Web Server Exploitation Detected via Defend for Containers

  1[metadata]
  2creation_date = "2026/02/06"
  3integration = ["cloud_defend"]
  4maturity = "production"
  5min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
  6min_stack_version = "9.3.0"
  7updated_date = "2026/03/05"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12This rule detects the exploitation of a web server through the execution of a suspicious process by common web server
 13user accounts. Attackers may upload a web shell to a web server to maintain access to the system.
 14"""
 15from = "now-6m"
 16index = ["logs-cloud_defend.process*"]
 17interval = "5m"
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Web Server Exploitation Detected via Defend for Containers"
 21note = """## Triage and analysis
 22
 23> **Disclaimer**:
 24> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 25
 26### Investigating Web Server Exploitation Detected via Defend for Containers
 27
 28This rule flags Linux container activity where a web server (or typical web-service account) executes a suspicious process, a strong indicator of web app exploitation rather than normal request handling. It matters because this pattern commonly marks initial foothold and post-exploitation execution that can lead to persistence and lateral movement from the service container. A typical attacker flow drops a web shell or abuses RCE to launch `sh -c` and pull or run a secondary payload (e.g., reverse shell).
 29
 30### Possible investigation steps
 31
 32- Capture the full executed command line and decode/normalize any obfuscation (base64, hex, URL encoding) to determine the operator intent and any payload retrieval or reverse-shell behavior.  
 33- Correlate the execution timestamp with web access/error logs and ingress/WAF events to identify the triggering request path, parameters, and source IP/user-agent indicating RCE or web-shell invocation.  
 34- Inspect recent file and permission changes in the container’s application and web directories (including temp and upload paths) to identify newly dropped scripts/binaries, cron entries, or modified server configs.  
 35- Review container and orchestration context (image tag/digest, recent deploys, exec sessions, and Kubernetes events) to determine whether the activity aligns with a legitimate rollout or represents in-container compromise.  
 36- Check network telemetry for the container around the event for suspicious outbound connections, DNS lookups, or downloads, then pivot to any contacted hosts to assess command-and-control or staging infrastructure.
 37
 38### False positive analysis
 39
 40- A web application or server-side script running under the web-service account legitimately invokes `sh -c` (e.g., to run maintenance tasks like log rotation, cache rebuilds, file conversions, or templating/asset compilation) from a web directory such as `/var/www/*`, causing the web server to spawn a shell child process.  
 41- During container startup or a deployment/health-check routine, the web server process launches a shell via `sh -c` to perform initialization (e.g., environment substitution, dynamic configuration generation, permission fixes, or calling bundled helper scripts), which can resemble exploitation when the parent is a web server and the child is a shell.
 42
 43### Response and remediation
 44
 45- Immediately isolate the affected container/pod from inbound and outbound traffic (quarantine namespace/security group or apply a deny-all NetworkPolicy) and stop the workload to prevent further `sh -c` execution and potential C2.  
 46- Preserve evidence by exporting the container filesystem and logs (web access/error logs, application logs, and process output) and capture the exact shell command string and any downloaded payloads or newly created files in web roots, temp, and upload directories.  
 47- Eradicate by removing any identified web shells/backdoors and reverting unauthorized changes, then rebuild and redeploy the service from a known-good image digest while rotating secrets exposed to the container (service tokens, database creds, API keys).  
 48- Recover by validating application integrity and behavior post-redeploy (no unexpected shell spawns, no abnormal outbound connections, clean health checks) and monitor the previously contacted IPs/domains for further callbacks from other workloads.  
 49- Escalate to incident response and platform security immediately if the shell command indicates payload retrieval, reverse shell activity, credential access, or if similar `sh -c` executions are observed across multiple containers/namespaces.  
 50- Harden by removing shell binaries from runtime images where feasible, enforcing non-root and read-only filesystems, restricting egress to required destinations only, disabling risky interpreter execution paths in the web app, and adding WAF/RCE protections for the identified vulnerable endpoint."""
 51risk_score = 73
 52rule_id = "497a7091-0ebd-44d7-88c4-367ab4d4d852"
 53severity = "high"
 54tags = [
 55    "Data Source: Elastic Defend for Containers",
 56    "Domain: Container",
 57    "OS: Linux",
 58    "Use Case: Threat Detection",
 59    "Tactic: Persistence",
 60    "Tactic: Execution",
 61    "Tactic: Command and Control",
 62    "Resources: Investigation Guide",
 63]
 64timestamp_override = "event.ingested"
 65type = "eql"
 66query = '''
 67process where event.type == "start" and event.action == "exec" and process.parent.interactive == false and
 68container.id like "?*" and (
 69  process.parent.name in (
 70    "nginx", "apache2", "httpd", "caddy", "mongrel_rails", "uwsgi", "daphne", "httpd.worker", "flask",
 71    "php-cgi", "php-fcgi", "php-cgi.cagefs", "lswsctrl", "varnishd", "uvicorn", "waitress-serve", "starman"
 72  ) or
 73  process.parent.name like ("php-fpm*", "gunicorn*", "*.cgi", "*.fcgi") or
 74  (process.parent.name like "ruby*" and process.parent.args like~ ("*puma*", "*rails*", "*passenger*")) or
 75  (process.parent.name like "python*" and process.parent.args like~ (
 76    "*hypercorn*", "*flask*", "*uvicorn*", "*django*", "*app.py*", "*server.py*", "*wsgi.py*", "*asgi.py*"
 77  )) or
 78  (process.parent.name like "perl*" and process.parent.args like~ "*plackup*") or
 79  (process.parent.name == "node" and process.parent.args like~ (
 80    "*next start*", "*--port*", "*PORT=*", "*HOST=*", "*0.0.0.0*", "*/dist/*.js*", "*/build/*.js*", "*/server/*.js*",
 81    "*/app/*.js*","*/apps/*/*.js*", "*/index.js*", "*/main.js*", "*/srv/*", "*/opt/*", "*/var/www/*"
 82    ) and
 83    not process.parent.args like ("/opt/cursor-agent/*", "/home/*/*", "/root/*", "/opt/vscode-server/*", "/usr/lib/node_modules/openclaw/dist/index.js") 
 84  ) or
 85  (process.parent.name == "java" and process.parent.args like~ (
 86    /* Tomcat */
 87    "org.apache.catalina.startup.Bootstrap", "-Dcatalina.base=*",
 88
 89    /* Jetty */
 90    "org.eclipse.jetty.start.Main", "-Djetty.home=*",
 91
 92    /* WildFly / JBoss */
 93    "org.jboss.modules.Main", "-Djboss.home.dir=*",
 94
 95    /* WebLogic */
 96    "weblogic.Server", "-Dweblogic.Name=*", "*weblogic-launcher.jar*",
 97
 98    /* WebSphere traditional + Liberty */
 99    "com.ibm.ws.runtime.WsServer", "com.ibm.ws.kernel.boot.cmdline.Bootstrap",
100
101    /* GlassFish */
102    "com.sun.enterprise.glassfish.bootstrap.ASMain",
103
104    /* Resin */
105    "com.caucho.server.resin.Resin",
106
107    /* Spring Boot */
108    "org.springframework.boot.loader.*",
109
110    /* Quarkus */
111    "*quarkus-run.jar*", "io.quarkus.runner.GeneratedMain",
112
113    /* Micronaut */
114    "io.micronaut.runtime.Micronaut",
115
116    /* Dropwizard */
117    "io.dropwizard.cli.ServerCommand",
118
119    /* Play */
120    "play.core.server.ProdServerStart",
121
122    /* Helidon */
123    "io.helidon.microprofile.server.Main", "io.helidon.webserver*",
124
125    /* Vert.x */
126    "io.vertx.core.Launcher",
127
128    /* Keycloak */
129    "org.keycloak*",
130
131    /* Apereo CAS */
132    "org.apereo.cas*",
133
134    /* Elasticsearch */
135    "org.elasticsearch.bootstrap.Elasticsearch",
136
137    /* Atlassian / Gerrit */
138    "com.atlassian.jira.startup.Launcher", "*BitbucketServerLauncher*", "com.google.gerrit.pgm.Daemon",
139
140    /* Solr */
141    "*-Dsolr.solr.home=*"
142    )
143  )
144) and
145process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
146process.args in ("-c", "-cl", "-lc") and (
147  process.args like (
148    /* Suspicious Paths */
149    "* /tmp/* ", "* /var/tmp/* ", "* /dev/shm/*", "* /var/www/*", "* /run/*", "* /var/run/*",
150
151    /* Interpreter Execution */
152    "*python* -c*", "*php* -r*", "*perl* -e*", "*ruby* -e*", "*lua* -e*", "*node * -e *",
153
154    /* Encoding / Decoding */
155    "*base64 -*d*", "*|*base64 *", "*xxd *", "*openssl*enc * -d *",
156
157    /* Reverse Shells */
158    "*netcat *", "* nc *", "*ncat *", "*/dev/tcp*", "*/dev/udp/*", " *socat *", "*openssl*s_client *", "*stty*raw*-echo*",
159
160    /* File Access */
161    "*>*/etc/cron*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*", "*~/.ssh/*", "*/etc/shadow*", "*/etc/passwd*", "*chpasswd*",
162      
163    /* AWS Credentials */
164    "*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*",
165    "*access_key*", "*.aws/credentials*", "*/.aws/config*",
166    
167    /* Azure Credentials */
168    "*AZURE_CLIENT_ID*", "*AZURE_TENANT_ID*", "*AZURE_CLIENT_SECRET*", "*AZURE_FEDERATED_TOKEN_FILE*",
169    "*IDENTITY_ENDPOINT*", "*IDENTITY_HEADER*", "*MSI_ENDPOINT*", "*MSI_SECRET*", "*/.azure/*",
170    "*/run/secrets/azure/*",
171    
172    /* GCP Credentials */
173    "*/.config/gcloud/*", "*application_default_credentials.json*", "*type: service_account*",
174    "*client_email*", "*private_key_id*", "*private_key*", "*/run/secrets/google/*", "*GOOGLE_APPLICATION_CREDENTIALS*",
175    
176    /* Misc. Cloud */
177    "*/.docker/config.json*", "*/.npmrc*", "*/secrets/kubernetes.io/serviceaccount/*",
178
179    /* Helpers */
180    "*nohup*", "*setsid *", "*timeout *sh -c *", "*disown*", "*env *sh *-c*",
181
182    /* Miscellaneous */
183    "*echo *", "*chattr *", "*busybox *",  "*#!*", "*chmod +x *", "*chmod 777*", 
184    
185    /* Decompression */
186    "*gzip -*d *", "*bzip2 -*d *", "*xz -*d *", "*tar -*x*",
187     
188     /* Path Traversal */
189     "*../../../*etc/*", "*/.../*", "*../../../*home/*/*", "*../../../*root/*",
190
191     "*|*sh", "*|*python*", "*|*php*", "*|*perl*", "*|*ruby*", "*|*node*", "*|*lua*", "*|*busybox*"
192  ) or
193  (
194    process.args like ("*wget *", "*curl *") and (
195      (
196        process.args like~ ("* -o *", "* --output*", "* -o- *") and
197        process.args regex ".*[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}.*"
198      ) or
199      (
200        process.args like ("*http://*", "*https://*") and
201        process.args like (
202          "* /tmp/*", "* /var/tmp/*", "* /dev/shm/* ", "* /var/www/*", "* ~/*",
203          "* /home/*", "* /run/*", "* /var/run/*"
204        )
205      )
206    )
207  )
208) and
209not (
210  (process.parent.name == "nginx" and process.args like ("chmod 777 /etc/resty-*", "resty*")) or
211  (process.parent.name == "apache2" and (
212    process.args in (
213      "/usr/local/bin/php -r 'echo phpversion();'",
214      "/usr/local/bin/php -r 'echo phpversion();'",
215      "/usr/bin/php -r 'echo phpversion();'"
216    ) or
217    process.args like """bash -c "( /home/*/apps/richdocumentscode/collabora/Collabora_Online.AppImage*"""
218    )
219  ) or
220  (process.parent.name like "php-fpm*" and process.args in (
221    "/usr/bin/php -r 'echo phpversion();'",
222    "/usr/bin/php -r 'echo phpversion();'",
223    "php -r 'print_r(phpversion());'",
224    "chattr -i -a /usr/local/virtualizor/license2.php"
225    )
226  ) or
227  (process.parent.name == "php-cgi" and process.args like (
228    "nohup php /home/*/public_html/lockindex.php index.php >/dev/null 2>&1 &",
229    "nohup php /home/*/public_html/wp-content/* >> /dev/null 2>&1 &",
230    "nohup php /home/*/public_html/wp-includes/* >> /dev/null 2>&1 &",
231    "nohup php /home/*/public_html/*/wp-content/* >> /dev/null 2>&1 &"
232    )
233  )
234)
235'''
236
237[[rule.threat]]
238framework = "MITRE ATT&CK"
239
240[rule.threat.tactic]
241name = "Persistence"
242id = "TA0003"
243reference = "https://attack.mitre.org/tactics/TA0003/"
244
245[[rule.threat.technique]]
246id = "T1505"
247name = "Server Software Component"
248reference = "https://attack.mitre.org/techniques/T1505/"
249
250[[rule.threat.technique.subtechnique]]
251id = "T1505.003"
252name = "Web Shell"
253reference = "https://attack.mitre.org/techniques/T1505/003/"
254
255[[rule.threat]]
256framework = "MITRE ATT&CK"
257
258[rule.threat.tactic]
259name = "Execution"
260id = "TA0002"
261reference = "https://attack.mitre.org/tactics/TA0002/"
262
263[[rule.threat.technique]]
264id = "T1059"
265name = "Command and Scripting Interpreter"
266reference = "https://attack.mitre.org/techniques/T1059/"
267
268[[rule.threat.technique.subtechnique]]
269id = "T1059.004"
270name = "Unix Shell"
271reference = "https://attack.mitre.org/techniques/T1059/004/"
272
273[[rule.threat]]
274framework = "MITRE ATT&CK"
275
276[rule.threat.tactic]
277name = "Command and Control"
278id = "TA0011"
279reference = "https://attack.mitre.org/tactics/TA0011/"
280
281[[rule.threat.technique]]
282name = "Application Layer Protocol"
283id = "T1071"
284reference = "https://attack.mitre.org/techniques/T1071/"