
AWS WAF | WindowsShellcommand Rule unable to find a matchedData


Hi,

We have an application connected to WAF. We see that the WindowsShellCommands_BODY rule gets triggered on an overridden block, but while analyzing the log we don't see any matchedData on the request.

[{"conditionType":"REGEX","location":"BODY","matchedData":null,"matchedFieldName":""}]

Is this the default process, or do I need to make any modification while creating the rule or afterwards?

Asked 3 months ago, 82 views
1 answer

The behavior you're seeing, with the WindowsShellCommands_BODY rule being triggered but showing null matchedData in the logs, is expected in certain situations.

The WindowsShellCommands_BODY rule is designed to inspect request bodies for Windows shell command injection attempts, looking for patterns like ||nslookup and ;cmd. This rule is part of the Windows operating system managed rule group in AWS WAF.

When this rule triggers but shows null matchedData in the logs, there are a few possible explanations:

  1. The rule might be detecting the patterns it is configured to identify, but the logging system doesn't always capture the specific matched data in every scenario.

  2. The rule inspects the request body only up to a certain size limit (16 KB by default for most services, with the ability to increase it up to 64 KB for certain resource types). If the content is oversized, the rule uses the "Continue" option for oversize handling, which might affect how matched data is reported.

  3. If you're using an action override (such as setting the rule to "Count" instead of "Block"), this could affect how the matched data is reported in the logs.

This is standard behavior for some AWS WAF rules, particularly managed rules. If you need more detailed information about what is triggering the rule, you could:

  1. Temporarily set the rule to "Count" mode to observe the traffic without blocking it
  2. Implement more granular logging
  3. Create a custom rule with similar patterns to see whether you can capture more specific match data

No modification is necessarily required if the rule is functioning as intended by blocking malicious requests.
Sources
Use-case specific rule groups - AWS WAF, AWS Firewall Manager, AWS Shield Advanced, and AWS Shield network security director
OverrideAction - AWS WAFV2

Answered 3 months ago
AWS
Expert
Reviewed 3 months ago
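As an added example for the triage the answer suggests (this is not code from the original post, from the answerer, or from AWS), the script below reads wafv2 JSON log lines, flattens every rule hit recorded inside each managed rule group, and reports the hits whose matchedData is null alongside the two things the answer says to check: whether the rule was running under a COUNT override, and whether the request body was larger than the portion WAF actually inspected. The field names it reads ("ruleGroupList", "terminatingRule", "nonTerminatingMatchingRules", "ruleMatchDetails", "requestBodySize", "requestBodySizeInspectedByWAF") follow the wafv2 log format as the author understands it and are an assumption; the body-size fields are treated as optional because not every record carries them. Both log records are constructed for the example.

```python
"""Triage AWS WAF (wafv2) log records for rule hits that carry no matchedData.

Added example, not code from the original post or from AWS. Field names are
an assumption based on the wafv2 JSON log format; the sample records below
are constructed, not captured from a real web ACL.
"""
import json
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample records, trimmed to the fields this triage reads.
# Record 1: WindowsShellCommands_BODY blocked the request, matchedData is null,
#           and the body (20000 bytes) exceeds what WAF inspected (16384 bytes).
# Record 2: SQLi_BODY matched under a COUNT override and matchedData is present.
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": 1700000000000, "formatVersion": 1, "action": "BLOCK",
        "terminatingRuleId": "AWS-AWSManagedRulesWindowsRuleSet",
        "terminatingRuleType": "MANAGED_RULE_GROUP",
        "terminatingRuleMatchDetails": [
            {"conditionType": "REGEX", "location": "BODY",
             "matchedData": None, "matchedFieldName": ""}],
        "ruleGroupList": [{
            "ruleGroupId": "AWS#AWSManagedRulesWindowsRuleSet",
            "terminatingRule": {
                "ruleId": "WindowsShellCommands_BODY", "action": "BLOCK",
                "ruleMatchDetails": [
                    {"conditionType": "REGEX", "location": "BODY",
                     "matchedData": None, "matchedFieldName": ""}]},
            "nonTerminatingMatchingRules": [], "excludedRules": None}],
        "httpRequest": {"clientIp": "198.51.100.7", "uri": "/api/upload",
                        "httpMethod": "POST"},
        "requestBodySize": 20000, "requestBodySizeInspectedByWAF": 16384,
    }),
    json.dumps({
        "timestamp": 1700000001000, "formatVersion": 1, "action": "ALLOW",
        "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
        "terminatingRuleMatchDetails": [],
        "ruleGroupList": [{
            "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",
            "terminatingRule": None,
            "nonTerminatingMatchingRules": [{
                "ruleId": "SQLi_BODY", "action": "COUNT",
                "ruleMatchDetails": [
                    {"conditionType": "SQL_INJECTION", "location": "BODY",
                     "matchedData": ["1", "OR", "1=1"], "matchedFieldName": ""}]}],
            "excludedRules": None}],
        "httpRequest": {"clientIp": "203.0.113.9", "uri": "/login",
                        "httpMethod": "POST"},
        "requestBodySize": 120, "requestBodySizeInspectedByWAF": 120,
    }),
]


@dataclass(frozen=True)
class RuleHit:
    rule_group: str
    rule_id: str
    action: str                  # BLOCK, or COUNT when the rule is overridden
    terminating: bool            # True if this rule ended evaluation
    location: str                # e.g. BODY
    condition_type: str          # e.g. REGEX, SQL_INJECTION
    matched_data: Optional[list]
    body_size: Optional[int]
    body_inspected: Optional[int]
    uri: Optional[str]

    @property
    def body_truncated(self) -> bool:
        """True when WAF inspected fewer body bytes than the request carried."""
        return (self.body_size is not None and self.body_inspected is not None
                and self.body_size > self.body_inspected)


def rule_hits(record: dict) -> list[RuleHit]:
    """Flatten every matching rule inside each rule group of one log record."""
    hits: list[RuleHit] = []
    for group in record.get("ruleGroupList") or []:
        rules = []
        if group.get("terminatingRule"):
            rules.append((group["terminatingRule"], True))
        rules += [(r, False) for r in group.get("nonTerminatingMatchingRules") or []]
        for rule, terminating in rules:
            # A rule may be logged with no match details at all; keep one row.
            for md in rule.get("ruleMatchDetails") or [{}]:
                hits.append(RuleHit(
                    rule_group=group.get("ruleGroupId", ""),
                    rule_id=rule.get("ruleId", ""),
                    action=rule.get("action", ""),
                    terminating=terminating,
                    location=md.get("location", ""),
                    condition_type=md.get("conditionType", ""),
                    matched_data=md.get("matchedData"),
                    body_size=record.get("requestBodySize"),
                    body_inspected=record.get("requestBodySizeInspectedByWAF"),
                    uri=(record.get("httpRequest") or {}).get("uri"),
                ))
    return hits


def all_hits(lines: Iterable[str]) -> list[RuleHit]:
    return [hit for line in lines for hit in rule_hits(json.loads(line))]


def hits_without_matched_data(lines: Iterable[str]) -> list[RuleHit]:
    """Hits where matchedData is null or empty: the case the thread asks about."""
    return [hit for hit in all_hits(lines) if not hit.matched_data]


if __name__ == "__main__":
    for hit in hits_without_matched_data(SAMPLE_LOG_LINES):
        print(f"{hit.rule_group}/{hit.rule_id} action={hit.action} "
              f"{hit.condition_type}@{hit.location} uri={hit.uri} "
              f"body_truncated={hit.body_truncated}")
```

Run it against exported log lines (for example one JSON object per line from the S3 or CloudWatch Logs destination) and the rows with body_truncated set to True are the ones worth comparing against the oversize-handling setting mentioned in the answer; rows with action COUNT show the overridden rule still surfacing in nonTerminatingMatchingRules, which is where you observe traffic after switching the rule to Count mode.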
