Web Server Exploitation Detected via Defend for Containers

This rule detects the exploitation of a web server through the execution of a suspicious process by common web server user accounts. Attackers may upload a web shell to a web server to maintain access to the system.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/02/06"
  3integration = ["cloud_defend"]
  4maturity = "production"
  5min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
  6min_stack_version = "9.3.0"
  7updated_date = "2026/06/01"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12This rule detects the exploitation of a web server through the execution of a suspicious process by common web server
 13user accounts. Attackers may upload a web shell to a web server to maintain access to the system.
 14"""
 15from = "now-6m"
 16index = ["logs-cloud_defend.process*"]
 17interval = "5m"
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Web Server Exploitation Detected via Defend for Containers"
 21note = """## Triage and analysis
 22
 23> **Disclaimer**:
 24> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 25
 26### Investigating Web Server Exploitation Detected via Defend for Containers
 27
 28This rule flags Linux container activity where a web server (or typical web-service account) executes a suspicious process, a strong indicator of web app exploitation rather than normal request handling. It matters because this pattern commonly marks initial foothold and post-exploitation execution that can lead to persistence and lateral movement from the service container. A typical attacker flow drops a web shell or abuses RCE to launch `sh -c` and pull or run a secondary payload (e.g., reverse shell).
 29
 30### Possible investigation steps
 31
 32- Capture the full executed command line and decode/normalize any obfuscation (base64, hex, URL encoding) to determine the operator intent and any payload retrieval or reverse-shell behavior.  
 33- Correlate the execution timestamp with web access/error logs and ingress/WAF events to identify the triggering request path, parameters, and source IP/user-agent indicating RCE or web-shell invocation.  
 34- Inspect recent file and permission changes in the container’s application and web directories (including temp and upload paths) to identify newly dropped scripts/binaries, cron entries, or modified server configs.  
 35- Review container and orchestration context (image tag/digest, recent deploys, exec sessions, and Kubernetes events) to determine whether the activity aligns with a legitimate rollout or represents in-container compromise.  
 36- Check network telemetry for the container around the event for suspicious outbound connections, DNS lookups, or downloads, then pivot to any contacted hosts to assess command-and-control or staging infrastructure.
 37
 38### False positive analysis
 39
 40- A web application or server-side script running under the web-service account legitimately invokes `sh -c` (e.g., to run maintenance tasks like log rotation, cache rebuilds, file conversions, or templating/asset compilation) from a web directory such as `/var/www/*`, causing the web server to spawn a shell child process.  
 41- During container startup or a deployment/health-check routine, the web server process launches a shell via `sh -c` to perform initialization (e.g., environment substitution, dynamic configuration generation, permission fixes, or calling bundled helper scripts), which can resemble exploitation when the parent is a web server and the child is a shell.
 42
 43### Response and remediation
 44
 45- Immediately isolate the affected container/pod from inbound and outbound traffic (quarantine namespace/security group or apply a deny-all NetworkPolicy) and stop the workload to prevent further `sh -c` execution and potential C2.  
 46- Preserve evidence by exporting the container filesystem and logs (web access/error logs, application logs, and process output) and capture the exact shell command string and any downloaded payloads or newly created files in web roots, temp, and upload directories.  
 47- Eradicate by removing any identified web shells/backdoors and reverting unauthorized changes, then rebuild and redeploy the service from a known-good image digest while rotating secrets exposed to the container (service tokens, database creds, API keys).  
 48- Recover by validating application integrity and behavior post-redeploy (no unexpected shell spawns, no abnormal outbound connections, clean health checks) and monitor the previously contacted IPs/domains for further callbacks from other workloads.  
 49- Escalate to incident response and platform security immediately if the shell command indicates payload retrieval, reverse shell activity, credential access, or if similar `sh -c` executions are observed across multiple containers/namespaces.  
 50- Harden by removing shell binaries from runtime images where feasible, enforcing non-root and read-only filesystems, restricting egress to required destinations only, disabling risky interpreter execution paths in the web app, and adding WAF/RCE protections for the identified vulnerable endpoint."""
 51risk_score = 73
 52rule_id = "497a7091-0ebd-44d7-88c4-367ab4d4d852"
 53severity = "high"
 54tags = [
 55    "Data Source: Elastic Defend for Containers",
 56    "Domain: Container",
 57    "OS: Linux",
 58    "Use Case: Threat Detection",
 59    "Tactic: Persistence",
 60    "Tactic: Execution",
 61    "Tactic: Command and Control",
 62    "Resources: Investigation Guide",
 63]
 64timestamp_override = "event.ingested"
 65type = "eql"
 66query = '''
 67process where event.type == "start" and event.action == "exec" and process.parent.interactive == false and
 68container.id like "?*" and (
 69  process.parent.name in (
 70    "nginx", "apache2", "httpd", "caddy", "mongrel_rails", "uwsgi", "daphne", "httpd.worker", "flask",
 71    "php-cgi", "php-fcgi", "php-cgi.cagefs", "lswsctrl", "varnishd", "uvicorn", "waitress-serve", "starman"
 72  ) or
 73  process.parent.name like ("php-fpm*", "gunicorn*", "*.cgi", "*.fcgi") or
 74  (process.parent.name like "ruby*" and process.parent.args like~ ("*puma*", "*rails*", "*passenger*")) or
 75  (process.parent.name like "python*" and process.parent.args like~ (
 76    "*hypercorn*", "*flask*", "*uvicorn*", "*django*", "*app.py*", "*server.py*", "*wsgi.py*", "*asgi.py*"
 77  )) or
 78  (process.parent.name like "perl*" and process.parent.args like~ "*plackup*") or
 79  (process.parent.name == "node" and process.parent.args like~ (
 80    "*next start*", "*--port*", "*PORT=*", "*HOST=*", "*0.0.0.0*", "*/dist/*.js*", "*/build/*.js*", "*/server/*.js*",
 81    "*/app/*.js*","*/apps/*/*.js*", "*/index.js*", "*/main.js*", "*/srv/*", "*/opt/*", "*/var/www/*"
 82    ) and
 83    not process.parent.args like ("/opt/cursor-agent/*", "/home/*/*", "/root/*", "/opt/vscode-server/*", "/usr/lib/node_modules/openclaw/dist/index.js") 
 84  ) or
 85  (process.parent.name == "java" and process.parent.args like~ (
 86    /* Tomcat */
 87    "org.apache.catalina.startup.Bootstrap", "-Dcatalina.base=*",
 88
 89    /* Jetty */
 90    "org.eclipse.jetty.start.Main", "-Djetty.home=*",
 91
 92    /* WildFly / JBoss */
 93    "org.jboss.modules.Main", "-Djboss.home.dir=*",
 94
 95    /* WebLogic */
 96    "weblogic.Server", "-Dweblogic.Name=*", "*weblogic-launcher.jar*",
 97
 98    /* WebSphere traditional + Liberty */
 99    "com.ibm.ws.runtime.WsServer", "com.ibm.ws.kernel.boot.cmdline.Bootstrap",
100
101    /* GlassFish */
102    "com.sun.enterprise.glassfish.bootstrap.ASMain",
103
104    /* Resin */
105    "com.caucho.server.resin.Resin",
106
107    /* Spring Boot */
108    "org.springframework.boot.loader.*",
109
110    /* Quarkus */
111    "*quarkus-run.jar*", "io.quarkus.runner.GeneratedMain",
112
113    /* Micronaut */
114    "io.micronaut.runtime.Micronaut",
115
116    /* Dropwizard */
117    "io.dropwizard.cli.ServerCommand",
118
119    /* Play */
120    "play.core.server.ProdServerStart",
121
122    /* Helidon */
123    "io.helidon.microprofile.server.Main", "io.helidon.webserver*",
124
125    /* Vert.x */
126    "io.vertx.core.Launcher",
127
128    /* Keycloak */
129    "org.keycloak*",
130
131    /* Apereo CAS */
132    "org.apereo.cas*",
133
134    /* Elasticsearch */
135    "org.elasticsearch.bootstrap.Elasticsearch",
136
137    /* Atlassian / Gerrit */
138    "com.atlassian.jira.startup.Launcher", "*BitbucketServerLauncher*", "com.google.gerrit.pgm.Daemon",
139
140    /* Solr */
141    "*-Dsolr.solr.home=*",
142
143    /* Jenkins */
144    "*jenkins.war*"
145    )
146  )
147) and
148process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh", "busybox") and
149process.args in ("-c", "-cl", "-lc") and (
150  process.args like (
151    /* Suspicious Paths */
152    "* /tmp/* ", "* /var/tmp/* ", "* /dev/shm/*", "* /var/www/*", "* /run/*", "* /var/run/*",
153
154    /* Interpreter Execution */
155    "*python* -c*", "*php* -r*", "*perl* -e*", "*ruby* -e*", "*lua* -e*", "*node * -e *",
156
157    /* Encoding / Decoding */
158    "*base64 -*d*", "*|*base64 *", "*xxd *", "*openssl*enc * -d *",
159
160    /* Reverse Shells */
161    "*netcat *", "* nc *", "*ncat *", "*/dev/tcp*", "*/dev/udp/*", " *socat *", "*openssl*s_client *", "*stty*raw*-echo*",
162
163    /* File Access */
164    "*>*/etc/cron*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*", "*~/.ssh/*", "*/etc/shadow*", "*/etc/passwd*", "*chpasswd*",
165      
166    /* AWS Credentials */
167    "*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*",
168    "*access_key*", "*.aws/credentials*", "*/.aws/config*",
169    
170    /* Azure Credentials */
171    "*AZURE_CLIENT_ID*", "*AZURE_TENANT_ID*", "*AZURE_CLIENT_SECRET*", "*AZURE_FEDERATED_TOKEN_FILE*",
172    "*IDENTITY_ENDPOINT*", "*IDENTITY_HEADER*", "*MSI_ENDPOINT*", "*MSI_SECRET*", "*/.azure/*",
173    "*/run/secrets/azure/*",
174    
175    /* GCP Credentials */
176    "*/.config/gcloud/*", "*application_default_credentials.json*", "*type: service_account*",
177    "*client_email*", "*private_key_id*", "*private_key*", "*/run/secrets/google/*", "*GOOGLE_APPLICATION_CREDENTIALS*",
178    
179    /* Misc. Cloud */
180    "*/.docker/config.json*", "*/.npmrc*", "*/secrets/kubernetes.io/serviceaccount/*",
181
182    /* Helpers */
183    "*nohup*", "*setsid *", "*timeout *sh -c *", "*disown*", "*env *sh *-c*",
184
185    /* Miscellaneous */
186    "*echo *", "*chattr *", "*busybox *",  "*#!*", "*chmod +x *", "*chmod 777*", 
187    
188    /* Decompression */
189    "*gzip -*d *", "*bzip2 -*d *", "*xz -*d *", "*tar -*x*",
190     
191     /* Path Traversal */
192     "*../../../*etc/*", "*/.../*", "*../../../*home/*/*", "*../../../*root/*",
193
194     "*|*sh", "*|*python*", "*|*php*", "*|*perl*", "*|*ruby*", "*|*node*", "*|*lua*", "*|*busybox*"
195  ) or
196  (
197    process.args like ("*wget *", "*curl *") and (
198      (
199        process.args like~ ("* -o *", "* --output*", "* -o- *") and
200        process.args regex ".*[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}.*"
201      ) or
202      (
203        process.args like ("*http://*", "*https://*") and
204        process.args like (
205          "* /tmp/*", "* /var/tmp/*", "* /dev/shm/* ", "* /var/www/*", "* ~/*",
206          "* /home/*", "* /run/*", "* /var/run/*"
207        )
208      )
209    )
210  )
211) and
212not (
213  (process.parent.name == "nginx" and process.args like ("chmod 777 /etc/resty-*", "resty*")) or
214  (process.parent.name == "apache2" and (
215    process.args in (
216      "/usr/local/bin/php -r 'echo phpversion();'",
217      "/usr/local/bin/php -r 'echo phpversion();'",
218      "/usr/bin/php -r 'echo phpversion();'"
219    ) or
220    process.args like """bash -c "( /home/*/apps/richdocumentscode/collabora/Collabora_Online.AppImage*"""
221    )
222  ) or
223  (process.parent.name like "php-fpm*" and process.args in (
224    "/usr/bin/php -r 'echo phpversion();'",
225    "/usr/bin/php -r 'echo phpversion();'",
226    "php -r 'print_r(phpversion());'",
227    "chattr -i -a /usr/local/virtualizor/license2.php"
228    )
229  ) or
230  (process.parent.name == "php-cgi" and process.args like (
231    "nohup php /home/*/public_html/lockindex.php index.php >/dev/null 2>&1 &",
232    "nohup php /home/*/public_html/wp-content/* >> /dev/null 2>&1 &",
233    "nohup php /home/*/public_html/wp-includes/* >> /dev/null 2>&1 &",
234    "nohup php /home/*/public_html/*/wp-content/* >> /dev/null 2>&1 &"
235    )
236  )
237)
238'''
239
240[[rule.threat]]
241framework = "MITRE ATT&CK"
242
243[[rule.threat.technique]]
244id = "T1505"
245name = "Server Software Component"
246reference = "https://attack.mitre.org/techniques/T1505/"
247
248[[rule.threat.technique.subtechnique]]
249id = "T1505.003"
250name = "Web Shell"
251reference = "https://attack.mitre.org/techniques/T1505/003/"
252
253[rule.threat.tactic]
254id = "TA0003"
255name = "Persistence"
256reference = "https://attack.mitre.org/tactics/TA0003/"
257
258[[rule.threat]]
259framework = "MITRE ATT&CK"
260
261[[rule.threat.technique]]
262id = "T1059"
263name = "Command and Scripting Interpreter"
264reference = "https://attack.mitre.org/techniques/T1059/"
265
266[[rule.threat.technique.subtechnique]]
267id = "T1059.004"
268name = "Unix Shell"
269reference = "https://attack.mitre.org/techniques/T1059/004/"
270
271[rule.threat.tactic]
272id = "TA0002"
273name = "Execution"
274reference = "https://attack.mitre.org/tactics/TA0002/"
275
276[[rule.threat]]
277framework = "MITRE ATT&CK"
278
279[[rule.threat.technique]]
280id = "T1071"
281name = "Application Layer Protocol"
282reference = "https://attack.mitre.org/techniques/T1071/"
283
284[[rule.threat.technique]]
285id = "T1095"
286name = "Non-Application Layer Protocol"
287reference = "https://attack.mitre.org/techniques/T1095/"
288
289[[rule.threat.technique]]
290id = "T1105"
291name = "Ingress Tool Transfer"
292reference = "https://attack.mitre.org/techniques/T1105/"
293
294[rule.threat.tactic]
295id = "TA0011"
296name = "Command and Control"
297reference = "https://attack.mitre.org/tactics/TA0011/"
298
299[[rule.threat]]
300framework = "MITRE ATT&CK"
301
302[[rule.threat.technique]]
303id = "T1552"
304name = "Unsecured Credentials"
305reference = "https://attack.mitre.org/techniques/T1552/"
306
307[[rule.threat.technique.subtechnique]]
308id = "T1552.001"
309name = "Credentials In Files"
310reference = "https://attack.mitre.org/techniques/T1552/001/"
311
312[rule.threat.tactic]
313id = "TA0006"
314name = "Credential Access"
315reference = "https://attack.mitre.org/tactics/TA0006/"
316
317[[rule.threat]]
318framework = "MITRE ATT&CK"
319
320[[rule.threat.technique]]
321id = "T1190"
322name = "Exploit Public-Facing Application"
323reference = "https://attack.mitre.org/techniques/T1190/"
324
325[rule.threat.tactic]
326id = "TA0001"
327name = "Initial Access"
328reference = "https://attack.mitre.org/tactics/TA0001/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Web Server Exploitation Detected via Defend for Containers

This rule flags Linux container activity where a web server (or typical web-service account) executes a suspicious process, a strong indicator of web app exploitation rather than normal request handling. It matters because this pattern commonly marks initial foothold and post-exploitation execution that can lead to persistence and lateral movement from the service container. A typical attacker flow drops a web shell or abuses RCE to launch sh -c and pull or run a secondary payload (e.g., reverse shell).

Possible investigation steps

  • Capture the full executed command line and decode/normalize any obfuscation (base64, hex, URL encoding) to determine the operator intent and any payload retrieval or reverse-shell behavior.
  • Correlate the execution timestamp with web access/error logs and ingress/WAF events to identify the triggering request path, parameters, and source IP/user-agent indicating RCE or web-shell invocation.
  • Inspect recent file and permission changes in the container’s application and web directories (including temp and upload paths) to identify newly dropped scripts/binaries, cron entries, or modified server configs.
  • Review container and orchestration context (image tag/digest, recent deploys, exec sessions, and Kubernetes events) to determine whether the activity aligns with a legitimate rollout or represents in-container compromise.
  • Check network telemetry for the container around the event for suspicious outbound connections, DNS lookups, or downloads, then pivot to any contacted hosts to assess command-and-control or staging infrastructure.

False positive analysis

  • A web application or server-side script running under the web-service account legitimately invokes sh -c (e.g., to run maintenance tasks like log rotation, cache rebuilds, file conversions, or templating/asset compilation) from a web directory such as /var/www/*, causing the web server to spawn a shell child process.
  • During container startup or a deployment/health-check routine, the web server process launches a shell via sh -c to perform initialization (e.g., environment substitution, dynamic configuration generation, permission fixes, or calling bundled helper scripts), which can resemble exploitation when the parent is a web server and the child is a shell.

Response and remediation

  • Immediately isolate the affected container/pod from inbound and outbound traffic (quarantine namespace/security group or apply a deny-all NetworkPolicy) and stop the workload to prevent further sh -c execution and potential C2.
  • Preserve evidence by exporting the container filesystem and logs (web access/error logs, application logs, and process output) and capture the exact shell command string and any downloaded payloads or newly created files in web roots, temp, and upload directories.
  • Eradicate by removing any identified web shells/backdoors and reverting unauthorized changes, then rebuild and redeploy the service from a known-good image digest while rotating secrets exposed to the container (service tokens, database creds, API keys).
  • Recover by validating application integrity and behavior post-redeploy (no unexpected shell spawns, no abnormal outbound connections, clean health checks) and monitor the previously contacted IPs/domains for further callbacks from other workloads.
  • Escalate to incident response and platform security immediately if the shell command indicates payload retrieval, reverse shell activity, credential access, or if similar sh -c executions are observed across multiple containers/namespaces.
  • Harden by removing shell binaries from runtime images where feasible, enforcing non-root and read-only filesystems, restricting egress to required destinations only, disabling risky interpreter execution paths in the web app, and adding WAF/RCE protections for the identified vulnerable endpoint.

Related rules

to-top