Sample rules
Web Shell Detection: Script Process Child of Common Web Processes
- source: elastic
- techniques:
- T1047
- T1059
- T1190
- T1505
Description
Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.
Detection logic
host.os.type:windows and event.category:process and event.type:start and process.args : * and
process.parent.name:("w3wp.exe" or "httpd.exe" or "nginx.exe" or "php.exe" or "php-cgi.exe" or "tomcat.exe") and
(
process.name : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe") or
process.name.caseless : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe")
) and
not
(
process.command_line : (
"cmd.exe /c mode CON" or
"cmd.exe /s /c \"mode CON\"" or
"cmd.exe /c \"mode\"" or
"cmd.exe /s /c \"tput colors 2>&1\"" or
"cmd.exe /s /c \"stty 2> NUL\"" or
"cmd.exe /s /c \"stty 2>&1\"" or
"cmd.exe /c \"stty 2>&1\"" or
"cmd.exe /s /c \"ipconfig /all 2>&1\"" or
"cmd.exe /s /c \"echo '%os%'\"" or
*.\\install\\awk.exe*
) or
process.args : (\(git or (*artisan* and *queue\:work*) or *rmdir* or "mode CON" or ver or ls or mode or dir)
)
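To show how the clauses of the rule combine, here is an added Python re-implementation of its logic run over a few constructed process-start events. This is example code, not Elastic's own rule engine: it simplifies KQL matching to exact string comparison for `process.command_line` and case-sensitive glob matching for `process.args`, lower-cases `process.name` to mirror the `process.name.caseless` clause, and treats the `(*artisan* and *queue\:work*)` sub-clause as "both patterns appear somewhere in the argument list". The event shape and sample values are constructed for the demonstration.

```python
from fnmatch import fnmatchcase

# Lists taken from the rule's detection logic
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe"}
SCRIPT_INTERPRETERS = {"cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                       "powershell_ise.exe", "wmic.exe", "wscript.exe"}

# Exact command lines the rule excludes (terminal-capability probes issued by CLI tooling)
BENIGN_COMMAND_LINES = {
    "cmd.exe /c mode CON",
    'cmd.exe /s /c "mode CON"',
    'cmd.exe /c "mode"',
    'cmd.exe /s /c "tput colors 2>&1"',
    'cmd.exe /s /c "stty 2> NUL"',
    'cmd.exe /s /c "stty 2>&1"',
    'cmd.exe /c "stty 2>&1"',
    'cmd.exe /s /c "ipconfig /all 2>&1"',
    "cmd.exe /s /c \"echo '%os%'\"",
}
BENIGN_COMMAND_LINE_GLOBS = ["*.\\install\\awk.exe*"]           # KQL \\ is a literal backslash
BENIGN_ARG_GLOBS = ["(git", "*rmdir*", "mode CON", "ver", "ls", "mode", "dir"]


def _any_match(values, patterns):
    """True if any value matches any glob pattern (wildcard semantics, case-sensitive)."""
    return any(fnmatchcase(v, p) for v in values for p in patterns)


def is_excluded(proc):
    """The rule's `not ( ... )` block: known-benign command lines and arguments."""
    cmd = proc.get("command_line", "")
    args = proc.get("args", [])
    if cmd in BENIGN_COMMAND_LINES or _any_match([cmd], BENIGN_COMMAND_LINE_GLOBS):
        return True
    if _any_match(args, BENIGN_ARG_GLOBS):
        return True
    # (*artisan* and *queue\:work*): both must appear somewhere in the argument list
    return _any_match(args, ["*artisan*"]) and _any_match(args, ["*queue:work*"])


def matches_rule(event):
    """Return True when a process-start event satisfies every clause of the rule."""
    if event.get("host", {}).get("os", {}).get("type") != "windows":
        return False
    ev = event.get("event", {})
    if ev.get("category") != "process" or ev.get("type") != "start":
        return False
    proc = event.get("process", {})
    if not proc.get("args"):                      # process.args : * requires a populated field
        return False
    if proc.get("parent", {}).get("name") not in WEB_SERVER_PARENTS:
        return False
    if proc.get("name", "").lower() not in SCRIPT_INTERPRETERS:   # name or name.caseless
        return False
    return not is_excluded(proc)


def alerting_events(events):
    """Filter a batch of events down to the ones that would raise the alert."""
    return [e for e in events if matches_rule(e)]


def _event(os_type, parent, name, args, command_line=None):
    """Build a constructed ECS-shaped process-start event (assumed field layout)."""
    return {
        "host": {"os": {"type": os_type}},
        "event": {"category": "process", "type": "start"},
        "process": {"parent": {"name": parent}, "name": name, "args": args,
                    "command_line": command_line or " ".join(args)},
    }


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    _event("windows", "w3wp.exe", "cmd.exe", ["cmd.exe", "/c", "whoami"]),                      # alert
    _event("windows", "php-cgi.exe", "CMD.EXE", ["CMD.EXE", "/c", "whoami"]),                   # alert via caseless name
    _event("windows", "php.exe", "cmd.exe", ["cmd.exe", "/s", "/c", "mode CON"],
           'cmd.exe /s /c "mode CON"'),                                                        # excluded: CLI probe
    _event("windows", "php.exe", "cmd.exe", ["cmd.exe", "/c", "php artisan queue:work"]),       # excluded: artisan worker
    _event("windows", "explorer.exe", "powershell.exe", ["powershell.exe", "-File", "x.ps1"]),  # parent is not a web server
    _event("linux", "httpd.exe", "cmd.exe", ["cmd.exe", "/c", "whoami"]),                       # wrong OS type
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        p = e["process"]
        print(f"{p['parent']['name']:>14} -> {p['name']:<15} {'ALERT' if matches_rule(e) else 'ok'}")
```

When tuning, note that the exclusion block is evaluated per argument: a single argument matching any of the `process.args` globs (for example `*rmdir*`) suppresses the alert for the whole event, so each exclusion should be reviewed against the web applications actually deployed on the host.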