Techniques
Sample rules
Linux Webshell Indicators
- source: sigma
- techniques:
  - t1505
  - t1505.003
Description
Detects suspicious sub processes of web server processes
Detection logic
condition: 1 of selection_* and sub_processes
selection_general:
  ParentImage|endswith:
    - /httpd
    - /lighttpd
    - /nginx
    - /apache2
    - /node
    - /caddy
selection_tomcat:
  ParentCommandLine|contains|all:
    - /bin/java
    - tomcat
selection_websphere:
  ParentCommandLine|contains|all:
    - /bin/java
    - websphere
sub_processes:
  Image|endswith:
    - /whoami
    - /ifconfig
    - /ip
    - /bin/uname
    - /bin/cat
    - /bin/crontab
    - /hostname
    - /iptables
    - /netstat
    - /pwd
    - /route
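The following Python is an added example, not code from the Sigma project and not a Sigma backend. It re-implements the rule's four selections and its condition (`1 of selection_* and sub_processes`) in plain Python and runs them over a handful of constructed process-creation events, so you can see which parent selection fires for a hit and why events with a web-server parent but a benign child, or a plain `java -jar` parent, do not match. The field names (`ParentImage`, `ParentCommandLine`, `Image`) and the list values are taken from the rule above; the sample events, their `id` values and paths are constructed for the example.

```python
"""Evaluate the Linux Webshell Indicators rule logic over sample events.

Added example: this is not Sigma's own code and not a Sigma backend. It
re-implements the rule's selections and condition in plain Python so the
matching behaviour can be checked against constructed events.
"""
from typing import Dict, List, Optional, Tuple

# Values copied from the rule's detection section.
PARENT_IMAGE_SUFFIXES = ["/httpd", "/lighttpd", "/nginx", "/apache2", "/node", "/caddy"]
TOMCAT_TERMS = ["/bin/java", "tomcat"]
WEBSPHERE_TERMS = ["/bin/java", "websphere"]
CHILD_IMAGE_SUFFIXES = [
    "/whoami", "/ifconfig", "/ip", "/bin/uname", "/bin/cat", "/bin/crontab",
    "/hostname", "/iptables", "/netstat", "/pwd", "/route",
]


# Sigma's endswith/contains modifiers compare case-insensitively by default,
# so both sides are lower-cased before comparison.
def _endswith_any(value: str, suffixes: List[str]) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_all(value: str, terms: List[str]) -> bool:
    v = value.lower()
    return all(t.lower() in v for t in terms)


def selection_general(event: Dict[str, str]) -> bool:
    return _endswith_any(event.get("ParentImage", ""), PARENT_IMAGE_SUFFIXES)


def selection_tomcat(event: Dict[str, str]) -> bool:
    return _contains_all(event.get("ParentCommandLine", ""), TOMCAT_TERMS)


def selection_websphere(event: Dict[str, str]) -> bool:
    return _contains_all(event.get("ParentCommandLine", ""), WEBSPHERE_TERMS)


def sub_processes(event: Dict[str, str]) -> bool:
    return _endswith_any(event.get("Image", ""), CHILD_IMAGE_SUFFIXES)


def evaluate(event: Dict[str, str]) -> Optional[str]:
    """condition: 1 of selection_* and sub_processes

    Returns the name of the parent selection that fired when the event
    matches, or None otherwise. sub_processes is not a selection_* item, so
    the child-image check must hold in addition to one parent selection.
    """
    if not sub_processes(event):
        return None
    for name, check in (("selection_general", selection_general),
                        ("selection_tomcat", selection_tomcat),
                        ("selection_websphere", selection_websphere)):
        if check(event):
            return name
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (event id, firing selection) for every matching event."""
    hits = []
    for e in events:
        sel = evaluate(e)
        if sel:
            hits.append((e["id"], sel))
    return hits


# Constructed sample events (ids, paths and command lines are fictitious).
SAMPLE_EVENTS = [
    # nginx worker spawning whoami: selection_general + sub_processes
    {"id": "evt-1", "ParentImage": "/usr/sbin/nginx",
     "ParentCommandLine": "nginx: worker process", "Image": "/usr/bin/whoami"},
    # Tomcat JVM spawning cat; mixed-case "Tomcat" still matches (case-insensitive)
    {"id": "evt-2", "ParentImage": "/usr/lib/jvm/java-11/bin/java",
     "ParentCommandLine": "/usr/lib/jvm/java-11/bin/java -Dcatalina.base=/opt/Tomcat "
                          "org.apache.catalina.startup.Bootstrap start",
     "Image": "/bin/cat"},
    # sshd parent: suspicious child, but no web-server parent selection
    {"id": "evt-3", "ParentImage": "/usr/sbin/sshd",
     "ParentCommandLine": "sshd: user [priv]", "Image": "/usr/bin/whoami"},
    # apache2 parent with a normal CGI child: parent matches, child does not
    {"id": "evt-4", "ParentImage": "/usr/sbin/apache2",
     "ParentCommandLine": "/usr/sbin/apache2 -k start", "Image": "/usr/bin/php-cgi"},
    # generic java -jar service: neither tomcat nor websphere in the command line
    {"id": "evt-5", "ParentImage": "/usr/lib/jvm/java-11/bin/java",
     "ParentCommandLine": "/usr/lib/jvm/java-11/bin/java -jar /opt/app/service.jar",
     "Image": "/usr/bin/hostname"},
]

if __name__ == "__main__":
    for event_id, selection in scan(SAMPLE_EVENTS):
        print(f"{event_id}: matched via {selection}")
```

Running the block reports evt-1 (nginx parent) and evt-2 (Tomcat parent) only. The two non-matching parent cases are worth keeping in mind when tuning: a bare JVM parent is deliberately excluded unless its command line names tomcat or websphere, and a web-server parent is only flagged when the child image ends with one of the listed discovery binaries.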