Suspicious Process By Web Server Process
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
Sigma rule
title: Suspicious Process By Web Server Process
id: 8202070f-edeb-4d31-a010-a26c72ac5600
status: test
description: |
    Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
references:
    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-11-11
tags:
    - attack.persistence
    - attack.t1505.003
    - attack.t1190
logsource:
    category: process_creation
    product: windows
detection:
    # Web servers that run as their own binary and can be matched on the parent image alone
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\php.exe'
            - '\tomcat.exe'
            - '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
            - '\w3wp.exe'
            - '\ws_TomcatService.exe'
    # Tomcat normally runs under java.exe/javaw.exe, so it is recognised by its install path ...
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    # ... or by the Catalina properties/jar on the parent command line
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentCommandLine|contains:
            - 'CATALINA_HOME'
            - 'catalina.home'
            - 'catalina.jar'
    # Shells, scripting hosts, LOLBins and recon/AD tooling that a web server has no reason to spawn
    selection_anomaly_children:
        Image|endswith:
            - '\arp.exe'
            - '\at.exe'
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\dsget.exe'
            - '\hostname.exe'
            - '\nbtstat.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netdom.exe'
            - '\netsh.exe'
            - '\nltest.exe'
            - '\ntdsutil.exe' # AD database maintenance tool (the binary is ntdsutil.exe; "ntdutil.exe" matches nothing)
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\qprocess.exe'
            - '\query.exe'
            - '\qwinsta.exe'
            - '\reg.exe'
            - '\rundll32.exe'
            - '\sc.exe'
            - '\sh.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wusa.exe'
    # Known benign activity of ManageEngine ADManager Plus, which runs under java.exe
    filter_main_fp_1:
        ParentImage|endswith: '\java.exe'
        CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
    filter_main_fp_2:
        ParentImage|endswith: '\java.exe'
        CommandLine|contains|all:
            - 'sc query'
            - 'ADManager Plus'
    condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
falsepositives:
    - Particular web applications may spawn a shell process legitimately
level: high
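The following is an added example, not code from the Sigma project or from this rule's authors: a small Python evaluator that mirrors the rule's detection logic (the three parent selections, the anomaly child list, the two ManageEngine filters and the condition) and runs it over five constructed process_creation events. It assumes Sigma's default case-insensitive string matching for the endswith/contains modifiers and uses the Sigma field names (Image, ParentImage, CommandLine, ParentCommandLine). All sample paths and command lines are constructed, including the assumption that ADManager Plus launches java.exe with a catalina.home property.

```python
# Added example: hand-written evaluator for the rule's detection logic.
# Not a Sigma backend; it only mirrors the modifiers the rule uses.

WEBSERVER_IMAGES = (
    r"\caddy.exe", r"\httpd.exe", r"\nginx.exe", r"\php-cgi.exe", r"\php.exe",
    r"\tomcat.exe", r"\UMWorkerProcess.exe", r"\w3wp.exe", r"\ws_TomcatService.exe",
)
JAVA_IMAGES = (r"\java.exe", r"\javaw.exe")
TOMCAT_PATH_MARKERS = ("-tomcat-", r"\tomcat")
CATALINA_MARKERS = ("CATALINA_HOME", "catalina.home", "catalina.jar")
ANOMALY_CHILDREN = (
    r"\arp.exe", r"\at.exe", r"\bash.exe", r"\bitsadmin.exe", r"\certutil.exe",
    r"\cmd.exe", r"\cscript.exe", r"\dsget.exe", r"\hostname.exe", r"\nbtstat.exe",
    r"\net.exe", r"\net1.exe", r"\netdom.exe", r"\netsh.exe", r"\nltest.exe",
    r"\ntdsutil.exe", r"\powershell_ise.exe", r"\powershell.exe", r"\pwsh.exe",
    r"\qprocess.exe", r"\query.exe", r"\qwinsta.exe", r"\reg.exe", r"\rundll32.exe",
    r"\sc.exe", r"\sh.exe", r"\wmic.exe", r"\wscript.exe", r"\wusa.exe",
)
FP1_CMDLINE_SUFFIX = (r'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager '
                      r'"Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt')
FP2_CMDLINE_ALL = ("sc query", "ADManager Plus")


def _endswith(value, suffixes):
    """Sigma |endswith: case-insensitive suffix match against any listed value."""
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains(value, needles):
    """Sigma |contains: case-insensitive substring match against any listed value."""
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)


def is_webserver_parent(ev):
    """1 of selection_webserver_*: dedicated server binary, or java.exe that looks like Tomcat."""
    parent = ev.get("ParentImage", "")
    if _endswith(parent, WEBSERVER_IMAGES):
        return True
    if not _endswith(parent, JAVA_IMAGES):
        return False
    # Tomcat has no dedicated binary on Windows: it is recognised by its install
    # path (tomcat1) or by the Catalina properties on its command line (tomcat2).
    return (_contains(parent, TOMCAT_PATH_MARKERS)
            or _contains(ev.get("ParentCommandLine", ""), CATALINA_MARKERS))


def is_anomaly_child(ev):
    """selection_anomaly_children: the child image is on the explicit list."""
    return _endswith(ev.get("Image", ""), ANOMALY_CHILDREN)


def is_known_false_positive(ev):
    """1 of filter_main_*: the two ManageEngine ADManager Plus exclusions."""
    if not _endswith(ev.get("ParentImage", ""), (r"\java.exe",)):
        return False
    cmdline = ev.get("CommandLine", "")
    if _endswith(cmdline, (FP1_CMDLINE_SUFFIX,)):
        return True
    # |contains|all: every needle must be present
    return all(_contains(cmdline, (needle,)) for needle in FP2_CMDLINE_ALL)


def matches(ev):
    """The rule's condition."""
    return is_webserver_parent(ev) and is_anomaly_child(ev) and not is_known_false_positive(ev)


# Constructed sample events (not real telemetry); only the fields the rule reads.
SAMPLE_EVENTS = [
    {   # Web shell on IIS: the worker process spawns cmd.exe -> alert
        "id": "iis-cmd",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"cmd.exe" /c whoami',
    },
    {   # Tomcat under a stock JRE: only the catalina.home property identifies it -> alert
        "id": "tomcat-pwsh",
        "ParentImage": r"C:\Program Files\Java\jre1.8.0_301\bin\java.exe",
        "ParentCommandLine": r'"C:\Program Files\Java\jre1.8.0_301\bin\java.exe" -Dcatalina.home="C:\Tomcat9" org.apache.catalina.startup.Bootstrap start',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgA",
    },
    {   # A build tool under java.exe with no Tomcat characteristics -> not a web server parent
        "id": "plain-java-cmd",
        "ParentImage": r"C:\Program Files\Java\jdk-17\bin\java.exe",
        "ParentCommandLine": r'"C:\Program Files\Java\jdk-17\bin\java.exe" -jar C:\Tools\build.jar',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir",
    },
    {   # ADManager Plus (assumed: java.exe with a catalina.home property) querying
        # its own service -> would match, but filter_main_fp_2 suppresses it
        "id": "admanager-sc-query",
        "ParentImage": r"C:\ManageEngine\ADManager Plus\jre\bin\java.exe",
        "ParentCommandLine": r'"C:\ManageEngine\ADManager Plus\jre\bin\java.exe" -Dcatalina.home="C:\ManageEngine\ADManager Plus" org.apache.catalina.startup.Bootstrap start',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c sc query "ADManager Plus"',
    },
    {   # ASP.NET compiling a page: a w3wp.exe child that is not on the anomaly list -> no alert
        "id": "iis-csc",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0"',
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "CommandLine": r"csc.exe /noconfig /fullpaths @C:\Windows\Temp\abc.cmdline",
    },
]


def evaluate(events):
    """Map each event id to whether the rule fires on it."""
    return {ev["id"]: matches(ev) for ev in events}


if __name__ == "__main__":
    for event_id, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT ' if hit else 'ignore'}  {event_id}")
```

Two things the run makes visible that the YAML alone does not: the Tomcat cases fire only because of the parent command line, so a pipeline that drops ParentCommandLine loses them entirely, and the "iis-csc" case shows that selection_anomaly_children is an explicit list rather than "anything under w3wp.exe", so a child not on it (msbuild.exe, for instance) is outside this rule's scope. For production use, convert the rule with sigma-cli/pySigma for your backend; this evaluator is only for reasoning about what will and will not fire.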
Related rules
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Oracle WebLogic Exploit
- Suspicious Child Process Of SQL Server
- Suspicious File Drop by Exchange
- Suspicious MSExchangeMailboxReplication ASPX Write