Suspicious Process By Web Server Process

Detects potentially suspicious processes being spawned by a web server process, which could be the result of a successfully placed web shell or exploitation.

Sigma rule (View on GitHub)

 1title: Suspicious Process By Web Server Process
 2id: 8202070f-edeb-4d31-a010-a26c72ac5600
 3status: test
 4description: |
 5        Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
 6references:
 7    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
 8author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 9date: 2019/01/16
10modified: 2023/11/11
11tags:
12    - attack.persistence
13    - attack.t1505.003
14    - attack.t1190
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_webserver_image:
20        ParentImage|endswith:
21            - '\caddy.exe'
22            - '\httpd.exe'
23            - '\nginx.exe'
24            - '\php-cgi.exe'
25            - '\php.exe'
26            - '\tomcat.exe'
27            - '\UMWorkerProcess.exe'  # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
28            - '\w3wp.exe'
29            - '\ws_TomcatService.exe'
30    selection_webserver_characteristics_tomcat1:
31        ParentImage|endswith:
32            - '\java.exe'
33            - '\javaw.exe'
34        ParentImage|contains:
35            - '-tomcat-'
36            - '\tomcat'
37    selection_webserver_characteristics_tomcat2:
38        ParentImage|endswith:
39            - '\java.exe'
40            - '\javaw.exe'
41        ParentCommandLine|contains:
42            - 'CATALINA_HOME'
43            - 'catalina.home'
44            - 'catalina.jar'
45    selection_anomaly_children:
46        Image|endswith:
47            - '\arp.exe'
48            - '\at.exe'
49            - '\bash.exe'
50            - '\bitsadmin.exe'
51            - '\certutil.exe'
52            - '\cmd.exe'
53            - '\cscript.exe'
54            - '\dsget.exe'
55            - '\hostname.exe'
56            - '\nbtstat.exe'
57            - '\net.exe'
58            - '\net1.exe'
59            - '\netdom.exe'
60            - '\netsh.exe'
61            - '\nltest.exe'
62            - '\ntdutil.exe'
63            - '\powershell_ise.exe'
64            - '\powershell.exe'
65            - '\pwsh.exe'
66            - '\qprocess.exe'
67            - '\query.exe'
68            - '\qwinsta.exe'
69            - '\reg.exe'
70            - '\rundll32.exe'
71            - '\sc.exe'
72            - '\sh.exe'
73            - '\wmic.exe'
74            - '\wscript.exe'
75            - '\wusa.exe'
76    filter_main_fp_1:
77        ParentImage|endswith: '\java.exe'
78        CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
79    filter_main_fp_2:
80        ParentImage|endswith: '\java.exe'
81        CommandLine|contains|all:
82            - 'sc query'
83            - 'ADManager Plus'
84    condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
85falsepositives:
86    - Particular web applications may spawn a shell process legitimately
87level: high
