LoFP / Security audits, maintenance, and network administrative scripts may trigger this alert; treat such a hit as benign only when the parent context, child identity, command scope, service identity, and any available artifact or destination evidence all align with the same bounded administrative workflow.

Techniques

Sample rules

Web Shell Detection: Script Process Child of Common Web Processes

Description

Identifies script interpreters (cmd.exe, PowerShell, cscript/wscript, wmic) started as children of common Windows web server processes, which may indicate an exploited web application and web shell access to the host.

Detection logic

host.os.type:windows and event.category:process and event.type:start and process.args : * and
  process.parent.name:("w3wp.exe" or "httpd.exe" or "nginx.exe" or "php.exe" or "php-cgi.exe" or "tomcat.exe" or "ArcSOC.exe") and
  (
    process.name : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe") or
    process.name.caseless : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe")
  ) and
  not
  (
    process.command_line : (
      "cmd.exe /c mode CON" or
      "cmd.exe /s /c \"mode CON\"" or
      "cmd.exe /c \"mode\"" or
      "cmd.exe /s /c \"tput colors 2>&1\"" or
      "cmd.exe /s /c \"stty 2> NUL\"" or
      "cmd.exe /s /c \"stty 2>&1\"" or
      "cmd.exe /c \"stty 2>&1\"" or
      "cmd.exe /s /c \"ipconfig /all 2>&1\"" or
      "cmd.exe /s /c \"echo '%os%'\"" or
      *.\\install\\awk.exe*
    ) or
    process.args : (\(git or (*artisan* and *queue\:work*) or *rmdir* or "mode CON" or ver or ls or mode or dir) or

    (process.name:cmd.exe and process.parent.args : "c:\\\\xampp\\\\htdocs\\\\open-audit\\\\index.php") or

    (process.name:cmd.exe and process.args:("/V:ON" and "--header-html")) or

    (process.parent.args:"WebCession" and process.args:E\:\\Data\\CLM\\cession\\*.bat) or

    (process.parent.executable :"D:\\AiDKlinik\\php\\php-cgi.exe" and process.args:D\:\\AiDKlinik\\web*) or

    (process.parent.args :"E:/wamp64/bin/apache/apache2.4.62.1" and process.args:node*) or

    (process.parent.name:"php.exe" and process.name:"cmd.exe" and process.args:("/V:ON" and "/E:ON"))
  )