security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.

t1047
t1059
t1190
t1505
windows
elastic

Techniques

T1047
T1059
T1190
T1505

Sample rules

Web Shell Detection: Script Process Child of Common Web Processes

source: elastic
technicques:
- T1047
- T1059
- T1190
- T1505

Description

Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.

Detection logic

process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and
  process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe") and
  not 
  (
    process.parent.name : ("php.exe", "httpd.exe") and process.name : "cmd.exe" and
    process.command_line : (
      "cmd.exe /c mode CON",
      "cmd.exe /s /c \"mode CON\"",
      "cmd.exe /c \"mode\"",
      "cmd.exe /s /c \"tput colors 2>&1\""
    )
  )