Webshell Remote Command Execution

 1title: Webshell Remote Command Execution
 2id: c0d3734d-330f-4a03-aae2-65dacc6a8222
 3status: test
 4description: Detects possible command execution by web application/web shell
 5references:
 6    - Personal Experience of the Author
 7    - https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/
 8author: Ilyas Ochkov, Beyu Denis, oscd.community
 9date: 2019-10-12
10modified: 2025-06-03
11tags:
12    - attack.persistence
13    - attack.t1505.003
14logsource:
15    product: linux
16    service: auditd
17    definition: |
18        Required auditd configuration:
19        -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
20        -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
21        -a always,exit -F arch=b32 -S execveat -F euid=33 -k detect_execve_www
22        -a always,exit -F arch=b64 -S execveat -F euid=33 -k detect_execve_www
23        Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33        
24detection:
25    selection:
26        type: 'SYSCALL'
27        syscall:
28            - 'execve'
29            - 'execveat'
30        euid: 33
31    condition: selection
32falsepositives:
33    - Admin activity
34    - Crazy web applications
35level: critical

References

• Personal Experience of the Author

  
  Read More

• What is Command Injection? Exploitations and Security Best Practices

  

  Command injections are one of the most critical vulnerabilities in web security. This article presents how they work, exploitation methods and security best

  
  Read More

Related rules

• Suspicious Process By Web Server Process
• Chopper Webshell Process Pattern
• Webshell Detection With Command Line Keywords
• Webshell Hacking Activity Patterns
• Exchange WebShell Creation