Unusual Web Server Command Execution

This rule leverages the "new_terms" rule type to detect unusual command executions originating from web server processes on Linux systems. Attackers may exploit web servers to maintain persistence on a compromised system, often resulting in atypical command executions. As command execution from web server parent processes is common, the "new_terms" rule type approach helps to identify deviations from normal behavior.

Elastic rule (View on GitHub)

# Elastic prebuilt detection rule (new_terms type) for shell commands
# spawned under Linux web servers. Only the TOML outside the quoted
# strings may carry comments: the query is KQL, which has no comment
# syntax, so any '#' inside the ''' block would become part of the query.
[metadata]
creation_date = "2025/12/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/12/02"

[rule]
author = ["Elastic"]
description = """
This rule leverages the "new_terms" rule type to detect unusual command executions originating from web server processes on Linux systems.
Attackers may exploit web servers to maintain persistence on a compromised system, often resulting in atypical command executions. As
command execution from web server parent processes is common, the "new_terms" rule type approach helps to identify deviations from normal
behavior.
"""
# Query time range per rule run; the new_terms baseline is the separate
# 14-day window configured under [rule.new_terms] at the bottom.
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Web Server Command Execution"
risk_score = 47
rule_id = "65f28c4d-cfc8-4847-9cca-f2fb1e319151"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "Domain: Web",
  "OS: Linux",
  "Use Case: Threat Detection",
  "Tactic: Persistence",
  "Data Source: Elastic Defend",
]
# Evaluate against ingest time instead of the event's own timestamp
# (Elastic's usual way to avoid dropping late-arriving events from the
# 9-minute window above).
timestamp_override = "event.ingested"
type = "new_terms"
# Query structure (KQL; all four parts are AND-ed):
#   1. Linux process exec events whose parent is a known web server or
#      interpreter name, OR whose user is a typical web-server account by
#      name, OR whose numeric uid is 33/498/48/54321;
#   2. working directory under a web-content or application root
#      (/var/www, /usr/share/nginx, /srv/www, /srv/http, */webapps/,
#      per-user public_html or www, /opt/*, /u0*/*);
#   3. the child is a Unix shell (bash, dash, sh, tcsh, csh, zsh, ksh,
#      fish) invoked with "-c" and a non-empty command line;
#   4. minus tuning exclusions: interpreters (python/ruby/perl/php)
#      launched from stock install paths, java parents not under /u0*,
#      node from editor or Plesk paths, Oracle-related working
#      directories, any parent executing from /tmp, and commands carrying
#      a /usr/local/bin/wkhtmltopdf* argument.
# NOTE(review): because part 4 removes interpreters at their stock paths,
# the interpreter-parent branch of part 1 effectively only covers
# interpreters run from non-standard locations — intended, presumably, but
# worth stating in the rule's investigation guide.
# NOTE(review): the /tmp/* parent exclusion and the wkhtmltopdf exclusion
# (the only one keyed on the child's own process.args rather than on the
# parent) both narrow coverage; confirm they are still required by the
# environments that produced the false positives.
# NOTE(review): /users/*/.vscode-server/* is lowercase; keyword matching is
# case-sensitive, so confirm this spelling occurs in Linux telemetry.
# NOTE(review): the uid list (33, 498, 48, 54321) is presumably the
# www-data/apache/oracle-style service accounts of specific distros —
# verify against the fleet's actual uid assignments.
query = '''
event.category:process and host.os.type:linux and event.type:start and event.action:exec and (
  process.parent.name:(
    "apache" or "nginx" or "apache2" or "httpd" or "lighttpd" or "caddy" or "mongrel_rails" or "haproxy" or
    "gunicorn" or "uwsgi" or "openresty" or "cherokee" or "h2o" or "resin" or "puma" or "unicorn" or "traefik" or "uvicorn" or
    "tornado" or "hypercorn" or "daphne" or "twistd" or "yaws" or "webfsd" or "httpd.worker" or "flask" or "rails" or "mongrel" or
    php* or ruby* or perl* or python* or "node" or "java"
  ) or
  user.name:("apache" or "www-data" or "httpd" or "nginx" or "lighttpd" or "tomcat" or "tomcat8" or "tomcat9") or
  user.id:("33" or "498" or "48" or "54321")
) and process.working_directory:(
  /var/www/* or
  /usr/share/nginx/* or
  /srv/www/* or
  /srv/http/* or
  */webapps/* or
  /home/*/public_html/* or
  /home/*/www/* or
  /opt/* or
  /u0*/*
) and
process.command_line:* and process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and process.args:"-c" and
not (
  (process.parent.name:java and not process.parent.executable:/u0*/*) or
  (process.parent.name:python* and process.parent.executable:(/bin/python* or /usr/bin/python* or /usr/local/bin/python* or /tmp/*python* or /opt/oracle.ahf/python/*)) or
  (process.parent.name:ruby* and process.parent.executable:(/bin/ruby* or /usr/bin/ruby* or /usr/local/bin/ruby* or /tmp/*ruby* or /bin/ruby or /usr/bin/ruby or /usr/local/bin/ruby)) or
  (process.parent.name:perl* and process.parent.executable:(/bin/perl* or /usr/bin/perl* or /usr/local/bin/perl* or /tmp/*perl* or /bin/perl or /usr/bin/perl or /usr/local/bin/perl)) or
  (process.parent.name:php* and process.parent.executable:(/bin/php* or /usr/bin/php* or /usr/local/bin/php* or /tmp/*php* or /bin/php or /usr/bin/php or /usr/local/bin/php)) or
  (process.parent.name:node and process.parent.executable:(/home/*/.vscode-server/* or /users/*/.vscode-server/* or /bin/node or /usr/bin/node or /usr/local/bin/node or /opt/plesk/node/*/bin/node)) or
  process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/dbhome_* or /u0*/app/oracle/product/*/db_* or /var/www/*edoc*) or
  process.parent.executable:/tmp/* or
  process.args:/usr/local/bin/wkhtmltopdf*
)
'''

# ATT&CK mapping 1: Persistence via a web shell (T1505.003).
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"

[[rule.threat.technique.subtechnique]]
id = "T1505.003"
name = "Web Shell"
reference = "https://attack.mitre.org/techniques/T1505/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

# ATT&CK mapping 2: Execution through a Unix shell (T1059.004), which is
# what the process.name / "-c" clause of the query matches.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# ATT&CK mapping 3: Command and Control over an application-layer protocol
# (T1071, no sub-technique), covering the web-shell channel itself.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

# new_terms configuration: the tracked term is the full command line, so a
# match only alerts when that process.command_line value has not been
# observed in the history window below. Rarely seen but benign commands
# (cron-like maintenance, one-off admin tasks) will therefore alert once.
[rule.new_terms]
field = "new_terms_fields"
value = ["process.command_line"]

# Baseline period used to decide whether a command line is "new".
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
