Unusual Web Server Command Execution
This rule leverages the "new_terms" rule type to detect unusual command executions originating from web server processes on Linux systems. Attackers may exploit web servers to maintain persistence on a compromised system, often resulting in atypical command executions. As command execution from web server parent processes is common, the "new_terms" rule type approach helps to identify deviations from normal behavior.
Rule type: new_terms
Rule indices:
- logs-endpoint.events.process*
Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:
Tags:
- Domain: Endpoint
- Domain: Web
- OS: Linux
- Use Case: Threat Detection
- Tactic: Persistence
- Data Source: Elastic Defend
Version: ?
Rule authors:
- Elastic
Rule license: Elastic License v2
event.category:process and host.os.type:linux and event.type:start and event.action:exec and (
process.parent.name:(
"apache" or "nginx" or "apache2" or "httpd" or "lighttpd" or "caddy" or "mongrel_rails" or "haproxy" or
"gunicorn" or "uwsgi" or "openresty" or "cherokee" or "h2o" or "resin" or "puma" or "unicorn" or "traefik" or "uvicorn" or
"tornado" or "hypercorn" or "daphne" or "twistd" or "yaws" or "webfsd" or "httpd.worker" or "flask" or "rails" or "mongrel" or
php* or ruby* or perl* or python* or "node" or "java"
) or
user.name:("apache" or "www-data" or "httpd" or "nginx" or "lighttpd" or "tomcat" or "tomcat8" or "tomcat9") or
user.id:("33" or "498" or "48" or "54321")
) and process.working_directory:(
/var/www/* or
/usr/share/nginx/* or
/srv/www/* or
/srv/http/* or
*/webapps/* or
/home/*/public_html/* or
/home/*/www/* or
/opt/* or
/u0*/*
) and
process.command_line:* and process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and process.args:"-c" and
not (
(process.parent.name:java and not process.parent.executable:/u0*/*) or
(process.parent.name:python* and process.parent.executable:(/bin/python* or /usr/bin/python* or /usr/local/bin/python* or /tmp/*python* or /opt/oracle.ahf/python/*)) or
(process.parent.name:ruby* and process.parent.executable:(/bin/ruby* or /usr/bin/ruby* or /usr/local/bin/ruby* or /tmp/*ruby* or /bin/ruby or /usr/bin/ruby or /usr/local/bin/ruby)) or
(process.parent.name:perl* and process.parent.executable:(/bin/perl* or /usr/bin/perl* or /usr/local/bin/perl* or /tmp/*perl* or /bin/perl or /usr/bin/perl or /usr/local/bin/perl)) or
(process.parent.name:php* and process.parent.executable:(/bin/php* or /usr/bin/php* or /usr/local/bin/php* or /tmp/*php* or /bin/php or /usr/bin/php or /usr/local/bin/php)) or
(process.parent.name:node and process.parent.executable:(/home/*/.vscode-server/* or /users/*/.vscode-server/* or /bin/node or /usr/bin/node or /usr/local/bin/node or /opt/plesk/node/*/bin/node)) or
process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/dbhome_* or /u0*/app/oracle/product/*/db_* or /var/www/*edoc*) or
process.parent.executable:/tmp/* or
process.args:/usr/local/bin/wkhtmltopdf*
)
Framework: MITRE ATT&CK
Tactic:
- Name: Persistence
- Id: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Server Software Component
- Id: T1505
- Reference URL: https://attack.mitre.org/techniques/T1505/
Sub Technique:
- Name: Web Shell
- Id: T1505.003
- Reference URL: https://attack.mitre.org/techniques/T1505/003/
Framework: MITRE ATT&CK
Tactic:
- Name: Execution
- Id: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Command and Scripting Interpreter
- Id: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
Sub Technique:
- Name: Unix Shell
- Id: T1059.004
- Reference URL: https://attack.mitre.org/techniques/T1059/004/
Framework: MITRE ATT&CK
Tactic:
- Name: Command and Control
- Id: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Application Layer Protocol
- Id: T1071
- Reference URL: https://attack.mitre.org/techniques/T1071/