rules/windows/sysmon/sysmon_webshell_spawn.yml

title: Shells spawned by Web Servers
status: experimental
description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
author: Thomas Patzke
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        ParentImage:
            - '*\w3wp.exe'
            - '*\httpd.exe'
            - '*\nginx.exe'
            - '*\php-cgi.exe'
        Image:
            - '*\cmd.exe'
            - '*\sh.exe'
            - '*\bash.exe'
            - '*\powershell.exe'
    condition: selection
falsepositives:
    - Particular web applications may spawn a shell process legitimately
level: high
Added experimental web 'shell_spawn' rule 2017-01-11 00:07:49 +01:00			`title: Shells spawned by Web Servers`
			`status: experimental`
			`description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack`
Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00			`author: Thomas Patzke`
			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00			`product: windows`
			`service: sysmon`
Added experimental web 'shell_spawn' rule 2017-01-11 00:07:49 +01:00			`detection:`
			`selection:`
Rule review and cleanup 2017-02-15 23:53:08 +01:00			`EventID: 1`
			`ParentImage:`
			`- '*\w3wp.exe'`
			`- '*\httpd.exe'`
			`- '*\nginx.exe'`
Modifications 2017-03-04 14:22:44 -08:00			`- '*\php-cgi.exe'`
Rule review and cleanup 2017-02-15 23:53:08 +01:00			`Image:`
			`- '*\cmd.exe'`
			`- '*\sh.exe'`
			`- '*\bash.exe'`
Modifications 2017-03-04 14:22:44 -08:00			`- '*\powershell.exe'`
Added experimental web 'shell_spawn' rule 2017-01-11 00:07:49 +01:00			`condition: selection`
			`falsepositives:`
			`- Particular web applications may spawn a shell process legitimately`
Levels to low, medium, high, critical 2017-02-16 18:02:26 +01:00			`level: high`