```yaml
title: Webshell Tool Reconnaissance Activity
id: f64e5c19-879c-4bae-b471-6d84c8339677
status: test
description: |
    Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
references:
    - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
author: Cian Heasley, Florian Roth (Nextron Systems)
date: 2020-07-22
modified: 2023-11-09
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\w3wp.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'CATALINA_HOME'
            - 'catalina.jar'
    selection_recon:
        CommandLine|contains:
            - 'perl --help'
            - 'perl -h'
            - 'python --help'
            - 'python -h'
            - 'python3 --help'
            - 'python3 -h'
            - 'wget --help'
    condition: 1 of selection_webserver_* and selection_recon
falsepositives:
    - Unknown
level: high
```
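To check how the condition `1 of selection_webserver_* and selection_recon` actually combines the four selections, here is an added Python transcription of the rule run over a handful of constructed process_creation events. It is an illustrative example, not code from the Sigma project or from any Sigma backend; the file paths and command lines in `SAMPLE_EVENTS` are invented. It mirrors Sigma's semantics that matter here: string modifiers are case-insensitive, keys inside one selection are ANDed, list values are ORed, and `CommandLine` is the command line of the spawned child, not of the web server parent.

```python
"""Added example: evaluate the 'Webshell Tool Reconnaissance Activity' Sigma
rule against constructed process_creation events (not Sigma project code)."""

# Selections transcribed from the rule. Sigma string matching is
# case-insensitive, so every comparison lowercases both sides.
WEBSERVER_IMAGES = (
    "\\caddy.exe", "\\httpd.exe", "\\nginx.exe",
    "\\php-cgi.exe", "\\w3wp.exe", "\\ws_tomcatservice.exe",
)
JAVA_IMAGES = ("\\java.exe", "\\javaw.exe")
TOMCAT_PATH_MARKERS = ("-tomcat-", "\\tomcat")
TOMCAT_CMDLINE_MARKERS = ("CATALINA_HOME", "catalina.jar")
RECON_STRINGS = (
    "perl --help", "perl -h",
    "python --help", "python -h",
    "python3 --help", "python3 -h",
    "wget --help",
)


def _endswith_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection_webserver_image(ev: dict) -> bool:
    return _endswith_any(ev.get("ParentImage", ""), WEBSERVER_IMAGES)


def selection_webserver_characteristics_tomcat1(ev: dict) -> bool:
    # Two keys in one selection: both the endswith and the contains must hold.
    parent = ev.get("ParentImage", "")
    return _endswith_any(parent, JAVA_IMAGES) and _contains_any(parent, TOMCAT_PATH_MARKERS)


def selection_webserver_characteristics_tomcat2(ev: dict) -> bool:
    # Parent is java, and the *child's* command line carries a Catalina marker.
    return (_endswith_any(ev.get("ParentImage", ""), JAVA_IMAGES)
            and _contains_any(ev.get("CommandLine", ""), TOMCAT_CMDLINE_MARKERS))


def selection_recon(ev: dict) -> bool:
    return _contains_any(ev.get("CommandLine", ""), RECON_STRINGS)


def matches(ev: dict) -> bool:
    """condition: 1 of selection_webserver_* and selection_recon"""
    webserver = (selection_webserver_image(ev)
                 or selection_webserver_characteristics_tomcat1(ev)
                 or selection_webserver_characteristics_tomcat2(ev))
    return webserver and selection_recon(ev)


def evaluate(events) -> list:
    """Return the indexes of the events the rule would fire on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


# Constructed sample events (hypothetical paths and command lines, not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: IIS worker process running a webshell's "is python here?" probe
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /c "python --help"',
    },
    {   # 1: Tomcat started from a java.exe whose path contains '-tomcat-'
        "ParentImage": r"C:\apache-tomcat-9.0.80\jre\bin\java.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /c "wget --help"',
    },
    {   # 2: generic javaw.exe parent, but the child command line names CATALINA_HOME
        "ParentImage": r"C:\Program Files\Java\jdk-17\bin\javaw.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /c "perl -h & echo %CATALINA_HOME%"',
    },
    {   # 3: same recon string, but no web-server characteristics -> no alert
        "ParentImage": r"C:\Program Files\Java\jdk-17\bin\java.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /c "python3 -h"',
    },
    {   # 4: web-server parent, but no tool-help probe -> no alert
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
    },
]

if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0, 1 and 2 fire and 3 and 4 do not, which is the behaviour the condition line describes. Two details worth keeping in mind when tuning: because `contains` is a substring match, `perl -h` also covers `perl -help` and `python -h` also covers `python -help`; and a Tomcat instance whose `java.exe` lives outside a path containing `-tomcat-` or `\tomcat` is only caught via the child command line (tomcat2), so check how your Tomcat service is installed before relying on the rule.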
Sentinel (ASIM) translation of the rule, with `ParentImage` mapped to either `ParentProcessName` or `ActingProcessName` and `CommandLine` to `TargetProcessCommandLine`:

```kusto
imProcessCreate
| where (
        (
            (ParentProcessName endswith "\\caddy.exe" or ParentProcessName endswith "\\httpd.exe" or ParentProcessName endswith "\\nginx.exe" or ParentProcessName endswith "\\php-cgi.exe" or ParentProcessName endswith "\\w3wp.exe" or ParentProcessName endswith "\\ws_tomcatservice.exe")
            or (ActingProcessName endswith "\\caddy.exe" or ActingProcessName endswith "\\httpd.exe" or ActingProcessName endswith "\\nginx.exe" or ActingProcessName endswith "\\php-cgi.exe" or ActingProcessName endswith "\\w3wp.exe" or ActingProcessName endswith "\\ws_tomcatservice.exe")
        )
        or (
            ((ParentProcessName endswith "\\java.exe" or ParentProcessName endswith "\\javaw.exe") or (ActingProcessName endswith "\\java.exe" or ActingProcessName endswith "\\javaw.exe"))
            and ((ParentProcessName contains "-tomcat-" or ParentProcessName contains "\\tomcat") or (ActingProcessName contains "-tomcat-" or ActingProcessName contains "\\tomcat"))
        )
        or (
            ((ParentProcessName endswith "\\java.exe" or ParentProcessName endswith "\\javaw.exe") or (ActingProcessName endswith "\\java.exe" or ActingProcessName endswith "\\javaw.exe"))
            and (TargetProcessCommandLine contains "CATALINA_HOME" or TargetProcessCommandLine contains "catalina.jar")
        )
    )
    and (TargetProcessCommandLine contains "perl --help" or TargetProcessCommandLine contains "perl -h" or TargetProcessCommandLine contains "python --help" or TargetProcessCommandLine contains "python -h" or TargetProcessCommandLine contains "python3 --help" or TargetProcessCommandLine contains "python3 -h" or TargetProcessCommandLine contains "wget --help")
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |