Linux Webshell Indicators

Detects suspicious sub processes of web server processes

Sigma rule (View on GitHub)

 1title: Linux Webshell Indicators
 2id: 818f7b24-0fba-4c49-a073-8b755573b9c7
 3status: test
 4description: Detects suspicious sub processes of web server processes
 5references:
 6    - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
 7    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
 8author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 9date: 2021-10-15
10modified: 2022-12-28
11tags:
12    - attack.persistence
13    - attack.t1505.003
14logsource:
15    product: linux
16    category: process_creation
17detection:
18    selection_general:
19        ParentImage|endswith:
20            - '/httpd'
21            - '/lighttpd'
22            - '/nginx'
23            - '/apache2'
24            - '/node'
25            - '/caddy'
26    selection_tomcat:
27        ParentCommandLine|contains|all:
28            - '/bin/java'
29            - 'tomcat'
30    selection_websphere:  # ? just guessing
31        ParentCommandLine|contains|all:
32            - '/bin/java'
33            - 'websphere'
34    sub_processes:
35        Image|endswith:
36            - '/whoami'
37            - '/ifconfig'
38            - '/ip'
39            - '/bin/uname'
40            - '/bin/cat'
41            - '/bin/crontab'
42            - '/hostname'
43            - '/iptables'
44            - '/netstat'
45            - '/pwd'
46            - '/route'
47    condition: 1 of selection_* and sub_processes
48falsepositives:
49    - Web applications that invoke Linux command line tools
50level: high

References

Related rules

to-top