COMMAND INJECTIONS

DETECTING SUSPICIOUS WEB CMDS

Search for HTTP requests that might show malicious activity; searches the web access logs for any HTTP requests that include signs of command execution attempts, such as cmd.exe, PowerShell, or Invoke-Expression

SPLUNK> Search
 QUERY: index=windows_apache_access (cmd.exe OR powershell OR "powershell.exe" OR "Invoke-Expression") | table _time host clientip uri_path uri_query status
 DTG: All time

 _time	              host	        clientip	  uri_path	          uri_query                                                                                         status
 2025-10-27 04:37:36	WebAppServer	10.9.0.217	/cgi-bin/hello.bat	cmd=powershell.exe+-enc+VABoAGkAcwAgAGkAcwAgAG4AbwB3ACAATQBpAG4AZQAhACAATQBVAEEASABBAEEASABBAEEA	200
 2025-10-26 21:47:59	WebAppServer	10.9.0.217	/cgi-bin/hello.bat	cmd=cmd.exe	                                                                                      200
 2025-10-26 21:48:33	WebAppServer	10.9.0.217	/cgi-bin/hello.bat	cmd=powershell.exe+-enc+VABoAGkAcwAgAGkAcwAgAG4AbwB3ACAATQBpAG4AZQAhACAATQBVAEEASABBAEEASABBAEEA	200
 2025-10-27 04:39:10	WebAppServer	10.9.0.217	/cgi-bin/hello.bat	cmd=powershell.exe+-enc+VABoAGkAcwAgAGkAcwAgAG4AbwB3ACAATQBpAG4AZQAhACAATQBVAEEASABBAEEASABBAEEA	200

* This query helps identify possible Command Injection attacks, where the evil attacker tries to execute system commands through a vulnerable CGI script (hello.bat)
    - does this query identify obfuscated cmds like base64 or just plain as is characters
                - cmd or powershell will be captured unencoded

MALICIOUS ENCODED STRINGS

This will identify any or all potentially malicious encoded strings

SPLUNK> Query Results...
Output:
_time                                                                   host                                      clientip               uri_path                                             uri_query
2025-10-26 21:48:33    WebAppServer          10.9.0.217  /cgi-bin/hello.bat  cmd=powershell.exe+-enc+...
2025-10-26 21:47:59 WebAppServer              10.9.0.217      /cgi-bin/hello.bat         cmd=cmd.exe

* At this step, we are primarily interested in base64-encoded strings, which may reveal various types of activities.

DECODING ENCODED STRINGS

root@thm:~$ BROWSER > https://www.base64decode.org/


#Looking for Server-Side Errors or Command Execution in Apache Error Logs

SPLUNK> Search
QUERY: index=windows_apache_error ("cmd.exe" OR "powershell" OR "Internal Server Error")
DTG: All time
Events:
  View: Raw
  
  ...

* If a request like /cgi-bin/hello.bat?cmd=powershell triggers a 500 “Internal Server 
  Error,” it often means the attacker’s input was processed by the server but failed 
  during execution, a key sign of exploitation attempts.
    - Checking these results helps confirm whether the attack reached the backend or 
      remained blocked at the web layer.

* inspecting web server error logs, would help in uncovering malicious activity
    - This query inspects the Apache error logs for signs of execution attempts or 
      internal failures caused by malicious requests; we are searching for error 
      messages with particular terms such as cmd.exe and powershell

This traces suspicious process creation (HOST) from Apache. Explore Sysmon for other malicious executable files that the web server might have spawned

SPLUNK> Search
QUERY: index=windows_sysmon ParentImage="*httpd.exe"
DTG: All time
Events:
  View: Table
  
  ...

* This query focuses on process relationships from Sysmon logs, specifically when the 
  parent process is Apache (httpd.exe).
   - Typically, Apache should only spawn worker threads, not system processes like 
     cmd.exe or powershell.exe.
      - if results show child processes such as below; It indicates a 
        successful command injection where Apache executed a system command
         - ParentImage = C:\Apache24\bin\httpd.exe
         - Image = C:\Windows\System32\cmd.exe
                                  
      - this is  is one of the strongest indicators that the web attack penetrated 
        the operating system

IDENTIFYING ENUMERATION ACTIVITY

This is how to confirm attacker enumeration activity (post-exploitation reconnaissance) - powershell specific. The aim is to discover specific programs found from previous queries "tracing suspicious process creation (host) from apache

SPLUNK> Search
QUERY: index=windows_sysmon *cmd.exe* *whoami*
DTG: All time
Events: 

* This query looks for command execution logs where cmd.exe ran the command "whoami"
    - Attackers often use the whoami command immediately after gaining code execution 
      to determine which user account their malicious process is running as.
      - if the defender knows basic understanding of oco, they'll be able to identify 
        other cmds that operators typically use

IDENTIFYING BASE64 ENCODED PAYLOADS (POWERSHELL)

SPLUNK> Search
QUERY: index=windows_sysmon Image="*powershell.exe" (CommandLine="*enc*" OR CommandLine="*-EncodedCommand*" OR CommandLine="*Base64*")
DTG: All time
Events

* This query detects PowerShell commands containing -EncodedCommand or Base64 text, a 
  common technique attackers use to hide their real commands
    - If the organization's defenses are correctly configured, this query should 
      return no results, meaning the encoded payloads never ran
       - If results appear, decode the Base64 command to inspect the 
         attacker’s true intent.

PreviousOUTBOUND C2 COMMS CORRELATION NextELK

Last updated 2 days ago