Suspicious Process By Web Server Process

Detects potentially suspicious processes being spawned by a web server process, which could be the result of a successfully placed web shell or of exploitation

Sigma rule (View on GitHub)

title: Suspicious Process By Web Server Process
id: 8202070f-edeb-4d31-a010-a26c72ac5600
status: test
description: |
        Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
references:
    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-11-26
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1505.003
    - attack.t1190
# Windows process-creation telemetry (e.g. Sysmon EID 1 / Security 4688 as mapped by the backend);
# the rule relies on Image, ParentImage, CommandLine and ParentCommandLine being populated.
logsource:
    category: process_creation
    product: windows
detection:
    # Parent is a well-known web / application server binary. All matches below are
    # suffix matches on the file name, so a renamed copy of one of these binaries is
    # not covered; pairing with OriginalFileName is a common hardening if the backend has it.
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\php.exe'
            - '\tomcat.exe'
            - '\UMWorkerProcess.exe'  # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
            - '\w3wp.exe'
            - '\ws_TomcatService.exe'
    # Tomcat hosted directly by a JVM: recognised by a Tomcat-looking directory in the
    # parent's image path (both keys of this selection must match).
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    # Tomcat hosted by a JVM whose command line carries Catalina hints; catches installs
    # whose image path does not contain "tomcat".
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentCommandLine|contains:
            - 'CATALINA_HOME'
            - 'catalina.home'
            - 'catalina.jar'
    # Child processes a web server rarely has a legitimate reason to start: command
    # shells and script hosts, host/network/AD enumeration tools, service/registry/
    # scheduler utilities and download-capable system binaries. Same file-name-only
    # caveat as above applies.
    selection_anomaly_children:
        Image|endswith:
            - '\arp.exe'
            - '\at.exe'
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\dsget.exe'
            - '\hostname.exe'
            - '\nbtstat.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netdom.exe'
            - '\netsh.exe'
            - '\nltest.exe'
            - '\ntdsutil.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\qprocess.exe'
            - '\query.exe'
            - '\qwinsta.exe'
            - '\reg.exe'
            - '\rundll32.exe'
            - '\sc.exe'
            - '\sh.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wusa.exe'
    # Known benign activity of ManageEngine ADManager Plus (Java-hosted) launching its
    # bundled Elasticsearch. The literal is an exact tail match: the node name and the
    # quoting are fixed, so any deviation in the environment makes the filter not apply.
    # NOTE(review): the double quote sits mid-path ("Plus\ES\...") in this literal -
    # confirm it reflects the command line as actually logged.
    filter_main_fp_1:
        ParentImage|endswith: '\java.exe'
        CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
    # ADManager Plus querying its own service state; both substrings must be present.
    filter_main_fp_2:
        ParentImage|endswith: '\java.exe'
        CommandLine|contains|all:
            - 'sc query'
            - 'ADManager Plus'
    # Any one web-server parent selection, AND a suspicious child image, AND none of
    # the ManageEngine false-positive filters.
    condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
falsepositives:
    - Particular web applications may spawn a shell process legitimately
level: high
