(Writeup) LetsDefend EventID: 118 - [SOC168 - Whoami Command Detected in Request Body]
This writeup investigates a command injection alert raised after POST requests containing system commands targeted a web endpoint. The investigation validates the attacker IP's reputation, analyzes HTTP response behavior, confirms successful command execution through response size variation, and initiates containment and escalation due to a confirmed web shell.
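One way to script the response-size check summarized above, added here as an example and not taken from the writeup or from LetsDefend: it flags POST bodies carrying command keywords, then compares response sizes per source and URL. The log records, field names, paths, addresses and keyword list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the alert): one dict per logged request.
SAMPLE_LOG = [
    {"src": "203.0.113.7", "method": "POST", "url": "/upload/view.php", "body": "c=whoami", "status": 200, "size": 912},
    {"src": "203.0.113.7", "method": "POST", "url": "/upload/view.php", "body": "c=ls", "status": 200, "size": 1021},
    {"src": "203.0.113.7", "method": "POST", "url": "/upload/view.php", "body": "c=uname", "status": 200, "size": 910},
    {"src": "198.51.100.9", "method": "POST", "url": "/login", "body": "user=whoami&pass=x", "status": 200, "size": 500},
    {"src": "198.51.100.9", "method": "POST", "url": "/login", "body": "user=ls&pass=x", "status": 200, "size": 500},
    {"src": "198.51.100.20", "method": "GET", "url": "/index.html", "body": "", "status": 200, "size": 4310},
]

# Assumed keyword list for a "command in request body" rule; tune per environment.
CMD_RE = re.compile(r"(?<![\w-])(whoami|uname|ls|cat\s+/etc/passwd)(?![\w-])", re.I)


def command_posts(records):
    """Return POST records whose body contains a command keyword."""
    return [r for r in records if r["method"] == "POST" and CMD_RE.search(r["body"])]


def triage(records):
    """Group hits by (source, URL) and judge each group by response-size variation."""
    groups = defaultdict(list)
    for r in command_posts(records):
        groups[(r["src"], r["url"])].append(r)
    verdicts = {}
    for key, hits in groups.items():
        ok_sizes = {h["size"] for h in hits if h["status"] == 200}
        if len(ok_sizes) > 1:
            # Different commands produced different bodies: output was returned.
            verdicts[key] = "likely executed: response size varies per command"
        elif ok_sizes:
            # Same page regardless of input; the keyword alone proves nothing.
            verdicts[key] = "inconclusive: same size for every command"
        else:
            verdicts[key] = "blocked or failed: no 200 responses"
    return verdicts


if __name__ == "__main__":
    for (src, url), verdict in triage(SAMPLE_LOG).items():
        print(src, url, verdict)
```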