Enabling OS Command Injection Detection

Starting with release 2.0, .NET and .NET Core agents support tCell command injection. Command injection detection and blocking is implemented via the .NET Profiling API, https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/. Below are the steps needed to enable command injection detection and blocking for .NET and .NET Core applications.

Note: OS command injection is currently only supported on Windows .NET and .NET Core applications.

Prerequisites

tCell command injection uses the .NET Profiling API, which can cause conflicts with other tools, such as New Relic Thread Profiler, that also use the same API. Therefore, before you enable tCell command injection for .NET, you should disable other profiling tools that are dependent on the .NET Profiling API.

Enabling Command Injection for .NET Applications

To enable command injection on .NET applications, choose the “Code Instrumentation (experimental)” option from the .NET Installer. This will automatically set the appropriate environment variables for the IIS process. To learn more about .NET environment variables, please read https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/setting-up-a-profiling-environment.

Enabling Command Injection for .NET Core Applications

tCell command injection for .NET Core applications is installed via the standard .NET NuGet package manager. For more information on NuGet, please read https://www.nuget.org/.

Install the Package

Use the dotnet CLI run the following command:

1
dotnet add package Tcell.Agent.Profiler

Set the Environment Variables

Set the appropriate .NET Profiling environment variables:

1
CORECLR_ENABLE_PROFILING=1
2
CORECLR_PROFILER={D6918074-AE72-472C-AED8-BEBFC6FDA1CC}
3
CORECLR_PROFILER_PATH=C:\app\Tcell.Profiler.dll // this is the path to
4
// the Tcell.Profiler.dll

To learn more about .NET profiling variable behavior, read https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/setting-up-a-profiling-environment.

Profiling Scope

.NET environment variables can be configured a variety of ways, and the configuration mechanism can impact not only the tCell agent, but other applications and tools deployed on a given .NET System. To learn more about this behavior, read https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/setting-up-a-profiling-environment#environment-variable-scope. If you plan to use tCell command injection, we strongly recommend you review the .NET Profiling documentation and plan your deployments accordingly.