Deprecated - Unusual Command Execution from Web Server Parent

This rule detects potential command execution from a web server parent process on a Linux host. Adversaries may attempt to execute commands from a web server parent process to blend in with normal web server activity and evade detection. This behavior is commonly observed in web shell attacks where adversaries exploit web server vulnerabilities to execute arbitrary commands on the host. The detection rule identifies unusual command execution from web server parent processes, which may indicate a compromised host or an ongoing attack. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2025/03/04"
  3deprecation_date = "2026/07/02"
  4deprecated_reason = "The rule logic is flawed and does not correctly identify the processes that are executed from a web server parent process. It is not a general purpose rule and is not recommended for use."
  5integration = ["endpoint"]
  6maturity = "deprecated"
  7updated_date = "2026/07/02"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12This rule detects potential command execution from a web server parent process on a Linux host. Adversaries may attempt
 13to execute commands from a web server parent process to blend in with normal web server activity and evade detection.
 14This behavior is commonly observed in web shell attacks where adversaries exploit web server vulnerabilities to execute
 15arbitrary commands on the host. The detection rule identifies unusual command execution from web server parent
 16processes, which may indicate a compromised host or an ongoing attack. ESQL rules have limited fields available in its
 17alert documents. Make sure to review the original documents to aid in the investigation of this alert.
 18"""
 19from = "now-61m"
 20interval = "1h"
 21language = "esql"
 22license = "Elastic License v2"
 23name = "Deprecated - Unusual Command Execution from Web Server Parent"
 24note = """ ## Triage and analysis
 25
 26> **Disclaimer**:
 27> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 28
 29### Investigating Deprecated - Unusual Command Execution from Web Server Parent
 30
 31Web servers, such as Apache or Nginx, are crucial for hosting web applications, often running on Linux systems. Adversaries exploit vulnerabilities in these servers to execute arbitrary commands, typically through web shells, blending malicious activity with legitimate server processes. The detection rule identifies suspicious command executions originating from web server processes, focusing on unusual patterns and contexts, such as unexpected working directories or command structures, to flag potential compromises.
 32
 33### Possible investigation steps
 34
 35- Review the process.command_line field to understand the specific command executed and assess its legitimacy or potential malicious intent.
 36- Examine the process.working_directory to determine if the command was executed from an unusual or suspicious directory, which could indicate a compromise.
 37- Check the process.parent.executable and process.parent.name fields to identify the parent process and verify if it is a known web server or related service that could be exploited.
 38- Investigate the user.name and user.id fields to confirm if the command was executed by a legitimate user or service account, or if it was potentially executed by an unauthorized user.
 39- Correlate the @timestamp with other logs and events to identify any related activities or anomalies occurring around the same time, which could provide additional context or evidence of an attack.
 40- Assess the agent.id to determine if the alert is isolated to a single host or if similar activities are observed across multiple hosts, indicating a broader issue.
 41
 42### False positive analysis
 43
 44- Web development or testing environments may frequently execute commands from web server processes. To handle this, exclude specific working directories like /var/www/dev or /var/www/test from the rule.
 45- Automated scripts or cron jobs running under web server user accounts can trigger alerts. Identify these scripts and add exceptions for their specific command lines or user IDs.
 46- Legitimate administrative tasks performed by web server administrators might appear suspicious. Document these tasks and exclude their associated command lines or parent executables.
 47- Continuous integration or deployment processes that involve web server interactions can be mistaken for threats. Exclude known CI/CD tool command lines or working directories from the rule.
 48- Monitoring or logging tools that interact with web server processes may generate false positives. Identify these tools and exclude their specific process names or parent executables.
 49
 50### Response and remediation
 51
 52- Isolate the affected host immediately to prevent further malicious activity and lateral movement within the network. This can be done by removing the host from the network or applying network segmentation.
 53
 54- Terminate any suspicious processes identified by the detection rule, especially those originating from web server parent processes executing shell commands. Use process IDs and command lines from the alert to target specific processes.
 55
 56- Conduct a thorough review of the web server logs and application logs to identify any unauthorized access or modifications. Look for patterns that match the command execution detected and any other anomalies.
 57
 58- Patch the web server and any associated applications to address known vulnerabilities that may have been exploited. Ensure that all software is up to date with the latest security patches.
 59
 60- Restore the affected system from a known good backup if any unauthorized changes or persistent threats are detected. Ensure that the backup is free from compromise before restoration.
 61
 62- Implement additional monitoring and alerting for similar activities, focusing on unusual command executions and web server behavior. Enhance logging and alerting to capture more detailed information about process executions and network connections.
 63
 64- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the attack is part of a larger campaign. Provide them with all relevant data and findings from the initial containment and remediation steps.
 65"""
 66risk_score = 21
 67rule_id = "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d"
 68setup = """## Setup
 69
 70This rule requires data coming in from Elastic Defend.
 71
 72### Elastic Defend Integration Setup
 73Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 74
 75#### Prerequisite Requirements:
 76- Fleet is required for Elastic Defend.
 77- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 78
 79#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 80- Go to the Kibana home page and click "Add integrations".
 81- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 82- Click "Add Elastic Defend".
 83- Configure the integration name and optionally add a description.
 84- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 85- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 86- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 87- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 88For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 89- Click "Save and Continue".
 90- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 91For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 92"""
 93severity = "low"
 94tags = [
 95    "Domain: Endpoint",
 96    "OS: Linux",
 97    "Use Case: Threat Detection",
 98    "Tactic: Persistence",
 99    "Tactic: Execution",
100    "Tactic: Command and Control",
101    "Data Source: Elastic Defend",
102    "Resources: Investigation Guide",
103]
104timestamp_override = "event.ingested"
105type = "esql"
106
107query = '''
108from logs-endpoint.events.process-* metadata _id, _index, _version
109| mv_expand event.action
110| where
111    host.os.type == "linux" and
112    event.type == "start" and
113    event.action == "exec" and (
114      (
115        process.parent.name in (
116            "apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "mongrel_rails", "gunicorn",
117            "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn",
118            "daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel", "php-cgi",
119            "php-fcgi", "php-cgi.cagefs", "catalina.sh", "hiawatha", "lswsctrl"
120        ) or
121        process.parent.name like "php-fpm*" or
122        user.name in ("apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9") or
123        user.id in ("33", "498", "48") or
124        (process.parent.name == "java" and process.parent.working_directory like "/u0?/*") or
125        process.parent.working_directory like "/var/www/*"
126      )
127    ) and
128    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
129    process.command_line like "* -c *" and not (
130        process.working_directory like "/home/*" or
131        process.working_directory == "/" or
132        process.working_directory like "/vscode/vscode-server/*" or
133        process.parent.executable like "/vscode/vscode-server/*" or
134        process.parent.executable == "/usr/bin/xfce4-terminal"
135    )
136
137| keep
138    @timestamp,
139    _id,
140    _index,
141    _version,
142    host.os.type,
143    event.type,
144    event.action,
145    process.parent.name,
146    user.name,
147    user.id,
148    process.working_directory,
149    process.parent.working_directory,
150    process.name,
151    process.executable,
152    process.command_line,
153    process.parent.executable,
154    agent.id,
155    host.name,
156    data_stream.dataset,
157    data_stream.namespace
158
159| stats
160    Esql.event_count = count(),
161    Esql.agent_id_count_distinct = count_distinct(agent.id),
162    Esql.host_name_values = values(host.name),
163    Esql.agent_id_values = values(agent.id),
164    Esql.data_stream_dataset_values = values(data_stream.dataset),
165    Esql.data_stream_namespace_values = values(data_stream.namespace)
166
167  by process.command_line, process.working_directory, process.parent.executable
168
169| where
170    Esql.agent_id_count_distinct == 1 and
171    Esql.event_count < 5
172| sort Esql.event_count asc
173
174// Extract unique values to ECS fields for alerts exclusion
175| eval agent.id = mv_min(Esql.agent_id_values),
176       host.name = mv_min(Esql.host_name_values)
177
178| keep agent.id, host.name, process.command_line, process.working_directory, process.parent.executable, Esql.*
179'''
180
181
182[[rule.threat]]
183framework = "MITRE ATT&CK"
184[[rule.threat.technique]]
185id = "T1505"
186name = "Server Software Component"
187reference = "https://attack.mitre.org/techniques/T1505/"
188[[rule.threat.technique.subtechnique]]
189id = "T1505.003"
190name = "Web Shell"
191reference = "https://attack.mitre.org/techniques/T1505/003/"
192
193
194
195[rule.threat.tactic]
196id = "TA0003"
197name = "Persistence"
198reference = "https://attack.mitre.org/tactics/TA0003/"
199[[rule.threat]]
200framework = "MITRE ATT&CK"
201[[rule.threat.technique]]
202id = "T1059"
203name = "Command and Scripting Interpreter"
204reference = "https://attack.mitre.org/techniques/T1059/"
205[[rule.threat.technique.subtechnique]]
206id = "T1059.004"
207name = "Unix Shell"
208reference = "https://attack.mitre.org/techniques/T1059/004/"
209
210
211
212[rule.threat.tactic]
213id = "TA0002"
214name = "Execution"
215reference = "https://attack.mitre.org/tactics/TA0002/"
216[[rule.threat]]
217framework = "MITRE ATT&CK"
218[[rule.threat.technique]]
219id = "T1071"
220name = "Application Layer Protocol"
221reference = "https://attack.mitre.org/techniques/T1071/"
222
223
224[rule.threat.tactic]
225id = "TA0011"
226name = "Command and Control"
227reference = "https://attack.mitre.org/tactics/TA0011/"
228[[rule.threat]]
229framework = "MITRE ATT&CK"
230[[rule.threat.technique]]
231id = "T1190"
232name = "Exploit Public-Facing Application"
233reference = "https://attack.mitre.org/techniques/T1190/"
234
235
236[rule.threat.tactic]
237id = "TA0001"
238name = "Initial Access"
239reference = "https://attack.mitre.org/tactics/TA0001/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Deprecated - Unusual Command Execution from Web Server Parent

Web servers, such as Apache or Nginx, are crucial for hosting web applications, often running on Linux systems. Adversaries exploit vulnerabilities in these servers to execute arbitrary commands, typically through web shells, blending malicious activity with legitimate server processes. The detection rule identifies suspicious command executions originating from web server processes, focusing on unusual patterns and contexts, such as unexpected working directories or command structures, to flag potential compromises.

Possible investigation steps

  • Review the process.command_line field to understand the specific command executed and assess its legitimacy or potential malicious intent.
  • Examine the process.working_directory to determine if the command was executed from an unusual or suspicious directory, which could indicate a compromise.
  • Check the process.parent.executable and process.parent.name fields to identify the parent process and verify if it is a known web server or related service that could be exploited.
  • Investigate the user.name and user.id fields to confirm if the command was executed by a legitimate user or service account, or if it was potentially executed by an unauthorized user.
  • Correlate the @timestamp with other logs and events to identify any related activities or anomalies occurring around the same time, which could provide additional context or evidence of an attack.
  • Assess the agent.id to determine if the alert is isolated to a single host or if similar activities are observed across multiple hosts, indicating a broader issue.

False positive analysis

  • Web development or testing environments may frequently execute commands from web server processes. To handle this, exclude specific working directories like /var/www/dev or /var/www/test from the rule.
  • Automated scripts or cron jobs running under web server user accounts can trigger alerts. Identify these scripts and add exceptions for their specific command lines or user IDs.
  • Legitimate administrative tasks performed by web server administrators might appear suspicious. Document these tasks and exclude their associated command lines or parent executables.
  • Continuous integration or deployment processes that involve web server interactions can be mistaken for threats. Exclude known CI/CD tool command lines or working directories from the rule.
  • Monitoring or logging tools that interact with web server processes may generate false positives. Identify these tools and exclude their specific process names or parent executables.

Response and remediation

  • Isolate the affected host immediately to prevent further malicious activity and lateral movement within the network. This can be done by removing the host from the network or applying network segmentation.

  • Terminate any suspicious processes identified by the detection rule, especially those originating from web server parent processes executing shell commands. Use process IDs and command lines from the alert to target specific processes.

  • Conduct a thorough review of the web server logs and application logs to identify any unauthorized access or modifications. Look for patterns that match the command execution detected and any other anomalies.

  • Patch the web server and any associated applications to address known vulnerabilities that may have been exploited. Ensure that all software is up to date with the latest security patches.

  • Restore the affected system from a known good backup if any unauthorized changes or persistent threats are detected. Ensure that the backup is free from compromise before restoration.

  • Implement additional monitoring and alerting for similar activities, focusing on unusual command executions and web server behavior. Enhance logging and alerting to capture more detailed information about process executions and network connections.

  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the attack is part of a larger campaign. Provide them with all relevant data and findings from the initial containment and remediation steps.

Related rules

to-top