SOC168 - Whoami Command Detected in Request Body

In this LetsDefend alert, I examined the risk posed by a "whoami" command detected in an HTTP request body on our network. "whoami" is a Unix terminal command that prints the name of the current user. This becomes especially dangerous when an attacker has gained access to a privileged account on the device.

I began by investigating the source IP. It was not associated with any device on the company network, so I turned to VirusTotal and AbuseIPDB to determine its origin. Both showed that the IP was located in China and flagged as malicious, with numerous reports tying it to failed SSH brute-force attempts. Not good.

The attacker's target was a company machine, WebServer1004, which completes the picture: the traffic was inbound, from the internet into the company network. I analyzed the web traffic logs, which showed the attacker clearly trying a series of command injections ("ls", "whoami", "uname", "cat /etc/passwd", "cat /etc/shadow") to enumerate their newfound access and exfiltrate as much information as possible. Every injection received a 200 response code, and every response had a different size, which indicated that the commands were executing and returning their output. It appeared that the attack was successful.
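As an added illustration (not part of the original write-up), the following Python script applies the same triage reasoning to constructed log lines: it flags request bodies that carry the injected commands listed above, groups the hits by source IP, and applies the "all 200 responses with differing sizes" heuristic. The log format, IP addresses and sizes are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original alert) mimicking the pattern
# described above: one source sends shell commands in POST bodies to WebServer1004,
# every request is answered 200, and every response has a different size.
SAMPLE_LOGS = [
    'src=203.0.113.7 dst=WebServer1004 status=200 size=512 body="page=home;ls"',
    'src=203.0.113.7 dst=WebServer1004 status=200 size=640 body="page=home;whoami"',
    'src=203.0.113.7 dst=WebServer1004 status=200 size=701 body="page=home;uname -a"',
    'src=203.0.113.7 dst=WebServer1004 status=200 size=2211 body="page=home;cat /etc/passwd"',
    'src=203.0.113.7 dst=WebServer1004 status=200 size=1450 body="page=home;cat /etc/shadow"',
    'src=198.51.100.9 dst=WebServer1004 status=200 size=512 body="page=home"',
]

LINE_RE = re.compile(r'src=(?P<src>\S+) .*?status=(?P<status>\d+) size=(?P<size>\d+) body="(?P<body>[^"]*)"')
# A command name only counts when it follows a shell separator or substitution
# character, so ordinary form text such as "tools" or "catalog" does not trip it.
INJECT_RE = re.compile(r'[;|&`$(]\s*(whoami|ls|uname|cat\s+/etc/(?:passwd|shadow))\b')

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'], rec['size'] = int(rec['status']), int(rec['size'])
    return rec

def triage(lines):
    """Group injection attempts by source IP and apply the write-up's success test:
    all probes answered 200 with pairwise-different response sizes, which suggests
    real command output (not a static error page) came back."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = INJECT_RE.search(rec['body'])
        if m:
            hits[rec['src']].append((m.group(1), rec['status'], rec['size']))
    report = {}
    for src, probes in hits.items():
        statuses = {status for _, status, _ in probes}
        sizes = [size for _, _, size in probes]
        report[src] = {
            'commands': [cmd for cmd, _, _ in probes],
            'likely_successful': statuses == {200} and len(set(sizes)) == len(sizes),
        }
    return report
```

Running `triage(SAMPLE_LOGS)` reports only 203.0.113.7, with all five commands and `likely_successful` set to True; the benign second source produces no entry.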

To confirm that this activity was not planned, I checked the email logs. There was no correspondence about a scheduled attack or test. Examining the target machine's command and process history revealed a sequence of events whose timestamps matched those of the attacker's command injections.

Having confirmed that the threat was real and the alert a true positive, I quarantined the device from the network. I closed out the case by reporting the maliciousness and direction of the traffic, the type and success of the attack, and the evidence that it was not planned by the company. Escalation to Tier 2 was therefore necessary for further analysis.