LetsDefend SOC168 – Command Injection (whoami) Web Attack Analysis
Alert Name: SOC168 – Whoami Command Detected in Request Body
Severity: High
Event ID: 118
Event Time: Feb 28, 2022, 04:12 AM
Category: Web Attack
Play Book

1. Alert Overview

A high-severity web attack alert was triggered on WebServer1004 due to the detection of the whoami command within the HTTP request body. This behavior is commonly associated with command injection attempts, where an attacker tries to execute system-level commands through a web application.
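The check this alert describes (whoami in an HTTP request body, chained behind a shell operator), as an added Python example that is not part of the LetsDefend playbook or alert data. The request records, field names (src, url, body) and the verdict labels are constructed assumptions; the point is to separate an operator-chained whoami from a bare mention of the word, and to URL-decode before matching so encoded payloads are not missed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request records (assumed fields, not LetsDefend log data).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "url": "/api/search", "body": "q=laptop"},
    {"src": "203.0.113.77", "url": "/api/ping", "body": "host=127.0.0.1;whoami"},
    {"src": "203.0.113.77", "url": "/api/ping", "body": "host=127.0.0.1%7Cwhoami"},
    {"src": "198.51.100.5", "url": "/profile", "body": "bio=I%20typed%20whoami%20in%20class"},
]

# Shell operators that chain a second command onto the one the application intended.
# A single '&' is deliberately excluded: in a form body it is the parameter separator
# and would produce false positives; '&&' is still covered.
CHAIN = r"(?:;|\|\|?|&&|`|\$\()"
PATTERN = re.compile(CHAIN + r"\s*whoami\b", re.IGNORECASE)
BARE_WORD = re.compile(r"\bwhoami\b", re.IGNORECASE)


def decode_body(body: str) -> str:
    """URL-decode until the text stops changing, so double-encoded bodies (%2524) normalise."""
    prev, cur = None, body
    while prev != cur:
        prev, cur = cur, unquote_plus(cur)
    return cur


def classify(body: str) -> dict:
    """Return a verdict for one request body plus the decoded text and matched evidence."""
    decoded = decode_body(body)
    m = PATTERN.search(decoded)
    if m:
        return {"verdict": "command_injection", "evidence": m.group(0), "decoded": decoded}
    if BARE_WORD.search(decoded):
        # The word alone, with no chaining operator, is worth a look but ranks lower.
        return {"verdict": "suspicious_keyword", "evidence": "whoami", "decoded": decoded}
    return {"verdict": "benign", "evidence": "", "decoded": decoded}


def triage(records: list) -> list:
    """Annotate each request record with its verdict; input order is preserved."""
    return [dict(r, **classify(r["body"])) for r in records]


if __name__ == "__main__":
    for r in triage(SAMPLE_REQUESTS):
        print(f'{r["src"]:14} {r["url"]:12} {r["verdict"]:20} {r["evidence"]!r}')
```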