Techniques
Sample rules
Detect Webshell Exploit Behavior
- source: splunk
- technicques:
- T1505
- T1505.003
Description
The following analytic identifies the execution of suspicious processes typically associated with webshell activity on web servers. It detects when processes like cmd.exe, powershell.exe, or bash.exe are spawned by web server processes such as w3wp.exe or nginx.exe. This behavior is significant as it may indicate an adversary exploiting a web application vulnerability to install a webshell, providing persistent access and command execution capabilities. If confirmed malicious, this activity could allow attackers to maintain control over the compromised server, execute arbitrary commands, and potentially escalate privileges or exfiltrate sensitive data.
Detection logic
| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("arp.exe","at.exe","bash.exe","bitsadmin.exe","certutil.exe","cmd.exe","cscript.exe", "dsget.exe","dsquery.exe","find.exe","findstr.exe","fsutil.exe","hostname.exe","ipconfig.exe","ksh.exe","nbstat.exe", "net.exe","net1.exe","netdom.exe","netsh.exe","netstat.exe","nltest.exe","nslookup.exe","ntdsutil.exe","pathping.exe", "ping.exe","powershell.exe","pwsh.exe","qprocess.exe","query.exe","qwinsta.exe","reg.exe","rundll32.exe","sc.exe", "scrcons.exe","schtasks.exe","sh.exe","systeminfo.exe","tasklist.exe","tracert.exe","ver.exe","vssadmin.exe", "wevtutil.exe","whoami.exe","wmic.exe","wscript.exe","wusa.exe","zsh.exe") AND Processes.parent_process_name IN ("w3wp.exe", "http*.exe", "nginx*.exe", "php*.exe", "php-cgi*.exe","tomcat*.exe")) by Processes.dest,Processes.user,Processes.parent_process,Processes.parent_process_name,Processes.process,Processes.process_name
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_webshell_exploit_behavior_filter`