Web Server Child Shell Spawn Detected via Defend for Containers

  1[metadata]
  2creation_date = "2026/02/06"
  3integration = ["cloud_defend"]
  4maturity = "production"
  5min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
  6min_stack_version = "9.3.0"
  7updated_date = "2026/02/06"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12This rule detects the exploitation of a web server through the execution of a suspicious process by common web server
 13user accounts. Attackers may upload a web shell to a web server to maintain access to the system.
 14"""
 15from = "now-6m"
 16index = ["logs-cloud_defend.process*"]
 17interval = "5m"
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Web Server Child Shell Spawn Detected via Defend for Containers"
 21note = """## Triage and analysis
 22
 23> **Disclaimer**:
 24> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 25
 26### Investigating Web Server Child Shell Spawn Detected via Defend for Containers
 27
 28This rule flags Linux container activity where a web server (or typical web-service account) spawns an interactive shell to run a command string, a strong indicator of web app exploitation rather than normal request handling. It matters because this pattern commonly marks initial foothold and post-exploitation execution that can lead to persistence and lateral movement from the service container. A typical attacker flow drops a web shell or abuses RCE to launch `sh -c` and pull or run a secondary payload (e.g., reverse shell).
 29
 30### Possible investigation steps
 31
 32- Capture the full executed command line and decode/normalize any obfuscation (base64, hex, URL encoding) to determine the operator intent and any payload retrieval or reverse-shell behavior.  
 33- Correlate the execution timestamp with web access/error logs and ingress/WAF events to identify the triggering request path, parameters, and source IP/user-agent indicating RCE or web-shell invocation.  
 34- Inspect recent file and permission changes in the container’s application and web directories (including temp and upload paths) to identify newly dropped scripts/binaries, cron entries, or modified server configs.  
 35- Review container and orchestration context (image tag/digest, recent deploys, exec sessions, and Kubernetes events) to determine whether the activity aligns with a legitimate rollout or represents in-container compromise.  
 36- Check network telemetry for the container around the event for suspicious outbound connections, DNS lookups, or downloads, then pivot to any contacted hosts to assess command-and-control or staging infrastructure.
 37
 38### False positive analysis
 39
 40- A web application or server-side script running under the web-service account legitimately invokes `sh -c` (e.g., to run maintenance tasks like log rotation, cache rebuilds, file conversions, or templating/asset compilation) from a web directory such as `/var/www/*`, causing the web server to spawn a shell child process.  
 41- During container startup or a deployment/health-check routine, the web server process launches a shell via `sh -c` to perform initialization (e.g., environment substitution, dynamic configuration generation, permission fixes, or calling bundled helper scripts), which can resemble exploitation when the parent is a web server and the child is a shell.
 42
 43### Response and remediation
 44
 45- Immediately isolate the affected container/pod from inbound and outbound traffic (quarantine namespace/security group or apply a deny-all NetworkPolicy) and stop the workload to prevent further `sh -c` execution and potential C2.  
 46- Preserve evidence by exporting the container filesystem and logs (web access/error logs, application logs, and process output) and capture the exact shell command string and any downloaded payloads or newly created files in web roots, temp, and upload directories.  
 47- Eradicate by removing any identified web shells/backdoors and reverting unauthorized changes, then rebuild and redeploy the service from a known-good image digest while rotating secrets exposed to the container (service tokens, database creds, API keys).  
 48- Recover by validating application integrity and behavior post-redeploy (no unexpected shell spawns, no abnormal outbound connections, clean health checks) and monitor the previously contacted IPs/domains for further callbacks from other workloads.  
 49- Escalate to incident response and platform security immediately if the shell command indicates payload retrieval, reverse shell activity, credential access, or if similar `sh -c` executions are observed across multiple containers/namespaces.  
 50- Harden by removing shell binaries from runtime images where feasible, enforcing non-root and read-only filesystems, restricting egress to required destinations only, disabling risky interpreter execution paths in the web app, and adding WAF/RCE protections for the identified vulnerable endpoint."""
 51risk_score = 47
 52rule_id = "497a7091-0ebd-44d7-88c4-367ab4d4d852"
 53severity = "medium"
 54tags = [
 55    "Data Source: Elastic Defend for Containers",
 56    "Domain: Container",
 57    "OS: Linux",
 58    "Use Case: Threat Detection",
 59    "Tactic: Persistence",
 60    "Tactic: Execution",
 61    "Tactic: Command and Control",
 62    "Resources: Investigation Guide",
 63]
 64timestamp_override = "event.ingested"
 65type = "eql"
 66query = '''
 67process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
 68  process.parent.name in (
 69      "apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "mongrel_rails", "gunicorn",
 70      "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn",
 71      "daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel", "php-cgi",
 72      "php-fcgi", "php-cgi.cagefs", "catalina.sh", "hiawatha", "lswsctrl"
 73  ) or
 74  process.parent.name like "php-fpm*" or
 75  user.name in ("apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9") or
 76  user.id in ("33", "498", "48") or
 77  (process.parent.name == "java" and process.parent.working_directory like "/u0?/*") or
 78  process.parent.working_directory like "/var/www/*"
 79) and (
 80  (process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox")) or
 81  (process.args in (
 82    "bash", "/bin/bash", "/usr/bin/bash", "/usr/local/bin/bash",
 83    "dash", "/bin/dash", "/usr/bin/dash", "/usr/local/bin/dash",
 84    "sh", "/bin/sh", "/usr/bin/sh", "/usr/local/bin/sh",
 85    "tcsh", "/bin/tcsh", "/usr/bin/tcsh", "/usr/local/bin/tcsh",
 86    "csh", "/bin/csh", "/usr/bin/csh", "/usr/local/bin/csh",
 87    "zsh", "/bin/zsh", "/usr/bin/zsh", "/usr/local/bin/zsh",
 88    "ksh", "/bin/ksh", "/usr/bin/ksh", "/usr/local/bin/ksh",
 89    "fish", "/bin/fish", "/usr/bin/fish", "/usr/local/bin/fish",
 90    "busybox", "/bin/busybox", "/usr/bin/busybox", "/usr/local/bin/busybox"
 91  ))
 92) and process.args == "-c" and container.id like "?*"
 93'''
 94
 95[[rule.threat]]
 96framework = "MITRE ATT&CK"
 97
 98[rule.threat.tactic]
 99name = "Persistence"
100id = "TA0003"
101reference = "https://attack.mitre.org/tactics/TA0003/"
102
103[[rule.threat.technique]]
104id = "T1505"
105name = "Server Software Component"
106reference = "https://attack.mitre.org/techniques/T1505/"
107
108[[rule.threat.technique.subtechnique]]
109id = "T1505.003"
110name = "Web Shell"
111reference = "https://attack.mitre.org/techniques/T1505/003/"
112
113[[rule.threat]]
114framework = "MITRE ATT&CK"
115
116[rule.threat.tactic]
117name = "Execution"
118id = "TA0002"
119reference = "https://attack.mitre.org/tactics/TA0002/"
120
121[[rule.threat.technique]]
122id = "T1059"
123name = "Command and Scripting Interpreter"
124reference = "https://attack.mitre.org/techniques/T1059/"
125
126[[rule.threat.technique.subtechnique]]
127id = "T1059.004"
128name = "Unix Shell"
129reference = "https://attack.mitre.org/techniques/T1059/004/"
130
131[[rule.threat]]
132framework = "MITRE ATT&CK"
133
134[rule.threat.tactic]
135name = "Command and Control"
136id = "TA0011"
137reference = "https://attack.mitre.org/tactics/TA0011/"
138
139[[rule.threat.technique]]
140name = "Application Layer Protocol"
141id = "T1071"
142reference = "https://attack.mitre.org/techniques/T1071/"