Info

ID: AT-PE001.001
Technique: Injection Exploitations
Tactic: Payload Execution
Platforms: Linux, macOS, Windows
Supports Remote: Yes
Version: 1.0

OS Command Injection

OS Command Injection is a critical injection vulnerability that occurs when an application passes unsafe user-supplied data to a system shell. Within the Payload Execution phase, this sub-technique enables attackers to execute arbitrary operating system commands on the host system with the same privileges as the vulnerable application. Unlike other injection types that manipulate application data flow, command injection allows direct interaction with the underlying operating system, providing attackers with a powerful vector to establish persistence, elevate privileges, access sensitive information, or pivot to other systems within the network. Attackers typically exploit this vulnerability by injecting shell metacharacters (such as semicolons, pipes, ampersands) or command terminators into input fields, URL parameters, HTTP headers, or file uploads that are subsequently processed by server-side functions like system(), exec(), popen(), or their language-specific equivalents. The impact of successful command injection is severe, as it bypasses application-level controls and directly compromises the operating system security boundary.

Data Sources

  • Application Logs: Command execution logs and injection attempt traces
  • Process Monitoring: Process creation and execution resulting from injected commands
  • Command History: System command history and shell activity logs
  • System Call Monitoring: System calls related to command execution and shell spawning

Detection

| ID | Data Source | Detection |
|---|---|---|
| DS0009 | Process: OS API Execution | Flag child processes spawned by web/app servers whose command lines include shell metacharacters (`;`, `&&`, `` ` ``, `\|`) or concatenated user-supplied parameters, which is strong evidence of command-injection exploitation. |
| DS0015 | Application Log | Parse framework logs for runtime exceptions like `sh: 1:` or `command not found` tied to external input; cluster repeated errors from single IPs to detect injection probing. |
| DS0029 | Network Traffic Content | Detect HTTP requests containing suspicious payloads (e.g., `%3Bcat+/etc/passwd`) destined for endpoints that normally don't consume such parameters. |
| DS0022 | File: File Creation | Alert when unexpected executable or script files are dropped within web-writable directories shortly after suspicious command execution. |
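
The DS0009 and DS0029 checks above can be sketched as follows. This is an added example, not code from this knowledge base; the parent-process list, the event field names (`parent`, `cmdline`) and the sample events are constructed assumptions, and the repeated decoding goes slightly beyond the table to cover double-encoded payloads.

```python
import re
from urllib.parse import unquote_plus

# Assumed names of web/app server processes; adjust for your environment.
WEB_PARENTS = {"nginx", "apache2", "httpd", "php-fpm", "node", "java", "gunicorn", "w3wp.exe"}
# Metacharacters listed in the detection table: ; && ` |
SHELL_META = re.compile(r"&&|[;`|]")

def find_meta(text):
    """Return the sorted set of shell metacharacters present in text."""
    return sorted(set(SHELL_META.findall(text)))

def flag_process(event):
    """DS0009: child of a web/app server whose command line carries metacharacters."""
    if event["parent"].lower() not in WEB_PARENTS:
        return []
    return find_meta(event["cmdline"])

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%253B) are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_request_param(raw_value):
    """DS0029: metacharacters in a request parameter after URL decoding."""
    return find_meta(decode_fully(raw_value))

# Constructed sample events and parameters (not real telemetry).
EVENTS = [
    {"parent": "php-fpm", "cmdline": "sh -c ping -c 1 10.0.0.5; cat /etc/passwd"},
    {"parent": "php-fpm", "cmdline": "/usr/bin/convert in.png out.jpg"},
    {"parent": "bash", "cmdline": "ls | wc -l"},  # interactive shell, not a web parent
]
PARAMS = ["10.0.0.5", "10.0.0.5%3Bcat+/etc/passwd", "10.0.0.5%253Bcat+/etc/passwd"]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["parent"], "|", e["cmdline"], "->", flag_process(e) or "ok")
    for p in PARAMS:
        print(p, "->", flag_request_param(p) or "ok")
```

A hit from `flag_request_param` is most useful when scoped to endpoints that do not normally accept such characters, as the DS0029 row notes.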

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1041 | Input Validation | Enforce allow-lists for command arguments and reject requests containing shell metacharacters or unexpected whitespace patterns. |
| M1038 | Execution Prevention | Refactor to use language-native APIs (e.g., `spawn`, `execFile`) that pass parameters without invoking the shell; block use of `system()`-style calls in code reviews/CI/CD gates. |
| M1048 | Application Isolation and Sandboxing | Run application workers within seccomp/ptrace-confined containers that disallow fork/exec syscalls to unknown binaries. |
| M1040 | Behavior Prevention on Endpoint | Deploy Cloud Detection & Response (CADR) agents that detect and prevent command injection exploitation attempts. |