Adversaries may abuse the F5 BIG-IP iControl REST API to execute arbitrary commands on the appliance; in proxy logs this shows up as a POST to the `/mgmt/tm/util/bash` endpoint, which maps to T1190 (Exploit Public-Facing Application). The bash endpoint is a legitimate, authenticated administrative feature, so the rule below is a medium-severity hunting query rather than a high-fidelity alert: SOC teams should run it in Microsoft Sentinel (formerly Azure Sentinel) and triage the hits, so that command execution on an F5 device is caught before it escalates to data exfiltration or full compromise.
Detection Rule
```yaml
title: F5 BIG-IP iControl Rest API Command Execution - Proxy
id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
related:
    - id: 85254a62-22be-4239-b79c-2ec17e566c37
      type: similar
status: test
description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
references:
    - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
    - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
    - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-11-08
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'POST'
        c-uri|endswith: '/mgmt/tm/util/bash'
    condition: selection
falsepositives:
    - Legitimate usage of the BIG-IP REST API to execute commands for administration purposes
level: medium
```
The same selection expressed as a KQL query against the Sentinel `imWebSession` normalized table (`=~` is a case-insensitive comparison):

```kql
imWebSession
| where HttpRequestMethod =~ "POST" and Url endswith "/mgmt/tm/util/bash"
```
The rule only fires on a POST whose URI ends in `/mgmt/tm/util/bash`. A legitimate request is therefore a false positive only if it actually goes through the bash endpoint; REST calls to other `/mgmt/tm/...` objects never match and need no exclusion. Keep in mind that proxy logs normally record the client address, method, URL and user-agent, not the request body, so body-based exclusions are rarely possible, and that the user-agent is set by the client and can be copied by an attacker.

Scenario: Administrative tmsh Commands via the Bash Endpoint
Description: An administrator uses the iControl REST API to run a tmsh command wrapped in the bash utility (e.g., tmsh modify sys db sys.cpu.rate threshold 80) as part of routine maintenance. This hits the rule because the request is sent to the bash endpoint.
Filter/Exclusion: Where the proxy does log the request body, known administrative command prefixes such as sys db, ltm virtual, or auth user can be matched to triage the hit. Otherwise, exclude on the combination of known administrator source IPs (or jump hosts) and the account used, not on the command text.

Scenario: Automated Configuration Backup via Script
Description: A DevOps tool (e.g., Ansible, Terraform, or custom scripts) periodically backs up the BIG-IP configuration using the iControl REST API. It matches the rule only if the tool issues its backup command through the bash endpoint.
Filter/Exclusion: Exclude requests originating from the known automation hosts, keyed on source IP together with the tool's user-agent string. Do not rely on the user-agent alone: the same string from an unexpected source address should still be reported.

Scenario: User Authentication and Session Management
Description: An admin logs in via the iControl REST API and performs session management tasks (e.g., auth user login, auth user logout).
Filter/Exclusion: None needed. Login and session requests go to different REST paths and do not end in `/mgmt/tm/util/bash`, so they never match this rule. Adding an exclusion for requests containing "auth" in the path or body would not reduce noise and would give an attacker an easy way to suppress the detection by including that string.

Scenario: Health Check or Monitoring Tool Integration
Description: A monitoring tool (e.g., Nagios, Zabbix, or Prometheus) periodically polls the iControl API for the status of virtual servers or pools. Status reads do not use the bash endpoint and do not match; the rule only fires if the tool has been configured to run shell commands through it.
Filter/Exclusion: For such a tool, exclude on source IP together with its user-agent or a fixed request header such as X-Request-Id. Do not exclude on body content like monitor, check, or status: these strings are attacker-controllable and carry no evidence that the request was benign.
Scenario: API Testing with Post
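As an added example (not code from the original page or from the Sigma project), the Python below runs the selection above over a handful of constructed W3C-style proxy log lines and applies the source-IP plus user-agent allowlist that the false-positive scenarios recommend. The hostnames, addresses, user-agent strings and the ALLOWLIST entry are assumed for illustration. It demonstrates two things the rule text alone does not show: a literal `endswith` on the full logged URI (`c-uri` in Sigma, `Url` in the KQL) does not match when the logged request carries a query string, a trailing slash, or percent-encoding, so the comparison should be made on a normalized path; and a user-agent allowlist is only safe when paired with the source address, since the same user-agent from an unexpected host is still reported.

```python
"""Added example (not part of the original page or the Sigma project):
the F5 BIG-IP bash-endpoint detection applied to constructed proxy log
lines, with the source-IP + user-agent allowlist from the FP section."""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

BASH_ENDPOINT = "/mgmt/tm/util/bash"

# Constructed sample log lines (not real traffic). Field order mirrors a
# typical W3C extended log: date time c-ip cs-method cs-uri cs-user-agent
SAMPLE_LOG = """\
2024-01-15 10:00:01 203.0.113.7 POST https://bigip.example.internal/mgmt/tm/util/bash curl/8.4.0
2024-01-15 10:00:05 10.0.5.20 POST https://bigip.example.internal/mgmt/tm/util/bash ansible-f5/1.0
2024-01-15 10:00:09 203.0.113.7 GET https://bigip.example.internal/mgmt/tm/ltm/virtual/stats Nagios
2024-01-15 10:00:12 203.0.113.7 POST https://bigip.example.internal/mgmt/shared/authn/login python-requests/2.31
2024-01-15 10:00:15 198.51.100.9 POST https://bigip.example.internal/mgmt/tm/util/bash?x=1 python-requests/2.31
2024-01-15 10:00:18 198.51.100.9 POST https://bigip.example.internal/mgmt/tm/util/bash/ ansible-f5/1.0
2024-01-15 10:00:21 198.51.100.9 POST https://bigip.example.internal/mgmt/tm/util/%62ash curl/8.4.0
"""

# Assumed automation host: exclusion requires BOTH the address and the agent.
ALLOWLIST = {("10.0.5.20", "ansible-f5/1.0")}


@dataclass(frozen=True)
class ProxyEvent:
    c_ip: str
    cs_method: str
    c_uri: str
    c_useragent: str


def parse_line(line: str) -> ProxyEvent:
    """Split one log line; the user-agent is the last field and may contain spaces."""
    _date, _time, c_ip, method, uri, ua = line.split(maxsplit=5)
    return ProxyEvent(c_ip, method, uri, ua)


def request_path(uri: str) -> str:
    """Reduce a logged URI to its path: drop scheme/host and query string,
    percent-decode, and remove a trailing slash."""
    path = unquote(urlsplit(uri).path)
    return path.rstrip("/") or "/"


def matches_rule_literal(ev: ProxyEvent) -> bool:
    """The Sigma selection exactly as written (Sigma string matching is
    case-insensitive by default, hence the case folding)."""
    return ev.cs_method.upper() == "POST" and ev.c_uri.lower().endswith(BASH_ENDPOINT)


def matches_rule_normalised(ev: ProxyEvent) -> bool:
    """Same intent, but compared against the normalized request path."""
    return ev.cs_method.upper() == "POST" and request_path(ev.c_uri).lower() == BASH_ENDPOINT


def is_allowlisted(ev: ProxyEvent) -> bool:
    return (ev.c_ip, ev.c_useragent) in ALLOWLIST


def hunt(log_text: str, matcher=matches_rule_normalised) -> list[ProxyEvent]:
    """Return the events that match the rule and are not allowlisted."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if matcher(ev) and not is_allowlisted(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    print("literal endswith:", [h.c_ip for h in hunt(SAMPLE_LOG, matches_rule_literal)])
    print("normalized path:", [(h.c_ip, h.c_useragent) for h in hunt(SAMPLE_LOG)])
```

With the constructed lines, the literal comparison reports only the first request; the query-string, trailing-slash and percent-encoded variants slip past it, and the Ansible host is correctly suppressed. The normalized comparison reports all four non-allowlisted bash-endpoint POSTs, including the one that copied the automation tool's user-agent from a different address. Whether the appliance itself accepts those URI variants is not established by the page; the point is that the log string and the comparison should be normalized the same way, in Sentinel typically by comparing on the parsed URL path rather than the full `Url`.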