Techniques
Sample rules
Suspicious Command Execution via Web Server
- source: elastic
- techniques:
- T1059
- T1190
- T1505
Description
Identifies suspicious command executions via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.
Detection logic
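// Suspicious Command Execution via Web Server (EQL).
// Fires on a Linux process start where (1) the parent is a known web/app server
// (matched by name, by interpreter name plus a server-specific command line, or by
// Java launcher class / working directory), (2) the child is a shell invoked with a
// -c style flag, and (3) the shell command line matches one of the suspicious
// patterns below (or the args are a bare id/whoami/hostname), minus a list of
// known-benign exclusions. `like~` is the case-insensitive form of `like`.
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
// (1) Parent is a web / application server
process.parent.name in (
"nginx", "apache2", "httpd", "caddy", "mongrel_rails", "uwsgi", "daphne", "httpd.worker", "flask",
"php-cgi", "php-fcgi", "php-cgi.cagefs", "lswsctrl", "varnishd", "uvicorn", "waitress-serve", "starman",
"frankenphp", "zabbix_server", "asterisk", "sw-engine-fpm"
) or
process.parent.name like ("php-fpm*", "gunicorn*", "*.cgi", "*.fcgi") or
// Interpreter parents only count when their command line names a web framework/server
(
process.parent.name like "ruby*" and
process.parent.command_line like~ ("*puma*", "*rails*", "*passenger*")
) or
(
process.parent.name like "python*" and
process.parent.command_line like~ (
"*hypercorn*", "*flask*", "*uvicorn*", "*django*", "*app.py*", "*server.py*", "*wsgi.py*", "*asgi.py*"
)
) or
(process.parent.name like "perl*" and process.parent.command_line like~ "*plackup*") or
(
process.parent.name == "java" and (
// JVM parents are recognised by the launcher class or -D property of common app servers
process.parent.args like~ (
/* Tomcat */
"org.apache.catalina.startup.Bootstrap", "-Dcatalina.base=*",
/* Jetty */
"org.eclipse.jetty.start.Main", "-Djetty.home=*",
/* WildFly / JBoss */
"org.jboss.modules.Main", "-Djboss.home.dir=*",
/* WebLogic */
"weblogic.Server", "-Dweblogic.Name=*", "*weblogic-launcher.jar*",
/* WebSphere traditional + Liberty */
"com.ibm.ws.runtime.WsServer", "com.ibm.ws.kernel.boot.cmdline.Bootstrap",
/* GlassFish */
"com.sun.enterprise.glassfish.bootstrap.ASMain",
/* Resin */
"com.caucho.server.resin.Resin",
/* Spring Boot */
"org.springframework.boot.loader.*",
/* Quarkus */
"*quarkus-run.jar*", "io.quarkus.runner.GeneratedMain",
/* Micronaut */
"io.micronaut.runtime.Micronaut",
/* Dropwizard */
"io.dropwizard.cli.ServerCommand",
/* Play */
"play.core.server.ProdServerStart",
/* Helidon */
"io.helidon.microprofile.server.Main", "io.helidon.webserver*",
/* Vert.x */
"io.vertx.core.Launcher",
/* Keycloak */
"org.keycloak*",
/* Apereo CAS */
"org.apereo.cas*",
/* Elasticsearch */
"org.elasticsearch.bootstrap.Elasticsearch",
/* Atlassian / Gerrit */
"com.atlassian.jira.startup.Launcher", "*BitbucketServerLauncher*", "com.google.gerrit.pgm.Daemon",
/* Solr */
"*-Dsolr.solr.home=*",
/* Jenkins */
"*jenkins.war*"
) or
// The leading ? marks the field optional so the query still runs where it is unmapped;
// "/u0?/*" presumably targets /u01, /u02, ... style install trees — confirm
?process.working_directory like "/u0?/*"
)
)
) and
// (2) Child is a shell handed a command string
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh", "busybox") and
process.args in ("-c", "-cl", "-lc") and (
// (3) The command string matches a suspicious pattern
process.command_line like~ (
/* Suspicious Paths */
// NOTE(review): the /tmp and /var/tmp patterns end in a space, so a command line that
// ends with the path itself does not match them; confirm this is intended (see the
// spacing comment on the args fallback below)
"* /tmp/* ", "* /var/tmp/* ", "* /dev/shm/*", "* /run/*", "* /var/run/*",
/* Encoding, Decoding & Piping */
"*|sh", "*| sh *", "*| sh ", "*|bash*", "*| bash*", "*|zsh*", "*| zsh*", "*|dash*", "*| dash*",
"*|python*", "*| python*", "*|php*", "*| php*", "*|perl*", "*| perl*", "*|ruby*", "*| ruby*",
"*|node*", "*| node*", "*|lua*", "*| lua*", "*|busybox*", "*| busybox*", "*|*base64 -d*", "*|*base64 --decode*",
"*|*openssl base64 -d*", "*xxd *", "*| openssl*enc * -d *", "*b64decode -r*",
/* Interpreter Execution */
"*python -c*", "*python3 -c*", "*php -r*", "*perl -e*", "*ruby -e*", "*lua -e*", "*node -e *",
/* Reverse Shells */
"*netcat *", "* nc *", "*ncat *", "*/dev/tcp*", "*/dev/udp/*", "*socat *", "*openssl*s_client *", "*stty*raw*-echo*",
"*mkfifo /tmp/*",
/* File Access */
"*>*/etc/cron*", "*crontab*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*", "*~/.ssh/*", "*/etc/shadow*",
"*/etc/passwd*", "*/etc/master.passwd*",
/* Enumeration & Discovery */
"*/etc/hosts*", "*/etc/resolv.conf*", "*/etc/hostname*", "*/etc/issue*", "*/etc/os-release*", "*lsb_release*",
"*/proc/*/environ*", "*sudo -l*", "*/proc/*/cgroup*", "*dockerenv*", "*/proc/*/mountinfo*", "*printenv*",
"*cat*.env *", "*getcap*", "*capsh*", "*find / *", "*netstat *",
/* AWS Credentials */
"*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*",
"*.aws/credentials*", "*/.aws/config*",
/* Azure Credentials */
"*AZURE_CLIENT_ID*", "*AZURE_TENANT_ID*", "*AZURE_CLIENT_SECRET*", "*AZURE_FEDERATED_TOKEN_FILE*",
"*IDENTITY_ENDPOINT*", "*IDENTITY_HEADER*", "*MSI_ENDPOINT*", "*MSI_SECRET*", "*/.azure/*",
"*/run/secrets/azure/*",
/* GCP Credentials */
"*/.config/gcloud/*", "*application_default_credentials.json*", "*type: service_account*",
"*client_email*", "*private_key_id*", "*/run/secrets/google/*", "*GOOGLE_APPLICATION_CREDENTIALS*",
/* Misc. Cloud */
"*/.docker/config.json*", "*/.npmrc*", "*/secrets/kubernetes.io/serviceaccount/*",
/* Helpers */
"*timeout *sh -c *", "*env *sh *-c*", "*exec -a*",
/* Miscellaneous */
"*chattr *", "*busybox *", "*#!*", "*chmod +x *", "*chmod 777*", "*chpasswd*",
"*<?php*?>*", "*kworker*",
/* Decompression */
"*gzip -*d *", "*bzip2 -*d *", "*xz -*d *", "*tar -*x*",
/* Path Traversal */
"*../../../*etc/*", "*/.../*", "*../../../*home/*/*", "*../../../*root/*",
/* File Upload/Download */
"*pastebin.com*", "*transfer.sh*", "*bashupload.com*",
/* Enumeration & Discovery */
"* id *", "* whoami *", "* hostname *"
) or
/* Keep this to not miss FNs due to spacing */
process.args in ("id", "whoami", "hostname")
) and
// Known-benign exclusions. Each is scoped to a parent name or executable except the
// last two (node version check, puppet rack working directory), which apply regardless
// of parent — NOTE(review): confirm those two are meant to be global
not (
(
process.parent.name == "nginx" and
process.args like ("chmod 777 /etc/resty-*", "resty*")
) or
(
process.parent.name == "apache2" and (
process.command_line in (
"sh -c /usr/local/bin/php -r 'echo phpversion();'", "sh -c -- /usr/local/bin/php -r 'echo phpversion();'",
"sh -c /usr/bin/php -r 'echo phpversion();'",
"sh -c /usr/bin/lsb_release -a 2>/dev/null"
) or
process.args like (
"""bash -c "( /home/*/apps/richdocumentscode/collabora/Collabora_Online.AppImage*""",
"chmod 777 /etc/cobra/uploads/mysql*", "stat*"
) or
process.command_line like (
"*/usr/bin/crontab*phpupdatecrontab.txt", "*mysqldump*/var/www/html/*/writable/uploads/backup/mysql*",
"sh -c chmod 777 -R /opt/data/www/php_upload/*/temp"
)
)
) or
(
process.parent.name like "php-fpm*" and (
process.command_line in (
"sh -c /usr/bin/php -r 'echo phpversion();'", "sh -c -- /usr/bin/php -r 'echo phpversion();'",
"sh -c php -r 'print_r(phpversion());'", "sh -c chattr -i -a /usr/local/virtualizor/license2.php",
"sh -c source /etc/os-release 2>/dev/null && echo $ID $ID_LIKE",
"sh -c php -r \"echo date('T');\"",
"sh -c php -r \"echo PHP_VERSION;\""
) or
process.command_line like (
"*var_export*extension_loaded*", "*/tmp/tmp_resize*", "*/v1/objects/hosts/*_Infoterminal*", "*python -m json.tool*",
"sh -c timeout 3600 ssh -o ControlMaster=auto -o ControlPath=/var/www/html/storage/app/ssh/mux/*"
) or
process.args like ("ps*|*grep*", "ffmpeg*")
)
) or
(
process.parent.name == "php-cgi" and (
process.command_line like (
"sh -c nohup php /home/*/public_html/lockindex.php index.php >/dev/null 2>&1 &",
"sh -c nohup php /home/*/public_html/wp-content/* >> /dev/null 2>&1 &",
"sh -c nohup php /home/*/public_html/wp-includes/* >> /dev/null 2>&1 &",
"sh -c nohup php /home/*/public_html/*/wp-content/* >> /dev/null 2>&1 &",
"*-ef|grep*"
) or
process.args like "ps*| grep*"
)
) or
(
process.command_line == "/bin/sh -c echo | openssl s_client -connect localhost:61617 2>/dev/null | openssl x509 -noout -enddate" and
process.parent.name == "gunicorn"
) or
(
process.parent.executable == "/usr/local/bin/gunicorn" and
process.command_line == "/bin/sh -c echo 'Q' | openssl s_client -connect localhost:61617 2>/dev/null | openssl x509 -noout -enddate"
) or
(
process.parent.executable == "/opt/bitnami/apache/bin/httpd" and
process.command_line == "sh -c /opt/bitnami/php/bin/php -r 'echo phpversion();'"
) or
(
process.parent.executable like "/var/lib/containers/storage/overlay/*/merged/usr/local/sbin/php-fpm" and
process.command_line == "sh -c /usr/local/bin/php -r 'echo phpversion();'"
) or
(
process.parent.executable like "/var/lib/docker/overlay2/*/merged/usr/sbin/uwsgi" and
process.command_line == "/bin/sh -c { touch /run/uwsgi-logrotate }"
) or
(process.parent.name like "python*" and process.parent.command_line like "*hive_server.py*") or
(process.parent.name == "sw-engine-fpm" and process.command_line like ("*/opt/psa/admin/bin/*", "*/usr/local/psa/admin/*")) or
(process.parent.name == "httpd" and process.command_line like ("*/datastore/htdocs/control-states/compass*", "*/dev/shm/netmon-log*")) or
(process.parent.name == "asterisk" and process.args like "/bin/chmod 777 */gravacoes/*.WAV") or
(process.parent.name == "nginx" and process.command_line like "sh -c gcc -print-multiarch 2>/dev/null > /tmp/lua_*") or
(process.parent.name == "varnishd" and process.args like "exec gcc*") or
(process.parent.name == "zabbix_server" and process.command_line like "*/usr/sbin/sendmail*") or
(process.parent.executable == "/opt/morpheus/embedded/java/jre/bin/java" and process.command_line like "*morpheus-local*") or
(
process.parent.name == "ruby" and
process.command_line in (
"sh -c echo \"^d\" | openssl s_client -connect 127.0.0.1:443 2>&1",
"sh -c cat /etc/hosts.allow 2>/dev/null"
)
) or
(process.parent.name == "java" and process.args like "chmod 777 *.csv") or
process.command_line == "sh -c node -v || nodejs -v" or
process.working_directory == "/var/lib/puppet/rack/puppetmasterd"
)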
Suspicious Child Execution via Web Server
- source: elastic
- techniques:
- T1059
- T1190
- T1505
Description
Identifies suspicious child processes executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.
Detection logic
// Suspicious Child Execution via Web Server (EQL).
// Fires on a Linux process start where the parent is a known web/app server (by name,
// by interpreter name plus a server-specific command line, or by Java launcher class /
// working directory) and the child either runs from a suspicious path or has a
// suspicious name. Unlike the command-execution rule, no exclusion list is applied.
// `like~` is the case-insensitive form of `like`.
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
// Parent is a web / application server
process.parent.name in (
"nginx", "apache2", "httpd", "caddy", "mongrel_rails", "uwsgi", "daphne", "httpd.worker", "flask",
"php-cgi", "php-fcgi", "php-cgi.cagefs", "lswsctrl", "varnishd", "uvicorn", "waitress-serve", "starman",
"frankenphp", "zabbix_server", "asterisk", "sw-engine-fpm"
) or
process.parent.name like ("php-fpm*", "gunicorn*", "*.cgi", "*.fcgi") or
// Interpreter parents only count when their command line names a web framework/server
(
process.parent.name like "ruby*" and
process.parent.command_line like~ ("*puma*", "*rails*", "*passenger*")
) or
(
process.parent.name like "python*" and
process.parent.command_line like~ (
"*hypercorn*", "*flask*", "*uvicorn*", "*django*", "*app.py*", "*server.py*", "*wsgi.py*", "*asgi.py*"
)
) or
(process.parent.name like "perl*" and process.parent.command_line like~ "*plackup*") or
(
process.parent.name == "java" and (
// JVM parents are recognised by the launcher class or -D property of common app servers
process.parent.args like~ (
/* Tomcat */
"org.apache.catalina.startup.Bootstrap", "-Dcatalina.base=*",
/* Jetty */
"org.eclipse.jetty.start.Main", "-Djetty.home=*",
/* WildFly / JBoss */
"org.jboss.modules.Main", "-Djboss.home.dir=*",
/* WebLogic */
"weblogic.Server", "-Dweblogic.Name=*", "*weblogic-launcher.jar*",
/* WebSphere traditional + Liberty */
"com.ibm.ws.runtime.WsServer", "com.ibm.ws.kernel.boot.cmdline.Bootstrap",
/* GlassFish */
"com.sun.enterprise.glassfish.bootstrap.ASMain",
/* Resin */
"com.caucho.server.resin.Resin",
/* Spring Boot */
"org.springframework.boot.loader.*",
/* Quarkus */
"*quarkus-run.jar*", "io.quarkus.runner.GeneratedMain",
/* Micronaut */
"io.micronaut.runtime.Micronaut",
/* Dropwizard */
"io.dropwizard.cli.ServerCommand",
/* Play */
"play.core.server.ProdServerStart",
/* Helidon */
"io.helidon.microprofile.server.Main", "io.helidon.webserver*",
/* Vert.x */
"io.vertx.core.Launcher",
/* Keycloak */
"org.keycloak*",
/* Apereo CAS */
"org.apereo.cas*",
/* Elasticsearch */
"org.elasticsearch.bootstrap.Elasticsearch",
/* Atlassian / Gerrit */
"com.atlassian.jira.startup.Launcher", "*BitbucketServerLauncher*", "com.google.gerrit.pgm.Daemon",
/* Solr */
"*-Dsolr.solr.home=*",
/* Jenkins */
"*jenkins.war*"
) or
// The leading ? marks the field optional so the query still runs where it is unmapped;
// "/u0?/*" presumably targets /u01, /u02, ... style install trees — confirm
?process.working_directory like "/u0?/*"
)
)
) and (
// Child runs from a world-writable, transient, relative ("./*") or user-owned location
process.executable like (
"/tmp/*", "/var/tmp/*", "/dev/shm/*", "./*", "/run/*", "/var/run/*", "/boot/*", "/sys/*", "/lost+found/*",
"/proc/*", "/var/mail/*", "/var/www/*", "/home/*/*", "/root/*"
) or
// ...or the child's name is one a web server should not normally spawn
process.name like~ (
// Hidden processes
".*",
// Suspicious file formats
// NOTE(review): ".js" has no leading wildcard, so it only matches a process literally
// named ".js" (already covered by ".*" above); "*.js" was probably intended — confirm
"*.elf", "*.sh", "*.py", "*.rb", "*.pl", "*.lua*", "*.php*", ".js", "*.bin", "*.jar", "*.mjs",
// Network utilities often used for reverse shells
"nc", "netcat", "ncat", "telnet", "socat", "openssl", "nc.openbsd", "ngrok", "nc.traditional",
// Cloud CLI
"az", "gcloud", "aws", "kubectl", "helm", "docker", "ctr", "crictl",
// Misc. tools
"whoami", "ifconfig", "ip", "ss", "top", "htop", "df", "du", "lsblk", "lsof", "tcpdump",
"strace", "ltrace", "curl", "wget", "dig", "nslookup", "host", "nmap", "arp", "traceroute",
"cat", "touch", "cp", "mv", "rm", "mkdir", "ln", "chmod", "sudo", "xxd", "base64", "basez",
"base64plain", "base64url", "base64mime", "base64pem", "basenc", "base32", "base16", "chpasswd",
"passwd"
)
)
Potential Shell via Web Server
- source: elastic
- techniques:
- T1505
Description
Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.
Detection logic
event.category:process and host.os.type:linux and event.type:(start or process_started) and
process.name:(bash or dash or ash or zsh or "python*" or "perl*" or "php*") and
process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "www-data")