unsanitized user input to a system shell, and to watch request data for command names that should never appear there.
  • Some keywords to look for include:
  • "whois", "dir", "ls", "cp", "cat", "type"
  • "system", "etc", "exec", "shell_exec"
  • "whoami"
  • A bare keyword match is a weak signal on its own, since words like "type" or "ls" occur in ordinary text. Confirm a hit by URL-decoding the request and checking for a shell metacharacter such as ";", "&&", "|", "`" or "$(" immediately before the command.
Figure: detecting command injection with Snort

SOC168 — Whoami Command Detected in Request Body

Here is the generated alert.

The alert shows:
  • Source IP address: the source attempted a "whoami" command injection attack on WebServer1004
  • Request URL:

Let's check the source IP address:

This IP address has been flagged as malicious, and it has been used in a large number of other attacks.


Let's look in Log Management.

Figure: log management
  • Several command injection attempts were made by this attacker.
  • Every attempt received an HTTP 200 response, but with different response sizes, which suggests the server returned command output rather than a fixed error page. A 200 status alone does not prove execution.
  • The command-line history on WebServer1004 confirms that all of the injected commands were executed.
Figure: command-line history on WebServer1004
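The keyword search described in the detection section and the log triage above both come down to the same check, so here is one added example (not code from the original post or from LetsDefend) that runs it over constructed log records. It URL-decodes each request body, scans every parameter value for a shell separator followed by a command word, and reports the HTTP status and response size of each hit so an analyst can see whether the sizes vary. The JSON log shape, hostnames and IP addresses are assumptions made for the example.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample records (not from the original page), one JSON object per line,
# modelled loosely on a web-server log with the raw request body attached.
SAMPLE_LOGS = [
    '{"src":"203.0.113.10","url":"/user/list","body":"user=admin","status":200,"size":1260}',
    '{"src":"203.0.113.10","url":"/user/list","body":"user=admin%3B+whoami","status":200,"size":1284}',
    '{"src":"203.0.113.10","url":"/user/list","body":"user=admin%3B+cat+%2Fetc%2Fpasswd","status":200,"size":3502}',
    '{"src":"203.0.113.10","url":"/user/list","body":"user=admin%26%26+ls+-la","status":200,"size":1900}',
    '{"src":"198.51.100.7","url":"/search","body":"q=I+type+fast+and+ls+is+my+friend","status":200,"size":5210}',
    '{"src":"198.51.100.7","url":"/user/list","body":"user=admin&type=2","status":200,"size":1260}',
]

# A shell separator must precede the command word; bare keywords ("type", "ls" in
# prose, or "type=" as a form field name) would otherwise produce false positives.
SEPARATOR = r"(?:;|\|\|?|&&?|`|\$\()"
COMMAND = r"(?:whoami|whois|id|uname|cat|ls|dir|type|cp|pwd|wget|curl|nc|bash|sh|cmd|powershell)"
INJECTION_RE = re.compile(SEPARATOR + r"\s*(?:/[\w./-]*/)?" + COMMAND + r"\b", re.IGNORECASE)


def extract_injection(body: str):
    """Return (parameter, matched fragment) for the first injected command in a
    form-encoded body, or None. Decoding happens per value, so a literal '&'
    between parameters is never mistaken for a shell '&&'."""
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            match = INJECTION_RE.search(value)
            if match:
                return name, match.group(0)
    return None


def analyse(lines):
    """Scan JSON-lines records and return one dict per request that carries an
    injected command, keeping the fields needed for triage."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        found = extract_injection(rec.get("body", ""))
        if found:
            param, fragment = found
            hits.append({"src": rec["src"], "url": rec["url"], "param": param,
                         "fragment": fragment, "status": rec["status"], "size": rec["size"]})
    return hits


def sizes_vary(hits) -> bool:
    """True when successful-looking (200) hits returned differently sized responses,
    a hint that command output, not a static error page, came back."""
    return len({h["size"] for h in hits if h["status"] == 200}) > 1


if __name__ == "__main__":
    found = analyse(SAMPLE_LOGS)
    for h in found:
        print(f'{h["src"]} {h["url"]} {h["param"]}={h["fragment"]!r} -> {h["status"]} {h["size"]}B')
    print("response sizes vary:", sizes_vary(found))
```

Varying sizes only raise suspicion; as in the investigation above, confirmation comes from the host itself (shell history, process creation events), not from the web log.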

Playbook answers:

  • Tier 2 escalation: yes
  • Was the attack successful? Yes
  • Direction of traffic: Internet to company network
  • Is this a planned test? No, there is no email about a planned test
  • Attack type: command injection
  • Traffic classification: malicious
