Unusual Child Execution via Web Server
This rule leverages the "new_terms" rule type to detect unusual child process executions originating from web server processes on Linux systems. Attackers may exploit web servers to maintain persistence on a compromised system, often resulting in atypical child process executions. Because child processes spawned by web server parents are common and mostly benign, the "new_terms" rule type is used to surface only combinations of command line, host, and executable that have not been seen before, rather than every spawn.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/06/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/06/01"

[rule]
author = ["Elastic"]
description = """
This rule leverages the "new_terms" rule type to detect unusual child process executions originating
from web server processes on Linux systems. Attackers may exploit web servers to maintain persistence
on a compromised system, often resulting in atypical child process executions. As child process spawns
from web server parent processes are common, the "new_terms" rule type approach helps identify deviations
from normal behavior.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Child Execution via Web Server"
note = """ ## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Child Execution via Web Server

This alert flags a Linux web service starting a child program it does not normally launch, which can reveal a compromised application server being used for persistence or follow-on actions. A common pattern is an attacker exploiting a web app bug, then making nginx, Apache, or a Python app server spawn a shell or script interpreter that downloads tools, runs system commands, or installs a backdoor under the web service context.

### Possible investigation steps

- Review the full parent-to-descendant execution chain to determine whether the web service launched a shell, interpreter, downloader, or archive utility that then executed additional payloads.
- Correlate the process start time with web access, error, reverse-proxy, and WAF logs to identify the triggering request, source IP, requested path, upload activity, and signs of exploitation such as command injection or remote file inclusion.
- Determine whether the spawned program is part of a legitimate deployment or maintenance task by validating its file path, package ownership, hash, modification time, deployment records, and recent change windows.
- Examine activity under the web service account around the alert for suspicious file writes, new scheduled tasks or service entries, privilege escalation attempts, credential access, and unusual outbound network connections.
- If the execution is not explained by approved application behavior, contain the affected host or web service, preserve forensic artifacts, remove unauthorized files or persistence mechanisms, rotate exposed secrets, and hunt for the same behavior across other internet-facing servers.

### False positive analysis

- A newly deployed or updated web application may legitimately cause the web server or app server to launch a previously unseen helper binary for application functionality, so verify the child executable path, package ownership, and command line against recent approved deployment or configuration changes.
- A CGI, FastCGI, or application framework process may spawn a custom maintenance or content-processing program only for specific requests, so confirm the parent-child relationship by correlating the execution time and arguments with the triggering web request and expected application behavior.

### Response and remediation

- Immediately isolate the affected Linux web host or remove it from the load balancer, stop the compromised web service if business impact allows, and block the source IPs and outbound destinations associated with the malicious child process and any follow-on downloads.
- Preserve forensic evidence and remove persistence by collecting the suspicious executable or script, web-accessible backdoors, recent uploads, cron jobs, systemd service files, rc.local changes, modified SSH authorized_keys entries, and any attacker-created accounts before deleting them.
- Terminate all attacker-controlled processes spawned by the web service, then delete dropped payloads and staging files from locations such as /tmp, /var/tmp, /dev/shm, and the web root, and revert any unauthorized permission, sudoers, or startup changes used to maintain execution.
- Restore the application and host to a known-good state by rebuilding from a trusted image or clean backup, redeploying verified packages and web content, rotating credentials and tokens exposed on the server, and confirming no unauthorized binaries or modified files remain.
- Escalate to incident response immediately if the web child process launched a shell or interpreter, established outbound command-and-control traffic, modified authentication material, moved laterally, or if sensitive data, production secrets, or customer-facing systems may have been exposed.
- Harden the environment by patching the exploited web component, disabling unnecessary script execution from upload and web content directories, enforcing least privilege for the web service account, restricting outbound network access, and expanding monitoring for similar child-process launches and persistence artifacts across peer web servers.

"""
risk_score = 47
rule_id = "b2f0ea08-2b60-4a2d-93d7-fe996a30031a"
severity = "medium"
tags = [
 "Domain: Endpoint",
 "Domain: Web",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Data Source: Elastic Defend",
 "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:process and host.os.type:linux and event.type:start and event.action:exec and (
 process.parent.name:(
 apache2 or asterisk or caddy or daphne or flask or frankenphp or httpd or httpd.worker or
 lswsctrl or mongrel_rails or nginx or php-cgi or php-cgi.cagefs or php-fcgi or starman or
 sw-engine-fpm or uvicorn or uwsgi or varnishd or waitress-serve or zabbix_server or *.cgi
 or *.fcgi or gunicorn* or php-fpm*
 ) or
 process.parent.name:ruby* and process.parent.command_line:(*passenger* or *puma* or *rails*) or
 process.parent.name:python* and process.parent.command_line:(
 *app.py* or *asgi.py* or *django* or *flask* or *hypercorn* or *server.py* or *uvicorn* or *wsgi.py*
 ) or
 process.parent.name:perl* and process.parent.command_line:*plackup* or
 process.parent.name:java and process.parent.args:(
 com.atlassian.jira.startup.Launcher or com.caucho.server.resin.Resin or com.google.gerrit.pgm.Daemon or
 com.ibm.ws.kernel.boot.cmdline.Bootstrap or com.ibm.ws.runtime.WsServer or
 com.sun.enterprise.glassfish.bootstrap.ASMain or io.dropwizard.cli.ServerCommand or
 io.helidon.microprofile.server.Main or io.micronaut.runtime.Micronaut or io.quarkus.runner.GeneratedMain or
 io.vertx.core.Launcher or org.apache.catalina.startup.Bootstrap or org.eclipse.jetty.start.Main or
 org.elasticsearch.bootstrap.Elasticsearch or org.jboss.modules.Main or play.core.server.ProdServerStart or
 weblogic.Server or *-Dsolr.solr.home=* or *BitbucketServerLauncher* or *jenkins.war* or *quarkus-run.jar* or
 *weblogic-launcher.jar* or -Dcatalina.base=* or -Djboss.home.dir=* or -Djetty.home=* or -Dweblogic.Name=* or
 io.helidon.webserver* or org.apereo.cas* or org.keycloak* or org.springframework.boot.loader.*
 )
) and
process.executable:* and process.command_line:* and
not (
 process.name:(
 arp or aws or az or base16 or base32 or base64 or base64mime or base64pem or base64plain or base64url or
 basenc or basez or bash or busybox or cat or chmod or chpasswd or cp or crictl or csh or ctr or curl or dash or
 df or dig or docker or du or fish or gcloud or helm or host or htop or ifconfig or ip or ksh or kubectl or ln or
 lsblk or lsof or ltrace or mkdir or mksh or mv or nc or nc.openbsd or nc.traditional or ncat or netcat or ngrok or
 nmap or nslookup or openssl or passwd or rm or sh or socat or ss or strace or sudo or tcpdump or tcsh or telnet or
 top or touch or traceroute or wget or whoami or xxd or zsh or *.bin or *.elf or *.jar or *.lua* or *.mjs or
 *.js or *.php* or *.pl or *.py or *.rb or *.sh or .*
 ) or
 process.executable:(
 ./* or /boot/* or /dev/shm/* or /home/*/* or /lost+found/* or /proc/* or /root/* or /run/* or /sys/* or /tmp/* or
 /var/mail/* or /var/run/* or /var/tmp/* or /var/www/*
 ) or
 process.parent.name:java and not process.parent.executable:/u0*/* or
 process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/db_* or /u0*/app/oracle/product/*/dbhome_* or /var/www/*edoc*) or
 process.args:(/usr/bin/rsvg-convert* or /usr/local/bin/wkhtmltopdf*) or
 process.command_line:*/opt/sc/bin/showvulns*
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"

[[rule.threat.technique.subtechnique]]
id = "T1505.003"
name = "Web Shell"
reference = "https://attack.mitre.org/techniques/T1505/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.new_terms]
field = "new_terms_fields"
value = ["process.command_line", "host.id", "process.executable"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
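To show how the rule's two layers interact (the KQL filter on the parent/child pair, then the new_terms check on the command line, host, and executable tuple over a 7-day history window), here is an added Python replay over constructed process events. This is illustrative code, not Elastic's implementation: the parent and exclusion lists are an abbreviated subset of the query above, and the last-seen logic is a simplification of how Kibana evaluates new terms.

```python
import fnmatch
from datetime import datetime, timedelta

# Abbreviated subset of the rule's parent list and child exclusions (constructed for illustration).
WEB_PARENTS = ["apache2", "httpd", "nginx", "php-fpm*", "gunicorn*", "*.cgi"]
EXCLUDED_CHILD_NAMES = ["sh", "bash", "curl", "wget", "cat", "whoami", "*.sh", "*.py"]
EXCLUDED_EXEC_PATHS = ["/tmp/*", "/dev/shm/*", "/var/tmp/*", "/var/www/*"]
NEW_TERMS_FIELDS = ("process.command_line", "host.id", "process.executable")
HISTORY_WINDOW = timedelta(days=7)  # history_window_start = "now-7d"

def matches_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def matches_query(ev):
    """Approximates the KQL filter: Linux exec by a web-server parent, minus the noisy exclusions."""
    if ev["host.os.type"] != "linux" or ev["event.action"] != "exec":
        return False
    if not matches_any(ev["process.parent.name"], WEB_PARENTS):
        return False
    if matches_any(ev["process.name"], EXCLUDED_CHILD_NAMES):
        return False
    return not matches_any(ev["process.executable"], EXCLUDED_EXEC_PATHS)

def new_terms_alerts(events):
    """Replay events in time order; alert only when the new_terms tuple was not seen in the prior window."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        key = tuple(ev[f] for f in NEW_TERMS_FIELDS)
        prev = last_seen.get(key)
        if prev is None or ev["@timestamp"] - prev > HISTORY_WINDOW:
            alerts.append(ev)
        last_seen[key] = ev["@timestamp"]
    return alerts

def make_event(day, parent, name, executable, command_line, host="web-01"):
    return {"@timestamp": datetime(2026, 6, 1) + timedelta(days=day), "host.os.type": "linux",
            "event.action": "exec", "host.id": host, "process.parent.name": parent,
            "process.name": name, "process.executable": executable, "process.command_line": command_line}

# Constructed sample telemetry: a routine helper, its repeat, two excluded cases, one unseen binary.
SAMPLE_EVENTS = [
    make_event(0, "nginx", "php", "/usr/bin/php", "php /srv/app/cron.php"),
    make_event(1, "nginx", "php", "/usr/bin/php", "php /srv/app/cron.php"),   # same tuple within 7d: suppressed
    make_event(2, "apache2", "whoami", "/usr/bin/whoami", "whoami"),            # excluded by process.name
    make_event(3, "php-fpm8.2", "x", "/tmp/x", "/tmp/x"),                        # excluded by executable path
    make_event(4, "httpd", "sync-agent", "/usr/local/bin/sync-agent", "/usr/local/bin/sync-agent -c"),
    make_event(12, "nginx", "php", "/usr/bin/php", "php /srv/app/cron.php"),   # 11 days after last seen: new again
]
```

Note that the excluded-path and excluded-name cases fall out of this rule entirely; in the real ruleset those are covered by the sibling rules listed under Related rules, which is why a /tmp payload does not alert here.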
Related rules
- Unusual Command Execution via Web Server
- Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation
- Initial Access via File Upload Followed by GET Request
- Deprecated - Uncommon Destination Port Connection by Web Server
- Deprecated - Unusual Command Execution from Web Server Parent