
Suspicious Process By Web Server Process

Format: Sigma · Level: HIGH · Source: SigmaHQ
ATT&CK techniques: T1505.003, T1190
Sentinel table: imProcessCreate
Tags: exploit, webshell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-23T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects potentially suspicious processes being spawned by a web server process, which could be the result of a successfully placed web shell or of exploitation of the web application.

Detection Rule

Sigma (Original)

title: Suspicious Process By Web Server Process
id: 8202070f-edeb-4d31-a010-a26c72ac5600
status: test
description: |
    Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
references:
    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-11-26
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1505.003
    - attack.t1190
logsource:
    category: process_creation
    product: windows
detection:
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\php.exe'
            - '\tomcat.exe'
            - '\UMWorkerProcess.exe'  # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
            - '\w3wp.exe'
            - '\ws_TomcatService.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentCommandLine|contains:
            - 'CATALINA_HOME'
            - 'catalina.home'
            - 'catalina.jar'
    selection_anomaly_children:
        Image|endswith:
            - '\arp.exe'
            - '\at.exe'
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\dsget.exe'
            - '\hostname.exe'
            - '\nbtstat.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netdom.exe'
            - '\netsh.exe'
            - '\nltest.exe'
            - '\ntdsutil.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\qprocess.exe'
            - '\query.exe'
            - '\qwinsta.exe'
            - '\reg.exe'
            - '\rundll32.exe'
            - '\sc.exe'
            - '\sh.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wusa.exe'
    filter_main_fp_1:
        ParentImage|endswith: '\java.exe'
        CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
    filter_main_fp_2:
        ParentImage|endswith: '\java.exe'
        CommandLine|contains|all:
            - 'sc query'
            - 'ADManager Plus'
    condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
falsepositives:
    - Particular web applications may spawn a shell process legitimately
level: high
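To check the rule's logic before it reaches a SIEM, here is an added Python evaluator that mirrors the selections, the two ManageEngine filters and the condition above (`1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*`). This is example code written for this page, not SigmaHQ's rule code or a Sigma backend; the field names are the Sigma ones (ParentImage, ParentCommandLine, Image, CommandLine) and the sample events, their paths and command lines are constructed for the demonstration.

```python
# Added example, not SigmaHQ's or the feed's code: a small evaluator that mirrors the
# rule's selections, filters and condition so the logic can be exercised against
# constructed process_creation events before the Sentinel query goes live.
# Field names are the Sigma ones: ParentImage, ParentCommandLine, Image, CommandLine.


def _lower(*values):
    # Windows process paths are case-insensitive and Sigma string modifiers match
    # case-insensitively, so every pattern and every field is compared lower-cased.
    return tuple(v.lower() for v in values)


WEBSERVER_IMAGES = _lower(
    "\\caddy.exe", "\\httpd.exe", "\\nginx.exe", "\\php-cgi.exe", "\\php.exe",
    "\\tomcat.exe", "\\UMWorkerProcess.exe", "\\w3wp.exe", "\\ws_TomcatService.exe",
)
JAVA_IMAGES = _lower("\\java.exe", "\\javaw.exe")
TOMCAT_PATH_HINTS = _lower("-tomcat-", "\\tomcat")
CATALINA_HINTS = _lower("CATALINA_HOME", "catalina.home", "catalina.jar")
ANOMALY_CHILDREN = _lower(
    "\\arp.exe", "\\at.exe", "\\bash.exe", "\\bitsadmin.exe", "\\certutil.exe",
    "\\cmd.exe", "\\cscript.exe", "\\dsget.exe", "\\hostname.exe", "\\nbtstat.exe",
    "\\net.exe", "\\net1.exe", "\\netdom.exe", "\\netsh.exe", "\\nltest.exe",
    "\\ntdsutil.exe", "\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\qprocess.exe", "\\query.exe", "\\qwinsta.exe", "\\reg.exe", "\\rundll32.exe",
    "\\sc.exe", "\\sh.exe", "\\wmic.exe", "\\wscript.exe", "\\wusa.exe",
)
# filter_main_fp_1 is CommandLine|endswith; the value is copied verbatim from the rule.
FP1_SUFFIX = _lower(
    'Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager '
    '"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
)[0]


def _field(event, name):
    return str(event.get(name, "")).lower()


def matches_rule(event):
    """Evaluate: 1 of selection_webserver_* and selection_anomaly_children
    and not 1 of filter_main_*."""
    parent = _field(event, "ParentImage")
    parent_cmd = _field(event, "ParentCommandLine")
    image = _field(event, "Image")
    cmd = _field(event, "CommandLine")

    # selection_webserver_image
    webserver_image = parent.endswith(WEBSERVER_IMAGES)
    # selection_webserver_characteristics_tomcat1 / tomcat2: java.exe only counts as a
    # web server when its path or its own command line points at Tomcat
    parent_is_java = parent.endswith(JAVA_IMAGES)
    tomcat1 = parent_is_java and any(h in parent for h in TOMCAT_PATH_HINTS)
    tomcat2 = parent_is_java and any(h in parent_cmd for h in CATALINA_HINTS)
    # selection_anomaly_children
    anomaly_child = image.endswith(ANOMALY_CHILDREN)
    # filter_main_fp_1 / filter_main_fp_2: ManageEngine ADManager Plus carve-outs
    fp1 = parent.endswith("\\java.exe") and cmd.endswith(FP1_SUFFIX)
    fp2 = parent.endswith("\\java.exe") and "sc query" in cmd and "admanager plus" in cmd

    return (webserver_image or tomcat1 or tomcat2) and anomaly_child and not (fp1 or fp2)


def find_alerts(events):
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths and command lines, not real telemetry).
SAMPLE_EVENTS = [
    # 1: IIS worker spawning cmd.exe -> fires (webserver_image + anomaly child)
    {"id": 1, "ParentImage": "C:\\inetpub\\bin\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\inetpub\\wwwroot"},
    # 2: java.exe with catalina.home on its command line spawning PowerShell -> fires (tomcat2)
    {"id": 2, "ParentImage": "C:\\Program Files\\Java\\bin\\java.exe",
     "ParentCommandLine": "java -Dcatalina.home=C:\\apps\\tomcat org.apache.catalina.startup.Bootstrap",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -Command Get-Date"},
    # 3: ADManager Plus Tomcat running 'sc query' for its own service -> suppressed by filter_main_fp_2
    {"id": 3, "ParentImage": "C:\\ManageEngine\\ADManager Plus\\jre\\bin\\java.exe",
     "ParentCommandLine": "java -Dcatalina.home=C:\\ManageEngine\\ADManager Plus org.apache.catalina.startup.Bootstrap",
     "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": 'sc query "ADManager Plus"'},
    # 4: w3wp.exe spawning conhost.exe -> not an anomaly child, no alert
    {"id": 4, "ParentImage": "C:\\inetpub\\bin\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "conhost.exe"},
    # 5: plain java.exe with no Tomcat indicators spawning cmd.exe -> not a web server, no alert
    {"id": 5, "ParentImage": "C:\\Program Files\\Java\\bin\\java.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # [1, 2]
```

Event 3 is the useful one when tuning: without filter_main_fp_2 it would fire through the tomcat2 selection, which is why the rule's filters key on both the java.exe parent and the full child command line instead of dropping sc.exe from the child list.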

KQL (Azure Sentinel)

imProcessCreate
| where (
        (
            ParentProcessName endswith "\\caddy.exe"
            or ParentProcessName endswith "\\httpd.exe"
            or ParentProcessName endswith "\\nginx.exe"
            or ParentProcessName endswith "\\php-cgi.exe"
            or ParentProcessName endswith "\\php.exe"
            or ParentProcessName endswith "\\tomcat.exe"
            or ParentProcessName endswith "\\UMWorkerProcess.exe"
            or ParentProcessName endswith "\\w3wp.exe"
            or ParentProcessName endswith "\\ws_TomcatService.exe"
        ) or (
            ActingProcessName endswith "\\caddy.exe"
            or ActingProcessName endswith "\\httpd.exe"
            or ActingProcessName endswith "\\nginx.exe"
            or ActingProcessName endswith "\\php-cgi.exe"
            or ActingProcessName endswith "\\php.exe"
            or ActingProcessName endswith "\\tomcat.exe"
            or ActingProcessName endswith "\\UMWorkerProcess.exe"
            or ActingProcessName endswith "\\w3wp.exe"
            or ActingProcessName endswith "\\ws_TomcatService.exe"
        )
    ) or (
        (
            (ParentProcessName endswith "\\java.exe" or ParentProcessName endswith "\\javaw.exe")
            or (ActingProcessName endswith "\\java.exe" or ActingProcessName endswith "\\javaw.exe")
        ) and (
            (ParentProcessName contains "-tomcat-" or ParentProcessName contains "\\tomcat")
            or (ActingProcessName contains "-tomcat-" or ActingProcessName contains "\\tomcat")
        )
    ) or (
        (
            (ParentProcessName endswith "\\java.exe" or ParentProcessName endswith "\\javaw.exe")
            or (ActingProcessName endswith "\\java.exe" or ActingProcessName endswith "\\javaw.exe")
        ) and (
            ActingProcessCommandLine contains "CATALINA_HOME"
            or ActingProcessCommandLine contains "catalina.home"
            or ActingProcessCommandLine contains "catalina.jar"
        )
    )
)
and (
    TargetProcessName endswith "\\arp.exe"
    or TargetProcessName endswith "\\at.exe"
    or TargetProcessName endswith "\\bash.exe"
    or TargetProcessName endswith "\\bitsadmin.exe"
    or TargetProcessName endswith "\\certutil.exe"
    or TargetProcessName endswith "\\cmd.exe"
    or TargetProcessName endswith "\\cscript.exe"
    or TargetProcessName endswith "\\dsget.exe"
    or TargetProcessName endswith "\\hostname.exe"
    or TargetProcessName endswith "\\nbtstat.exe"
    or TargetProcessName endswith "\\net.exe"
    or TargetProcessName endswith "\\net1.exe"
    or TargetProcessName endswith "\\netdom.exe"
    or TargetProcessName endswith "\\netsh.exe"
    or TargetProcessName endswith "\\nltest.exe"
    or TargetProcessName endswith "\\ntdsutil.exe"
    or TargetProcessName endswith "\\powershell_ise.exe"
    or TargetProcessName endswith "\\powershell.exe"
    or TargetProcessName endswith "\\pwsh.exe"
    or TargetProcessName endswith "\\qprocess.exe"
    or TargetProcessName endswith "\\query.exe"
    or TargetProcessName endswith "\\qwinsta.exe"
    or TargetProcessName endswith "\\reg.exe"
    or TargetProcessName endswith "\\rundll32.exe"
    or TargetProcessName endswith "\\sc.exe"
    or TargetProcessName endswith "\\sh.exe"
    or TargetProcessName endswith "\\wmic.exe"
    or TargetProcessName endswith "\\wscript.exe"
    or TargetProcessName endswith "\\wusa.exe"
)
and (not(
    (
        (ParentProcessName endswith "\\java.exe" or ActingProcessName endswith "\\java.exe")
        and TargetProcessCommandLine endswith "Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager \"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt"
    ) or (
        (ParentProcessName endswith "\\java.exe" or ActingProcessName endswith "\\java.exe")
        and (TargetProcessCommandLine contains "sc query" and TargetProcessCommandLine contains "ADManager Plus")
    )
))

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled

False Positive Guidance

The rule's own falsepositives entry notes that particular web applications may spawn a shell process legitimately. Its two filter_main_* entries already carve out ManageEngine ADManager Plus, whose java.exe launches an Elasticsearch batch file through cmd.exe and runs sc query with "ADManager Plus" on the command line. Further exclusions should follow that pattern, keying on the parent image together with the full child command line, rather than removing a child image such as cmd.exe or powershell.exe from selection_anomaly_children outright.

MITRE ATT&CK Context

T1505.003 (Server Software Component: Web Shell, tactic Persistence) and T1190 (Exploit Public-Facing Application, tactic Initial Access), matching the attack.persistence and attack.initial-access tags on the rule.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml