Deprecated - Unusual Process Spawned from Web Server Parent

This rule detects unusual processes spawned from a web server parent process by identifying low frequency counts of process spawning activity. Unusual process spawning activity may indicate an attacker attempting to establish persistence, execute malicious commands, or establish command and control channels on the host system. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2025/03/04"
  3deprecation_date = "2026/07/02"
  4deprecated_reason = "The rule logic is flawed and does not correctly identify the processes that are spawned from a web server parent process. It is not a general purpose rule and is not recommended for use."
  5integration = ["endpoint"]
  6maturity = "deprecated"
  7updated_date = "2026/07/02"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12This rule detects unusual processes spawned from a web server parent process by identifying low frequency counts of
 13process spawning activity. Unusual process spawning activity may indicate an attacker attempting to establish
 14persistence, execute malicious commands, or establish command and control channels on the host system. ESQL rules have
 15limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation
 16of this alert.
 17"""
 18from = "now-61m"
 19interval = "1h"
 20language = "esql"
 21license = "Elastic License v2"
 22name = "Deprecated - Unusual Process Spawned from Web Server Parent"
 23note = """ ## Triage and analysis
 24
 25> **Disclaimer**:
 26> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 27
 28### Investigating Deprecated - Unusual Process Spawned from Web Server Parent
 29
 30Web servers like Apache, Nginx, and others are crucial for hosting applications and services. Adversaries exploit these servers by spawning unauthorized processes to maintain persistence or execute malicious commands. The detection rule identifies anomalies by monitoring low-frequency process spawns from web server parents, focusing on unusual user IDs, directories, and process counts, which may indicate potential threats.
 31
 32### Possible investigation steps
 33
 34- Review the process.executable and process.command_line fields to understand the nature of the process that was spawned and assess if it aligns with expected behavior for the web server environment.
 35- Examine the process.working_directory to determine if the directory is a legitimate location for web server operations or if it appears suspicious, such as being outside typical web server directories.
 36- Check the user.name and user.id fields to verify if the process was executed by a legitimate web server user or if it was initiated by an unexpected or unauthorized user account.
 37- Investigate the process.parent.executable to confirm whether the parent process is a known and trusted web server executable or if it has been tampered with or replaced.
 38- Correlate the event with other logs or alerts from the same agent.id to identify any additional suspicious activities or patterns that may indicate a broader compromise.
 39- Assess the host.os.type to ensure the alert pertains to a Linux system, as specified in the query, and verify if there are any known vulnerabilities or misconfigurations on the host that could have been exploited.
 40
 41### False positive analysis
 42
 43- Processes related to legitimate web server maintenance tasks may trigger alerts. Review scheduled tasks or cron jobs that align with the alert timing and consider excluding these specific processes if they are verified as non-threatening.
 44- Development environments often spawn processes that mimic attack patterns. Identify and exclude processes originating from known development directories or executed by development user accounts.
 45- Automated scripts or monitoring tools running under web server user accounts can be mistaken for malicious activity. Verify these scripts and add exceptions for their specific process names or working directories.
 46- Frequent updates or deployments in web applications can lead to unusual process spawns. Document these activities and exclude related processes if they consistently match the alert criteria during known update windows.
 47- Custom web server modules or plugins may execute processes that appear suspicious. Validate these modules and exclude their associated processes if they are part of normal operations.
 48
 49### Response and remediation
 50
 51- Immediately isolate the affected host from the network to prevent further malicious activity and potential lateral movement.
 52- Terminate any suspicious processes identified by the alert that are not part of legitimate web server operations.
 53- Conduct a thorough review of the process command lines and executables flagged by the alert to identify any malicious scripts or binaries. Remove or quarantine these files as necessary.
 54- Check for unauthorized changes in web server configurations or files within the working directories flagged by the alert. Restore any altered files from a known good backup.
 55- Review user accounts and permissions associated with the web server processes to ensure no unauthorized accounts or privilege escalations have occurred. Reset passwords and revoke unnecessary access.
 56- Monitor network traffic from the affected host for any signs of command and control communication, and block any identified malicious IP addresses or domains.
 57- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.
 58"""
 59risk_score = 21
 60rule_id = "976b2391-413f-4a94-acb4-7911f3803346"
 61setup = """## Setup
 62
 63This rule requires data coming in from Elastic Defend.
 64
 65### Elastic Defend Integration Setup
 66Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 67
 68#### Prerequisite Requirements:
 69- Fleet is required for Elastic Defend.
 70- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 71
 72#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 73- Go to the Kibana home page and click "Add integrations".
 74- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 75- Click "Add Elastic Defend".
 76- Configure the integration name and optionally add a description.
 77- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 78- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 79- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 80- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 81For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 82- Click "Save and Continue".
 83- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 84For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 85"""
 86severity = "low"
 87tags = [
 88    "Domain: Endpoint",
 89    "OS: Linux",
 90    "Use Case: Threat Detection",
 91    "Tactic: Persistence",
 92    "Tactic: Execution",
 93    "Tactic: Command and Control",
 94    "Data Source: Elastic Defend",
 95    "Resources: Investigation Guide",
 96]
 97timestamp_override = "event.ingested"
 98type = "esql"
 99
100query = '''
101from logs-endpoint.events.process-* metadata _id, _index, _version
102| mv_expand event.action
103| where
104    host.os.type == "linux" and
105    event.type == "start" and
106    event.action == "exec" and (
107      (
108        process.parent.name in (
109            "apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "mongrel_rails", "gunicorn",
110            "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn",
111            "daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel", "php-cgi",
112            "php-fcgi", "php-cgi.cagefs", "catalina.sh", "hiawatha", "lswsctrl"
113        ) or
114        process.parent.name like "php-fpm*" or
115        user.name in ("apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9") or
116        user.id in ("33", "498", "48") or
117        (process.parent.name == "java" and process.parent.working_directory like "/u0?/*") or
118        process.parent.working_directory like "/var/www/*"
119      )
120    ) and (
121        process.name in (
122          "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat", "openssl", "busybox",
123          "nc", "ncat", "netcat", "nc.openbsd", "nc.traditional", "nohup", "setsid", "mkfifo", "mknod",
124          "node", "socket"
125        ) or
126        process.name like "python*" or
127        process.name like "php*" or
128        process.name like "perl" or
129        process.name like "ruby*" or
130        process.name like "lua*" or
131        process.executable like "/tmp/*" or
132        process.executable like "/var/tmp/*" or
133        process.executable like "/dev/shm/*" or
134        process.executable like "/var/log/*" or
135        process.executable like "/sys/*" or
136        process.executable like "/media/*" or
137        process.executable like "/proc/*" or
138        process.executable like "/var/backups/*" or
139        process.executable like "/var/mail/*" or
140        process.executable like "/var/spool/*" or
141        process.executable like "/var/www/*" or
142        process.executable like "./*" or
143        process.name like ".*"
144    ) and    
145    not (
146        process.working_directory like "/home/*" or
147        process.working_directory == "/" or
148        process.working_directory like "/var/www/*.ch" or
149        process.parent.executable like "/vscode/vscode-server/*"
150    )
151
152| keep
153    @timestamp,
154    _id,
155    _index,
156    _version,
157    host.os.type,
158    event.type,
159    event.action,
160    process.parent.name,
161    user.name,
162    user.id,
163    process.working_directory,
164    process.parent.working_directory,
165    process.name,
166    process.executable,
167    process.command_line,
168    process.parent.executable,
169    agent.id,
170    host.name,
171    data_stream.dataset,
172    data_stream.namespace
173
174| stats
175    Esql.event_count = count(),
176    Esql.agent_id_count_distinct = count_distinct(agent.id),
177    Esql.host_name_values = values(host.name),
178    Esql.agent_id_values = values(agent.id),
179    Esql.data_stream_dataset_values = values(data_stream.dataset),
180    Esql.data_stream_namespace_values = values(data_stream.namespace)
181
182    by process.executable, process.working_directory, process.parent.executable
183
184| where
185    Esql.agent_id_count_distinct == 1 and
186    Esql.event_count < 5
187| sort Esql.event_count asc
188
189// Extract unique values to ECS fields for alerts exclusion
190| eval agent.id = mv_min(Esql.agent_id_values),
191       host.name = mv_min(Esql.host_name_values)
192
193| keep agent.id, host.name, process.executable, process.working_directory, process.parent.executable, Esql.*
194'''
195
196
197[[rule.threat]]
198framework = "MITRE ATT&CK"
199[[rule.threat.technique]]
200id = "T1505"
201name = "Server Software Component"
202reference = "https://attack.mitre.org/techniques/T1505/"
203[[rule.threat.technique.subtechnique]]
204id = "T1505.003"
205name = "Web Shell"
206reference = "https://attack.mitre.org/techniques/T1505/003/"
207
208
209
210[rule.threat.tactic]
211id = "TA0003"
212name = "Persistence"
213reference = "https://attack.mitre.org/tactics/TA0003/"
214[[rule.threat]]
215framework = "MITRE ATT&CK"
216[[rule.threat.technique]]
217id = "T1059"
218name = "Command and Scripting Interpreter"
219reference = "https://attack.mitre.org/techniques/T1059/"
220[[rule.threat.technique.subtechnique]]
221id = "T1059.004"
222name = "Unix Shell"
223reference = "https://attack.mitre.org/techniques/T1059/004/"
224
225[[rule.threat.technique.subtechnique]]
226id = "T1059.006"
227name = "Python"
228reference = "https://attack.mitre.org/techniques/T1059/006/"
229
230[[rule.threat.technique.subtechnique]]
231id = "T1059.007"
232name = "JavaScript"
233reference = "https://attack.mitre.org/techniques/T1059/007/"
234
235[[rule.threat.technique.subtechnique]]
236id = "T1059.011"
237name = "Lua"
238reference = "https://attack.mitre.org/techniques/T1059/011/"
239
240
241
242[rule.threat.tactic]
243id = "TA0002"
244name = "Execution"
245reference = "https://attack.mitre.org/tactics/TA0002/"
246[[rule.threat]]
247framework = "MITRE ATT&CK"
248[[rule.threat.technique]]
249id = "T1071"
250name = "Application Layer Protocol"
251reference = "https://attack.mitre.org/techniques/T1071/"
252
253
254[rule.threat.tactic]
255id = "TA0011"
256name = "Command and Control"
257reference = "https://attack.mitre.org/tactics/TA0011/"
258[[rule.threat]]
259framework = "MITRE ATT&CK"
260[[rule.threat.technique]]
261id = "T1190"
262name = "Exploit Public-Facing Application"
263reference = "https://attack.mitre.org/techniques/T1190/"
264
265
266[rule.threat.tactic]
267id = "TA0001"
268name = "Initial Access"
269reference = "https://attack.mitre.org/tactics/TA0001/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Deprecated - Unusual Process Spawned from Web Server Parent

Web servers like Apache, Nginx, and others are crucial for hosting applications and services. Adversaries exploit these servers by spawning unauthorized processes to maintain persistence or execute malicious commands. The detection rule identifies anomalies by monitoring low-frequency process spawns from web server parents, focusing on unusual user IDs, directories, and process counts, which may indicate potential threats.

Possible investigation steps

  • Review the process.executable and process.command_line fields to understand the nature of the process that was spawned and assess if it aligns with expected behavior for the web server environment.
  • Examine the process.working_directory to determine if the directory is a legitimate location for web server operations or if it appears suspicious, such as being outside typical web server directories.
  • Check the user.name and user.id fields to verify if the process was executed by a legitimate web server user or if it was initiated by an unexpected or unauthorized user account.
  • Investigate the process.parent.executable to confirm whether the parent process is a known and trusted web server executable or if it has been tampered with or replaced.
  • Correlate the event with other logs or alerts from the same agent.id to identify any additional suspicious activities or patterns that may indicate a broader compromise.
  • Assess the host.os.type to ensure the alert pertains to a Linux system, as specified in the query, and verify if there are any known vulnerabilities or misconfigurations on the host that could have been exploited.

False positive analysis

  • Processes related to legitimate web server maintenance tasks may trigger alerts. Review scheduled tasks or cron jobs that align with the alert timing and consider excluding these specific processes if they are verified as non-threatening.
  • Development environments often spawn processes that mimic attack patterns. Identify and exclude processes originating from known development directories or executed by development user accounts.
  • Automated scripts or monitoring tools running under web server user accounts can be mistaken for malicious activity. Verify these scripts and add exceptions for their specific process names or working directories.
  • Frequent updates or deployments in web applications can lead to unusual process spawns. Document these activities and exclude related processes if they consistently match the alert criteria during known update windows.
  • Custom web server modules or plugins may execute processes that appear suspicious. Validate these modules and exclude their associated processes if they are part of normal operations.

Response and remediation

  • Immediately isolate the affected host from the network to prevent further malicious activity and potential lateral movement.
  • Terminate any suspicious processes identified by the alert that are not part of legitimate web server operations.
  • Conduct a thorough review of the process command lines and executables flagged by the alert to identify any malicious scripts or binaries. Remove or quarantine these files as necessary.
  • Check for unauthorized changes in web server configurations or files within the working directories flagged by the alert. Restore any altered files from a known good backup.
  • Review user accounts and permissions associated with the web server processes to ensure no unauthorized accounts or privilege escalations have occurred. Reset passwords and revoke unnecessary access.
  • Monitor network traffic from the affected host for any signs of command and control communication, and block any identified malicious IP addresses or domains.
  • Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.

Related rules

to-top