Techniques
Sample rules
Suspicious Process By Web Server Process
- source: sigma
- technicques:
- t1190
- t1505
- t1505.003
Description
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
Detection logic
condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of
filter_main_*
filter_main_fp_1:
CommandLine|endswith: Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat
-Enode.name=RMP-NODE1 -pelasticsearch-pid.txt
ParentImage|endswith: \java.exe
filter_main_fp_2:
CommandLine|contains|all:
- sc query
- ADManager Plus
ParentImage|endswith: \java.exe
selection_anomaly_children:
Image|endswith:
- \arp.exe
- \at.exe
- \bash.exe
- \bitsadmin.exe
- \certutil.exe
- \cmd.exe
- \cscript.exe
- \dsget.exe
- \hostname.exe
- \nbtstat.exe
- \net.exe
- \net1.exe
- \netdom.exe
- \netsh.exe
- \nltest.exe
- \ntdsutil.exe
- \powershell_ise.exe
- \powershell.exe
- \pwsh.exe
- \qprocess.exe
- \query.exe
- \qwinsta.exe
- \reg.exe
- \rundll32.exe
- \sc.exe
- \sh.exe
- \wmic.exe
- \wscript.exe
- \wusa.exe
selection_webserver_characteristics_tomcat1:
ParentImage|contains:
- -tomcat-
- \tomcat
ParentImage|endswith:
- \java.exe
- \javaw.exe
selection_webserver_characteristics_tomcat2:
ParentCommandLine|contains:
- CATALINA_HOME
- catalina.home
- catalina.jar
ParentImage|endswith:
- \java.exe
- \javaw.exe
selection_webserver_image:
ParentImage|endswith:
- \caddy.exe
- \httpd.exe
- \nginx.exe
- \php-cgi.exe
- \php.exe
- \tomcat.exe
- \UMWorkerProcess.exe
- \w3wp.exe
- \ws_TomcatService.exe