Suspicious sub-processes spawned by web server processes may indicate the presence of a Linux webshell used for persistent command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential webshell-based attacks before they lead to data exfiltration or system compromise.
Detection Rule
```yaml
title: Linux Webshell Indicators
id: 818f7b24-0fba-4c49-a073-8b755573b9c7
status: test
description: Detects suspicious sub processes of web server processes
references:
    - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-10-15
modified: 2022-12-28
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: linux
    category: process_creation
detection:
    selection_general:
        ParentImage|endswith:
            - '/httpd'
            - '/lighttpd'
            - '/nginx'
            - '/apache2'
            - '/node'
            - '/caddy'
    selection_tomcat:
        ParentCommandLine|contains|all:
            - '/bin/java'
            - 'tomcat'
    selection_websphere: # ? just guessing
        ParentCommandLine|contains|all:
            - '/bin/java'
            - 'websphere'
    sub_processes:
        Image|endswith:
            - '/whoami'
            - '/ifconfig'
            - '/ip'
            - '/bin/uname'
            - '/bin/cat'
            - '/bin/crontab'
            - '/hostname'
            - '/iptables'
            - '/netstat'
            - '/pwd'
            - '/route'
    condition: 1 of selection_* and sub_processes
falsepositives:
    - Web applications that invoke Linux command line tools
level: high
```
Azure Sentinel Query (KQL)

```kql
imProcessCreate
| where (
        (
            (ParentProcessName endswith "/httpd" or ParentProcessName endswith "/lighttpd" or ParentProcessName endswith "/nginx"
             or ParentProcessName endswith "/apache2" or ParentProcessName endswith "/node" or ParentProcessName endswith "/caddy")
            or
            (ActingProcessName endswith "/httpd" or ActingProcessName endswith "/lighttpd" or ActingProcessName endswith "/nginx"
             or ActingProcessName endswith "/apache2" or ActingProcessName endswith "/node" or ActingProcessName endswith "/caddy")
        )
        or (ActingProcessCommandLine contains "/bin/java" and ActingProcessCommandLine contains "tomcat")
        or (ActingProcessCommandLine contains "/bin/java" and ActingProcessCommandLine contains "websphere")
    )
    and (
        TargetProcessName endswith "/whoami" or TargetProcessName endswith "/ifconfig" or TargetProcessName endswith "/ip"
        or TargetProcessName endswith "/bin/uname" or TargetProcessName endswith "/bin/cat" or TargetProcessName endswith "/bin/crontab"
        or TargetProcessName endswith "/hostname" or TargetProcessName endswith "/iptables" or TargetProcessName endswith "/netstat"
        or TargetProcessName endswith "/pwd" or TargetProcessName endswith "/route"
    )
```
False Positive Scenarios

Scenario: Cron Job Running a Legitimate Script
Description: A scheduled job (e.g., /etc/cron.daily/logrotate) is executing a script that spawns a sub-process, which is flagged as a webshell.
Filter/Exclusion: Exclude processes initiated by cron and matching known legitimate scripts (e.g., logrotate, rsyslog, fail2ban).
Example Filter: process.parent_process_name = "cron" AND process.command_line LIKE "%logrotate%"

Scenario: System Monitoring Tool Generating Sub-Processes
Description: A system monitoring tool like nagios or zabbix spawns sub-processes to check service status, which could be mistaken for a webshell.
Filter/Exclusion: Exclude processes associated with monitoring tools (e.g., nagios, zabbix_agentd, check_http).
Example Filter: process.name IN ("nagios", "zabbix_agentd")

Scenario: Admin Performing Manual Server Maintenance
Description: An admin is manually running a script (e.g., ./backup.sh) that includes a sub-process, which is flagged as suspicious.
Filter/Exclusion: Exclude processes initiated by admin users (e.g., root, admin) and matching known maintenance scripts.
Example Filter: process.user IN ("root", "admin") AND process.command_line LIKE "%backup.sh%"

Scenario: Web Server Restart via Systemd
Description: A systemd service (e.g., apache2) is being restarted, which triggers a sub-process that matches the rule's logic.
Filter/Exclusion: Exclude processes initiated by systemd and related to web server restarts.
Example Filter: process.parent_process_name = "systemd"
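To make the rule's logic and the tuning step concrete, here is an added Python re-implementation of the Sigma selections (`1 of selection_* and sub_processes`) together with allowlist-style exclusions in the spirit of the scenarios above, run over constructed process-creation events. This is example code written for this page, not the rule authors' code or the Sentinel query; the `ProcessEvent` field names, the `/opt/dashboard/server.js` application path and every sample value are assumptions.

```python
"""Re-implementation of the Linux Webshell Indicators rule logic in plain Python.

Added example, not code from the rule's authors or from Azure Sentinel. The
field names on ProcessEvent and every sample value below are constructed.
"""
from dataclasses import dataclass

# selection_general: parent image suffixes (Sigma matching is case-insensitive
# by default, so both sides are lower-cased before comparison)
WEB_SERVER_PARENTS = ("/httpd", "/lighttpd", "/nginx", "/apache2", "/node", "/caddy")
# selection_tomcat / selection_websphere: '/bin/java' plus a container marker
JAVA_CONTAINER_MARKERS = ("tomcat", "websphere")
# sub_processes: host-reconnaissance binaries a freshly planted webshell tends to run
RECON_CHILDREN = ("/whoami", "/ifconfig", "/ip", "/bin/uname", "/bin/cat",
                  "/bin/crontab", "/hostname", "/iptables", "/netstat", "/pwd", "/route")


@dataclass
class ProcessEvent:
    """Minimal process_creation record (constructed field set)."""
    image: str                      # Sigma Image / KQL TargetProcessName
    parent_image: str               # Sigma ParentImage / KQL ParentProcessName
    parent_command_line: str = ""   # Sigma ParentCommandLine
    command_line: str = ""
    user: str = ""


def parent_is_web_server(ev: ProcessEvent) -> bool:
    """'1 of selection_*': a web server binary, or a Java process running Tomcat/WebSphere."""
    if ev.parent_image.lower().endswith(WEB_SERVER_PARENTS):
        return True
    cmd = ev.parent_command_line.lower()
    return "/bin/java" in cmd and any(marker in cmd for marker in JAVA_CONTAINER_MARKERS)


def matches_rule(ev: ProcessEvent) -> bool:
    """condition: 1 of selection_* and sub_processes"""
    return parent_is_web_server(ev) and ev.image.lower().endswith(RECON_CHILDREN)


# Tuning: each exclusion is a predicate over the event. Keep them narrow, so they
# name a specific parent application and a specific child, rather than a whole user
# or a whole parent binary. The application path here is a constructed placeholder.
def dashboard_hostname_lookup(ev: ProcessEvent) -> bool:
    return ("/opt/dashboard/server.js" in ev.parent_command_line
            and ev.image.lower().endswith("/hostname"))


EXCLUSIONS = [dashboard_hostname_lookup]


def is_excluded(ev: ProcessEvent, exclusions=EXCLUSIONS) -> bool:
    return any(exclude(ev) for exclude in exclusions)


def triage(events, exclusions=EXCLUSIONS):
    """Split rule hits into (alerts, suppressed); events that never match are dropped."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        (suppressed if is_excluded(ev, exclusions) else alerts).append(ev)
    return alerts, suppressed


# Constructed sample events
SAMPLE_EVENTS = [
    # webshell-style recon: an nginx worker spawning whoami
    ProcessEvent(image="/usr/bin/whoami", parent_image="/usr/sbin/nginx",
                 command_line="whoami", user="www-data"),
    # Tomcat (a java process) reading a file through cat
    ProcessEvent(image="/bin/cat", parent_image="/usr/lib/jvm/java-11/bin/java",
                 parent_command_line=("/usr/lib/jvm/java-11/bin/java -Dcatalina.base=/opt/tomcat "
                                      "org.apache.catalina.startup.Bootstrap start"),
                 command_line="cat /etc/passwd", user="tomcat"),
    # benign: apache2 starting its PHP backend; the child is not in the recon list
    ProcessEvent(image="/usr/sbin/php-fpm8.1", parent_image="/usr/sbin/apache2",
                 command_line="php-fpm: master process", user="www-data"),
    # benign and allowlisted: a known Node app resolving its own hostname
    ProcessEvent(image="/bin/hostname", parent_image="/usr/bin/node",
                 parent_command_line="/usr/bin/node /opt/dashboard/server.js",
                 command_line="hostname -f", user="dashboard"),
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for ev in alerts:
        print(f"ALERT      parent={ev.parent_image} child={ev.image} user={ev.user}")
    for ev in suppressed:
        print(f"SUPPRESSED parent={ev.parent_image} child={ev.image} (allowlisted)")
```

Running the script yields two alerts (the nginx and Tomcat recon children) and one suppressed hit (the allowlisted hostname lookup). The exclusion is deliberately keyed on a specific parent command line and a specific child binary, which is a tighter shape than excluding every process of a given user or parent and keeps a webshell running under the same account visible.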