Techniques
Sample rules
Potential Shell via Web Server
- source: elastic
- techniques:
  - T1505
Description
Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.
Detection logic
event.category:process and host.os.type:linux and event.type:(start or process_started) and
process.name:(bash or dash or ash or zsh or "python*" or "perl*" or "php*") and
process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "www-data")
Potential Remote Code Execution via Web Server
- source: elastic
- techniques:
  - T1190
  - T1505
Description
Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.
Detection logic
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event") and process.parent.executable : (
"/usr/sbin/nginx", "/usr/local/sbin/nginx",
"/usr/sbin/apache", "/usr/local/sbin/apache",
"/usr/sbin/apache2", "/usr/local/sbin/apache2",
"/usr/sbin/php*", "/usr/local/sbin/php*",
"/usr/sbin/lighttpd", "/usr/local/sbin/lighttpd",
"/usr/sbin/hiawatha", "/usr/local/sbin/hiawatha",
"/usr/local/bin/caddy",
"/usr/local/lsws/bin/lswsctrl",
"*/bin/catalina.sh"
) and
process.name : (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc",
"netcat", "ncat", "telnet", "awk", "socat"
) and process.args : (
"whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd", "ls", "cd", "python*", "php*", "perl",
"ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "socat"
) and not process.name == "phpquery"