Php Inline Command Execution
Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
Sigma rule (View on GitHub)
1title: Php Inline Command Execution
2id: d81871ef-5738-47ab-9797-7a9c90cd4bfb
3status: test
4description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
5references:
6 - https://www.php.net/manual/en/features.commandline.php
7 - https://www.revshells.com/
8 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023-01-02
11tags:
12 - attack.execution
13 - attack.t1059
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\php.exe'
20 - OriginalFileName: 'php.exe'
21 selection_cli:
22 CommandLine|contains: ' -r'
23 condition: all of selection_*
24falsepositives:
25 - Unknown
26level: medium
References
-
PHP is a popular general-purpose scripting language that powers everything from your blog to the most popular websites in the world.
Read More -
Online Reverse Shell generator with Local Storage functionality, URI & Base64 Encoding, MSFVenom Generator, and Raw Mode. Great for CTFs.
Read More -
If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell. If it’s not possible to add a new accou...
Read More
Related rules
- Abusable DLL Potential Sideloading From Suspicious Location
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Atlassian Confluence CVE-2022-26134
- Azure New CloudShell Created