Linux Webshell Indicators
Detects suspicious sub processes of web server processes
Sigma rule
title: Linux Webshell Indicators
id: 818f7b24-0fba-4c49-a073-8b755573b9c7
status: test
description: Detects suspicious sub processes of web server processes
references:
    - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-10-15
modified: 2022-12-28
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: linux
    category: process_creation
detection:
    selection_general:
        ParentImage|endswith:
            - '/httpd'
            - '/lighttpd'
            - '/nginx'
            - '/apache2'
            - '/node'
            - '/caddy'
    selection_tomcat:
        ParentCommandLine|contains|all:
            - '/bin/java'
            - 'tomcat'
    selection_websphere: # ? just guessing
        ParentCommandLine|contains|all:
            - '/bin/java'
            - 'websphere'
    sub_processes:
        Image|endswith:
            - '/whoami'
            - '/ifconfig'
            - '/ip'
            - '/bin/uname'
            - '/bin/cat'
            - '/bin/crontab'
            - '/hostname'
            - '/iptables'
            - '/netstat'
            - '/pwd'
            - '/route'
    condition: 1 of selection_* and sub_processes
falsepositives:
    - Web applications that invoke Linux command line tools
level: high
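The rule's condition `1 of selection_* and sub_processes` fires when any one of the parent-process selections holds and the child process is one of the listed reconnaissance binaries. The following Python script, added here as an illustration and not part of the Sigma project or its tooling, re-implements that logic in plain code and runs it over a handful of constructed process_creation events. It assumes events arrive as dicts whose keys mirror the rule's field names (ParentImage, ParentCommandLine, Image); the event ids and command lines are invented for the demonstration. Per the Sigma specification, string comparisons are case-insensitive, so the script lower-cases values before matching.

```python
"""Re-implementation of the 'Linux Webshell Indicators' detection logic.

Added example, not code from the Sigma project. Events are plain dicts whose
keys mirror the Sigma field names the rule uses: ParentImage,
ParentCommandLine and Image. All sample events below are constructed.
"""

# Values copied verbatim from the rule's detection section.
PARENT_IMAGE_SUFFIXES = ("/httpd", "/lighttpd", "/nginx", "/apache2", "/node", "/caddy")
TOMCAT_CMDLINE_ALL = ("/bin/java", "tomcat")
WEBSPHERE_CMDLINE_ALL = ("/bin/java", "websphere")
SUB_PROCESS_SUFFIXES = (
    "/whoami", "/ifconfig", "/ip", "/bin/uname", "/bin/cat", "/bin/crontab",
    "/hostname", "/iptables", "/netstat", "/pwd", "/route",
)


def _field(event, name):
    # Sigma treats values as case-insensitive strings by default;
    # a field that is absent from the event never matches.
    return str(event.get(name, "")).lower()


def _contains_all(value, needles):
    # 'contains|all': every listed substring must be present.
    return all(needle in value for needle in needles)


def selection_general(event):
    # ParentImage|endswith: the web server binary is the direct parent.
    return _field(event, "ParentImage").endswith(PARENT_IMAGE_SUFFIXES)


def selection_tomcat(event):
    # ParentCommandLine|contains|all: a Java process whose command line names Tomcat.
    return _contains_all(_field(event, "ParentCommandLine"), TOMCAT_CMDLINE_ALL)


def selection_websphere(event):
    return _contains_all(_field(event, "ParentCommandLine"), WEBSPHERE_CMDLINE_ALL)


def sub_processes(event):
    # Image|endswith: the child is one of the listed recon/enumeration tools.
    return _field(event, "Image").endswith(SUB_PROCESS_SUFFIXES)


def matches(event):
    """condition: 1 of selection_* and sub_processes"""
    any_selection = (
        selection_general(event) or selection_tomcat(event) or selection_websphere(event)
    )
    return bool(any_selection and sub_processes(event))


# Constructed sample process_creation events (hypothetical ids and paths).
SAMPLE_EVENTS = [
    {"id": "nginx-whoami", "ParentImage": "/usr/sbin/nginx",
     "ParentCommandLine": "nginx: worker process",
     "Image": "/usr/bin/whoami", "CommandLine": "whoami"},
    {"id": "tomcat-uname", "ParentImage": "/usr/lib/jvm/java-11-openjdk/bin/java",
     "ParentCommandLine": "/usr/lib/jvm/java-11-openjdk/bin/java -classpath "
                          "/opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start",
     "Image": "/bin/uname", "CommandLine": "uname -a"},
    {"id": "apache-php-worker", "ParentImage": "/usr/sbin/apache2",
     "ParentCommandLine": "/usr/sbin/apache2 -k start",
     "Image": "/usr/bin/php", "CommandLine": "php /var/www/cron.php"},
    {"id": "bash-cat", "ParentImage": "/bin/bash",
     "ParentCommandLine": "bash",
     "Image": "/bin/cat", "CommandLine": "cat /etc/hostname"},
    {"id": "mixed-case-ip", "ParentImage": "/usr/sbin/NGINX",
     "ParentCommandLine": "",
     "Image": "/usr/sbin/IP", "CommandLine": "ip addr"},
]


def alert_ids(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would fire on, in input order."""
    return [event["id"] for event in events if matches(event)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:18s} -> {'ALERT' if matches(event) else 'no match'}")
```

Two things the run makes visible: the Tomcat event is caught only through selection_tomcat, because its ParentImage ends in `/bin/java` rather than one of the web-server names, and the `apache-php-worker` and `bash-cat` events stay quiet because either the parent or the child side of the condition is missing. For tuning against the false positive the rule itself names, a web application that legitimately shells out to these tools would be handled by adding a filter selection for that application's parent command line rather than by trimming the sub_processes list.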
Related rules
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Certificate Request Export to Exchange Webserver
- Chopper Webshell Process Pattern
- DEWMODE Webshell Access
- Exchange Set OabVirtualDirectory ExternalUrl Property