GEN:SID | 1:494 |
Message | ATTACK-RESPONSES command completed |
Summary | This event is generated by a successful attempt to execute a command. This may be indicative of post-compromise behavior indicating the use of a Windows command shell.
|
Impact | Serious. An attacker may have the ability to execute commands remotely
|
Detailed Information | This event is generated by an unsuccessful attempt to execute a Windows command which generates the response "The command completed successfully". For example, it is generated in Windows 2000/XP after the "net" command (such as "net use") is used. The net commands are used for a wide variety of system tasks of interest to attackers and can be started from the windows shell (cmd.exe, command.com).
Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has sucessfully executed a command. Note that the source address of this event is actually the victim and not that of the attacker.
|
Affected Systems | |
Attack Scenarios | An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to map the DMZ network via "net use" commands.
|
Ease of Attack | Simple. This post-attack behavior can accompany different attacks.
|
Corrective Action | Investigate the web server for signs of compromise.
Look for other IDS events involving the same IP addresses.
|
Additional References | Microsoft Technet: http://www.microsoft.com/technet/prodtechnol/windows2000serv/support/FAQW2KCP.asp
|
Rule References | bugtraq: 1806
|