Linux Webshell Indicators

calendar Nov 2, 2023 · attack.persistence attack.t1505.003  ·
Share on: linkedin copy

Detects suspicious sub processes of web server processes

Sigma rule (View on GitHub)

 1title: Linux Webshell Indicators
 2id: 818f7b24-0fba-4c49-a073-8b755573b9c7
 3status: test
 4description: Detects suspicious sub processes of web server processes
 5references:
 6    - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
 7    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
 8author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 9date: 2021/10/15
10modified: 2022/12/28
11tags:
12    - attack.persistence
13    - attack.t1505.003
14logsource:
15    product: linux
16    category: process_creation
17detection:
18    selection_general:
19        ParentImage|endswith:
20            - '/httpd'
21            - '/lighttpd'
22            - '/nginx'
23            - '/apache2'
24            - '/node'
25            - '/caddy'
26    selection_tomcat:
27        ParentCommandLine|contains|all:
28            - '/bin/java'
29            - 'tomcat'
30    selection_websphere:  # ? just guessing
31        ParentCommandLine|contains|all:
32            - '/bin/java'
33            - 'websphere'
34    sub_processes:
35        Image|endswith:
36            - '/whoami'
37            - '/ifconfig'
38            - '/ip'
39            - '/bin/uname'
40            - '/bin/cat'
41            - '/bin/crontab'
42            - '/hostname'
43            - '/iptables'
44            - '/netstat'
45            - '/pwd'
46            - '/route'
47    condition: 1 of selection_* and sub_processes
48falsepositives:
49    - Web applications that invoke Linux command line tools
50level: high

References

  • Web Shells 101 Using PHP (Web Shells Part 2) | Acunetix

    Second part in the series: An Introduction to Web Shells. Here we focus on Web-shells 101 using PHP - the most widely-used programming language on the web


    Read More

  • %PDF-1.6 %âãÏÓ 1276 0 obj endobj 1306 0 obj /Filter/FlateDecode/ID[ ]/Index[1276 48]/Info 1275 0 R/Length 136/Prev 491239/Root 1277 0 R/Size 1324/Type/XRef/W[1 3 1]>>stream hÞbbd```b``ù"Ö€H¦› ’µ...


    Read More

Related rules

to-top