Php Inline Command Execution
Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
Sigma rule (View on GitHub)
1title: Php Inline Command Execution
2id: d81871ef-5738-47ab-9797-7a9c90cd4bfb
3status: test
4description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
5references:
6 - https://www.php.net/manual/en/features.commandline.php
7 - https://www.revshells.com/
8 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023/01/02
11tags:
12 - attack.execution
13 - attack.t1059
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\php.exe'
20 - OriginalFileName: 'php.exe'
21 selection_cli:
22 CommandLine|contains: ' -r'
23 condition: all of selection_*
24falsepositives:
25 - Unknown
26level: medium
References
-
Spawning php-win.exe as a child process to handle scripting in Windows applications has a few quirks (all having to do with pipes between Windows apps and console apps). To do this in C++: // We wi...
Read More -
Online Reverse Shell generator with Local Storage functionality, URI & Base64 Encoding, MSFVenom Generator, and Raw Mode. Great for CTFs.
Read More -
If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell. If it’s not possible to add a new accou...
Read More
Related rules
- Perl Inline Command Execution
- Ruby Inline Command Execution
- Suspicious Execution via macOS Script Editor
- Use of Pcalua For Execution
- DarkGate - Autoit3.EXE Execution Parameters