Info
ID: AT-PE002.001
Sub-technique of: Injection Exploitations
Tactic: Payload Execution
Platforms: Linux, macOS, Windows
Data Sources: Application Logs, Process Monitoring, Command History, System Call Monitoring
Supports Remote: Yes
Version: 1.0
OS Command Injection
OS Command Injection is a critical injection vulnerability that occurs when an application passes unsafe user-supplied data to a system shell. Within the Payload Execution phase, this sub-technique enables attackers to execute arbitrary operating system commands on the host system with the same privileges as the vulnerable application. Unlike other injection types that manipulate application data flow, command injection allows direct interaction with the underlying operating system, providing attackers with a powerful vector to establish persistence, elevate privileges, access sensitive information, or pivot to other systems within the network. Attackers typically exploit this vulnerability by injecting shell metacharacters (such as semicolons, pipes, ampersands) or command terminators into input fields, URL parameters, HTTP headers, or file uploads that are subsequently processed by server-side functions like `system()`, `exec()`, `popen()`, or their language-specific equivalents. The impact of successful command injection is severe, as it bypasses application-level controls and directly compromises the operating system security boundary.
Data Sources
- Application Logs: Command execution logs and injection attempt traces
- Process Monitoring: Process creation and execution resulting from injected commands
- Command History: System command history and shell activity logs
- System Call Monitoring: System calls related to command execution and shell spawning
Detection
Monitor for command injection attempts, unusual command execution patterns, and shell metacharacter usage. Detection strategies include:
- Command Pattern Analysis: Track command execution patterns for injection indicators and metacharacter usage
- Input Validation Monitoring: Monitor for shell metacharacters and command terminators in user inputs
- Process Execution Analysis: Analyze spawned processes for suspicious command execution patterns
- Application Behavior Monitoring: Monitor for unexpected system interactions and command execution
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1041 | Input Validation | Implement strict input validation and sanitization for command parameters |
| M1038 | Execution Prevention | Use parameterized commands and avoid shell command execution where possible |
| M1048 | Application Isolation and Sandboxing | Implement sandboxing and least privilege for applications executing system commands |
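The following Python example is added here and is not part of this technique page. It illustrates both the Detection section (flagging shell metacharacters in a request parameter) and mitigations M1041 and M1038 (allowlist validation plus an argv list with no shell). The "ping a host" feature, the hostname pattern, and the inputs are constructed for the example.

```python
"""Added example: unsafe string-to-shell pattern beside a hardened form,
plus a metacharacter check a defender can log and alert on.
The 'ping a host' feature is a constructed scenario, not from the page."""
import re
import subprocess

# Shell separators, substitution and redirection characters (constructed list
# based on the metacharacters the page names: ; | & and similar).
SHELL_METACHARS = re.compile(r"[;&|`$<>\n\\(){}]")
# Constructed allowlist: hostnames / dotted IPs only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_unsafe_command(host: str) -> str:
    """Vulnerable pattern: concatenation handed to system()/shell=True.
    Built only to show the injected separator survives; never executed here."""
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """M1041: strict allowlist validation; also rejects a leading '-' so the
    value cannot be parsed as an option by the target program."""
    if not HOSTNAME_RE.fullmatch(host) or host.startswith("-"):
        raise ValueError(f"rejected host argument: {host!r}")
    return host


def build_safe_argv(host: str) -> list[str]:
    """M1038: parameterized form. Each element is one argv entry and no shell
    is involved, so metacharacters in the value are inert data."""
    return ["ping", "-c", "1", validate_host(host)]


def run_safe(host: str) -> subprocess.CompletedProcess:
    """Execute without a shell (shell=False is the subprocess default)."""
    return subprocess.run(build_safe_argv(host), capture_output=True, text=True, check=False)


def flag_injection(param: str) -> bool:
    """Detection helper: True when a user-supplied parameter carries shell
    metacharacters, which is the input-validation monitoring signal above."""
    return bool(SHELL_METACHARS.search(param))


if __name__ == "__main__":
    benign, hostile = "example.com", "example.com; id"  # constructed inputs
    print(build_unsafe_command(hostile))   # a shell would run 'id' after ping
    print(build_safe_argv(benign))
    print(flag_injection(hostile), flag_injection(benign))
```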